Opinion
CV 20-04855 DDP (SKx)
08-30-2023
CONNOR BURNS, Plaintiff, v. MAMMOTH MEDIA, INC., Defendants.
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS SECOND AMENDED COMPLAINT [34]
DEAN D. PREGERSON, UNITED STATES DISTRICT JUDGE.
Presently before the court is Defendant Mammoth Media, Inc. (“Mammoth”)'s Motion to Dismiss Plaintiff's Second Amended Complaint. Having considered the submissions of the parties and heard oral argument, the court grants the motion and adopts the following Order.
I. Background
Plaintiff Connor Burns, a citizen of Idaho, downloaded Mammoth's mobile “Wishbone” application (“app”) when he was fourteen years old. (Second Amended Complaint (“SAC”) ¶ 2.) To use the app, Plaintiff was required to create an account, select a username and password, and provide his e-mail address. (Id.). Plaintiff deleted the app soon after downloading it, but did not delete his Wishbone account. (SAC ¶ 3.)
Four years later, Mammoth informed Plaintiff that it had suffered a data breach, and that “some Wishbone users' “usernames, emails, phone numbers, timezone/region, full name, bio, gender, hashed [i.e., encrypted,] passwords, and profile pictures” may have been compromised. (SAC ¶ 4.) Plaintiff also alleges that Mammoth collected and maintained other types of user data that were also compromised, including date of birth, location information, user settings, social media profiles, and “access tokens.” (Id. ¶¶ 15, 25.) Plaintiff further alleges that data pertaining to 40 million Wishbone users was circulated for sale on the dark web, and ultimately released for free. (Id. ¶ 22.)
Plaintiff used the same e-mail address and password that he used to log into the Wishbone app as his login credentials for his Spotify and Reddit accounts. (SAC ¶ 40.) Plaintiff alleges that, following the Wishbone data breach, an unauthorized third party accessed his Spotify account, and he then had to change his Spotify password to secure the account. (Id. ¶ 38, 42.) Plaintiff also received notice that his Reddit account had been “compromised and locked.” (Id. ¶ 39.) Plaintiff reset his Reddit password as well. (Id. ¶ 42.) Plaintiff also began receiving spam e-mails. (Id. ¶ 41) Plaintiff spent about three hours changing other online passwords, setting up fraud alerts, and reviewing his bank accounts for fraudulent transactions. (Id. ¶ 58.) Plaintiff alleges that the theft of his data will result in identity theft and fraud, lowered credit scores resulting from fraudulent activity, loss of access to online and financial accounts, and the loss of time and enjoyment stemming from efforts to mitigate or prevent identity theft. (Id. ¶ 64.)
The SAC alleges, on behalf of a putative class, three causes of action for negligence, a declaratory judgment, and breach of confidence. Defendant Mammoth now seeks to dismiss the SAC pursuant to Federal Rule of Procedure 12(b)(1) and Rule 12(b)(6).
II. Legal Standard
A motion under Rule 12(b)(1) may challenge the court's jurisdiction facially, based on the legal sufficiency of the claim, or factually, based on the legal sufficiency of the jurisdictional facts. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000)(citing 2 James Wm. Moore et al., Moore's Federal Practice 12.30[4], at 12-38 to 12-41 (3d ed.1999)). Where the motion attacks the complaint on its face, the court considers the complaint's allegations to be true, and draws all reasonable inferences in the plaintiff's favor. Doe v. Holy See, 557 F.3d 1066, 1073 (9th Cir. 2009). In a factual challenge, the court is not required to accept the allegations of the complaint as true, and may consider additional evidence outside of the pleadings. Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011). Once the moving party has presented evidence showing a lack of subject-matter jurisdiction, the burden shifts to “the party opposing the motion [to] furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). If the plaintiff cannot meet his burden of establishing the jurisdiction it seeks to invoke, the court must dismiss the case. Fed.R.Civ.P. 12(h)(3).
When considering a Rule 12(b)(6) motion, a court must “accept as true all allegations of material fact and must construe those facts in the light most favorable to the plaintiff.” Resnick v. Hayes, 213 F.3d 443, 447 (9th Cir. 2000). A complaint will survive a motion to dismiss when it “contain[s] sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)(quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Although a complaint need not include “detailed factual allegations,” it must offer “more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Iqbal,556 U.S. at 678. Conclusory allegations or allegations that are no more than a statement of a legal conclusion “are not entitled to the assumption of truth.” Id. at 679. In other words, a pleading that merely offers “labels and conclusions,” a “formulaic recitation of the elements,” or “naked assertions” will not be sufficient to state a claim upon which relief can be granted. Id. at 678 (citations and internal quotation marks omitted).
“When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement of relief.” Iqbal,556 U.S. at 679. Plaintiffs must allege “plausible grounds to infer” that their claims rise “above the speculative level.” Twombly, 550 U.S. at 555-56. “Determining whether a complaint states a plausible claim for relief” is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 679.
III. Discussion
A party invoking federal jurisdiction bears the burden of demonstrating that he has Article III standing. Lujan v. Defs. Of Wildlife, 504 U.S. 555, 561 (1992). To meet that burden, “a plaintiff must show (1) it has suffered an ‘injury in fact' that is . . . actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Env't Servs. (TOC), Inc., 528 U.S. 167, 181 (2000). “Rule 12(b)(1) jurisdictional attacks can be either facial or factual.” White, 227 F.3d at 1242. “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air, 373 F.3d 1035 at 1039.
A. Risk of Identify Theft
i. Nature of the data
An increased risk of identity theft may constitute a “credible threat of real and immediate harm” sufficient to constitute an injury in fact for standing purposes. In re Zappos.com, Inc., 888 F.3d 1020, 1025 (9th Cir. 2018) (quoting Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). Mammoth contends, in the context of both a factual and facial challenge, that Plaintiff here has not alleged any credible threat of future identity theft. As an initial matter, although both parties have submitted expert declarations, there does not appear to be a dispute that hackers only obtained Plaintiff's “name, his username for the Wishbone app, his email address, a record of the date he created his Wishbone profile, his gender, the user ID number that Mammoth assigned to him, his encrypted password, his Mammoth assigned access token, an authorization token, a Facebook ID, a url to an image, country, time zone, Apple idfa, stickers left, and the date last updated.” (Declaration of Brian DeBoer, ¶ 6; Declaration of Mark Clifford, ¶ 5.) Plaintiff's compromised information did not include his date of birth, address, social security number, or any financial information. (De Boer Decl., ¶ 7.) Whether considered as a factual or facial challenge, the key allegations relevant to risk of identity theft, and thus to Plaintiff's injury in fact, are the allegations that (1) Plaintiff's email address and password were compromised and (2) Plaintiff used the same email and address and password to access other online accounts, including his Spotify and Reddit accounts, but not including his financial accounts. (SAC ¶¶ 42.)
Although Plaintiff suggests that there is some factual dispute as to the nature of one of these items, the “Apple idfa,” the affidavits submitted are not in direct conflict. Mark Clifford, in support of Plaintiff's position, relates a description of the function of the “Apple idfa” generally, and opines that that function conflicts with Brian DeBoer's description of the “Apple idfa.” (Clifford Decl. ¶¶ 40-43.) Mammoth, however, submits additional evidence that the datum deBoer describes as an “Apple idfa” is a series of characters that identifies Plaintiff to Mammoth if he uses an Apple account to log in to the Wishbone app, but cannot be used to access or change any Apple account. (Declaration of Solene Schwartz,, ¶ 12.) Thus, Mammoth contends, the item DeBoer describes as the “Apple idfa” is not a “true idfa” of the sort described in the Clifford Declaration. (Reply at 1:1720.)
Although the SAC alleges that hackers obtained “hashed,” or encrypted passwords, Plaintiff also alleges that Mammoth's encryption methods were outdated and easily circumvented. (SAC ¶ 30.) The Clifford declaration supports this allegation, and the DeBoer declaration takes no position on the effectiveness of the encryption protocol. (Clifford Decl., ¶ 12-15.)
Plaintiff seeks to liken the data breach at issue here to those in Krottner and Zappos. In Krottner, the court found a sufficient risk of identity theft to confer standing where a thief obtained a laptop containing unencrypted names, addresses, and social security numbers. Krottner v. Starbucks Corp., 628 F.3d 1139, 1141 (9th Cir. 2010). In Zappos, hackers obtained names, passwords, email addresses, billing and shipping addresses, phone numbers, and credit and debit card information. Zappos, 888 F.3d at 1024. Some plaintiffs also alleged that hackers subsequently took over e-mail accounts and sent advertisements to all of the plaintiffs' contacts. Id. at 1027-28. Notwithstanding a lack of compromised social security information, the Zappos court concluded that “the information taken in the data breach still gave hackers the means to commit fraud or identity theft,” and found the risk of identity theft sufficient to constitute an injury in fact for purposes of standing. Id.
In his attempt to draw parallels between this case and Zappos, Plaintiff mischaracterizes the latter by asserting that the Zappos court “focused on the likelihood of harm that could arise from nonfinancial information compromised in the breach.” (Opp. at 7:8-9.) Not so. Rather, the court likened “the sensitivity of the stolen data” to that of the social security numbers stolen in Krottner. Zappos, 888 F.3d at 1027. Indeed, the court specifically analogized credit card information to social security numbers, explaining that Congress has taken specific steps to safeguard the confidentiality of the former. Id. Although the court did refer to nonfinancial harm suffered by plaintiffs whose email accounts were hacked, the court stated only that such attacks “further support Plaintiffs' contention that the hackers accessed information that could be used to help commit identity fraud or identity theft.” Id. at 28. That information, of course, included sensitive credit card information. The Zappos court did not, however, suggest that the hacked email accounts alone evidenced an ongoing risk of identity theft or constituted an injury in fact.
Plaintiff also mistakenly relies upon the Zappos court's recitation of allegations that “the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing' and ‘pharming' . . . .” Zappos, 888 F.3d at 1027. As the court observed, the defendant in Zappos raised only a facial challenge to standing. Id. at 1023 n.2. The court was therefore required to take the plaintiff's phishing allegations at face value. Doe, 557 F.3d at 1073. Furthermore, “the type of information accessed in the Zappos breach” was, as discussed above, qualitatively different from that obtained here. The DeBoer Declaration essentially states that the information obtained here was useless, and the Clifford declaration does not suggest that the theft of Plaintiff's email address or password made Plaintiff more vulnerable to phishing attacks.
Although Plaintiff also refers repeatedly to unauthorized access to his Spotify account following the Wishbone data breach, Plaintiff acknowledges that such an attack does not rise to the level of identity theft. (Opp. at 10:9.) Nor is it clear to the court how the Spotify issue “underscore[s] the present risk Mr. Burns faces.” (Id.) Plaintiff alleges that, while he did use the same email address and password for his Wishbone and Spotify accounts, he did not use those credentials for his financial accounts. (SAC ¶ 42.) And even if, as Plaintiff alleges, the Wishbone hackers were able to discover Plaintiff's “personal music listening history,” Plaintiff does not explain how that data is in any way comparable to social security numbers, credit card information, or other sensitive information that might give rise to a risk of identity theft.
Notwithstanding Plaintiff's occasional reference to his Reddit account, there is no allegation that his Reddit account was breached, only that was “compromised and locked.” (SAC ¶ 39.) See Clifford Dec., ¶ 29 (“I was unable to confirm that an email address and password were sufficient to access Reddit at the time Mr. Burns's information was stolen.”).
In light of this allegation, it is difficult to see how any future identity theft or breach of a financial account could be traceable to Mammoth and the Wishbone breach. Plaintiff's suggestion that future harm might be traceable to Mammoth because he might have other accounts that he forgot about that use the same Wishbone credentials has no merit. (Opp. at 16.)
Plaintiff also alleges that his Spotify account “could reveal” other personal information. (SAC ¶ 41.) As an initial matter, Plaintiff does not specify what types of personal information could possibly be revealed through his Spotify account. Furthermore, to the extent Plaintiff suggests that the Wishbone data was the first, and the Spotify breach the second, domino in a series of breaches that might each reveal a separate piece of a mosaic that might eventually and cumulatively give rise to a risk of identity theft, that assertion is too speculative to constitute a concrete injury in fact.
ii. Mitigation Efforts
There appears to be no dispute among the parties that, in certain cases, a Plaintiff's mitigation efforts may constitute an actual injury sufficient to confer standing. See, e.g., Adkins v. Facebook, Inc., 424 F.Supp.3d 686, 692 (N.D. Cal. 2019). Even in appropriate cases, however, such efforts must be reasonable. See Holly v. Alta Newport Hosp., Inc., No. 219CV07496ODWMRWX, 2020 WL 1853308, at *6 (C.D. Cal. Apr. 10, 2020). Even taking Plaintiff's allegations at face value, his efforts to set up fraud alerts and monitor bank accounts for fraudulent transactions were not necessary or reasonable. Plaintiff appears to suggest that his mitigation efforts were reasonable because he did not know the scope of the data breach, as Mammoth informed him that the hacked e-mailed addresses, user names, and other data comprised only "some of the compromised data.” (Plaintiff's Supplemental Memorandum at 8:28) (emphasis Plaintiff's). But Plaintiff knew what data he had provided to Mammoth when he created a Wishbone account as a fourteen year-old, and knew that that data set did not include financial or any other sensitive information. Nor could the subsequent hacking of Plaintiff's Spotify account justify his fraud-fighting efforts. Plaintiff knew that the login credentials he used for both his Wishbone and Spotify accounts were not the same credentials he used for more sensitive accounts. Nor does, or could, Plaintiff allege that hackers' ability to access his Spotify listening history somehow necessitated his fraud-focused remedial efforts.
Even considering only the information known to Plaintiff at the time, the data accessed in the Wishbone breach was not sensitive enough to create a sufficient risk of identity theft to constitute an actual injury for purposes of standing. Plaintiff's efforts to mitigate any such illusory risk are, therefore, also insufficient to support standing.
B. Inherent Value of Data
Plaintiff also argues that, independent of the risk of identity theft, he has suffered harm in the form of diminution in the value of his personal data. (Opp. at 12-13). As explained in this Court's prior Order, several courts have rejected similar theories as implausible, speculative, or otherwise infirm, especially where, as here, there is no allegation of a legitimate market for the information. See, e.g., In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 784 (N.D. Cal. 2019) (“The plaintiffs do not plausibly allege that they intended to sell their non-disclosed personal information to someone else. Nor, in any event, do they plausibly allege that someone else would have bought it as a stand-alone product. The plaintiffs' economic-loss theory is therefore purely hypothetical and does not give rise to standing.”); Svenson v. Google Inc., 65 F.Supp.3d 717, 724-25 (N.D. Cal. 2014); Low v. LinkedIn Corp., No. 11-CV-01468-LHK, 2011 WL 5509848, at *5 (N.D. Cal. Nov. 11, 2011); LaCourt v. Specific Media, Inc., No. SACV 10-1256 GW JCGX, 2011 WL 1661532, at *4-5 (C.D. Cal. Apr. 28, 2011); Chambliss v. Carefirst, Inc, 189 F.Supp.3d 564, 572 (D. Md. 2016); Green v. eBay Inc., No. CIV.A. 14-1688, 2015 WL 2066531, at *5 (E.D. La. May 4, 2015); cf. In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 149 (3d Cir. 2015); Adkins v. Facebook, Inc., No. C 18-05982 WHA, 2019 WL 3767455, at *3 (N.D. Cal. Aug. 9, 2019); but see In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *15 (N.D. Cal. May 27, 2016).
Although the SAC, like the First Amended Complaint, does not allege the existence of a legitimate market for Plaintiff's data, the Clifford Declaration does state that such a market exists, pointing to a browser extension that allows users to allow data tracking in exchange for rewards “points.” (Clifford Decl. ¶ 38). Even assuming the existence of such a legitimate market were alleged in the SAC, however, it is not clear how the Wishbone breach would diminish the value of Plaintiff's information. First, it is not clear that the browser extension Clifford describes tracks the same type of data accessed in the Wishbone breach.Second, even assuming that to be the case, it is not clear how or whether Plaintiff's data, a nonrival good, commands a lesser price or fewer “rewards” by dint of having been accessed by hackers in the past. Thus, even assuming that Plaintiff's data does have value, he has not sufficiently alleged that he has been deprived of any such value.
See note 1, above.
IV. Conclusion
For the reasons stated above, Defendant's Motion to Dismiss is GRANTED. Plaintiff's SAC is DISMISSED, with prejudice.
Having concluded that the SAC must be dismissed for lack of standing, the court does not reach Defendant's other arguments.
IT IS SO ORDERED.