
Damner v. Facebook Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
Dec 31, 2020
Case No. 20-cv-05177-JCS (N.D. Cal. Dec. 31, 2020)

Opinion

LELAND DAMNER, Plaintiff, v. FACEBOOK INC., Defendant.


ORDER GRANTING MOTION TO DISMISS FIRST AMENDED COMPLAINT AND DISMISSING WITH LEAVE TO AMEND

Re: Dkt. No. 28

I. INTRODUCTION

Plaintiff Leland Damner, pro se, brings this action against Defendant Facebook Inc. ("Facebook") based on allegations that his Facebook account was hacked, causing him to lose access to and control over his account, and that Facebook has refused to assist him in restoring access to the account. Presently before the Court is Facebook's Motion to Dismiss First Amended Complaint ("Motion"). The Court finds that the Motion is suitable for determination without a hearing and therefore vacates the Motion hearing scheduled for January 8, 2021 pursuant to Civil Local Rule 7-1(b). The Initial Case Management Conference set for the same date will be continued to April 2, 2021 at 2:00 p.m. For the reasons stated below, the Motion is GRANTED.

The parties have consented to the jurisdiction of the undersigned magistrate judge pursuant to 28 U.S.C. § 636(c).

II. BACKGROUND

A. Procedural Background

On May 11, 2020, Plaintiff filed this action in the District of Arizona, asserting five causes of action: (1) violation of the Stored Communications Act ("SCA"), 18 U.S.C. § 2701(a); (2) violation of the SCA, 18 U.S.C. § 2702(a); (3) intrusion upon seclusion; (4) negligence; and (5) breach of written contract. Facebook filed a motion to dismiss, or, in the alternative, a motion to transfer venue. Dkt. No. 9. Plaintiff stipulated to Facebook's request to transfer the action to the Northern District of California and the case was transferred to this Court. See Dkt. Nos. 17, 18. With the exception of the request to transfer, the Arizona District Court denied Facebook's motion to dismiss without prejudice. After the case was transferred to this Court, the parties stipulated to the filing of the First Amended Complaint ("FAC"). Dkt. No. 23. The FAC includes the five initial causes of action and three new ones: (6) breach of the implied covenant of good faith and fair dealing; (7) violation of Cal. Civ. Code § 1798.29; and (8) fraudulent and negligent misrepresentation. FAC ¶¶ 42-58.

B. Allegations in the First Amended Complaint

"Facebook operates a social networking website which allows its users to interact and communicate with other individuals." FAC ¶ 6. According to Plaintiff, each of Facebook's "billions of users" regularly record into their Facebook profiles a "virtual tsunami of private information." Id. ¶ 7. Plaintiff alleges that "[a] vital feature of the viral spread of Facebook is the appearance of control users have over their sensitive information" based on Facebook's privacy settings. Id. ¶ 8. Because of these privacy settings, users "reasonably expect [u]ser information will only be accessible to the extent they authorize such access." Id. ¶ 9. Plaintiff alleges that "[p]rivacy is very important to Facebook users" and that its CEO, Mark Zuckerberg "has publicly acknowledged that people share on Facebook because they 'know their privacy is going to be protected.'" Id.

"Facebook sets forth its data security policy in a Statement of Rights and Responsibilities and in a separate Data Policy." Id. ¶ 10. According to Plaintiff, the "opening line" of the Statement of Rights and Responsibilities ("SRR") states as follows:

1. Privacy
Your privacy is very important to us. We designed our Data Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Data Policy, and to use it to help you make informed decisions.

2. Sharing Your Content and Information
You own all the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.
Id. ¶ 11. Plaintiff alleges that "[i]n order to register as [a user] of Facebook, [he] was required to, and did, affirmatively assent to its Terms and Conditions and Privacy Policy." Id. ¶ 35.

Plaintiff alleges that he "relied on Facebook's promises to secure his data" and provided his "valuable personal data." Id. ¶ 13. He further alleges that on April 20, 2020, his Facebook account was "hacked by an unknown source." Id. ¶ 15. Plaintiff alleges that someone, unknown to him still today, "has control over Plaintiff's Facebook account and is sending messages to other users demanding money." Id. at ¶ 18. According to the FAC, this unknown hacker has "changed Plaintiff's password and other credentials, so Plaintiff is effectively locked out of his account." Id. Plaintiff alleges that when he learned his account had been hacked he called Facebook and sent messages and emails to Facebook employees seeking assistance in restoring access to his account but that he received no response. Id. at ¶¶ 16, 17. According to Plaintiff, Facebook is on notice of the problem but will not "properly assist" him in recovering his account from the hacker. Id. ¶ 19.

C. Facebook's Statement of Rights and Responsibilities

The Court considers the contents of the SRR under the doctrine of incorporation by reference, which allows courts to consider on a Rule 12(b)(6) "documents whose contents are alleged in the complaint." See Swartz v. KPMG LLP, 476 F.3d 756, 763 (9th Cir. 2007) ("in order to '[p]revent[ ] plaintiffs from surviving a Rule 12(b)(6) motion by deliberately omitting . . . documents upon which their claims are based,' a court may consider a writing referenced in a complaint but not explicitly incorporated therein if the complaint relies on the document and its authenticity is unquestioned.") (citation omitted). Here, Plaintiff repeatedly invokes the terms of the SRR in support of his claims and he has not disputed the authenticity of the copy of the SRR attached to the Pricer Declaration, which was filed in support of Facebook's Motion.

The SRR states that it is Facebook's "terms of service that governs [its] relationship with users[.]" Pricer Decl., Ex. A (SRR), Preamble. In addition to the language quoted in Plaintiff's FAC, reproduced above, the SRR contains the following provisions:

• "We do our best to keep Facebook safe, but we cannot guarantee it." Id. § 3.

• "We are not responsible for the conduct, whether online or offline, of any user of Facebook." Id. § 15.2.
• "WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK. WE ARE PROVIDING FACEBOOK AS IS WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT FACEBOOK WILL ALWAYS BE SAFE, SECURE OR ERROR-FREE OR THAT FACEBOOK WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS OR IMPERFECTIONS. FACEBOOK IS NOT RESPONSIBLE FOR THE ACTIONS, CONTENT, INFORMATION, OR DATA OF THIRD PARTIES, AND YOU RELEASE US, OUR DIRECTORS, OFFICERS, EMPLOYEES, AND AGENTS FROM ANY CLAIMS AND DAMAGES, KNOWN AND UNKNOWN, ARISING OUT OF OR IN ANY WAY CONNECTED WITH ANY CLAIM YOU HAVE AGAINST ANY SUCH THIRD PARTIES. . . ." Id. § 15.3 (capitalization in original).

D. The SCA

"Enacted in 1986 as Section II of the Electronic Communications Protection Act ("ECPA"), the SCA creates criminal and civil liability for certain unauthorized access to stored communications and records." In re iPhone Applic. Litig., 844 F.Supp.2d 1040, 1056-57 (N.D. Cal. 2012). Section 2701(a) makes it an offense for anyone to "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system . . . ." 18 U.S.C. § 2701; see also 18 U.S.C. § 2707(a) (creating private right of action for violations of SCA). There is an exception, however, for "conduct authorized . . . by the person or entity providing a wire or electronic communications service[.]" 18 U.S.C. § 2701(c)(1).

Section 2702(a) provides as follows:

(a) Prohibitions.--Except as provided in subsection (b) or (c)—

(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

(2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service-

(A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of such service;
(B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and

(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.
18 U.S.C. § 2702(a).

E. The Motion

In the Motion, Facebook contends all of Plaintiff's claims fail as a matter of law and therefore must be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure. With respect to Plaintiff's claim under § 2701(a), Facebook argues that the claim fails because it is exempt under § 2701(c). In any event, it argues, Plaintiff has not alleged any facts showing unauthorized access by Facebook and cannot do so because Facebook cannot hack its own server, as a matter of common sense. Likewise, Facebook asserts, Plaintiff has not alleged any facts that would establish unlawful intent on Facebook's part. Facebook argues that the claim under § 2702(a) also fails because Plaintiff has not plausibly alleged that Facebook "knowingly divulge[d]" his private information. According to Facebook, "[a]n alleged failure to take steps to protect information in the event of a hack, even if true, does not constitute 'knowingly divulg[ing]' information under the SCA." Motion at 8.

Facebook argues that if the Court dismisses the SCA claims it should decline to exercise supplemental jurisdiction over the state law claims but that if it retains jurisdiction, those claims are inadequately pled as well. With respect to the breach of contract claim, Facebook contends the terms of the SRR contradict Plaintiff's allegations as to the nature of the agreement he contends was breached. Similarly, the SRR defeats his claim for breach of the covenant of good faith and fair dealing, which cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of the agreement. According to Facebook, Plaintiff has "not identified a contractual term that Facebook has violated, nor can Plaintiff tie any conduct by Facebook - as opposed to an unknown hacker - to a violation of either the language or the spirit of the SRR." Id. at 11.

Facebook argues that Plaintiff's negligence claim fails because it is based on the existence of a duty to safeguard his personal information, which is contradicted by the terms of the SRR. It further contends Plaintiff has failed to allege with any specificity how Facebook breached such a duty even if there is one. "The FAC does not, for example, allege how the hack was plausibly caused by any alleged action or inaction by Facebook." Id. at 13.

Facebook challenges Plaintiff's claims for negligent and fraudulent misrepresentation on the grounds that Plaintiff does not plead the existence of any actionable misrepresentation with particularity. With respect to the statement by Mark Zuckerberg that users "engage and share their content and feel free to connect because they know their privacy is going to be protected[,]" see FAC ¶ 54, Facebook argues that "Plaintiff lacks any basis to allege that statement was a misrepresentation" because "[t]he FAC explicitly states that the alleged hack was entirely the action of an unknown third-party and not any action in Facebook's control." Motion at 14 (citing FAC ¶ 15). Nor can Plaintiff plausibly allege he relied on Zuckerberg's statement, Facebook contends, given the vagueness of Zuckerberg's statement and the specific statements in the SRR "in which Facebook foreswears any responsibility for the actions of third parties and emphasizes that Facebook cannot guarantee its platform will be safe." Id. (citing Pricer Decl., Ex. A (SRR) §§ 3, 15.3). According to Facebook, the fraudulent misrepresentation claim fails for the additional reason that it is subject to the heightened pleading standard of Rule 9(b) of the Federal Rules of Civil Procedure, which Plaintiff has not satisfied. Finally, it argues that the negligent misrepresentation claim fails because such a claim can be based only on misrepresentations about "past or existing facts, not future promises." Id. at 15.

Facebook argues that Plaintiff's claim for intrusion on seclusion fails because Plaintiff "fails to allege that Facebook - as opposed to the hacker - intruded on Plaintiff's privacy." Moreover, Facebook asserts, "the SRR specifies that Plaintiff 'release[s] [Facebook] . . . from any claims and damages, known and unknown, arising out of or in any way connected with any claim you have against any such third parties.'" Id. at 16 (citing Pricer Decl. Ex. A (SRR), § 15.3).

Finally, Facebook argues that Plaintiff cannot state a claim under Cal. Civ. Code section 1798.29 because that provision applies only to state agencies.

III. ANALYSIS

A. Legal Standards Under Rule 12(b)(6)

A complaint may be dismissed for failure to state a claim on which relief can be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure. "The purpose of a motion to dismiss under Rule 12(b)(6) is to test the legal sufficiency of the complaint." N. Star Int'l v. Ariz. Corp. Comm'n, 720 F.2d 578, 581 (9th Cir. 1983). Generally, a claimant's burden at the pleading stage is relatively light. Rule 8(a) of the Federal Rules of Civil Procedure states that a "pleading which sets forth a claim for relief . . . shall contain . . . a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a).

In ruling on a motion to dismiss under Rule 12(b)(6), the court takes "all allegations of material fact as true and construe[s] them in the light most favorable to the non-moving party." Parks Sch. of Bus., 51 F.3d at 1484. Dismissal may be based on a lack of a cognizable legal theory or on the absence of facts that would support a valid theory. Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). A pleading must "contain either direct or inferential allegations respecting all the material elements necessary to sustain recovery under some viable legal theory." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 562 (2007) (citing Car Carriers, Inc. v. Ford Motor Co., 745 F.2d 1101, 1106 (7th Cir. 1984)). "A pleading that offers 'labels and conclusions' or 'a formulaic recitation of the elements of a cause of action will not do.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 555). "[C]ourts 'are not bound to accept as true a legal conclusion couched as a factual allegation.'" Twombly, 550 U.S. at 555 (quoting Papasan v. Allain, 478 U.S. 265, 286 (1986)). "Nor does a complaint suffice if it tenders 'naked assertion[s]' devoid of 'further factual enhancement.'" Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557). Rather, the claim must be "'plausible on its face,'" meaning that the claimant must plead sufficient factual allegations to "allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (quoting Twombly, 550 U.S. at 570).

B. SCA Claims

The SCA has a "narrow scope[;]" it "'is not a catch-all statute designed to protect the privacy of stored Internet communications.'" In re Google, Inc. Privacy Policy Litig., No. C-12-01382-PSG, 2013 WL 6248499, at *12 (N.D. Cal. Dec. 3, 2013) (quoting Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1214 (2004)). Thus, Section 2701(a) makes it an offense to access an account only if it is "without authorization." Moreover, Section 2701(c) exempts conduct "by the person or entity providing a wire or electronic communications service."

Plaintiff asserts a claim under § 2701(a) based on the allegation that Facebook "intentionally refused to take the necessary steps and dedicate[ ] resources to restore Plaintiff's account" after it was hacked. FAC ¶ 24. Yet Plaintiff has not alleged any access to Plaintiff's account by Facebook (as opposed to the alleged third-party hacker) that was without authorization. See In re Google, Inc. Privacy Policy Litig., No. C-12-01382-PSG, 2013 WL 6248499, at *12 (N.D. Cal. Dec. 3, 2013) (dismissing § 2701(a) claim on the pleadings on the basis that "[w]hatever the propriety of Google's actions, it plainly authorized actions that it took itself."); Svenson v. Google Inc., 65 F. Supp. 3d 717, 726 (N.D. Cal. 2014) (dismissing § 2701(a) claim on the pleadings where "[i]t appear[ed] from the face of the complaint that the 'facility' in question was Defendants' own servers" and the plaintiff did "not allege any facts suggesting that Defendants were not authorized to access their own servers as required under § 2701(a)."). Further, the exception in subsection (c) clearly applies to the alleged actions and/or inaction on Facebook's part with respect to the protection of Plaintiff's personal information and its efforts to restore Plaintiff's access to his account. Therefore, Plaintiff's claim under Section 2701(a) fails to state a claim.

Plaintiff's second SCA claim, asserted under § 2702(a), is based on the allegation that Facebook "unlawfully divulge[ed] the contents of Plaintiff's communications to third parties, including but not limited to whomever the hacker is sending communications or information to while logged in to Plaintiff's account." FAC ¶ 24. This claim fails because Plaintiff must allege facts establishing that Facebook knowingly divulged the contents of Plaintiff's communications in order to state a claim under § 2702(a). While the SCA does not define the term "knowingly[,]" courts that have addressed the meaning of the term have looked to the following definition, found in the legislative history:

The term knowingly means that the Defendant was aware of the nature of the conduct, aware of or possessing a firm belief in the existence of the requisite circumstances and an awareness of or a firm belief about the substantial certainty of the result.
Muskovich v. Crowell, No. CIV. 3-95-CV-20007, 1996 WL 707008, at *4 (S.D. Iowa Aug. 30, 1996) (quoting H.R. Rep. No. 647, 99th Cong., 2nd Sess. at 64 (1986) (emphasis added in Muskovich)).

In Muskovich, an employee of the defendant company made harassing anonymous calls to the plaintiff, having obtained her unlisted telephone number from company records. 1996 WL 707008, at *1. The plaintiff alleged that the defendant violated § 2702(a) by failing to implement adequate safety procedures to protect her private information and that the defendant "knew or should have known" that the lack of safeguards would lead to the disclosure of her telephone number. Id. at *3. The Court disagreed, holding that it was not enough that the defendant may have been "aware of the possibility that an employee could obtain such information[.]" Id. at *4-5. Relying on the definition of "knowingly" quoted above, the court reasoned that "[a]wareness of a 'possibility' does not rise to the level of awareness of a 'substantial certainty' required for liability" under § 2702(a). Id. Similarly, in Worix v. MedAssets, Inc., the court dismissed an SCA claim in a data breach case because "the failure to take reasonable steps to safeguard data does not, without more, amount to divulging that data knowingly." 857 F. Supp. 2d 699, 703 (N.D. Ill. 2012); see also In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *42 (N.D. Cal. Aug. 30, 2017) (noting that the court was not aware of any court in the Ninth Circuit that had addressed the scope of the term "knowingly" in 18 U.S.C. § 2702 and holding based on, inter alia, Worix and Muskovich, that the plaintiffs could not state claims under the SCA "simply because a defendant failed to prevent a data breach.").

The Court finds the reasoning of Worix and Muskovich to be persuasive and therefore concludes that Plaintiff's allegations are not sufficient to raise a plausible inference that Facebook "knowingly divulged" any communication in violation of § 2702(a). In particular, no facts are alleged in the FAC that would establish that Facebook knew with substantial certainty that its allegedly insufficient efforts to safeguard Plaintiff's account or restore access to it would result in Plaintiff's communications being divulged by a third-party hacker.

For these reasons, the Court concludes that Plaintiff has failed to allege any viable claim under the SCA.

C. State Law Claims

1. Intrusion on Seclusion

Plaintiff asserts a claim for intrusion on seclusion based on the allegations that he input his private information into his Facebook account because Facebook's privacy settings gave him a false sense of security as to who would be able to access this information. FAC ¶¶ 29-30. These allegations are not sufficient to state a claim for intrusion on seclusion under California law.

Under California law, an action for intrusion on seclusion "has two elements: (1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person." Shulman v. Grp. W Prods., Inc., 18 Cal. 4th 200, 231 (1998), as modified on denial of reh'g (July 29, 1998). Under the first element, courts consider whether the defendant "'intentionally intrude[d], physically or otherwise, upon the solitude or seclusion of another,' that is, into a place or conversation private to [the defendant]." Id. (citing Rest.2d Torts, § 652B; Miller v. Nat'l Broad. Co., 187 Cal. App. 3d 1463, 1482 (1986)). Plaintiff has pointed to no authority that suggests that failure to take adequate measures to protect against the intentional intrusion of a third party satisfies the first element of a claim for intrusion on seclusion and the Court has found none. Further, Plaintiff cannot base his claim against Facebook on the actions of the third party who allegedly hacked his account because Plaintiff alleges in the FAC that he agreed to the terms of service in the SRR, which releases Facebook from any liability based on the actions of third parties. See FAC ¶ 35; Marder v. Lopez, 450 F.3d 445, 448 (9th Cir. 2006) (dismissing claims under Rule 12(b)(6) based on release that was referenced in the complaint and that the court treated as part of the complaint). Therefore, the Court concludes that Plaintiff has failed to state a claim for intrusion on seclusion against Facebook based on the allegations in the FAC.

In paragraph 35 of the FAC, Plaintiff refers to Facebook's "Terms and Conditions and Privacy Policy[,]" which he calls "the Agreement." Based on the language he quotes from the "Agreement," see FAC ¶ 38, the Court concludes that Plaintiff is referring to the SRR.

The Court notes that Plaintiff did not respond to Facebook's arguments challenging this claim and did not dispute that the release contained in the SRR bars his claim to the extent it is based on the conduct of the hacker.

2. Negligence

Plaintiff asserts a claim for negligence based on the allegation that Facebook breached a duty to Plaintiff to "exercise reasonable care in safeguarding and protecting" his personal information by failing to "maintain[ ] and test[ ] Facebook's security systems and tak[e] other reasonable security measures to protect and adequately secure the personal data of Plaintiff from unauthorized access and use." FAC ¶ 32. In order to state a claim for negligence, a plaintiff must allege that: (1) the defendant has a legal duty to use due care; (2) the defendant breached such legal duty; (3) the defendant's breach was the proximate or legal cause of the resulting injury; and (4) there was resulting damage to the plaintiff. Ladd v. County of San Mateo, 12 Cal.4th 913, 917 (1996). "The existence of a duty of care is a question of law to be determined by the court alone." Camp v. State of California, 184 Cal. App. 4th 967, 975 (2010) (citing Ballard v. Uribe, 41 Cal.3d 564, 572, fn. 6 (1986)). Here, Plaintiff's allegation that Facebook owed him a duty of care to keep his personal information safe is contradicted by the terms of the SRR, which expressly disclaim such a duty. See Pricer Decl. Ex. A (SRR), §§ 3, 15.3; Young v. Facebook, Inc., No. 5:10-CV-03579-JF/PVT, 2010 WL 4269304, at *5 (N.D. Cal. Oct. 25, 2010) (dismissing negligence claim against Facebook based on allegation that Facebook owed the plaintiff a duty "to use due care when hiring and training personnel to monitor and enforce website activity according to their outlined contractual agreement" because "the Statement of Rights and Responsibilities expressly disclaims any duty to provide for the safety of Facebook users."). Therefore, the Court finds that Plaintiff fails to state a claim for negligence.

3. Breach of Contract

Plaintiff alleges that the SRR was a binding agreement between Plaintiff and Facebook under which Plaintiff "transmitted sensitive personal information . . . to Facebook in exchange for use of Facebook and Facebook's promise that it would not share that personal information with third parties, including hackers." FAC ¶ 37. He asserts a breach of contract claim on the basis that Facebook allegedly failed to safeguard his sensitive personal information as promised. Id. ¶ 40. In particular, he alleges that Facebook failed to keep its promise to keep Facebook safe and bug-free. Id. ¶ 41 (quoting SRR §§ 3, 15). Plaintiff fails to state a viable claim for breach of contract, however, because he does not point to any specific provision that was breached. See Frances T. v. Vill. Green Owners Assn., 42 Cal. 3d 490, 512-13 (1986) (dismissing breach of contract claim because the plaintiff did not point to any provision in the alleged agreement that imposed the obligation that was allegedly breached).

Plaintiff quotes incomplete phrases from Sections 3 and 15 of the SRR in support of his breach of contract claim but those sections do not, when read in their entirety, constitute promises to safeguard Plaintiff's private information. In particular, Section 3 states "We do our best to keep Facebook safe, but we cannot guarantee it." Pricer Decl., Ex. A (SRR) § 3 (emphasis added). Likewise, Section 15 states, "WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK." Id. § 15 (emphasis added). The section goes on to state that Facebook is being provided "AS IS," that Facebook does not "GUARANTEE THAT FACEBOOK WILL ALWAYS BE SAFE, SECURE OR ERROR-FREE OR THAT FACEBOOK WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS OR IMPERFECTIONS[,]" and that Facebook is not responsible for the actions of third parties. Id. In other words, the SRR makes clear that Facebook did not promise to safeguard Plaintiff's private information. Therefore, the FAC does not allege a valid claim for breach of contract.

4. Breach of Implied Covenant of Good Faith and Fair Dealing

Plaintiff's claim for breach of implied covenant of good faith and fair dealing also fails to state a claim. "Every contract imposes on each party a duty of good faith and fair dealing in each performance and in its enforcement." Careau & Co. v. Sec. Pac. Bus. Credit, Inc., 222 Cal. App. 3d 1371, 1393 (1990), as modified on denial of reh'g (Oct. 31, 2001) (citing Rest.2d, Contracts, § 205; Egan v. Mutual of Omaha Ins. Co. 24 Cal.3d 809, 818, 169 (1979); Seaman's Direct Buying Service, Inc. v. Standard Oil Co., 36 Cal.3d 752, 768 (1984)). This duty requires that neither party "will do anything which will injure the right of the other to receive the benefits of the agreement." Id. (internal quotations and citations omitted). On the other hand, "[t]he covenant 'cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of their agreement.'" Appling v. State Farm Mut. Auto. Ins. Co., 340 F.3d 769, 779 (9th Cir. 2003) (quoting Guz v. Bechtel Nat. Inc., 24 Cal. 4th 317, 350 (2000)).

Plaintiff asserts his claim for breach of the implied covenant based on the allegations that "Facebook is on notice that Plaintiff's user account has been taken over[,] Facebook has a duty to assist Plaintiff in thwarting the hack and recovering the account. Facebook will not properly [do] so." FAC ¶ 45. According to Plaintiff, "Facebook's conduct demonstrates a failure or refusal to discharge contractual responsibilities including its duty to do its best to keep Facebook safe." Id. ¶ 46. As discussed above, however, Plaintiff has not pointed to any contractual obligation on Facebook's part to keep Facebook safe; rather, the SRR disavows such an obligation. As a claim for breach of the covenant of good faith cannot impose substantive duties not found in the underlying contract, Plaintiff fails to state a claim.

5. Cal. Civ. Code § 1798.29

In the FAC, Plaintiff asserts a claim under Cal. Civ. Code § 1798.29 based on the allegation that "Facebook intentionally refused to take the necessary steps and dedicated resources to restore Plaintiff's account." Section 1798.29 is a provision of the Information Practices Act of 1977 and applies to state agencies; it does not apply to private businesses. See Cal. Civ. Code § 1798.45 (allowing individuals to "bring a civil action against an agency" when the agency does not comply with relevant provisions of the Act). Because Facebook is not a state agency, this claim fails as a matter of law.

In his Opposition, Plaintiff did not respond to Facebook's challenge on this basis, implicitly conceding that the provision does not apply to Facebook.

6. Fraudulent and Negligent Misrepresentation

Plaintiff brings claims for negligent and fraudulent misrepresentation based on alleged misrepresentations by Facebook that his privacy would be protected. FAC ¶ 54. His allegations fall short as to both claims.

To state a claim for fraudulent misrepresentation, a plaintiff must allege:

(1) the defendant represented to the plaintiff that an important fact was true; (2) that representation was false; (3) the defendant knew that the representation was false when the defendant made it, or the defendant made the representation recklessly and without regard for its truth; (4) the defendant intended that the plaintiff rely on the representation; (5) the plaintiff reasonably relied on the representation; (6) the plaintiff was harmed; and (7) the plaintiff's reliance on the defendant's representation was a substantial factor in causing that harm to the plaintiff.
Graham v. Bank of Am., N.A., 226 Cal. App. 4th 594, 605-06 (2014) (internal quotation marks and citation omitted). A claim for fraudulent misrepresentation is subject to the heightened pleading standard of Rule 9(b) of the Federal Rules of Civil Procedure, which requires that "[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake." Broge v. ALN Int'l, Inc., No. 17-CV-07131-BLF, 2018 WL 6308194, at *5 (N.D. Cal. Dec. 3, 2018). "In order to satisfy this heightened pleading standard, a plaintiff must provide 'an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations.'" Id. (quoting Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (internal quotation marks and citation omitted); and citing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003) ("Averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged." (internal quotation marks and citation omitted))).

To state a claim for negligent misrepresentation, a plaintiff must allege the defendant:

(1) asserted a material fact, (2) which was untrue, (3) without a reasonable grounds for believing it to be true, (4) with the intent that plaintiff would rely upon the assertion, (5) that the plaintiff justifiably relied upon the representation, and (6) as a result was harmed.
First Am. Specialty Ins. Co. v. Carmax Auto Superstores California, LLC, No. C 16-05951-WHA, 2017 WL 5235646, at *4 (N.D. Cal. Nov. 10, 2017) (citing OCM Principal Opportunities Fund v. CIBC World Markets Corp., 157 Cal. App. 4th 835, 845 (2007), as modified (Dec. 26, 2007)).

Plaintiff's misrepresentation claims fail because he does not plausibly allege - much less allege with particularity - any misleading statements that his privacy would be protected. The only specific statement alleged in the FAC in support of this claim is one by Facebook CEO Mark Zuckerberg that users "engage and share their content and feel free to connect because they know their privacy is going to be protected." FAC ¶ 54. This vague statement is not a representation of material fact about Facebook's commitment to protecting users' privacy. Even if it were, however, Plaintiff has not alleged facts showing "justifiable" or "reasonable" reliance on the statement given that Facebook expressly warns users in the SRR, to which Plaintiff agreed, that it does not protect users' safety or take responsibility for the actions of third parties. Therefore, Plaintiff fails to state a claim for negligent or fraudulent misrepresentation.

IV. CONCLUSION

For the reasons discussed above, the Motion is GRANTED and Plaintiff's claims are dismissed. While it is not clear from his opposition brief that Plaintiff will be able to cure the defects identified herein, in light of his pro se status the Court will allow Plaintiff to amend his complaint to address the deficiencies in pleading as to his existing claims. Plaintiff's Second Amended Complaint shall be filed no later than February 1, 2021.

IT IS SO ORDERED. Dated: December 31, 2020

/s/_________

JOSEPH C. SPERO

Chief Magistrate Judge

