Opinion
CV-22-01565-PHX-MTL
10-27-2023
Felicia Durgan, et al., Plaintiffs, v. U-Haul International Incorporated, Defendant.
ORDER
MICHAEL T. LIBURDI, UNITED STATES DISTRICT JUDGE
Plaintiffs are former customers of Defendant U-Haul International Incorporated. As part of the transaction, Plaintiffs provided Defendant with their personal identifiable information (“PII”). During the summer of 2022, Defendant fell victim to a cyber-attack by unknown hackers. The hackers gained access to Plaintiffs' PII. Plaintiffs subsequently sued Defendant, alleging that Defendant failed to take reasonable precautions to protect their PII. (Doc. 33.) Defendant moves to dismiss Plaintiffs' First Amended Consolidated Class Action Complaint (“FAC”). (Doc. 34.) The Court rules as follows.
I. BACKGROUND
Defendant previously moved to dismiss Plaintiffs' Consolidated Class Action Complaint. (Doc. 22.) The Court granted the Motion with respect to all claims except Plaintiffs' claim under the California Consumer Privacy Act (“CCPA”). (Doc. 31 at 27.) It dismissed Plaintiffs' claim under Oregon's Unlawful Trade Practices Act with prejudice, but otherwise granted leave to amend. (Id.) Thereafter, Plaintiffs filed their FAC. (Doc.33.) It asserts claims of negligence, breach of implied contract, and violations of the Arizona Consumer Fraud Act (“ACFA”) and the CCPA. (Id. at ¶¶ 182-255.) Defendant again moves to dismiss all claims. (Doc. 34.)
The Court fully recounted the factual background of the case in that Order. (Doc. 31 at 1-3.) It will not repeat that background here.
II. LEGAL STANDARD
To survive a Rule 12(b)(6) motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.'” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is facially plausible when it contains “factual content that allows the court to draw the reasonable inference” that the moving party is liable. Id. At the pleading stage, a court's duty is to accept all well-pleaded complaint allegations as true. Id. Facts should be viewed “in the light most favorable to the non-moving party.” Faulkner v. ADT Sec. Servs., Inc., 706 F.3d 1017, 1019 (9th Cir. 2013). “[Dismissal] is proper if there is a ‘lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.'” Conservation Force v. Salazar, 646 F.3d 1240, 1242 (9th Cir. 2011) (citation omitted). Generally, when deciding a Rule 12(b)(6) motion, courts shall look only to the face of the complaint and documents attached thereto. Van Buskirk v. Cable News Network, Inc., 284 F.3d 977, 980 (9th Cir. 2002); Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542, 1555 n.19 (9th Cir. 1989).
III. DISCUSSION
A. Negligence
To state a claim for negligence under Arizona law, “a plaintiff must prove: (1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of that standard; (3) a causal connection between the breach and the resulting injury; and (4) actual damages.” CVS Pharmacy, Inc. v. Bostwick ex rel., 251 Ariz. 511, 517 (2021) (quoting Quiroz v. ALCOA Inc., 243 Ariz. 560, 563-64 (2018)). Defendant argues that Plaintiffs fail to allege a cognizable injury and causation. (Doc. 34 at 2-5.) Plaintiffs counter that their alleged injuries are concrete, and they sufficiently allege causation. (Doc. 35 at 2-7.)
1. Cognizable Injury
Plaintiffs rely upon the same allegations of injury that they cited in response to Defendant's first Motion to Dismiss. (Compare Doc. 23 at 2-9 with Doc. 35 at 2-6.) Namely, Plaintiffs allege that they are at an ongoing risk of imminent harm and that they have suffered injury stemming from their reasonable mitigation efforts and the diminution in the value of their PII. (Doc. 35 at 2-6.) Defendant responds that Plaintiffs simply repeat previously rejected arguments that remain unavailing. (Doc. 38 at 1-4.)
i. Risk of Harm
Plaintiffs argue that the theft of their PII is sufficient to demonstrate a credible risk of imminent harm. (Doc. 35 at 3-5.) They do not dispute that the compromised information at issue is limited to names, dates of birth, and driver's license or state identification numbers. (Id.) The Court previously stated that “[w]ithout disclosure of social security number, bank, or credit card information, the Court finds that the PII does not present a clear ability for unscrupulous actors to commit fraud or identity theft.” (Doc. 31 at 6.) Accordingly, it found that Plaintiffs did not allege a risk of imminent harm. (Id.)
Plaintiffs' FAC contains new allegations describing how bad actors may make limited use of the PII. (Doc. 33 ¶¶ 71-89.) For example, Plaintiffs allege that the compromised information may allow the hackers to steal more information using “social engineering.” (Doc. 33 ¶ 73.) The hackers may then develop “Fullz” packages, which consist of bits and pieces of compromised PII. (Id. ¶¶ 74-78.) Additionally, Plaintiffs provide examples of types of fraud that bad actors may commit with a stolen driver's license number. (Id. ¶¶ 81-84.) But courts within the Ninth Circuit have encountered this situation before, and as the Court previously noted, have consistently found that theft of this specific type of PII, while undoubtedly problematic, is insufficient to demonstrate imminent harm. (See Doc. 31 at 4-6 (collecting cases)). Thus, the Court again finds that Plaintiffs fail to allege a cognizable risk of imminent harm.
ii. Plaintiffs' Mitigation Efforts
Plaintiffs argue that their FAC “adequately demonstrates that [they] have experienced concrete, redressable harm from the [d]ata [b]reach in the form of the lost time and out-of-pocket expenses they necessarily incurred in responding to the [d]ata [b]reach.” (Doc. 35 at 5.) For “costs incurred in an effort to mitigate the risk of future harm [to be cognizable], the future harm being mitigated must itself be imminent.” In re Adobe Sys., Inc. Priv. Litig., 66 F.Supp.3d 1197, 1217 (N.D. Cal. 2014); see also Antman v. Uber Techs. Inc., No. 15-cv-01175-LB, 2018 WL 2151231, at *9 (N.D. Cal. May 10, 2018) (stating that “the risk of identity theft must first be real and imminent, and not speculative, before mitigation costs establish injury in fact”) (citations omitted).
For the same reasons that Plaintiffs' allegations of future harm are speculative, Plaintiffs' mitigation expenses surrounding the data breach merely establish conjectural or hypothetical harms. Thus, Plaintiffs' mitigation expenses are similarly speculative. (Doc. 31 at 6); See Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931 (11th Cir. 2020) (reasoning that wasted time and mitigation efforts “necessarily rise[] or fall[] with [the] Court's determination of whether the risk posed . . . is itself a concrete harm”). Moreover, Plaintiffs do not argue that any mitigation efforts or expenses, even if not speculative, were reasonable. See Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 47 (D. Ariz. 2021) (citing In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F.Supp.2d 942, 970 (S.D. Cal. 2014)) (requiring mitigation efforts and expenses to be “reasonable and necessary”). The Court therefore finds that Plaintiffs' mitigation efforts are not cognizable.
iii. Diminution in Value of PII
To successfully show harm arising from diminution in PII's value, a plaintiff must “establish both the existence of a market for her personal information and an impairment of her ability to participate in that market.” Svenson v. Google Inc., No. 13-CV-0480-BLF, 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) (citing In re Google, Inc. Priv. Pol'y Litig., No. 5:12-CV-001382-PSG, 2015 WL 4317479, at *4 (N.D. Cal. July 15, 2015)). Merely alleging that PII has value in general is insufficient. See Pruchnicki, 845 Fed.Appx. at 614-15 (finding no compensable damages where a plaintiff established that personal information may have value in general but “failed to adequately allege that her personal information actually lost value”) (emphasis in original) (citation omitted).
Plaintiffs first allege that the existence of data brokers demonstrates a market for PII. (Doc. 35 at 5-6; Doc. 33 ¶ 98.) They contend that their ability to participate in that market has been impaired because their PII is available on the dark web and no longer rare. (Doc. 35 at 5-6; Doc. 33 ¶ 100.) But Plaintiffs fail to allege that a legitimate market exists for dates of birth or driver's license or state identification numbers. (Doc. 33 ¶ 98.) Their allegation of a general market for PII, but not a market for the specific type of PII at issue here, is insufficient. Pruchnicki, 845 Fed.Appx. at 614-15.
Plaintiffs next allege that a market exists for their PII because consumers derive economic benefit “from being able to use it and control the use of it.” (Doc. 33 ¶ 99.) They allege that their ability to participate in that market has been impaired by the theft of their PII, which has “left [them] to face greater transaction costs or even outright denial of participation in ordinary transactions.” (Doc. 35 at 6; see also Doc. 33 ¶ 99 (“A consumer's ability to use their PII is encumbered when their identity or credit profile is infected by misuse or fraud . . . In this sense, among others, the theft of PII in the [d]ata [b]reach led to a diminution in value of the PII.”).) One court has accepted such allegations. Smallman v. MGM Resorts Int'l, 638 F.Supp.3d 1175, 1191 (D. Nev. 2022) (“[T]he [d]ata [b]reach devalued Plaintiffs' PII by interfering with their fiscal autonomy. Any past and potential future misuse of Plaintiffs' PII impairs their ability to participate in the economic marketplace.”).
The Court finds that there is a market for Plaintiffs' PII because disclosure of that PII is, at times, necessary for their participation in the economic marketplace. In that respect, the Court finds the reasoning of Smallman persuasive. But Plaintiffs have failed to allege that their ability to participate in that market has been impaired. (See Doc. 33 ¶¶ 97-104.) They do not allege that they have actually incurred increased transaction costs or outright denial of participation in ordinary transactions because of any fraud or misuse of their PII. (See id.) The Court is left to guess whether such things will occur. The Court declines to adopt the full reasoning of Smallman, which appears to permit such speculative injury. 638 F.Supp.3d at 1191 (referencing “potential future misuse of Plaintiffs' PII” when discussing diminution in the value of that PII). Accordingly, Plaintiffs' allegedly diminished PII value is not a cognizable injury.
This is evidenced by the fact that Plaintiffs were required to disclose the PII to Defendant as part of the transaction. (Doc. 33 ¶ 99.)
iv. Lost Benefit of the Bargain
Defendant argues that Plaintiffs fail to adequately plead lost benefit of the bargain as a cognizable injury. (Doc. 34 at 4-5.) Plaintiffs do not refute this. (See Doc. 35 at 2-6.) Defendant contends that Plaintiffs have accordingly “conceded the insufficiency of their benefit of the bargain allegations.” (Doc. 38 at 3.) Defendant is correct. “The Court will not manufacture arguments for Plaintiff[s] . . . It is a well-settled principle that by failing to address arguments in an opposition, a party effectively concedes a claim.” Thompson v. Isagenix Int'l LLC., No. CV-18-04559-PHX-SPL, 2020 WL 1432840, *4 (D. Ariz. Mar. 24, 2020) (citing Walsh v. Nev. Dep't of Human Res., 471 F.3d 1033, 1037 (9th Cir. 2006)). Thus, the Court finds that the supposed lost benefit of the bargain does not establish a cognizable injury.
2. Causation
Defendant argues that, while “Plaintiffs now claim that [Defendant] could have prevented the [d]ata [b]reach by undertaking a variety of actions . . . they still fail to explain how those deficiencies ‘led to the alleged harm.'” (Doc. 34 at 5 (quoting Doc. 31 at 10).) Plaintiffs respond that they have plead a connection between Defendant's inadequate security and the subsequent data breach. (Doc. 35 at 6-7; see Doc. 33 ¶¶ 40-44, 54-55.) They are correct. See Griffey, 562 F.Supp.3d at 45. Plaintiffs' allegations concerning Defendant's purported failure to protect the PII directly relate to the hackers' ability to successfully steal the PII. (See Doc. 33 ¶¶ 40-44, 54-55.) This point, however, is inconsequential as Plaintiffs fail to allege a cognizable injury. Accordingly, their negligence claim must be dismissed. See Bostwick ex rel., 251 Ariz. at 517.
B. Breach of Implied Contract
Contracts may be express or implied. See Barmat v. John & Jane Doe Partners A-D, 155 Ariz. 519, 521-22 (1987). “The distinction between an express contract and one implied in fact is that in the former the undertaking is made by words written or spoken, while in the latter conduct rather than words conveys the necessary assent and undertakings.” Id. at 521 (citation omitted). To succeed on a breach of contract claim, “the plaintiff has the burden of proving the existence of the contract, its breach and the resulting damages.” Thomas v. Montelucia Villas, LLC, 232 Ariz. 92, 96 (2013) (quoting Graham v. Asbury, 112 Ariz. 184, 185 (1975)). “For a valid contract to exist, there must have been an offer, acceptance of the offer, consideration, sufficient specification of terms so that the obligations involved can be ascertained, and the parties must have intended to be bound by the agreement.” Day v. LSI Corp., 174 F.Supp.3d 1130, 1153 (D. Ariz. 2016) (citations omitted).
Previously, the Court found that Plaintiffs failed to sufficiently allege the terms of the contract, consideration, and cognizable damages. (Doc. 31 at 10-12.) Defendant contends that Plaintiffs' FAC suffers from these same defects. (Doc. 34 at 5-7; Doc. 38 at 3-4.) Plaintiffs respond that they now adequately allege the existence and breach of the purported implied contract. (Doc. 35 at 7-10.) 1. Terms
Plaintiffs argue that the specific terms of the alleged implied contract are encompassed by Defendant's privacy policy, wherein Defendant represents that it “[u]ses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your [information and our systems.” (Doc. 35 at 8 (quoting Privacy Notice, UHAUL, https://www.uhaul.com/Legal/#Security (last visited Oct. 23, 2023).) Defendant responds that the privacy policy does not promise data security, but to the contrary, expressly notes that “while [Defendant's] Internet-based technology enables it to lower costs and better serve customers, it ‘exposes [Defendant] to various risks including . . . cyber-attacks.'” (Doc. 38 at 3-4 (Privacy Notice, UHAUL, https://www.uhaul.com/Legal/#Security (last visited Oct. 23, 2023).)
The Court previously found that Plaintiffs failed to “specify the alleged promises [Defendant] made to Plaintiffs.” (Doc. 31 at 11.) This is no longer the case. Plaintiffs allege that Defendant, as evidenced by its privacy policy, promised to take commercially reasonable steps to protect their PII. (Doc. 33 ¶ 221.) Defendant's disclaimer that a cyber-attack nonetheless remains possible does not negate their commitment to exercise commercially reasonable precautions. Thus, Plaintiffs adequately allege the terms of the purported implied contract.
2. Consideration
Under Arizona law, “[consideration is defined as bargained for exchange whereby the promisors . . . receive some benefit or the promisee . . . suffers a detriment.” Coup v. Scottsdale Plaza Resort, LLC, 823 F.Supp.2d 931, 943 (D. Ariz. 2011). Plaintiff's contend that they sufficiently allege consideration because they provided Defendant with their PII and Defendant promised to protect their PII. (Doc. 35 at 9.) Plaintiffs assert that they “only provided their PII because Defendant agreed to safeguard and protect their PII” in its privacy policy. (Id.) But Plaintiffs do not allege that they relied upon or read the privacy policy before entering into a business relationship with Defendant. (See Doc. 33 ¶¶ 218-232.) The privacy policy cannot have been part of the Parties' bargained for exchange if Plaintiffs did not rely upon it or were not aware of its existence.
3. Damages
Plaintiffs assert that they allege cognizable damages in the form of lost benefit of the bargain. (Doc. 35 at 7.) They state that “Plaintiffs lost the benefit of their bargain by providing valuable consideration for data security that was not provided.” (Doc. 35 at 7.) But as the Court has already noted, “Plaintiffs' allegations offer nothing to further a claim that [Defendant] promised or agreed to these expectations as part of a bargain. Indeed, it is difficult to imagine that Plaintiffs could provide as much; Plaintiffs purchased and sought physical storage and rental truck services, not data security.” (Doc. 31 at 8) (emphasis added.) In short, Plaintiffs do not allege that data security was part of their bargain. As mentioned, they do not even allege that they were aware of the privacy policy when the bargain was made.
Plaintiffs, as part of their negligence claim, allege that they suffered injury in the form of lost benefit of the bargain. As mentioned, though, they fail to argue in support of that allegation. They allege the same injury here in the context of their breach of implied contract claim. This time, however, they provide brief argument in support of the allegation. (Doc. 35 at 7.) As a result, the Court addresses it on the merits.
Additionally, Plaintiffs incorporate the damages alleged in their negligence claim. (Id.) They are not cognizable for the reasons already discussed in this Order. Because Plaintiffs fail to allege consideration or damages, their breach of implied contract claim must also fail.
C. Arizona Consumer Fraud Act
The ACFA prohibits fraudulent, deceptive, or misleading conduct in connection with the sale of consumer goods and services. A.R.S. § 44-1522(A). “To prevail [on an ACFA claim], a plaintiff must establish that (1) the defendant made a misrepresentation in violation of the Act, and (2) defendant's conduct proximately caused plaintiff to suffer damages.” Cheatham v. ADT Corp., 161 F.Supp.3d 815, 825 (D. Ariz. 2016) (citation omitted). The ACFA provides liability for affirmative misrepresentations and omissions. See Maurer v. Cerkvenik-Anderson Travel, Inc., 181 Ariz. 294, 297 (Ct. App. 1994).
As an initial matter, the Court must determine whether Plaintiffs' claim under the ACFA is subject to the heightened pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure. That rule applies to claims that allege fraud. Fed.R.Civ.P. 9(b); BHPH Capital LLC v. JV Wholesalers, LLC, No. CV-22-00143-PHX-DJH, 2023 WL 5932801, at *2 (D. Ariz. Sept. 12, 2023).
Claims brought under the ACFA sound in fraud because they require the plaintiff to demonstrate a misrepresentation. Cheatham, 161 F.Supp. 3 at 825. Accordingly, Rule 9(b) applies. BHPH Capital, No. CV-22-00143-PHX-DJH, 2023 WL 5932801, at *2. Plaintiffs attempt to avoid this requirement by alleging that Defendant has violated the ACFA not by making a misrepresentation, but by engaging in an unfair practice-namely, “failing to implement and maintain reasonable security measures to protect and secure Plaintiffs' . . . PII in a manner that complied with applicable laws, regulations, and industry standards.” (Doc. 33 ¶ 237.) But to the Court's knowledge, no court within the State of Arizona or the Ninth Circuit has ever held that an unfair practice alone constitutes a violation of the ACFA. This Court and other courts within the Ninth Circuit have consistently held that an ACFA claim must include a false promise or misrepresentation. See, e.g., Garner v. Medicis Pharmaceutical Corp., No. CV-21-00145-PHX-GMS, 2023 WL 6295052, at *2 (D. Ariz. Sept. 27, 2023); Gannon v. Truly Nolen of Am. Inc., No. CV-22-428-TUC-JAS, 2023 WL 6536477, at *4 (D. Ariz. Aug. 31, 2023); Sweidy v. Spring Ridge Academy, No. CV-21-08013-PHX-SPL, 2023 WL 5278680, at *3 (D. Ariz. Aug. 16, 2023); Creech v. Barrett Fin. Grp. LLC, No. CV-22-00871-PHX-SMB, 2023 WL 4847598, at *4 (D. Ariz. July 28, 2023). Arizona courts are in accord. See, e.g., Strojnik v. FlagExpress, LLC, No. 1 CA-CV 21-0074, 2021 WL 5183632, at *2-3 (Ariz.Ct.App. Nov. 9, 2021); Strojnik v. Best Western Int'l Inc., No. 1 CA-CV 22-0036, 2022 WL 7262416, at *2 (Ariz.Ct.App. Oct. 13, 2022). Because Plaintiffs do not allege that Defendant made a false promise or misrepresentation, they do not plead a violation of the ACFA. Thus, their claim must be dismissed.
D. California Consumer Privacy Act
The Court previously declined to dismiss Plaintiffs' claim under the CCPA. (Doc. 31 at 15-16.) Defendant again argues that Plaintiffs fail to adequately plead their claim. (Doc. 34 at 9-10.) Plaintiffs respond that Defendant effectively asks the Court to reconsider its prior decision and should have made that request in a motion for reconsideration. (Doc. 35 at 14.) Because it failed to do so, say Plaintiffs, the Court should reject its argument as procedurally defective. (Id.) Defendant responds that it is not asking the Court to reconsider its prior ruling, but to evaluate Defendant's new arguments which respond to Plaintiffs' FAC. (Doc. 38 at 6.)
Defendant is not, as Plaintiffs characterize, “attempting to file a motion for reconsideration within its motion to dismiss.” (Doc. 35 at 14.) The Court permitted Plaintiffs to amend and refile their complaint, including their allegations that Defendant violated the CCPA. (Doc. 31 at 27.) Plaintiffs took that opportunity. (Compare Doc. 18 ¶¶ 267-79 with Doc. 33 ¶¶ 243-55.) Defendant is permitted to raise new arguments about why that amended claim should be dismissed. Accordingly, the Court will consider the merits of Defendant's arguments.
The CCPA provides a private right of action to consumers whose “personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of [a] business's violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a). To prevail on a CCPA claim, “a plaintiff must allege that his personal information was subject to ‘unauthorized . . . disclosure as a result of a business's failure to implement and maintain reasonable security procedures and practices.” Gershfeld v. Teamviewer US, Inc., No. SACV 21-00058-CJC (ADSx), 2021 WL 3046775, at *2 (C.D. Cal. June 24, 2021), aff'd, No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (internal marks and citation omitted).
The Court previously found “sufficient the Complaint's allegations that [Defendant] could have prevented the [d]ata [b]reach by encrypting Plaintiffs' PII.” (Doc. 31 at 15-16.) Defendant contends that this was inappropriate as “the CCPA applies only to consumers ‘whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access.'” (Doc. 34 at 9 (quoting Cal. Civ. Code § 1798.150(a)(1).) Thus, Defendant argues that “the fact that the data at issue here was unencrypted is already a prerequisite to Plaintiffs' claim; the failure to encrypt information cannot also serve as the alleged unreasonable security practice.” (Id. at 9-10.) Plaintiffs do not dispute Defendant's interpretation of the statutory language but emphasize that the Court did not solely base its earlier decision upon Defendant's failure to encrypt Plaintiffs' PII. (Doc. 35 at 14-15.)
The Court need not determine whether Defendant's interpretation of the CCPA is correct because it finds that Plaintiffs allege a failure to implement reasonable security procedures, notwithstanding Defendant's failure to encrypt the PII. Plaintiffs allege that Defendant should have “destroyed the data it no longer had a reasonable need to maintain or only stored data in an Internet-accessible environment when there was a reasonable need . . . to do so and with proper safeguards.” (Doc. 33 ¶ 57.) Additionally, Plaintiffs identify fourteen cybersecurity best-practices that Defendant should have followed but allegedly did not. (Id. ¶¶ 58-59.) These allegations are sufficient to plead a “violation of the duty to implement and maintain reasonable security procedures and practices” independent of Defendant's failure to encrypt the PII. See Cal. Civ. Code § 1798.150(a).
Defendant also argues that Plaintiffs' CCPA claim must be dismissed because they do not allege a sufficient causal connection between Defendant's purported failure to implement reasonable security procedures and the hackers' ability to exfiltrate the PII. (Doc. 34 at 10.) Not so. Plaintiffs allege that their PII was stolen by hackers employing a phishing scheme. (Doc. 33 ¶ 44.) Defendant's alleged shortcomings directly relate to the hackers' ability to successfully utilize such a scheme. For example, if Defendant had utilized adequate filtering software, the phishing emails would never have reached the employees' inboxes. (Id. ¶ 44.) If Defendant's employees had been adequately trained, the phishing emails, even if they reached the employees' inboxes, would not have been successful. (Id. ¶ 40.) If Defendant had implemented multi-factor authentication, the hackers would not have been able to access Defendant's systems even if the phishing emails had been successful. (Id. ¶ 42.) If Defendant had not stored the PII in an unencrypted form in an internet-accessible system, the hackers would not have been able to access or read it even if they had gained access to Defendant's systems. (Id. ¶¶ 4, 42, 44.) Finally, if Defendant had destroyed the PII when it was no longer in use, much of the PII would not have been stolen regardless of how successful the hackers' scheme was. (Id. ¶ 44.) Thus, the Court will not dismiss Plaintiffs' CCPA claim.
“Phishing is a type of online scam that targets consumers by sending them an e-mail that appears to be from a well-known source - an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying information. Then a scammer uses the information to open new accounts, or invade the consumer's existing accounts.” Phishing Scams,, Federal Trade Commission, https://www.ftc.gov/news-events/topics/identity-theft/phishing-scams (last visited Oct. 19, 2023).
IV. LEAVE TO AMEND
Plaintiffs request leave to amend “to the extent any portion of [Defendant's] Motion is granted.” (Doc. 35 at 17.) District courts “shall grant leave to amend freely ‘when justice so requires.'” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000) (en banc) (quoting Fed.R.Civ.P. 15 (a)). Courts in the Ninth Circuit are to apply this policy “with extreme liberality.” Morongo Band of Mission Indians v. Rose, 893 F.2d 1074, 1079 (9th Cir. 1990). To that end, “a district court should grant leave to amend even if no request to amend the pleading was made . . .” Lacey v. Maricopa Cnty., 693 F.3d 896, 926 (9th Cir. 2012) (internal marks and citation omitted). The Court, however, “may in its discretion deny leave to amend due to undue delay, bad faith or dilatory motive . . ., repeated failure to cure deficiencies . . ., undue prejudice to the opposing party by virtue of the allowance of the amendment, [and] futility of amendment.” Zucco Partners, LLC v. Digimarc Corp., 552 F.3d 981, 1007 (9th Cir. 2009) as amended (Feb. 10, 2009) (internal marks and citation omitted). Absent a “strong showing of any of [these] factors, there exists a presumption under Rule 15(a) in favor of granting leave to amend.” Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003) (emphasis in original).
Having previously granted leave to amend, and considering the factors under Rule 15(a), the Court finds that leave to amend would be futile and unduly prejudicial to Defendant's interests in finality. Plaintiffs had the opportunity to remedy the deficiencies in their Complaint, which the Court specifically identified for them, by pleading additional facts. They did not do so. The only reasonable explanation for this is that those facts do not exist. Zucco Partners, 552 F.3d at 1007 (“The fact that Zucco failed to correct these deficiencies is a strong indication that the plaintiffs have no additional facts to plead.”) (cleaned up); see also Nguyen v. Endologix, Inc., 962 F.3d 405, 420 (9th Cir. 2020). Providing Plaintiffs with a third opportunity is unlikely to change this. Instead, it will prejudice Defendant by needlessly prolonging the litigation. Therefore, the Court will not grant Plaintiffs leave to amend. Anderson v. Peregrine Pharmaceuticals, Inc., 654 Fed.Appx. 281, 282 (9th Cir. 2016) (quoting Zuco Partners, 552 F.3d at 1007) (noting that where “‘the plaintiff has previously been granted leave to amend and has subsequently failed to add the requisite particularity to its claims, the district court's discretion to deny leave to amend is particularly broad'”).
V. CONCLUSION
Accordingly, IT IS ORDERED granting in part and denying in part Defendant U-Haul International Incorporated's Motion to Dismiss (Doc. 34).
IT IS FURTHER ORDERED that Plaintiffs' claims for negligence, breach of implied contract, and violation of the Arizona Consumer Fraud Act are dismissed with prejudice.
IT IS FINALLY ORDERED that the Motion is denied in all other respects.