Opinion
CV-22-00932-PHX-JJT
12-09-2022
John Feins, Plaintiff, v. Goldwater Bank NA, Defendant.
ORDER
HONORABLE JOHN J. TUCHI UNITED STATES DISTRICT JUDGE
At issue is Defendant Goldwater Bank, N.A.'s Motion to Dismiss Plaintiff's Amended Complaint (Doc. 16, Mot.), to which Plaintiff John Feins filed a Response (Doc. 20, Resp.) and Defendant filed a Reply (Doc. 21, Reply). At the Court's request, the parties also submitted supplemental briefs (Docs. 23, 24). No party requested oral argument, and the Court will resolve the Motion without oral argument. LRCiv 7.2(f).
I. BACKGROUND
In the Amended Class Action Complaint for Damages, Injunctive, and Equitable Relief (Doc. 15, Am. Compl.), Plaintiff alleges the following facts. Plaintiff-a citizen and resident of New Mexico-was a customer of Defendant-an Arizona bank with its principal office in Arizona. (Am. Compl. ¶¶ 17, 19, 24.) In May 2021, Defendant experienced “an attempted ransomware attack” by hackers (“Data Breach”), and, around November 2021, Defendant notified customers, including Plaintiff, who were potentially affected by the incident. (Am. Compl. ¶¶ 30, 35.) Defendant acknowledged the compromise of sensitive consumer information in the Data Breach. (Am. Compl. ¶ 31.) Specifically, the hackers accessed information containing customers' Personally Identifiable Information (“PII”), including names, addresses, telephone numbers, Social Security numbers, account numbers, and tax identification numbers. (Am. Compl. ¶ 33.) After an investigation, Defendant reported that the Data Breach compromised the PII of 11,376 individuals. (Am. Compl. ¶ 38.) In the November 2021 notification letter, Defendant offered twelve months of identity monitoring services to its customers. (Am. Compl. ¶ 67.)
In December 2021, Wells Fargo Bank notified Plaintiff that a fraudulent account was opened in his name, which Plaintiff links to the compromise of his PII in the Data Breach suffered by Defendant. (Am. Compl. ¶ 89.) Plaintiff claims he has experienced an increase in phishing attempts on his email, has spent considerable time on issues related to the Data Breach, and anticipates spending more time and money to mitigate and address harms caused by the Data Breach. (Am. Compl. ¶¶ 92-99.)
On behalf of himself and a putative nationwide class, Plaintiff now raises four state law claims against Defendant as a result of the Data Breach: (1) negligence; (2) invasion of privacy; (3) breach of implied contract; (4) unjust enrichment. (Am. Compl. ¶¶ 16, 100.) Plaintiff also raises a fifth claim on behalf of a putative subclass of New Mexico plaintiffs: violations of the New Mexico Unfair Trade Practices Act. (Am. Compl. ¶¶ 16, 100.) Defendant has now filed a Motion to Dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).
II. LEGAL STANDARD
Rule 12(b)(6) is designed to “test[] the legal sufficiency of a claim.” Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). A dismissal under Rule 12(b)(6) for failure to state a claim can be based on either: (1) the lack of a cognizable legal theory; or (2) the absence of sufficient factual allegations to support a cognizable legal theory. Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). When analyzing a complaint for failure to state a claim, the well-pled factual allegations are taken as true and construed in the light most favorable to the nonmoving party. Cousins v. Lockyer, 568 F.3d 1063, 1067 (9th Cir. 2009). A plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id.
“While a complaint attacked by a Rule 12(b)(6) motion does not need detailed factual allegations, a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (cleaned up and citations omitted). Legal conclusions couched as factual allegations are not entitled to the assumption of truth and therefore are insufficient to defeat a motion to dismiss for failure to state a claim. Iqbal, 556 U.S. at 679-80. However, “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that ‘recovery is very remote and unlikely.'” Twombly, 550 U.S. at 556 (quoting Scheuer v. Rhodes, 416 U.S. 232, 236 (1974)).
III. ANALYSIS
A. Choice of Law
To begin with, in their initial briefs, both parties cited legal authority principally from outside Arizona and neither party engaged in a choice of law analysis under Arizona law. See Patton v. Cox, 276 F.3d 493, 495 (9th Cir. 2002) (stating that a federal court sitting in diversity must apply the forum state's choice of law rules to determine the controlling substantive law). The starting point of any examination as to whether Plaintiff has stated a claim is to determine (and support by way of sufficient analysis) the applicable substantive state law-whether that is Arizona law, New Mexico law, or some other law-or show there is no meaningful difference. The determination must be made through analysis on a claim-by-claim basis, see Keene Corp. v. Ins. Co. of N. Am., 597 F.Supp. 934, 941 (D.D.C. 1984), and the parties cannot simply stipulate to the applicable state law without showing it is the appropriate one under the applicable choice of law rules, see, e.g., Phillips Petroleum Co. v. Shutts, 472 U.S. 797, 821 (1985). The Court therefore ordered a supplemental brief from each party addressing the choice of law for each of Plaintiff's claims (Doc. 22), which the parties timely filed (Docs. 23, 24).
Plaintiff brings this case as a putative class action. As the Court noted in its prior Order (Doc. 22), if this case proceeds to class certification, Plaintiff will then have the burden under Federal Rule of Civil Procedure 23 to conduct a choice of law analysis for each surviving claim involving the home states of Defendant and all the class action Plaintiffs; in other words, Plaintiff will be required to show that common questions of law predominate and “cannot meet this burden when the various laws have not been identified and compared.” Gariety v. Grant Thornton, LLP, 368 F.3d 356, 370 (4th Cir. 2004); see also Cole v. Gen. Motors Corp., 484 F.3d 717, 725 (5th Cir. 2007) (finding that plaintiffs did not sufficiently demonstrate predominance where they argued that the applicable state laws are “virtually the same” but failed to undertake the required “extensive analysis” of variations in state law).
With regard to Plaintiff's tort claims for negligence and invasion of privacy, “Arizona courts apply the principles of the Restatement (Second) of Conflict of Laws [(“Restatement”)] to determine the controlling law for multistate torts.” Bates v. Super. Ct. of Ariz., 749 P.2d 1367, 1369 (Ariz. 1988). Section 6 of the Restatement delineates the following general factors to consider when choosing the applicable rule of law:
(a) the needs of the interstate and international systems,
(b) the relevant policies of the forum,
(c) the relevant policies of other interested states and the relative interests of those states in the determination of the particular issue,
(d) the protection of justified expectations,
(e) the basic policies underlying the particular field of law,
(f) certainty, predictability and uniformity of result, and
(g) ease in the determination and application of the law to be applied.
Restatement § 6(2).
Restatement § 145 gives guidance for the application of the § 6 factors to tort claims.
Section 145 provides that courts are to resolve tort issues under the law of the state having the most significant relationship to both the occurrence and the parties with respect to any particular question. Section 145(2) lists some of the contacts which are to be considered in determining the choice of law applicable to a given issue. Those especially relevant contacts include:
1. The place where the injury occurred;
2. The place where the conduct causing the injury occurred;
3. The domicile, residence, nationality, place of incorporation and place of business of the parties;
4. The place where the relationship, if any, between the parties is centered. Bates, 749 P.2d at 1370.
With regard to Plaintiff's claims of breach of implied contract and unjust enrichment, Arizona again looks to the Restatement to determine the controlling law in a multi-state contract case. Swanson v. Image Bank, Inc., 77 P.3d 439, 441 (Ariz. 2003). Section 188 of the Restatement provides, in relevant part:
(1) The rights and duties of the parties with respect to an issue in contract are determined by the local law of the state which, with respect to that issue, has the most significant relationship to the transaction and the parties under the principles stated in § 6.
(2) In the absence of an effective choice of law by the parties (see § 187), the contacts to be taken into account in applying the principles of § 6 to determine the law applicable to an issue include:
(a) the place of contracting,
(b) the place of negotiation of the contract,
(c) the place of performance,
(d) the location of the subject matter of the contract, and
(e) the domicil, residence, nationality, place of incorporation and place of business of the parties.
These contacts are to be evaluated according to their relative importance with respect to the particular issue.Restatement § 188. Comment e of § 188 notes that the place of contracting “is the place where occurred the last act necessary . . . to give the contract binding effect,” and this, standing alone, “is a relatively insignificant contact.” Id. cmt. e. However, the state where the contract is to be performed “has an obvious interest in the nature of the performance.” Id.
In considering the claim of a plaintiff from one state-here, New Mexico-and a defendant from another-here, Arizona-the Court must first decide if there is a true conflict between the law of the two states as applied to the plaintiff's claim. See Waggoner v. Snow, Becker, Kroll, Klaris & Krauss, 991 F.2d 1501, 1506 (9th Cir. 1993). If so, the Court must apply the law of the state that has a significant contact or aggregation of contacts to the particular claim. See Bates, 749 P.2d at 1370.
In his supplemental brief, Plaintiff contends that, although the parties have not engaged in discovery yet and many facts remain to be uncovered, Arizona law likely applies to his tort and contract-based claims, both because (1) a consideration of the factual allegations in the Amended Complaint leads to the conclusion that Arizona has the most significant relationship with the occurrence underlying the alleged torts and the transaction underlying the alleged contract-based claims, and (2) in the absence of discovery identifying the location of a data breach, courts have applied the law of the forum state in data breach cases. (Doc. 23 at 1-4.) In reaching this conclusion, Plaintiff points to, among others, the fact that because Defendant is located in Arizona, “the relevant data is likely collected and stored in Arizona” and “decisions, policies, and promises relating to data security were made there.” (Doc. 23 at 4.)
In its supplemental brief, Defendant takes the view that “there is no outcome determinative difference and thus no conflict” between the laws of Arizona and New Mexico. (Doc. 24 at 2.) The Court agrees with Defendant's later clarification that there are differences in the applicable laws of the two states-for example, with regard to the scope of duty provided by the states' law in a negligence claim. (Doc. 24 at 5.) But Defendant contends that the differences do not matter to the Court's resolution of Defendant's motion to dismiss.
The scope of duty element in a negligence claim is even more varied when taking into account the laws of all the states, as may be required in the formation of a class of nationwide plaintiffs. Likewise, there are differences, from minor to significant, in the scope of damages that can be sought in a negligence claim among the different states.
The Court agrees with Plaintiff that, at this early stage, the allegations point to the application of Arizona law to both Plaintiff's tort and contract-based claims. The Court will thus apply Arizona law to the extent possible, using out-of-state sources as persuasive authority in the absence of on-point Arizona law.
B. Count One: Negligence
Aside from challenging Plaintiff's damages allegations, which the Court will address below, Defendant argues that Plaintiff fails to state a claim for negligence, focusing on a contention that Plaintiff does not allege sufficient facts from which the Court can plausibly infer proximate cause. (Mot. at 8.) Under Arizona law, “‘[t]o establish a claim for negligence, a plaintiff must prove . . .: (1) a duty requiring the defendant to conform to a certain standard of care; (2) a breach by the defendant of that standard; (3) a causal connection between the defendant's conduct and the resulting injury; and (4) actual damages.'” Diaz v. Phoenix Lubrication Serv., Inc., 230 P.3d 718, 721 (Ariz.Ct.App. 2010) (quoting Gipson v. Kasey, 150 P.3d 228, 230 (Ariz. 2007)). “The proximate cause of an injury is that which, in a natural and continuous sequence, unbroken by any efficient intervening cause, produces an injury, and without which the injury would not have occurred.” Robertson v. Sixpence Inns of Am., 789 P.2d 1040, 1047 (Ariz. 1990) (citations omitted). Proximate cause may be found even where the defendant's act or omission is not the singular cause of injury. Wisener v. State, 598 P.2d 511, 513 (Ariz. 1979).
Plaintiff alleges that the Data Breach has a causal relationship with two incidents: (1) a fraudulent account opened in his name at Well Fargo, and (2) an increase in phishing attacks on his email account purporting to be Wells Fargo. (Reply at 6.) Plaintiff argues that the fraudulent account was opened in his name seven months after the Data Breach, in which his PII was taken from Defendant, so the Data Breach could have been the proximate cause of the proceeding incidents. (Resp. at 10.) Defendant maintains that Plaintiff's allegations are mere speculation based on a purely temporal connection, which is insufficient to show causation. (Reply at 6.) Defendant also contends that, in December 2021, Wells Fargo itself reported a data breach incident when Plaintiff was a customer there. (Mot. at 9.)
The Court declines to take judicial notice of the California Office of the Attorney General's database identifying Wells Fargo data breaches, as proffered by Defendant. Thus, Defendant's contention in its Motion regarding a data breach incident at Wells Fargo is a hypothetical argument at this stage.
Taking Plaintiff's allegations as true for the purpose of resolving Defendant's Motion to Dismiss, the Court need only find it plausible that Plaintiff's alleged injury was proximately caused by the Data Breach. See Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. App'x 664, 668 (9th Cir. 2007) (finding a causal relationship when hard drives containing claimant's personal information were stolen and an identity fraud incident happened afterwards). Plaintiff's factual allegations are sufficient for the Court plausibly infer a connection between the Data Breach and Plaintiff's alleged two incidents. Accordingly, the Court will deny Defendant's request to dismiss the negligence claim (Count 1) based on insufficient allegations of proximate cause.
C. Count Two: Invasion of Privacy
Defendant next argues that Plaintiff cannot establish an invasion of privacy claim because (1) Defendant did not disclose Plaintiff's PII, but rather hackers stole it; and (2) even if the Data Breach amounts to disclosure, such disclosure was not made public. (Mot. at 9-10.)
To begin with, of the four classifications of the tort of invasion of privacy laid out in the Restatement (Second) of Torts § 652, Plaintiff appears to allege the tort of intrusion upon seclusion. Arizona recognizes such a cause of action against a party who “intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs” and that intrusion “would be highly offensive to a reasonable person.” Hart v. Seven Resorts Inc., 947 P.2d 846, 854 (Ariz.Ct.App. 1997) (citing Restatement (2d) of Torts § 652B). Invasion of privacy contemplates a true invasion, such as “opening [] private or personal mail, searching [a] safe or [] wallet, examining [a] private bank account, or compelling [] by forged court order to permit an inspection of [] personal documents.” Restatement (Second) of Torts § 652B cmt. b.
Plaintiff argues that, although Defendant has not shared details about the Data Breach, it is plausible that Defendant disclosed Plaintiff's PII by responding to a phishing email. (Resp. at 12.) Plaintiff posits that responding to a phishing email amounts to an intentional act of disclosure, which is sufficient for Plaintiff to seek damages for an intrusion upon seclusion. (Resp. at 12.) Defendant counters that Plaintiff alleges a ransomware attack caused the Data Breach, which does not amount to an active disclosure by Defendant. (Reply at 7-8.) Defendant also contends that Plaintiff fails to allege any facts to support the otherwise conclusory allegation that Plaintiff's PII was intentionally disclosed to the public. (Reply at 8.)
The intrusion upon seclusion classification of the tort of invasion of privacy does not require that the personal information be widely published, as Defendant seems to argue, but rather that the information simply be disclosed to the public.
As Plaintiff argues, how a data breach occurs may be material in determining whether a defendant intentionally disclosed private information. If a third-party hacked into Defendant's network to obtain Plaintiff's PII, the hacker plausibly engaged in an intrusion upon seclusion. But in that instance, Defendant did not intrude upon Plaintiff's private affairs by intentionally disclosing Plaintiff's PII, and an invasion of privacy claim fails. See, e.g., Purvis v. Aveanna Healthcare LLC, 563 F.Supp.3d 1360, 1377 (N.D.Ga. 2021) (holding that a plaintiff failed to state an invasion of privacy claim by alleging a third party carried out a data breach and the defendant “failed to take sufficient precautions to prevent this intrusion”). By contrast, if a defendant took an action to intentionally leak a plaintiff's PII-an allegation not contained in the Amended Complaint-it is plausible such action could amount to an intrusion upon the plaintiff's seclusion by the defendant. See, e.g., Curry v. Schletter Inc., 2018 WL 1472485, at *5 (W.D. N.C. Mar. 26, 2018).
The Court finds this case akin to Purvis, 563 F.Supp.3d at 1377. Plaintiff in this case, as in Purvis, does not allege non-conclusory facts showing Defendant intended any PII disclosure; indeed, Plaintiff alleges that his PII “was contained, stored, and managed electronically by [Defendant's] records, computers, and databases that was intended to be secured from unauthorized access to third-parties.” (Am. Compl. ¶ 131.) The “central narrative” of Plaintiff's allegations is that Defendant failed “to adequately secure and safeguard” Plaintiff's PII from hackers (Am. Compl. ¶ 133). Purvis, 563 F.Supp.3d at 1377. This is not sufficient to show Defendant intentionally intruded upon Plaintiff's private affairs when, as Plaintiff alleges, Plaintiff's PII was stolen. (E.g. Am. Compl. ¶ 36.) As a result, the Court will dismiss Plaintiff's invasion of privacy claim (Count 2).
D. Count Three: Breach of Implied Contract
Defendant next challenges Plaintiff's breach of implied contract claim, arguing both that the Amended Complaint contains no nonconclusory allegations regarding what the supposed implied contract terms were and that, to the extent Plaintiff claims Defendant did not comply with its own privacy policy, that policy is simply a promise to do what the law requires and could not have created a separate implied agreement between Defendant and Plaintiff. (Mot. at 12-14.) The Court agrees with both arguments.
Under Arizona law, “[t]he distinction between an express contract and one implied in fact is that in the former the undertaking is made by words written or spoken, while in the latter conduct rather than words conveys the necessary assent and undertakings.” Barmat v. John & Jane Doe Partners A-D, 747 P.2d 1218, 1220 (Ariz. 1987) (quoting 1 A. Corbin, Corbin on Contracts § 18, at 43 (1963)). Aside from an agreement establishing the relationship between the parties, one party may have a duty to the other under the applicable law. For example, in relationships between professionals and their clients, “the law imposes special duties to all within the foreseeable range of harm as a matter of public policy, regardless of whether there is a contract, express or implied, and generally regardless of what its covenants may be,” and “breaches of such duties are generally recognized as torts.” Id. at 1221-22. That is, “the essential nature of actions to recover for the breach of such duties is not one ‘arising out of contract.'” Id. at 1222.
Although no account application, express contract, or other document is identified in the Amended Complaint, the Court can infer from the Amended Complaint that Plaintiff signed a document establishing some business relationship with Defendant (and disclosed his PII in the process). The document was the “mere inducement creating the state of things [the relationship] that furnishes the occasion for the [alleged] tort,” id., that is, the alleged breach of the duty to keep Plaintiff's PII secure. Indeed, in his negligence claim, Plaintiff alleges in multiple ways in the Amended Complaint that Defendant “had a duty under common law to have procedures in place to detect and prevent the loss or unauthorized dissemination of Plaintiffs' and Class Members' PII.” (Am. Compl. ¶ 114.) Beyond implying the establishment of an account with Defendant and identifying Defendant's common law duties arising from the relationship, Plaintiff does not make any non-conclusory factual allegations in the Amended Complaint as to conduct on the part of Defendant that somehow established an implied in fact contract with Plaintiff, let alone what the terms of that supposed additional contract were. Cf. Ariz. Bd. of Regents v. Ariz. York Refrigeration Co. 565 P.2d 518, 521 (Ariz. 1977) (finding an implied in fact contract was formed where, beyond an initial contract for repair of a steam boiler, an insurer engaged in conduct authorizing and directing additional repairs to be made by the contractor).
Relatedly, to the extent Plaintiff contends that Defendant breached some implied contract by not complying with its own written policies, the allegations do not suffice to show that any such non-compliance was beyond what was legally mandated. See In re Banner Health Data Breach Litig., No. CV-16-02696-PHX-SRB, 2017 WL 6763548, at *3 (D. Ariz. Dec. 20, 2017) (concluding that because the privacy policy “could not be read as a promise to do anything above and beyond what is required by law” and the defendant “was already under a preexisting duty to protect [the plaintiff's] information,” no implied contract was formed). For these reasons, Plaintiff's breach of implied contract claim (Count 3) fails, and the Court will dismiss it.
E. Count Four: Unjust Enrichment
Next, Defendant argues that Plaintiff has not stated an unjust enrichment claim because the facts pled do not plausibly imply an unjust enrichment on Defendant's part or an impoverishment on his part. (Mot. at 14-15.) Under Arizona law, “[u]njust enrichment occurs when one party has and retains money or benefits that in justice and equity belong to another.” Loiselle v. Cosas Mgmt. Group, LLC, 228 P.3d 943, 946 (Ariz.Ct.App. 2010). To plead an unjust enrichment claim, a party must allege: “(1) an enrichment, (2) an impoverishment, (3) a connection between the enrichment and the impoverishment, (4) the absence of justification for the enrichment and the impoverishment, and (5) the absence of a remedy provided at law.” Span v. Maricopa Cnty. Treasurer, 437 P.3d 881, 886 (Ariz.Ct.App. 2019).
Plaintiff alleges that the Data Breach shows Defendant employed inadequate security and safeguards to protect Plaintiff's PII. (Resp. at 16.) Because Plaintiff paid Defendant money for its services and expected part of his payment to be for data protection, Plaintiff asserts Defendant was unjustly enriched by failing to protect his data. (Resp. at 16.) In its Motion, Defendant argues that Plaintiff's claim errantly relies on the premise that because the Data Breach occurred, Defendant's data security services were inadequate. (Mot. at 15.) In other words, aside from the fact that a Data Breach occurred, Defendant contends the Complaint does not contain non-conclusory factual allegations to support the conclusion that Defendant did not provide what it allegedly promised-measures to protect customer data in accordance with industry standards-and without such allegations, Plaintiff was not impoverished and Defendant was not unjustly enriched. (Mot. at 15.)
As alleged by Plaintiff, Defendant's privacy policy provides that Defendant will take “reasonable steps” to retain, safeguard and protect clients' PII. (Am. Compl. ¶ 139.) Other than the fact that the Data Breach occurred, Plaintiff does not allege any facts to show that Defendant failed to take reasonable steps to protect PII, for example by alleging Defendant either failed to have or follow a privacy policy. The Court agrees with Defendant that a data security infrastructure in accordance with industry standards does not completely preclude the possibility of a data breach, and conversely a data breach does not by itself demonstrate an inadequate data security infrastructure. See Griffey v. Magellan Health Inc., 562 F.Supp.3d 34, 50 (D. Ariz. 2021) (“[T]he existence of an adequate data security infrastructure and two data breaches in the same year are not mutually exclusive.”) To the extent Defendant derived an enrichment for its privacy policy, it was not unjust because it was subject to terms and conditions set forth in the service agreement. Plaintiff thus fails to state a claim for unjust enrichment (Count 4) and the Court will dismiss it.
F. Count Five: New Mexico Unfair Trade Practices Act
Defendant also challenges Plaintiff's claim under the New Mexico Unfair Trade Practices Act (NMUPA) because, among other things, Plaintiff fails to allege nonconclusory facts showing that Defendant's representations in its privacy policy were false. (Mot. at 16.) The relevant section of NMUPA prohibits unfair or deceptive trade practices, including “any false or misleading oral or written statement, visual description or other representation of any kind knowingly made in connection with the sale . . . of goods or services or in the extension of credit . . . by any person in the regular course of his trade or commerce, which may, tends to or does deceive or mislead any person.” NMUPA § 57-12-2(D).
Plaintiff alleges that Defendant's privacy policy was false and misleading because the policy represented Defendant “would protect personal information from unauthorized access, it used security measures that comply with federal law, it has implemented safeguards and used secured files, and that it restricts access to PII to only those employees who need to know such information.” (Resp. at 17 (citing Am. Compl. ¶ 161).) As the Court discussed above, the Amended Complaint contains no non-conclusory allegations regarding how any of those terms are false or misleading other than the fact that the Data Breach occurred. As Defendant argues, the fact of a data breach is not sufficient by itself to show that Defendant made false or misleading statements in its privacy policy. See Griffey, 562 F.Supp.3d at 50. Without more, the claim fails, and the Court will dismiss Count 5.
G. Damages
The remaining question is whether Plaintiff has adequately alleged damages for its sole remaining claim of negligence. Plaintiff raises at least two species of damages that may apply to his negligence claim: out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft or other unauthorized use of PII (including monitoring services); and diminished value of his PII. (Resp. at 4-8.)
As a basis for his negligence claim, Plaintiff alleges that as a result of the Data Breach, he is experiencing an increased number of phishing emails and other fraudulent activity on his personal accounts, requiring him to pay for credit monitoring services beyond the one-year of service offered by Defendant. (E.g., Am. Compl. ¶ 67.) This plausibly constitutes a cognizable injury by way of a reasonable expenditure for harm Plaintiff allegedly suffered from the Data Breach and is thus an appropriate prayer for damages arising from his negligence claim. See In re Banner Health Data Breach Litig., 2017 WL 673548, at *8 (“A person whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened.” (internal citation omitted)). While uncertain future harm would be insufficient, see, e.g. Krottner v. Starbucks Corp., 406 Fed. App'x 129, 131 (9th Cir. 2010) (applying analogous Washington state law), Plaintiff pleads present damage with sufficient certainty.
Courts have also recognized the diminished value of PII as a cognizable injury resulting from a data breach, as small as that value may be. In Svenson v. Google Inc., the district court concluded the diminution of value in PII is a cognizable injury arising from a data breach so long as the plaintiff shows there is a “robust market” for the PII and the plaintiff has been deprived of the ability to sell personal data on the market. 2015 WL 1503429 (N.D. Cal. 2015) (citing In re Facebook Privacy Litig., 572 Fed. App'x 494 (9th Cir. 2014)). Here, Plaintiff alleges there is a high demand on the market for PII that includes Social Security numbers (Am. Compl. ¶ 61) and he has plausibly been deprived of the ability to sell his personal data by the Data Breach. As a result, Plaintiff's prayer for the diminished value of his PII also survives Defendant's Rule 12(b)(6) challenge.
H. No Leave to Amend
Because the Court finds the defects in Plaintiffs' dismissed claims cannot be cured by amendment when considering the context and thoroughness of Plaintiffs' allegations in the Amended Complaint, the Court will dismiss Counts 2 through 5 without leave to amend. See Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000).
IT IS THEREFORE ORDERED granting in part and denying in part Defendant Goldwater Bank, N.A.'s Motion to Dismiss Plaintiff's Amended Complaint (Doc. 16). Counts 2 through 5 of Plaintiff's Amended Complaint (Doc. 15) are dismissed.
IT IS FURTHER ORDERED that Defendant shall file an Answer to Count 1 of the Amended Complaint (Doc. 15) within the time specified in the Federal Rules of Civil Procedure. The Court will set a case management conference by separate Order.