Summary
holding that the plaintiff adequately alleged harm from unreasonable delay in notification by stating that the "delay prevented him from taking steps to protect his personal information from identify theft"
Summary of this case from In re Arthur J. Gallagher Data Breach Litig.Opinion
Case No. 3:19-cv-2284-H-KSC
05-07-2020
IN RE: SOLARA MEDICAL SUPPLIES, LLC CUSTOMER DATA SECURITY BREACH LITIGATION
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS; GRANTING PLAINTIFFS THIRTY DAYS LEAVE TO AMEND
MARILYN L. HUFF, District Judge
This is a data privacy class action. On November 13, 2019, Solara Medical Supplies, LLC ("Solara") notified its customers of a security incident that may have compromised the information related to certain individuals associated with Solara. This class action seeks redress for that incident. On November 29, 2019, Plaintiff Juan Maldonado filed a complaint alleging various common law and other state law causes of action. (Doc. No. 1.) On January 7, 2020, the Court consolidated the Maldonado matter with two other pending actions related to the same security incident. (Doc. No. 10.) On January 23, 2020, Plaintiffs filed their Consolidated Class Action Complaint. (Doc. No. 24.) Plaintiffs seek to represent a nationwide class of all persons "whose Personal and Medical Information was compromised by the Data Breach." (Doc. No. 24 ¶147.) Alternatively, Plaintiffs propose representing subclasses based on state or on the type of personal and medical information compromised. (Id. ¶¶152-153.)
On March 9, 2020, Defendant Solara filed a motion to dismiss. (Doc. No. 31.) On March 30, 2020, Plaintiffs responded. (Doc. No. 32.) On April 6, 2020, Defendant replied. (Doc. No. 34.) On April 10, 2020, Plaintiffs filed a Notice of Supplemental Authority regarding the Ninth Circuit's recent decision in In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020). (Doc. No. 35.) The Court held a hearing on April 13, 2020 and requested supplemental briefing from the parties on the application of In re Facebook to this case. (Doc. No. 37.) Stuart A. Davidson, William B. Federman, and William M. Sweetnam appeared for Plaintiffs and Jon Peter Kardassakis appeared for the Defendant. On April 24, 2020, Defendant filed its Objection to Plaintiffs' Notice of Supplemental Authority. (Doc. No. 40.) On May 1, 2020, Plaintiffs replied. (Doc. No. 41.) For the following reasons, the Court GRANTS in part and DENIES in part Defendant's motion to dismiss.
I. Background
In this putative class action, Plaintiffs are six individuals who allege that their personal and medical information was exposed after Solara's computer systems were compromised by cyber criminals in 2019. (Doc. No. 24.) Defendant Solara is a direct-to-consumer supplier of medical devices related to the care of diabetes as well as a registered pharmacy in the state of California. (Id. ¶1.) Solara's principle place of business is California. (Id. ) Plaintiffs allege that between April 2, 2019 and June 20, 2019, cyber criminals were able to gain access to Solara's computer systems which contained the health and personal information of tens of thousands of individuals (the "Breach"). (Id. ) Plaintiffs allege that a variety of personal information was exposed in the breach including names, addresses, dates of birth, Social Security numbers, Employee Identification Numbers, confidential medical information, health insurance information, Medicare and Medicaid IDs, as well as financial information for thousands of individuals. (Id. ¶2)
On or around November 11, 2019, Plaintiffs received a letter from Solara regarding the breach and offering "Plaintiffs and Class members twelve months of identity repair and monitoring services." (Id. ¶95.) On or around November 13, 2019, Solara issued a press release notifying the public that on June 14, 2019, it had "determined that an unknown actor gained access to a limited number of employee Office 365 accounts ...." (Id. ¶25.) Plaintiffs further allege that these Office 365 accounts were not encrypted. (Id. ¶30.)
Plaintiff Juan Maldonado, a citizen of Pennsylvania, received a letter from Solara on or around November 20, 2019, informing him that his "name, date of birth, medical information, and health insurance information" had been compromised in the Breach. (Id. ¶100.) Plaintiff Maldonado, alleges that on December 2, 2019, while visiting the hospital for urgent medical care, he learned that his health insurance and billing information had been changed. (Id. ¶101.) Plaintiff Maldonado alleges that he has also suffered stress and anxiety as a result of the Breach. (Id. ¶102.)
Plaintiff Adam William Bickford, a citizen of Connecticut, received a letter from Solara, on or around November 11, 2019, informing him that his "name, date of birth, and medical information" was present on a Solara employee's email account that was compromised in the Breach. (Id. ¶106.) Plaintiff Bickford alleges that he has spent over three hours responding to the threat posed by the data breach and has "noticed an increase in medical-related spam phone calls ...." (Id. ¶108.)
Plaintiff Jeffrey Harris, a citizen of North Carolina, received a letter from Solara informing him that his "name, date of birth, Social Security number, medical information, billing/claims information, health insurance information, and Medicare ID/Medicaid ID" was exposed by the Breach. (Id. ¶114.) Plaintiff Harris alleges that he has spent hours addressing the data breach and has suffered anxiety as a result. (Id. ¶116.)
Plaintiff Alex Mercado, a citizen of California, received a letter from Solara informing him that his "name, date of birth, Social Security number, medical information, billing/claims information, health insurance information, and Medicare ID/Medicaid ID" was exposed by the Breach. (Id. ¶125.) Plaintiff Mercado also alleges that he has suffered anxiety as a result of the Breach. (Id. ¶129.)
Plaintiff Thomas Wardrop, a citizen of Michigan, received a letter from Solara informing him that his "name, date of birth, medical information, billing and claims information, and health insurance information was compromised in the Data Breach." (Id. ¶132.) Plaintiff Wardrop alleges that he has "experienced unexplained credit inquiries and spam/phishing attempts that he believes are related to the Data Breach." (Id. ¶135.)
Plaintiff Kristi Keally, legal guardian of minor plaintiff M.K., a citizen of Pennsylvania, received a letter from Solara informing her that her minor child's "name, date of birth, medical information, medical insurance information, and billing and claims information was compromised in the Data Breach." (Id. ¶139.) Plaintiff Keally alleges that she has "expended time and suffered loss of productivity from taking time to address and attempt to" deal with the consequences of the Breach for M.K. (Id. ¶141.)
II. Legal Standards
Defendant moves to dismiss the claims of all Plaintiffs for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). A defendant may move to dismiss a complaint for failing to state a claim upon which relief can be granted under Rule 12(b)(6). "Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory." Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). To survive a 12(b)(6) motion, a plaintiff must plead "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A claim is facially plausible when a plaintiff pleads "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009).
In reviewing the plausibility of a complaint, courts "accept factual allegations in the complaint as true and construe the pleadings in the light most favorable to the nonmoving party." Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). Nonetheless, courts do not "accept as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences." In re Gilead Scis. Secs. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) (quoting Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001) ). The Court also need not accept as true allegations that contradict matter properly subject to judicial notice or allegations contradicting the exhibits attached to the complaint. Sprewell, 266 F.3d at 988.
Additionally, claims sounding in fraud are subject to the heightened pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure, which requires that a plaintiff alleging fraud "must state with particularity the circumstances constituting fraud." Fed. R. Civ. P. 9(b) ; see Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir. 2009). To satisfy the heightened standard under Rule 9(b), the allegations must be "specific enough to give defendants notice of the particular misconduct which is alleged to constitute the fraud charged so that they can defend against the charge and not just deny that they have done anything wrong." Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985). Thus, claims sounding in fraud must allege "an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations." Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (per curiam) (internal quotation marks omitted); see also Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003) ("Averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged.") (internal quotation marks omitted).
Where a motion to dismiss is granted, "leave to amend should be granted ‘unless the court determines that the allegation of other facts consistent with the challenged pleading could not possibly cure the deficiency.’ " DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393, 1401 (9th Cir. 1986) ). In other words, where leave to amend would be futile, the Court may deny leave to amend. See Desoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at 1401.
III. Discussion
1. Negligence
Defendant argues that Plaintiffs cannot maintain a cause of action for negligence because the economic loss doctrine bars their claims and because Plaintiffs cannot adequately allege causation. (Doc. No. 31 at 4-6.) Plaintiffs argue that they fall within one of the exceptions to the economic loss doctrine. (Doc No. 32 at 3-4.) Specifically, Plaintiffs argue that they have: (1) pled non-economic harm, (2) that Solara owed them an independent duty to safeguard their information, and (3) that a special relationship existed between the parties. (Doc No. 32 at 3-4.) Plaintiffs also argue that they have adequately alleged causation. (Id. )
To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an "obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks," (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009).
Generally, purely economic losses are not recoverable in tort. Seely v. White Motor Co., 63 Cal. 2d 9, 16–17, 45 Cal.Rptr. 17, 403 P.2d 145 (1965). "[T]he economic loss rule prevent[s] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988, 22 Cal.Rptr.3d 352, 102 P.3d 268 (2004) (quotation omitted). The rule serves to "limit liability in commercial activities that negligently or inadvertently go awry." Id. at 991 n.7, 22 Cal.Rptr.3d 352, 102 P.3d 268. "Economic loss consists of damages for inadequate value, costs of repair and replace of the defective product or consequent loss of profits—without any claim of personal injury or damages to other property." Id., 22 Cal.Rptr.3d 352, 102 P.3d at 272 (2004) (internal quotation marks omitted). Here, Plaintiffs have alleged they have lost time responding to the Breach as well as suffering from increased anxiety and so do not allege purely economic losses. (Doc. No. 24 ¶¶ 102, 108, 116, 129, 135, and 141.) The economic loss rule therefore does not apply. See Bass v. Facebook, Inc., 394 F.Supp. 3d 1024, 1039 (N.D. Cal. 2019). Since Plaintiffs have pled non-economic losses, the Court need not consider the remaining two exceptions to the economic loss doctrine.
Defendant also argues that the negligence cause of action should be dismissed for "the independent reason that plaintiffs are unable to allege" that the Breach caused them cognizable, non-speculative harm. (Doc. No. 31 at 14.) Plaintiffs argue that they have articulated specific "non-general damages in their costs and lost time caused by the breach." (Doc. No. 32 at 15.) The Court agrees. Increased time spent monitoring one's credit and other tasks associated with responding to a data breach have been found by others courts to be specific, concrete, and non-speculative. See Bass, 394 F. Supp 3d at 1039 ; Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015). The Court denies Defendant's motion to dismiss Plaintiffs' negligence cause of action.
2. Negligence Per Se
Next, Defendant argues that Plaintiffs' negligence per se claim is not an independent cause of action but an evidentiary presumption. (Doc. No. 31 at 6-7.) Plaintiffs concede that it is not a separate cause of action but argue that in order to invoke the presumption they are "required to allege facts to support its application." (Doc. No. 32 at 16.)
In order to invoke negligence per se under California law, Plaintiffs must allege four essential elements: (1) Defendant violated a statute, ordinance or regulation of a public entity; (2) the violation was the proximate cause of Plaintiff's injury; (3) the injury resulted from an occurrence, the nature of which the statute, ordinance or regulation was designed to prevent; and (4) the person suffering the injury was one of the class of persons for whose protection the statute, ordinance or regulation was adopted. Carson v. Depuy Spine, Inc., 365 Fed.Appx. 812, 815 (9th Cir. 2010.) ; Cal. Evid. Code § 669.
Defendant is correct that negligence per se is not a separate cause of action but an evidentiary doctrine. Plaintiffs are also correct that they need to allege facts supporting application of the doctrine. Harris v. Burlington Northern Santa Fe Railroad., No. EDCV 09-197 ABC, 2013 WL 12122668, at *3 (C.D. Cal. July 12, 2013). To do so under the law, Plaintiffs should plead facts to support application of the negligence per se doctrine within the negligence cause of action in an amended complaint. As a result, the Court grants the Defendant's motion to dismiss the negligence per se cause of action without prejudice.
3. Breach of Contract
Defendant moves to dismiss Plaintiffs' breach of contract claim arguing Plaintiffs have not adequately alleged who entered into a contract with Solara. (Doc. No. 31 at 7.) Defendant also argues that Plaintiffs fail to plead facts "demonstrating cognizable damages." (Id. at 8-9.) Plaintiffs argue that they have alleged entering into contracts with Solara in exchange for medical supplies. (Doc. No. 32 at 7.)
Under California law, to state a claim for breach of contract, a plaintiff must plead "the contract, plaintiffs' performance (or excuse for nonperformance), defendant's breach, and damage to plaintiff therefrom." Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1028 (N.D. Cal. 2012). A plaintiff must plead "appreciable and actual damage" in relation to their breach of contract claim. Id. (citing Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000) ). "Nominal damages, speculative harm, or threat of future harm do not suffice to show legally cognizable injury." Id.
Plaintiffs' complaint alleges that "Defendant entered into contracts with Plaintiffs and Class Members." (Doc. No. 24 ¶207.) "In an action for breach of a written contract, a plaintiff must allege the specific provisions in the contract creating the obligation the defendant is said to have breached." Young v. Facebook, Inc., 790 F.Supp.2d 1110, 1117 (N.D. Cal. 2011) ; see also Miron v. Herbalife Int'l, Inc., 11 Fed.Appx. 927, 929 (9th Cir. 2001) ("The district court's dismissal of the Mirons' breach of contract claims was proper because the Mirons failed to allege any provision of the contract which supports their claim."). Plaintiffs argue that Solara's "Notice of Privacy Practices" and "Patient Bill of Rights" form the basis for their express contract claim. (Doc. No. 32 at 7-8.) Solara's Notice of Privacy Practices states that:
Solara Medical Supplies ... is committed to protecting your privacy and understands the importance of safeguarding your personal health information. We are required by federal law to maintain the privacy of health information that identifies you or that could be used to identify you ....
(Doc. No. 24 ¶37.) And Solara's Patient Bill of Rights enumerates the following rights:
The Client Bill of Rights is designed to recognize, promote, and protect, an individual's right to be treated with dignity and respect within the health care system.... As our client you have the right to ... Confidentiality of your records and Solara Medical Supplies, LLC policy for accessing and disclosure of records.
(Id. ¶38.) Plaintiffs allege that these documents form the basis for their express breach of contract claim and that every Plaintiff was provided with a copy of both documents. (Id. ) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs' express breach of contract claim.
Next, Defendant argues that Plaintiffs have not pled facts "demonstrating cognizable damage." (Doc. No. 31 at 8.) Plaintiffs argue that they have adequately pled a diminution in the value of their personal information as a result of the Breach. (Doc. No. 32 at 8.) The dissemination of one's personal information can satisfy the damages element of a breach of contract claim. See In re Facebook Privacy Litigation., 572 Fed.Appx. 494 (9th Cir. 2014). As a result, the Court declines to dismiss Plaintiffs' breach of express contract claim.
4. Breach of Implied Contract
As an alternative theory, Plaintiffs plead breach of an implied contract. "An implied-in-fact contract requires proof of the same elements necessary to evidence an express contract: mutual assent or offer and acceptance, consideration, legal capacity and lawful subject matter." Northstar Financial Advisors Inc. v. Schwab Investments, 779 F.3d 1036, 1050–51 (9th Cir. 2015). Plaintiffs have adequately alleged facts to support a theory of breach of implied contract in the alternative to breach of express contract.
5. Breach of Implied Covenant of Good Faith and Fair Dealing
Defendant moves to dismiss Plaintiffs' claim for a breach of the implied covenant of good faith and fair dealing arguing that Plaintiffs fail to allege a conscious and deliberate act" by Solara to frustrate the purposes of the parties' agreement. (Doc. No. 31 at 11.) Plaintiffs argue that Solara's security failures were "conscious and deliberate." (Doc. No. 32 at 11.)
Under California law, "[e]very contract imposes on each party a duty of good faith and fair dealing in each performance and its enforcement." Carson v. Mercury Ins. Co., 210 Cal. App. 4th 409, 429, 148 Cal.Rptr.3d 518 (2012) (internal quotation marks omitted). "The covenant ‘is based on general contract law and the long-standing rule that neither party will do anything which will injure the right of the other to receive the benefits of the agreement.’ " Rosenfeld v. JP Morgan Chase Bank, N.A., 732 F. Supp. 2d 952, 968 (N.D. Cal. 2010) (quoting Waller v. Truck Ins. Exchange, Inc., 11 Cal. 4th 1, 36, 44 Cal.Rptr.2d 370, 900 P.2d 619 (1995) ). In order to establish a breach of the covenant of good faith and fair dealing, a plaintiff must show: "(1) the parties entered into a contract; (2) the plaintiff fulfilled his obligations under the contract; (3) any conditions precedent to the defendant's performance occurred; (4) the defendant unfairly interfered with the plaintiff's rights to receive the benefits of the contract; and (5) the plaintiff was harmed by the defendant's conduct." Id. "California law makes clear that establishing breach of the implied covenant requires proof of a conscious and deliberate act, which unfairly frustrates the agreed common purpose of the agreement." Claridge v. RockYou, Inc., 785 F.Supp.2d 855, 865 (N.D. Cal. 2011).
Plaintiffs argue that Solara's security failures are evidence of a conscious and deliberate act. They argue that Solara's actions were "plausibly conscious and deliberate since they contravened Solara's own policies and violated various laws and regulations including HIPPA requirements." (Doc. No. 32 at 11.) Plaintiffs argue that Solara should "have known about its weakness toward email-related threats" and yet failed to take action. (Doc. No. 1. ¶71.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. Accordingly, the Court declines to dismiss Plaintiffs' claim for a breach of the covenant of good faith and fair dealing at this time.
6. Unjust Enrichment
Defendant moves to dismiss Plaintiffs' unjust enrichment claim arguing that "there is no cause of action in California for unjust enrichment. (Doc. No. 31 at 11.) Plaintiffs argue that this is not the case. (Doc. No. 32 at 12.) Plaintiffs are correct. "The California Supreme Court has clarified California law and allowed independent claims for unjust enrichment to proceed." Bruton v. Gerber Prod. Co., 703 Fed.Appx. 468, 470 (9th Cir. 2017) (citing Hartford Cas. Ins. Co. v. J.R. Mktg., 61 Cal. 4th 988, 1000, 190 Cal.Rptr.3d 599, 353 P.3d 319 (2015) ). Accordingly, the Court declines to dismiss Plaintiffs' unjust enrichment claim.
7. California Confidentiality of Medical Information Act Claim
Solara moves to dismiss Plaintiffs' California Confidential of Medical Information Act ("CMIA") claims, which arise under California Civil Code sections 56.101(a) and 56.36(b). Section 56.101(a) requires health care providers to maintain medical information "in a manner that preserves the confidentiality of the information contained therein" and creates a private right of action, enforced through section 56.36(b), for patients' whose health care provider "negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information." Cal. Civ. Code § 56.101(a).
Under section 56.36(b), "any individual may bring an action against any person or entity who has negligently released information concerning him or her in violation of this part for ... nominal damages of one thousand dollars ($1,000)." Cal. Civ. Code § 56.36(b)(1). When suing for nominal damages, plaintiffs do not have to prove they "suffered or [were] threatened with actual damages," Cal. Civ.Code § 56.36(b)(1), but they must plead that an unauthorized third party viewed or accessed their confidential information. Regents of the Univ. of Cal. v. Super Ct., 220 Cal.App. 4th 549, 570, 163 Cal.Rptr.3d 205 (2013) ; Sutter Health v. Super Ct., 227 Cal.App. 4th 1546, 1555, 174 Cal.Rptr.3d 653 (2014) ("[W]ithout an actual confidentiality breach, a health care provider has not violated section 56.101 and therefore does not invoke the remedy provided in section 56.36.").
Defendant argues that the CMIA claim should be dismissed because the statute requires an "affirmative act of communication" and that Plaintiffs do not plead that an unauthorized person actually viewed their confidential medical information. (Doc. No. 31 at 12-13.) Solara also argues that the employee email accounts at issue are not subject to the electronic health record system provision of California Civil Code § 56.101(b). (Id. ) Plaintiffs argue that they are not required to allege an "affirmative disclosure" by Solara at the pleading stage. (Doc. No. 32 at 13.) Furthermore, Plaintiffs argue that they have alleged that their "medical information was actually viewed in the breach." (Id. ) Plaintiffs also argue that email accounts are subject to California Civil Code § 56.101(b). (Id. at 15.)
The CMIA does not require an affirmative act of communication by the Defendant. Section 56.101(a) obligates every provider of health care "who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein" and that any health care provider who "who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to the remedies and penalties provided under subdivisions (b) and (c) of Section 56.36." The plain text of the statute does not require an affirmative disclosure by the medical provider to create liability but in fact creates a remedy for those who store records negligently. California courts that have had occasion to consider Defendant's argument have rejected it. See Regents of Univ. of Cal. v. Superior Court, 220 Cal. App. 4th 549, 568, 163 Cal.Rptr.3d 205 (2013).
Next, Defendant's argument that Plaintiffs have not pled unauthorized viewing of their medical records is unavailing. Plaintiffs have plausibly pled facts that could give rise to the inference that their medical information has been viewed by an unauthorized third party. Plaintiffs attach to their complaint letters they received from Solara indicating that their information was exposed in the breach. (Doc. No. 24 Exh. 1-6.) Plaintiffs have also pled an increase in medical-related spam emails and phone calls following the data breach. (Id. ¶¶108, 117, 128, 135.) These events plausibly give rise to the inference that Plaintiffs' information was exposed in the Breach.
Finally, Defendant's argument that no electronic health record system is at issue in Plaintiffs' complaint is not persuasive. The text of the statute broadly defines "electronic medical record" as "an electronic record of health-related information on an individual that is created, gather, managed, and consulted by authorized health care clinicians and staff." § 56.101(c). Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed as to whether the communications are subject to the CMIA. In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs' CMIA claim.
8. California Consumer Records Act
Next, Defendant moves to dismiss Plaintiffs' California Records Act Claim ("CRA"). (Doc. No. 31 at 14.) The CRA "regulates businesses with regard to treatment and notification procedures relating to their customers' personal information." Corona v. Sony Pictures Ent'mt, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Plaintiffs allege that Defendant violated § 1798.82 of the CRA. This provision provides, in relevant part:
A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person ....
Cal. Civ. Code § 1798.82(a). The statute requires that disclosure "shall be made in the most expedient time possible and without unreasonable delay." Id. The statute also describes the information that must be included in the security breach notification and the form that the security breach notification must take. See § 1798.82(d).
To allege a "cognizable injury" arising from Defendant's alleged failure to timely notify Plaintiffs of the Data Breach, Plaintiffs must allege "incremental harm suffered as a result of the alleged delay in notification," as opposed to harm from the Data Breach itself. Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *7 (S.D. Cal. Nov. 3, 2016) ; see also In re Sony Gaming Networks, 996 F. Supp. 2d 942, 1010 (S.D. Cal 2014) ("[A] plaintiff must allege actual damages flowing from the unreasonable delay (and not the intrusion itself) in order to recover actual damages").
Where Plaintiffs have failed to allege injury arising from a Defendant's "delayed notification," courts have dismissed § 1798.82 claims. See, e.g., Dugas, 2016 WL 6523428, at *7 (dismissing § 1798.82 claim because Plaintiff did not allege "what, if any, concrete harm resulted from Defendants' alleged failure to promptly notify [its] customers of the data breach"); In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 (dismissing § 1798.82 claim where plaintiffs "failed to allege how" a ten-day delay in notification caused plaintiffs' injuries).
Defendant argues that the CRA claim should be dismissed because Plaintiffs fail to allege damages as a result of the alleged delay in notification. (Doc. No. 31 at 14.) Plaintiffs argue that "Solara waited nearly five months after discovering the breach" to notify them and that this delay prevented Plaintiffs from taking steps to protect their personal information from identify theft. (Doc. No. 32 at 23.) Plaintiffs have adequately alleged incremental harm as a result of Solara's five-month delay in notification. See In re Yahoo! Inc. Customer Data Security Breach Litig., 2017 WL 3727318 (N.D. Cal. Aug. 30, 2017) (finding incremental harm adequately pled in a data breach case when plaintiffs plausibly alleged that they could not take mitigation steps based upon delay). Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. As a result, the Court declines to dismiss Plaintiffs' CRA claim at this time.
9. California Unfair Competition Law
California's Unfair Competition Law ("UCL") provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code § 17200, et seq. Each prong of the UCL provides a "separate and distinct theory of liability." Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). Plaintiffs allege that Defendant's conduct violated all three prongs of the UCL. Defendant argues that Plaintiffs' UCL claims fail for several reasons. First, Defendant argues that Plaintiffs lack standing to bring claims under the UCL. Second, Defendant argues that the UCL claim fails to satisfy Rule 9(b). Third, Defendant argues that Plaintiffs have not pled that Defendant's actions were either unlawful or unfair. The Court addresses each of these arguments below.
a. UCL Standing
In order to establish standing for a UCL claim, Plaintiffs must show that they personally lost money or property "as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204 ; Kwikset Corp. v. Sup. Ct., 51 Cal. 4th 310, 330, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011). The California Supreme Court has explained standing.
There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.
Id. at 323, 120 Cal.Rptr.3d 741.
Defendant argues that "Plaintiffs fail to allege actual lost money or property." (Doc. No. 31 at 15.) Plaintiffs respond that they have all experienced injury under the UCL in two legally cognizable ways. First, Plaintiffs "acquired less in their transactions with Solara than they would have if Solara had sufficiently protected their Personal Information." (Doc. No. 32 at 16-17.) Second, Plaintiffs lost "their legally protected interest in their Personal Information" as a result of the breach. (Id. )
Plaintiffs first theory of damages is sufficient to establish standing under the UCL. Courts in California have consistently held that benefit of the bargain damages represents economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (finding standing under the UCL because "[f]our of the six [p]laintiffs allege they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing."); In re LinkedIn User Privacy Litig., 2014 WL 1323713, *4 (N.D. Cal. Mar. 28, 2014) (finding that benefit of the bargain losses are "sufficient to confer ... statutory standing under the UCL."). Taken together, Kwikset, In re Adobe, and In re LinkedIn demonstrate that benefit of the bargain losses, as alleged in the consolidated amended complaint, constitute economic injury cognizable under the UCL. Here, Plaintiffs have all pled that "they acquired less in their transactions with Solara than they would have if Solara had sufficiently protected their Personal Information." (Doc. No. 24 ¶¶78-95.) These allegations are enough to establish standing for purposes of the UCL.
b. Rule 9(b)
"To state a claim under the ‘fraud’ prong of [the UCL], a plaintiff must allege facts showing that members of the public are likely to be deceived by the alleged fraudulent business practice." Antman v. Uber Technologies, Inc., 2015 WL 6123054, *6 (N.D. Cal. Oct. 19, 2015). Claims stated under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor Co., 567 F. 3d 1120, 1125 (9th Cir. 2009). Under Rule 9(b), "[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake." Fed. R. Civ. P. 9(b). Plaintiffs must include "an account of the time, place, and specific content of the false representations" at issue. Swartz v. KPMG LLP, 476 F.3d 756 (9th Cir. 2007). Lastly, a plaintiff must plead that he or she "actually relied on the misrepresentation or omission" to bring a UCL claim. Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033, 1047 (N.D. Cal. 2014) (citing In re Tobacco II Cases, 46 Cal. 4th 298, 326, 93 Cal.Rptr.3d 559, 207 P.3d 20 (2009) ). "This showing of actual reliance under the UCL requires a plaintiff to allege that ‘the defendant's misrepresentation or nondisclosure was an immediate cause of the plaintiff's injury-producing conduct.’ " Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190, 1220 (N.D. Cal. 2014) (quoting In re Tobacco II, 46 Cal. 4th at 326, 93 Cal.Rptr.3d 559, 207 P.3d 20 ). Defendant argues that Plaintiffs' fraudulent misrepresentation and omission claims fail. The Court will address each now.
i. Fraudulent Misrepresentation
Plaintiffs' fraudulent misrepresentation claims stem from Solara's statements in (1) its Notice of Privacy Practices, (2) its patient Bill of Rights, (3) the Privacy Policy for its software application and (4) the Terms and Conditions for it's website. (Doc. No. 32 at 17-18.) Defendant argues that "no plaintiff alleges who they received these statements from, how they received them, when, or where." (Doc. No. 31 at 16.)
All Plaintiffs allege that they were given a copy of the Notice of Privacy Practices and the Patient Bill of Rights. However, Defendant is correct that Plaintiffs fail to adequately plead their misrepresentation claim to the extent they rely on statements in the Privacy Policy for Solara's software application and the Terms and Service of their website. Plaintiffs do not allege having been exposed to the statements in either the software application or Solara's website. Accordingly, to the extent Plaintiffs' UCL claim is premised on statements in the Privacy Policy and the Terms of Service, the Court grants Defendant's motion to dismiss the fraudulent misrepresentation claim.
Where a motion to dismiss is granted, "leave to amend should be granted ‘unless the court determines that the allegation of other facts consistent with the challenged pleading could not possibly cure the deficiency.’ " DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393, 1401 (9th Cir. 1986) ). In other words, where leave to amend would be futile, the Court may deny leave to amend. See DeSoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at 1401. The Court permits Plaintiffs an attempt to cure the deficiency under the UCL fraudulent misrepresentation prong under the standards of Rule 9(b) in an amended complaint if they can do so.
ii. Fraudulent Omission
For an omission to be actionable under the UCL, "the omission must be contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose." Daugherty v. Am. Honda Motor Co., 144 Cal.App.4th 824, 835, 51 Cal.Rptr.3d 118 (2006) ; see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal.App.4th 1544, 1557, 62 Cal.Rptr.3d 177 (2007) ("[A] failure to disclose a fact one has no affirmative duty to disclose is [not] ‘likely to deceive’ anyone within the meaning of the UCL." (quoting Daugherty, 144 Cal.App.4th at 838, 51 Cal.Rptr.3d 118 )). There are four circumstances in which a duty to disclose may arise: "(1) when the defendant is the plaintiff's fiduciary; (2) when the defendant has exclusive knowledge of material facts not known or reasonably accessible to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when the defendant makes partial representations that are misleading because some other material fact has not been disclosed." Collins v. eMachines, Inc., 202 Cal.App.4th 249, 255, 134 Cal.Rptr.3d 588 (2011). "[A] fact is deemed ‘material,’ and obligates an exclusively knowledgeable defendant to disclose it, if a ‘reasonable [consumer]’ would deem it important in determining how to act in the transaction at issue." Id. at 256, 134 Cal.Rptr.3d 588 (citing Engalla v. Permanente Med. Grp., Inc., 15 Cal.4th 951, 977, 64 Cal.Rptr.2d 843, 938 P.2d 903 (1997) ).
Plaintiffs claim that Solara had exclusive knowledge of the fact that its security practices fell short of industry standards, and that this fact was material. (Doc. No. 32 at 20.) Plaintiffs also claim that Solara had a duty to disclose this fact, and that Solara's failure to do so is an actionable omission under the UCL. (Id. ) Defendant argues that Plaintiffs fail to plead a duty to disclose. (Doc. No. 31 at 26.)
Plaintiffs have adequately pled a duty to disclose based upon Defendant's exclusive knowledge of the alleged inadequacy of its security measures. Plaintiffs adequately allege that the omission was a material fact. (Doc. No. 24 ¶¶24-35, 341.) As a result, the Court declines to dismiss Plaintiffs' fraudulent omission UCL claim.
iii. Unlawful
"The unlawful prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law." In re Adobe, 66 F.Supp.3d at 1225 (internal quotation marks omitted). "Generally, violation of almost any law may serve as a basis for a UCL claim." Antman v. Uber Technologies, Inc., 2015 WL 6123054, *6 (N.D. Cal. Oct. 19, 2015) (internal quotation marks omitted). However, a UCL claim "must identify the particular section of the statute that was violated, and must describe with reasonable particularity the facts supporting the violation." Baba v. Hewlett–Packard Co., 2010 WL 2486353, *6 (N.D. Cal. June 16, 2010) (internal quotation marks omitted).
Defendant argues that Plaintiffs have failed to allege conduct that equates to a violation of another law. (Doc. No. 31 at 27.) Plaintiffs argue that they have alleged that Solara has unlawfully violated "the CMIA, the California Consumer Records Act, and several state laws." (Doc. No. 32.) The Court agrees. Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. As a result, the Court denies Defendant's motion to dismiss Plaintiffs' unlawful UCL claim at this time.
iv. Unfair
The "unfair" prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143, 131 Cal.Rptr.2d 29, 63 P.3d 937 (2003). "The UCL does not define the term ‘unfair’ ... [and] the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among California courts." Id.
The balancing approach requires the Court to "weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim." Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Plaintiffs "may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by Defendants or by demonstrating that Defendants' conduct violated an established public policy." In re Anthem, 162 F. Supp. 3d 953, 990 (N.D.Cal. 2016). In opposition, Defendant argues that Plaintiffs' claims are insufficient. (Doc. No. 31 at 19-20.)
At this stage of the proceeding, Plaintiffs' complaint sufficiently alleges that Defendant's conduct was unfair. Here, Plaintiffs allege that Solara advertised "adequate data privacy and security practices and procedures" when such practices were deficient. (Doc. No. 24 ¶241.) Plaintiffs allege that a variety of personal information was exposed in the breach including: names, addresses, dates of birth, Social Security numbers, Employee Identification Numbers, confidential medical information, health insurance information, Medicare and Medicaid IDs, as well as financial information for thousands of individuals. (Id. ¶2). They further allege that Solara promised to protect their privacy and understood the importance of protecting health information. Plaintiffs additionally allege that Solara's action were plausibly conscious and deliberate since they contravened Solara's own policies and violated various laws and regulations including HIPPA requirements." (Doc. No. 32 at 11.). Plaintiffs also allege that Solara should have known about its weakness toward email related threats and failed to take action to prevent the Breach.
Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. Under Anthem, Plaintiffs have sufficiently alleged that Defendant's conduct has violated public policy. 162 F. Supp. 3d at 990. Accordingly, the Court declines to dismiss the unfair prong of Plaintiffs' UCL claim at this time.
10. Connecticut Unfair Trade Practices Claim
Defendant moves to dismiss Plaintiff Bickford's Connecticut Unfair Trade Practices Act ("CUTPA"). The CUTPA provides: "No person shall engage in unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce." Conn. Gen. St. § 42–110b(a). "Any person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment of a method, act or practice prohibited by section 42–110b, may bring an action" to recover actual damages, punitive damages, and equitable relief. Conn. Gen. St. 42–110g(a).
Defendant argues that Plaintiff Bickford lacks standing and fails to allege a violation of the CUTPA. Plaintiff Bickford argues that his "benefit of the bargain" losses are sufficient to satisfy standing and that he has adequately alleged a violation of the CUTPA.
The Supreme Court of Connecticut held that "[w]henever a consumer has received something other than what he bargained for, he has suffered a loss of money or property." Hinchliffe v. American Motors Corp., 440 A.2d 810, 814 (Ct. 1981). Plaintiff Bickford alleges that he has suffered an injury based on "the difference in value between what Plaintiff Bickford should have received from Defendant when Defendant represented Plaintiff Bickford's Personal and Medical Information would be protected by reasonable data security and Defendant's defective and deficient performance of that obligation ...." (Doc. No. 24 ¶114.) These allegations are sufficient to satisfy CUPTA's standing requirement.
Next, Defendant argues that Plaintiff Bickford failed to plead a violation of the CUPTA. The elements are "substantially the same as those alleged under the California UCL claim." (Doc. No. 31 at 21.) Plaintiff Bickford argues that he has plausibly alleged that "Solara's inadequate security measures violated various statutes and the well-established public policy of protecting people's personal information ...." (Doc. No. 32.) The Court agrees.
The CUTPA is to be construed in accord with interpretations by the Federal Trade Commission and by the federal courts of the Federal Trade Commission Act. Conn. Gen. St. § 42–110b(b). The FTC weights the following factors in determining whether a practice is unfair:
1) Whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise-whether, in other words, it is within at least the penumbra of some common law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; (3) whether it causes substantial injury to consumers ....
Cheshire Mortgage Serv. Inc. v. Montes, 223 Conn. 80, 612 A.2d 1130, 1143 (1992). Here, Plaintiff Bickford alleges that "Defendant engaged in unlawful, unfair, and deceptive acts and practices with respect to the sale of medical supplies by failing to disclose the Data Breach to the alternative Connecticut Class in a timely and accurate manner" and by "failing to take proper action following the Data Breach to enact adequate privacy and security measures and protect the alternative Connecticut Class' Personal and Medical Information from further unauthorized disclosure, release, data breach, and theft." (Doc. No. 24 ¶293.)
In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust, 768 F.3d 938, 945 (9th Cir. 2014). Defendant's arguments are better suited for a motion for summary judgment when the record is more fully developed. As a result, the Court denies Defendant's motion to dismiss Plaintiff Bickford's CUPTA claim.
11. Michigan Consumer Protection Act Claim
Defendant moves to dismiss Plaintiff Wardrop's Michigan Consumer Protection Act ("MCPA") claim. (Doc. No. 32 at 26). The MCPA prohibits "[u]nfair, unconscionable, or deceptive methods, acts, or practices in the conduct of trade or commerce [.]" Mich. Comp. Laws Ann. § 445.903(1). A plaintiff can pursue a claim under the MCPA based on fraud, deception, or breach of express or implied warranties. See Parsley v. Monaco Coach Corp., 327 F.Supp.2d 797, 807 (W.D. Mich. 2004).
Defendant argues that Plaintiff Wardrop lacks standing and fails to allege a violation of the MCPA. (Doc. No. 31 at 23.) Plaintiff Wardrop argues that his "benefit of the bargain" and non-economic losses are sufficient to satisfy standing. (Doc. No. 32 at 26-27.) Plaintiff is correct.
Courts in Michigan have interpreted the MCPA to allow for damages for a "frustration of the plaintiff's expectation" as well as other non-economic harms. Mayhall v. A.H. Pond Co., 129 Mich.App. 178, 341 N.W.2d 268, 271-72 (1983) ; Avery v. Indus. Mortg. Co., 135 F. Supp. 2d 840, 845 (W.D. Mich. 2001). Plaintiff Wardrop alleges that he has suffered damages in the form of the "the difference in value between what Plaintiff Wardrop should have received from Defendant when Defendant represented Plaintiff Wardrop's Personal and Medical Information would be protected by reasonable data security and Defendant's defective and deficient performance of that obligation." (Doc. No. 24 ¶138.) Plaintiff Wardrop also alleges anxiety as a result of the breach. (Doc. No. 24 ¶136.) These allegations are sufficient to satisfy the standing requirement of the MCPA.
Next, Solara argues that Plaintiff Wardrop has not "pled fraudulent conduct" and therefore "has not pled a violation of the MCPA based on fraudulent representation with the particularity required under Rule 9(b)." (Doc. No. 31 at 24.) Defendant also maintains that Plaintiff's allegations are "substantially the same as his allegations for fraudulent conduct under the California UCL." (Id. at 24.) The Court has granted the motion to dismiss the fraudulent misrepresentation claim under the UCL to the extent it is premised on statements in Solara's Privacy Policy and the Terms of Service but denied the remainder of Defendant's motion.
Plaintiff Wardrop alleges fraudulent acts consisting of misrepresentation and concealment but he fails to allege the fraudulent misrepresentation with the particularity required by Rule 9(b). Plaintiff Wardrop fails to adequately plead misrepresentation to the extent it is premised on statements in Solara's Privacy Policy and the Terms of Service. Plaintiff Wardrop has not alleged that he has been exposed to the statements in either document. As a result, the Court grants Defendant's motion to dismiss Plaintiff Wardrop's MCPA claim for failure to plead the fraudulent misrepresentation claim with particularity under Rule 9(b).
Where a motion to dismiss is granted, "leave to amend should be granted ‘unless the court determines that the allegation of other facts consistent with the challenged pleading could not possibly cure the deficiency.’ " DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393, 1401 (9th Cir. 1986) ). In other words, where leave to amend would be futile, the Court may deny leave to amend. See DeSoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent misrepresentation claim from an amended complaint.
12. Michigan Identify Theft Protection Act Claim
Next, Defendant moves to dismiss Plaintiff Wardrop's claim under the Michigan Identify Theft Protection Act ("ITPA"). (Doc. No. 31 at 28.) The ITPA requires businesses to provide notice of a security breach, "without unreasonable delay" to a Michigan resident if that resident's unencrypted and unredacted "personal information" was accessed by an unauthorized person. Mich. Comp. Laws § 445.72(1). "Personal information" is defined as a person's "first name or first initial and last name" linked to one or more data elements including a "credit or debit card number, in combination with any required security code, access code, or password that would permit access to any of the resident's financial accounts." Id. at § 445.63(r). The ITPA notice provision applies when the business discovers a security breach or receives notice of a security breach, unless the breach is not likely to cause harm. Id. at § 445.7
Defendant argues that Plaintiff Wardrop's claim must be dismissed because the statute only allows recovery of a fine through state prosecution. (Doc. No. 31 at 28.) Michigan law provides for a civil fine for a violation of the data-breach notice statute, and that the "attorney general or a prosecuting attorney may bring an action to recover" that fine. Mich. Comp. Laws § 445.72(13). However, the statute also provides that the quoted subsection 13 does "not affect the availability of any civil remedy for a violation of state or federal law." Id. § 445.72(15). Courts have found that consumers may bring a civil action to enforce Michigan's data-breach notice statute through Michigan's consumer-protection statute or other laws. In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1169 (D. Minn. 2014).
Next, Defendant argues that Plaintiff Wardrop fails to allege an "unreasonable delay" by Solara in notifying him of the Breach. Plaintiff Wardrop alleges that Solara discovered the data breach on June 28, 2019 but did not notify him of its occurrence until nearly five months later. (Doc. No. 32 at 39.) Plaintiff Wardrop also alleges experiencing "unexplained credit inquires and spam/phishing attempts" as a result of the Breach. (Doc. No. 24 ¶135.) Plaintiff Wardrop further alleges that this delay prevented him from taking steps to protect his personal information from identify theft. (Doc. No. 32 at 23.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). As a result, the Court denies the motion to dismiss Plaintiff Wardrop's ITPA claim.
13. North Carolina Deceptive Trade Practices Act Claim
Defendant also moves to dismiss Plaintiff Harris's claim under the North Carolina Unfair Deceptive Trade Practices Act ("NCUDTPA"). Under the NCUDTPA a plaintiff must demonstrate the following: (1) the defendant committed an unfair or deceptive trade practice; (2) the action in question was in or affecting commerce; and (3) the act proximately caused injury to the plaintiff. Spartan Leasing v. Pollard, 101 N.C.App. 450, 400 S.E.2d 476, 482 (1991). An act is unfair when it is unethical or unscrupulous, and it is deceptive if it tends to deceive. Marshall v. Miller, 302 N.C. 539, 276 S.E.2d 397, 403 (1981).
Defendant argues that the claim must be dismissed because Plaintiff Harris has failed to plead facts showing "actual damages." (Doc. No. 31 at 25.) Plaintiff Harris alleges that he has adequately alleged damages by describing significant distress and anxiety as a result of the Breach. (Doc. No. 24 ¶325.) Plaintiff Harris also alleges that he was "subjected to a barrage of spam calls" and was "prevented from protecting himself sooner." (Id. ) These allegations satisfy the injury requirement of the NCUDTPA. See e.g., Salami v. JPMorgan Chase Bank, N.A., 2019 WL 2526467, at *8 (M.D.N.C. June 19, 2019).
Defendant also argues that the NCUDTPA claim sounds in fraud and must be plead with particularity and therefore the claim fails "for the same reasons ... the California UCL claim" does. (Id. at 26.) The Court has granted the motion to dismiss the fraudulent misrepresentation claim under the UCL to the extent it is premised on statements in Solara's Privacy Policy and the Terms of Service but denied the remainder of Defendant's motion.
Plaintiff Harris alleges fraudulent acts consisting of misrepresentation and concealment but he fails to allege the fraudulent misrepresentation with the particularity required by Rule 9(b). Plaintiff Harris fails to adequately plead misrepresentation to the extent it is premised on statements in Solara's Privacy Policy and the Terms of Service. Plaintiff Harris has not alleged that he has been exposed to the statements in either document. As a result, the Court grants Defendant's motion to dismiss Plaintiff Harris's NCUDTPA claim for failure to plead the fraudulent misrepresentation claim with particularity under Rule 9(b).
Where a motion to dismiss is granted, "leave to amend should be granted ‘unless the court determines that the allegation of other facts consistent with the challenged pleading could not possibly cure the deficiency.’ " DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393, 1401 (9th Cir. 1986) ). In other words, where leave to amend would be futile, the Court may deny leave to amend. See DeSoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent misrepresentation claim from an amended complaint.
14. Pennsylvania Unfair Trade Practices Act Claims
Defendant moves to dismiss Plaintiff Maldonado's and Keally's claims for violating the Pennsylvania Unfair Trade Practices and Consumer Protection Law ("UTPCPL"). (Doc. No. 31 at 26.) To prevail on a claim under the catch-all provision of Pennsylvania's Uniform Trade Practices and Consumer Protection Law, a plaintiff need not establish common law fraud; he need only show (1) a deceptive act likely to deceive a reasonable consumer, (2) justifiable reliance on that act, and (3) a resulting ascertainable loss. Malibu Media, LLC v. Doe, 238 F.Supp.3d 638, 647 (M.D. Pa. 2017).
Pennsylvania courts have found that the lost benefit of the bargain can satisfy the "ascertainable loss" element of a UTPCPL claim. See e.g., Dibish v. Ameriprise Fin., Inc., 134 A.3d 1079, 1089 (Pa. Super. Ct. 2016). Plaintiff Maldonado and Plaintiff Keally each allege an ascertainable loss in the diminution in value of their personal information and the loss of the benefit of their bargain. (Doc. No. 24 ¶105, 142.) Accordingly, the Court declines at this time to dismiss the UTPCPL claims.
15. Declaratory or Injunctive Relief
Defendant moves to dismiss Plaintiffs' request for declaratory or injunctive relief. (Doc. No. 31 at 29-30.) Defendant argues that a claim for declaratory relief cannot survive independently of other claims. In this order, the Court grants in part and denies in part the Defendant's motion to dismiss. As a result, Plaintiffs' claim for declaratory relief stands.
Defendant also moves to dismiss Plaintiffs' claim for injunctive relief. The Court notes that a request for injunctive relief is more properly classified as a prayer for relief and not a separate cause of action. In an amended complaint, any request for injunctive relief should be in a prayer for relief and not a separate cause of action.
CONCLUSION
For the foregoing reasons, the Court GRANTS in part and DENIES in part Defendant's Motion to Dismiss. (Doc. No. 31.) The Court GRANTS Plaintiffs thirty days to file an amended complaint, to cure the deficiencies outlined above if they can do so.