Plaintiffs Kimberly Heines, Hashmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, Rajesh Garg, Scarleth Robles, Maria Corso, Jose Abitbol, Yaniv Rivlin, Mali Granot, and Brian Neff (collectively, "Plaintiffs") bring a putative class action against Defendant Yahoo! Inc. ("Yahoo"). Plaintiff Brian Neff also brings a putative class action against Defendant Aabaco Small Business, LLC ("Aabaco") (collectively with Yahoo, "Defendants").

Before the Court is Defendants' motion to dismiss Plaintiffs' Consolidated Class Action Complaint ("CCAC"). ECF No. 94 ("Mot."). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the motion to dismiss.

I. BACKGROUND

A. Factual Background

Defendant Yahoo was founded in 1994 and has since grown into a source for internet searches, email, shopping, news and many other internet services. CCAC ¶ 24. One of Yahoo's most important services is Yahoo Mail, a free email service. Id. ¶ 25. Plaintiffs allege that "[m]any users have built their digital identities around Yahoo Mail, using the service for everything from their bank and stock trading accounts to photo albums and even medical information." Id.

Yahoo also offers online services for small business, including website hosting and email services (hereinafter, "Small Business Services"). Id. ¶ 29. Users must pay for Small Business Services, and users are required to provide credit or debit card information for automatic monthly payments for Small Business Services. Id. Prior to November 2015, Yahoo provided these services through a division called Yahoo Small Business. Id. "Since November 2015, Yahoo has provided its small business services through its wholly owned subsidiary Aabaco." Id.

Plaintiffs allege that in order to obtain email services and Small Business Services from Defendants, users are required to provide personal identification information ("PII") to Defendant. This PII includes the user's name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. CCAC ¶¶ 1, 32. For some Yahoo accounts, including the small business accounts, users are required to submit additional PII, including credit or debit card numbers and other financial information. Id ¶ 32.

The CCAC also mentions other Yahoo services, including Yahoo Fantasy Wallet and Yahoo Messenger. See CCAC ¶¶ 24-28. However, the CCAC does not allege that any named Plaintiff used these services, and accordingly the Court does not discuss these services.

In addition to the PII that Plaintiffs submitted directly to Defendants, Plaintiffs also allege that users used their Yahoo email accounts to send and receive a variety of personal information. Each named Plaintiff alleges that he or she included sensitive PII in the content of his or her Yahoo emails. The individual allegations of the named Plaintiffs, including allegations regarding the personal information that these named Plaintiffs included in their Yahoo email accounts, are discussed further below.

1. Earlier 2012 Data Breach Putting Yahoo on Notice of Data Security Issues

Plaintiffs allege that Defendants have a long history of data security failures that should have put Defendants on notice of the need to enhance their data security. For example, although the Federal Trade Commission found as early as 2003 that "SQL injection attacks" were a known and preventable data security threat, "[i]n 2012, Yahoo admitted that more than 450,000 user accounts were compromised through an SQL injection attack—with the passwords simply stored in plain text." Id. ¶ 47-48. Plaintiffs allege that according to news stories at the time, "[s]ecurity experts were befuddled ... as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, [the passwords] were left in plain text, which means a hacker could easily read them." Id.

According to Plaintiffs, the 2012 hackers intended the 2012 attack as a wake-up call, and the hackers left a message stating "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat . . . There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly." Id ¶ 49. However, despite this warning, Plaintiffs allege that "Yahoo's internal culture actively discouraged emphasis on data security." Id. ¶ 50. Plaintiffs allege that "former Yahoo security staffers interviewed later told Reuters that requests made by Yahoo's security team for new tools and features such as strengthened cryptography protections were, at times, rejected on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority." Id. ¶ 50.

2. Three Data Breaches at Issue in the Instant Case

The instant lawsuit involves three data breaches that occurred between 2013 and 2016. According to Plaintiffs, Defendants represented to users that users' accounts with Defendants were secure. For example, Yahoo's website stated that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust" and that "[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you." Id. ¶ 34. Similarly, Aabaco's website stated that "[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect your Personal Information." Id. ¶ 35. Nonetheless, despite these representations, Plaintiffs allege that Defendants did not use appropriate safeguards to protect users' PII and that Plaintiffs' PII was thus exposed to hackers who infiltrated Defendants' systems. Specifically, Plaintiffs allege three separate data breaches: a breach that occurred in 2013, a breach that occurred in 2014, and a "forged cookie breach" that occurred in 2015 and 2016. The Court refers to these breaches collectively as the "Data Breaches." The Court discusses each below.

a. The 2013 Breach

The first breach occurred in August 2013 ("2013 Breach"). Id. ¶ 56. At that time, hackers gained access to more than one billion Yahoo accounts and stole users' Yahoo login, country code, recovery e-mail, date of birth, hashed passwords, cell phone numbers, and zip codes. Id. Plaintiffs allege that this 2013 Breach was particularly egregious "given the fact that 1 billion accounts were compromised, when there are only 3 billion people with Internet access in the world." Id. ¶ 59 (internal quotation marks and brackets omitted).

Significantly, the 2013 Breach also gave hackers access to the contents of users' emails, and thus exposed any PII or other sensitive information that users included in the contents of their emails. Id. Plaintiffs allege that users used their Yahoo emails for a variety of personal and financial transactions, and thus that Yahoo email accounts contained "records involving credit cards, retail accounts, banking, account passwords, IRS documents, and social security numbers from transactions conducted by email, in addition to other confidential and sensitive information contained therein." Id. ¶ 1.

Yahoo did not disclose the fact of the 2013 Breach until December 14, 2016, over three years after the 2013 Breach occurred in August 2013. Id. ¶ 78. Plaintiffs allege that the 2013 Breach occurred because Yahoo did not timely move away from an outdated encryption technology known as MD5. Id. ¶ 53. According to Plaintiffs, it was widely recognized in the data security industry long before the 2013 Breach that MD5 was "cryptographically broken and unsuitable for further use." Id. ¶ 55. Nevertheless, Yahoo did not begin to upgrade from MD5 until the summer of 2013. Id. ¶¶ 54-55. Plaintiffs allege, however, that Yahoo's move from MD5 in the summer of 2013 was too late to prevent the 2013 Breach. Id. ¶¶ 54-55.

b. The 2014 Breach

The second breach occurred in late 2014 ("2014 Breach"). Plaintiffs allege that "the 2014 breach began with a 'spear phishing' email campaign sent to upper-level Yahoo employees. One or more of these employees fell for the bait, and Yahoo's data security was so lax, that this action was enough to hand over the proverbial keys to the kingdom." Id. ¶ 91. Through this attack, hackers gained access to at least 500 million Yahoo user accounts. Id. ¶ 62. Many of the accounts breached in the 2014 Breach were accounts that had previously been breached in the 2013 Breach. Id. ¶ 63. In its motion to dismiss, Yahoo states that it received evidence from law enforcement that the criminal intruders responsible for the 2013 Breach were unrelated to the perpetrators of the 2014 Breach. See Mot. at 19.

For citations to the parties' briefs for the instant motion, the Court cites to the page numbers electronically generated at the top of each page by the Court's ECF docket management system.

According to Plaintiffs, in August 2016, hackers posted for sale on the dark web the personal information of 200,000,000 Yahoo users. Id. ¶ 70. Plaintiffs also allege that "a geographically dispersed hacking group based in Eastern Europe managed to sell copies of the database to three buyers for $300,000 apiece months before Yahoo disclosed the 2014 Breach." Id. ¶ 71.

Plaintiffs allege that Yahoo knew about the 2014 Breach as it was happening, but that Yahoo did not publicly disclose the existence of the 2014 Breach until September 22, 2016, approximately two years later. Plaintiffs allege that Yahoo's announcement of the 2014 Breach "came just two months after Yahoo announced Verizon's plan to acquire its operating assets, and just weeks after Yahoo reported to the SEC that it knew of no incidents of unauthorized access of personal data that might adversely affect the potential acquisition." Id. ¶ 73. Significantly, Plaintiffs allege that Yahoo delayed notifying users or the public about the 2014 Breach while "Yahoo solicited offers to buy the company. Reportedly, Yahoo wanted the offers in by April 19, 2016," and thus waited to disclose the breach until September 2016. Id. ¶ 69.

Plaintiffs also allege that "[b]y intentionally failing to disclose the breach in a timely manner as required by law, Yahoo misled consumers into continuing to sign up for Yahoo services and products, thus providing Yahoo a continuing income stream and a better chance of finalizing a sale of the company to Verizon." Id. In the September 22, 2016 announcement of the 2014 Breach, Yahoo stated that the affected "account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers." Id. ¶ 73.

Plaintiffs allege that Yahoo's claim that it had not known about the 2014 Breach for two years was "met with immediate skepticism." Id. ¶ 74. Indeed, in a recent 10-K filing with the SEC, Yahoo revealed that an independent investigation determined that Yahoo had contemporaneous knowledge of the 2014 Breach, yet failed to properly investigate and analyze the breach, due in part to "failures in communication, management, inquiry and internal reporting" that led to a "lack of proper comprehension and handling" of the 2014 Breach. Id. ¶ 4.

c. The Forged Cookie Breach

The third data breach occurred in 2015 and 2016 ("Forged Cookie Breach"). According to the CCAC, the attackers in the Forged Cookie Breach used forged cookies to access Yahoo users' accounts. "Cookies" are files that Yahoo places on users' computers to store login information so that users do not need to reenter login information every time the users access their accounts. Id. ¶ 67. By forging these cookies, hackers were able to access Yahoo accounts without needing a password to the accounts. Id. ¶ 68. Moreover, by forging cookies, hackers were able to remain logged on to accounts for long periods of time. Id. ¶ 68.

According to Plaintiffs, the attackers in the Forged Cookie Breach are "presumed to be the same parties involved in the 2014 Breach." Id. Specifically, Plaintiffs allege that "the 2014 Breach and Forged Cookie Breach have since been attributed to two Russian FSB agents, a Russian hacker, and a Canadian hacker." Id. ¶ 90. Plaintiffs allege that in a recent 10-K filing with the SEC, Yahoo disclosed that an independent committee of Yahoo's Board of Directors had determined that Yahoo's information security team knew, at a minimum, about the Forged Cookie Breach as it was happening, "but took no real action in the face of that knowledge." Id. ¶ 86. Instead, Plaintiffs allege, Yahoo "quietly divulged" the existence of the Forged Cookie Breach in Yahoo's 10-Q filing with the SEC filed on November 9, 2016 and did not begin notifying users about the Forged Cookie Breach until February 2017. Id. ¶ 80-81.

3. Allegations of Individual Named Plaintiffs

The CCAC is brought by eleven named Plaintiffs on behalf of four putative classes. The Court briefly discusses the allegations of these individual named Plaintiffs below.

a. Named Plaintiffs Representing the United States Class

Plaintiffs Kimberley Heines, Hasmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, and Rajesh Garg ("United States Plaintiffs") assert claims on behalf of the putative United States Class, which consists of all Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. CCAC ¶¶ 10-14, 105.

Plaintiff Kimberley Heines ("Heines"), a resident of California, alleges that she used her Yahoo email account in conjunction with Direct Express, which is the service through which Heines receives her Social Security, and thus her Yahoo email account "included information relating to her account with Direct Express." Id. ¶ 10. In 2015, Heines discovered that her monthly Social Security benefits had been stolen from her Direct Express account and used to purchase gift cards. Id. As a result, Heines fell behind on her bills, and she paid late fees as a result. Id. After the theft, Heines began receiving debt collection calls for debts she herself had not incurred, and she saw unfamiliar debts appearing on her credit report, which harmed her credit score. Id. Heines alleges that she has spent over 40 hours dealing with the consequences of the identity theft. Id.

Plaintiff Hasmatullah Essar ("Essar"), a resident of Colorado, used two free Yahoo email accounts. Id. ¶ 11. Essar used these accounts "for all of his personal, financial, and business needs" including receiving bank statements, applying for jobs, and securing a mortgage. Id. Essar began receiving "phishing emails from a credit card company purporting to be affiliated with American Express, asking him to follow a link to log-in to his 'Serve' account," which Essar did not own. Id. After Essar was notified of the 2014 Breach, Essar signed up for and has paid $35.98 per month for LifeLock credit monitoring service. Id. In February 2017, "an unauthorized person fraudulently filed a tax return under his Social Security Number," and in March 2017 he was denied credit and had freezes placed on his credit. Id.

Plaintiff Paul Dugas ("Dugas"), a resident of California, used four Yahoo email accounts "for his banking, investment accounts, business emails, and personal emails." Id. ¶ 12. In April of 2016, Dugas was unable to file his personal tax returns because a tax return had already been filed under his Social Security Number. Id. As a result, "both of his college-aged daughters missed deadlines to submit" their financial aid applications, and accordingly Dugas was forced to pay $9,000 in educational expenses that he otherwise would not have had to pay. Id. Moreover, Dugas has also experienced numerous fraudulent charges on his credit cards, he has had to replace his credit cards, and he has had to pay money to three different credit bureaus to freeze his accounts. Id.

Plaintiffs Matthew Ridolfo and Deana Ridolfo, a married couple, are residents of New Jersey. Id. ¶ 13. They both "used their Yahoo accounts for nearly twenty years, for general banking, credit card management and communications, a mortgage refinance, and communication with friends and family." Id. Both Matthew and Deana Ridolfo experienced numerous instances of credit card fraud as a result of the Data Breaches. Id. Specifically, eleven credit card or bank accounts were opened or attempted to be opened in Matthew Ridolfo's name, and at least eleven credit card accounts were opened or attempted to be opened in Deana Ridolfo's name. Id. The Ridolfos experienced fraudulent charges on their credit cards. Id. The Ridolfos eventually purchased and enrolled in LifeLock to help monitor their credit and finances, and they each pay $30.00 per month for these services. Id. Nonetheless, as late as January 31, 2017, an unauthorized person opened an additional credit card in Matthew Ridolfo's name. Id.

Plaintiff Rajesh Garg ("Garg"), a citizen of Illinois, "used his Yahoo account for banking, investment accounts, business emails, banking, credit card, healthcare, social security, and for friends and family." Id. ¶ 14. Garg suffered significant embarrassment when unauthorized and inappropriate emails were sent on his behalf to his business and personal contacts. Id.

b. Named Plaintiffs Representing the Israel Class

Plaintiffs Yaniv Rivlin and Mali Granot ("Israel Plaintiffs") assert claims on behalf of the putative Israel Class, which consists of all Yahoo account holders in Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 15-16. 105.

Plaintiff Yaniv Rivlin ("Rivlin"), a resident of Tel Aviv, Israel, used his Yahoo email account "mainly for personal purposes, including banking, friends and family, credit card statements, and social security administration." Id. ¶ 15. Rivlin also pays Yahoo $20.00 per month for an email forwarding service and keeps a credit card on file with Yahoo to pay for the service. Id. After being notified that his account had been breached, Rivlin has noticed an increase in spam and unsolicited advertisements, and Rivlin has spent considerable time changing many user names and passwords on many accounts to prevent fraud. Id.

Plaintiff Mali Granot ("Granot"), a resident of Raanana, Israel, uses her Yahoo email account "to correspond with family, friends and school." Id. ¶ 16. Granot was unexpectedly locked out of her account and, when she regained access, Granot received numerous unsolicited chat requests and other unsolicited services. Id.

c. Named Plaintiffs Representing Australia, Venezuela, and Spain Class

Plaintiffs Scarleth Robles, Mara Corso, and Jose Abitbol ("Australia, Venezuela, and Spain Plaintiffs") assert claims on behalf of the putative Australia, Venezuela, and Spain Class, which consists of all Yahoo account holders in Australia, Venezuela, or Spain whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 17-19, 105.

Plaintiff Scarleth Robles ("Robles"), a resident of Venezuela, uses her Yahoo account to "advise[] entrepreneurs on business ventures and ideas and requests that potential clients send their entrepreneurial and business proposals to her Yahoo email address." Id. ¶ 17. Around September 2016, Robles noticed that business proposals disappeared from her email account and unidentified persons "stole business ideas from her email account." Id. As a result, Robles alleges that she lost "approximately ten clients" from her business. Id.

Plaintiff Maria Corso ("Corso"), a resident of Clearview, South Australia, used her Yahoo email account to "send sensitive information, including financial documents, her tax security number, work history, and medical information." Id. ¶ 18. Corso was locked out of her account without warning, and after contacting Yahoo customer service, Corso was told that "Russian hackers tried over 60 times to gain access to her Yahoo email account." Id. Corso also purchased security protection and continues to pay an annual fee of $150 for that service. Id.

Plaintiff Jose Abitbol ("Abitbol") is a resident of New York but a citizen of Spain. Id. ¶ 19. Abitbol alleges that his "Yahoo email account contains sensitive and confidential information, including information about his bank accounts, business, investment accounts, credit cards, personal matters, and social security number." Id. After obtaining Abitbol's "bank account number through his Yahoo email account," an unknown person made at least two fraudulent wire transfer requests for a total of $50,000. Id.

d. Named Plaintiff Representing the Small Business Users Class

Plaintiff Brian Neff ("Small Business Users Plaintiff" or "Neff") asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 20, 105. Plaintiff Neff, a resident of Texas, "contracted with Yahoo for two services, Yahoo! Web Hosting for www.TheInsuranceSuite.com and Yahoo! Business Email, for which he has paid Yahoo $13.94 every month . . . ." Id. ¶ 20. Neff has also used Yahoo and Aabaco's web hosting services "in connection with another 54 websites, paying anywhere from $3.94 to $15.94 per month for each website." Id. In May 2015, Neff incurred fraudulent charges on two of his credit cards, both of which were on file with Yahoo to pay for the services described above. Id. Additionally, a credit card was fraudulently opened in Neff's name. Neff has spent "significant time and incurred expenses mitigating the harm to him from these security breaches and identity theft." Id. Neff also "intends to migrate his insurance agency website, www.TheInsuranceSuite.com, to a more secure provider," which Neff alleges will require significant expenses. Id.

B. Procedural History

After the 2014 Breach was announced on September 22, 2016, a number of lawsuits were filed against Defendants. These lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, that Yahoo failed to disclose its inadequate data security practices, and that Yahoo failed to timely notify users of the data breach.

In late 2016, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) ("When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings."). On December 7, 2016, the Judicial Panel on Multidistrict Litigation ("JPML") issued a transfer order selecting the undersigned judge as the transferee court for "coordinated or consolidated pretrial proceedings" in the multidistrict litigation ("MDL") arising out of the 2014 Breach. See ECF No. 1 at 1-3.

On December 14, 2016, one week after the JPML issued the transfer order for cases arising from the 2014 Breach, Yahoo announced the existence of the 2013 Breach. Plaintiffs in several lawsuits that had been filed regarding the 2014 Data Breach then amended their complaints to include claims regarding the 2013 Breach. Additionally, more lawsuits were filed in the Northern District of California regarding the 2013 Breach and the 2014 Breach. Again, these lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, that Yahoo failed to disclose its inadequate data security practices, and that Yahoo failed to timely notify users of the data breach.

This Court found that claims regarding the 2013 Breach were related under Civil Local Rule 3-12 to claims regarding the 2014 Breach, and therefore all lawsuits in the Northern District of California regarding the 2014 Breach were reassigned to the undersigned judge. ECF Nos. 7, 9, 30, 40, 64. Additionally, the JPML issued a conditional transfer order transferring one case regarding the 2013 Breach, Baker v. Yahoo, 17-CV-00135, to the undersigned judge. ECF No. 33.

On February 9, 2017, the Court held a hearing to appoint Lead Plaintiffs' Counsel. ECF No. 56. Following this hearing, the Court issued an order appointing a Plaintiffs' Executive Committee. ECF No. 58. At a case management conference on March 2, 2017, the Court ordered the Plaintiffs' Executive Committee to file a consolidated amended complaint by April 12, 2017. ECF No. 68. Plaintiffs then filed the instant Consolidated Class Action Complaint ("CCAC") on April 12, 2017. ECF No. 80. The CCAC asserts one federal statutory claim, five California statutory claims, and seven California common law claims. Id. At a further case management conference on May 4, 2017, the Court determined that because there is a "limited number of claims . . . , many of those claims contain overlapping elements, and the case involves only two defendants, one of which is a subsidiary of the other," the first motion to dismiss should "proceed without phasing." ECF No. 89.

On May 22, 2017, Defendants filed the instant motion to dismiss. ECF No. 94 ("Mot."). The same day, Defendants filed a request for judicial notice in connection with their motion to dismiss. ECF No. 95. On June 30, 2017, Plaintiffs filed an opposition to Defendants' motion to dismiss, ECF No. 117 ("Opp."), and a response to Defendants' request for judicial notice, ECF No. 118. On August 1, 2017, Defendants filed a reply in support of their motion to dismiss, ECF No. 121 ("Reply"), and a reply in support of their request for judicial notice, ECF No. 122. On August 10, 2017, Defendants filed a notice of errata to their reply in support of the motion to dismiss. ECF No. 124. On August 15, 2017, Plaintiffs filed an administrative motion for leave to file a sur-reply, ECF No. 126, and a statement of recent decision pursuant to Civil Local Rule 7-3(d)(2), ECF No. 127.

II. LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(6)

Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Ashcroft v. Iqbal, 566 U.S. 662, 678 (2009) (internal citation omitted).

For purposes of ruling on a Rule 12(b)(6) motion, the Court "accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party." Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). However, a court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States, 234 F.3d 428, 435 (9th Cir. 2000), and a "court may look beyond the plaintiff's complaint to matters of public record" without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn, 56 F.3d 1028, 1029 n.1 (9th Cir. 2011). Mere "conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss." Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004).

B. Leave to Amend

If the court concludes that a motion to dismiss should be granted, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend "shall be freely given when justice so requires," bearing in mind "the underlying purpose of Rule 15 . . . [is] to facilitate decision on the merits, rather than on the pleadings or technicalities." Lopez, 203 F.3d at 1127 (citation omitted). Nonetheless, a district court may deny leave to amend a complaint due to "undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment." See Leadsinger, Inc. v. BMG Music Publ'g, 512 F.3d 522, 532 (9th Cir. 2008) (alteration in original).

III. REQUEST FOR JUDICIAL NOTICE

The Court first addresses Defendants' request for judicial notice. ECF No. 94. The Court may take judicial notice of matters that are either "generally known within the trial court's territorial jurisdiction" or "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). Public records, including judgments and other publicly filed documents, are proper subjects of judicial notice. See, e.g., United States v. Black, 482 F.3d 1035, 1041 (9th Cir. 2007) ("[Courts] may take notice of proceedings in other courts, both within and without the federal judicial system, if those proceedings have a direct relation to matters at issue."); Rothman v. Gregor, 220 F.3d 81, 92 (2d Cir. 2000) (taking judicial notice of a filed complaint as a public record).

However, to the extent any facts in documents subject to judicial notice are subject to reasonable dispute, the Court will not take judicial notice of those facts. See Lee v. City of L.A., 250 F.3d 668, 689 (9th Cir. 2001) ("A court may take judicial notice of matters of public record . . . But a court may not take judicial notice of a fact that is subject to reasonable dispute.") (internal quotation marks omitted), overruled on other grounds by Galbraith v. Cty. of Santa Clara, 307 F.3d 1119 (9th Cir. 2002).

Defendants request judicial notice of the following documents: Ex. A: "Security at Yahoo" subpage within Yahoo's "Privacy Center," https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm; last accessed: May 18, 2017; Ex. B: Australia Universal Terms of Service, "Yahoo7 Terms of Service," https://policies.yahoo.com/au/en/yahoo/terms/utos/index.htm; last accessed: May 19, 2017; Ex. C: Additional Terms of Service, "Yahoo Communications Terms," https://policies.yahoo.com/xw/en/yahoo/terms/product-atos/comms/index.htm; last accessed: May 19, 2017; Ex. D: Venezuela Universal Terms of Service, "Condiciones del Servicio," https://policies.yahoo.com/e2/es/yahoo/terms/utos/index.htm; last accessed: May 19, 2017; Ex. E: Yahoo Press Release, "An Important Message to Yahoo Users on Security," dated Sept. 22, 2016, https://investor.yahoo.net/releasedetail.cfm?releaseid=990570; last accessed: May 19, 2017; Ex. F: Yahoo Press Release, "Important Security Information for Yahoo Users," dated Dec. 14, 2016, https://investor.yahoo.net/ReleaseDetail.cfm?releaseid=1004285; last accessed: May 18, 2017; Ex. G: Yahoo! Inc., Annual Report (Form 10-K) (Mar. 1, 2017); Ex. H: Yahoo! Inc., Quarterly Report (Form 10-Q) (May 9, 2017); Ex. I: Internal Revenue Service Taxpayer Guide to Identity Theft, dated Apr. 18, 2017, https://www.irs.gov/uac/taxpayer-guide-to-identity-theft; last accessed: May 18, 2017; Ex. J: Department of Justice Press Release, "U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts," dated Mar. 15, 2017, https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-theircriminal-conspirators-hacking-yahoo-and-millions; last accessed: May 18, 2017; Ex. K: Remarks of Acting Assistant Attorney General for National Security Mary B. McCord, "Acting Assistant Attorney General Mary B. McCord Delivers Remarks at Press Conference Announcing Charges Against Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo," dated Mar. 15, 2017, https://www.justice.gov/opa/speech/acting-assistant-attorney-general-mary-b-mccorddelivers-remarks-press-conference; last accessed: May 18, 2017; Ex. L: Second Amended Class Action Complaint, Dugas v. Starwood Hotels & Resorts Worldwide, Inc., S.D. Cal. Case No. 3:16-CV-00014, Dkt. No. 31; Ex. M: Legislative Counsel's Digest for Senate Bill 46; Ex. N: California Assembly, Committee on Judiciary, Analysis of Senate Bill 46; Ex. O: Privacy Rights Clearinghouse Letter to Senator Corbett in Support of Senate Bill 46, dated Apr. 16, 2013; Ex. P: California Assembly, Committee on Appropriations, Analysis of Senate Bill 46; Ex. Q: California Assembly, Judiciary Committee, Mandatory Information Worksheet for Senate Bill 46.

These documents fall into five categories: (1) Documents referenced in the complaint (Exhibits A-G); (2) Securities and Exchange Commission Filings (Exhibits G-H); (3) Information on government websites (Exhibits I-K); (4) Court filings (Exhibit L); and (5) Legislative history documents (Exhibits M-Q).

In Plaintiffs' response to Defendants' request for judicial notice, Plaintiffs state that they do not object to judicial notice of Exhibits A through G (documents referenced in the complaint), or Exhibits L through Q (court filings and legislative history documents). ECF No. 118 at 2-4. The Court agrees that these documents are proper subjects of judicial notice. See United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003) ("Even if a document is not attached to a complaint, it may be incorporated by reference into a complaint if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim."); Reyn's Pasta Bella, LLC v. Visa USA, Inc., 442 F.3d 741, 746 n.6 (9th Cir. 2006) (holding that a court "may take judicial notice of court filings and other matters of public record."); Anderson v. Holder, 673 F.3d 1089, 1094 n.1 (9th Cir. 2012) ("Legislative history is properly a subject of judicial notice."). Therefore, the Court GRANTS Defendants' unopposed request for judicial notice of Exhibits A through G and Exhibits L through Q.

As to Exhibits H through K, Plaintiffs concede that SEC filings (Exhibit H) and information on government websites (Exhibits I-K) are proper subjects of judicial notice. Ex. 118 at 2-3. However, Plaintiffs state that these documents contain disputed facts that are not proper subjects of judicial notice. Particularly, with respect to Exhibits I through K, Plaintiffs state that "[b]y excerpting specific self-serving statements, rather than referencing the documents as a whole, Defendants suggest that the references are being used to prove the truth of the cited 'facts.'" Id. at 3.

However, as discussed above, a court may take judicial notice of a document without taking judicial notice of reasonably disputed facts contained in the document. See Lee, 250 F.3d at 689 ("A court may take judicial notice of matters of public record . . . But a court may not take judicial notice of a fact that is subject to reasonable dispute."). As both parties concede, both SEC filings and documents on government websites are proper subjects of judicial notice. See Michery v. Ford Motor Co., 650 F. App'x 338, 341 n.2 (9th Cir. 2016) (taking judicial notice of the existence of documents on a government website); Dreiling v. Am. Exp. Co., 458 F.3d 942, 946 n.2 (9th Cir. 2006) (holding that "SEC filings" are "subject to judicial notice."). Thus, the Court GRANTS Defendants' request for judicial notice of Exhibits H through K, "not for the truth of the facts recited therein, but for the existence of the opinion, which is not subject to reasonable dispute over its authenticity." Lee, 250 F.3d at 690. Because Plaintiffs dispute facts contained within Exhibits H through K, the Court does not take judicial notice of any facts in these documents. The Court next turns to address the substance of Defendants' motion to dismiss the CCAC.

IV. DISCUSSION

As set forth above, Plaintiffs Kimberley Heines, Hasmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, and Rajesh Garg ("United States Plaintiffs") assert claims on behalf of the putative United States Class, which consists of all Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. CCAC ¶¶ 10-14, 105.

Plaintiff Brian Neff ("Small Business Users Plaintiff) asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶ 20, 105.

The CCAC asserts one federal statutory claim, five California statutory claims, and seven California common law claims on behalf of the four putative classes. Specifically, the CCAC asserts (1) a claim under the California Unfair Competition Law ("UCL") on behalf of the United States Class and the Israel Class; (2) a claim under the California Consumer Legal Remedies Act ("CLRA") on behalf of the United States Class and the Israel Class; (3) a claim under the California Customer Records Act ("CRA") on behalf of the United States Class and the Israel Class; (4) a claim under the federal Stored Communications Act on behalf of the United States Class and the Israel Class; (5) a claim under the California Online Privacy Protection Act on behalf of the United States Class and the Israel Class; (6) a claim for breach of express contract on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (7) a claim for breach of implied contract on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (8) a claim for breach of the implied covenant of good faith and fair dealing on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (9) a claim for fraudulent inducement on behalf of the Small Business Users Class; (10) a claim for negligent misrepresentation on behalf of the Small Business Users Class; (11) a claim under the UCL on behalf of the Small Business Users Class; (12) a claim for negligence on behalf of the Australia, Venezuela, and Spain Class; and (13) a claim for declaratory relief on behalf of all classes. Id. ¶¶ 126-234. All of these claims relate to three data breaches: the 2013 Breach, the 2014 Breach, and the Forged Cookie Breach (collectively, "Data Breaches").

Defendants move to dismiss Plaintiffs' CCAC in its entirety. First, Defendants argue that Plaintiffs have not established that they have Article III standing to assert any of their claims. Next, Defendants raise particular objections to each of Plaintiffs' thirteen causes of action.

The Court first considers Defendants' arguments regarding Article III standing and then considers Defendants' challenges to each of Plaintiffs' causes of action in turn.

A. Article III Standing

Defendants first move to dismiss the CCAC in its entirety because, according to Defendants, Plaintiffs lack Article III standing to sue. Article III standing to sue requires that (1) the plaintiff suffered an injury in fact, i.e., "an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical"; (2) the injury is "'fairly traceable' to the challenged conduct," and (3) the injury is "likely" to be "redressed by a favorable decision." Lujan v. Def. of Wildlife, 504 U.S. 555, 560-61 (1992). "The party invoking federal jurisdiction bears the burden of establishing these elements . . . with the manner and degree of evidence required at the successive stages of litigation." Id. at 561. At the pleading stage, "[g]eneral allegations" of injury may suffice. Id.

Defendants contend that Plaintiffs lack Article III standing because Plaintiffs cannot establish "injury in fact" and because Plaintiffs cannot establish that their injury is "fairly traceable" to the actions of Defendants. See Mot. at 20-25. The Court addresses these arguments in turn.

1. Injury In Fact

Defendants argue that Plaintiffs lack Article III standing because Plaintiffs have not suffered an injury in fact that is concrete and particularized. See Mot. at 21. In a class action, named plaintiffs representing a class "must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent." Warth v. Seldin, 422 U.S. 490, 502 (1975). "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class." O'Shea v. Littleton, 414 U.S. 488, 494 (1974).

According to Defendants, named Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of "unspecified information" and emails. Moreover, Defendants argue that Plaintiffs' other allegations of injury are speculative, and that any monetary injuries suffered by Plaintiffs have been reimbursed. Plaintiffs, by contrast, argue that all Plaintiffs have suffered concrete harms from the Data Breaches, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases. Specifically, Plaintiffs contend that all Plaintiffs have suffered harm in the form of (1) risk of future identity theft; and (2) loss of value of their PII. See Opp. at 15-18. In addition, Plaintiffs contend that several Plaintiffs—although not all Plaintiffs—have experienced additional injuries such as harm from identity theft, consequential out of pocket expenses, and loss of benefit of the bargain. See id.

For the reasons discussed below, the Court agrees with Plaintiffs that Plaintiffs have adequately alleged injury in fact. The Court first discusses the two injuries that all Plaintiffs allege that they have suffered: (1) the risk of future identity theft, and (2) the loss of value of their PII. The Court then briefly addresses the additional harms suffered by some, although not all, Plaintiffs.

a. Risk of Future Identity Theft

Plaintiffs argue that they have all suffered an injury in fact because Plaintiffs all have suffered an increased risk of future identity theft as a result of the Data Breaches. The Court agrees with Plaintiffs. In In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1214-15 (N.D. Cal. 2014), this Court held that plaintiffs whose PII was exposed during a data breach of Adobe's servers had standing to sue Adobe for the data breach, even though the plaintiffs' personal information had not yet been misused by the hackers. In Adobe, the plaintiffs alleged that Adobe's servers were hacked and that the hackers spent "several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates." Id. at 1214. The Adobe plaintiffs alleged that their "personal information was among the information taken during the breach," and that "[s]ome of the stolen data ha[d] already surfaced on the Internet." Id. The Court held that the plaintiffs' allegations were sufficient "to establish Article III injury-in-fact at the pleadings stage" because the plaintiffs adequately alleged an "imminent" threat that their personal information would be misused by the hackers. Id. at 1215.

Several other courts have also found that similar allegations of future harm suffice to establish Article III standing at the motion to dismiss stage. For example, in Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), the Ninth Circuit addressed for the first time "whether an increased risk of identity theft constitutes an injury-in-fact." The Ninth Circuit held that because the plaintiffs "alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data," the plaintiffs "sufficiently alleged an injury-in-fact for purposes of Article III standing." Id. at 1143.

Furthermore, in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015), the Seventh Circuit cited Adobe with approval and held that "[l]ike the Adobe plaintiffs, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit- card fraud in order to give the class standing, because there is an 'objectively reasonable likelihood' that such an injury will occur." See also Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (holding that the plaintiffs had established Article III standing based on "the increased risk of fraudulent charges and identity theft they face because their data has already been stolen."). Similarly, in Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016), the Sixth Circuit held that allegations of a risk of future harm were sufficient for Article III standing and noted that "[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints."

Plaintiffs' allegations here are substantially similar to the plaintiffs' allegations in Adobe and other cases finding Article III standing based on the risk of future identity theft. Plaintiffs allege that in the 2013 Breach and the 2014 Breach, "hackers stole the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders." CCAC ¶ 1. As a result, hackers gained "access to the email contents of all breached Yahoo accounts." Id. Moreover, in the Forged Cookie Breach, the hackers were able to forge authentication cookies and thus "remain logged into the hacked [email] accounts for weeks or indefinitely." Id. ¶ 68.

Plaintiffs allege that, as a result of the Data Breaches, hackers were able to access the contents of Plaintiffs' email accounts, "and thus any private information contained within those emails, such as financial communications and records involving credit cards." Id. ¶ 1. Indeed, Plaintiffs allege that they used their Yahoo email accounts in connection with numerous personal financial transactions, including receiving Social Security payments, maintaining investment accounts, and filing income tax returns. See, e.g. id. ¶¶ 1, 10-14. Like the plaintiffs in Adobe, Plaintiffs here allege that their personal information was among the information taken during the Data Breaches. See id.; see also id. ¶ 1. Further, like the plaintiffs in Adobe, Plaintiffs here allege that the stolen data has appeared on the dark web, and has indeed remained for sale on the dark web "as late as March 17, 2017." Id. ¶ 84; Remijas, 794 F.3d at 694 ("[O]nce stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.").

In these circumstances, Plaintiffs have alleged a "credible threat of real and immediate harm" stemming from the data breaches. Krottner, 628 F.3d at 1143. There is no dispute that Plaintiffs' Yahoo accounts were hacked. "Presumably, the purpose of the hack is, sooner or later, to . . . assume those consumers' identities" or to misuse Plaintiffs' PII in other ways. Remijas, 794 F.3d at 693. Indeed, as discussed below, several United States Plaintiffs allege that their stolen PII has already been misused by identity thieves, and they have experienced concrete harms as a result. See infra Part III.B.c.i.

Accordingly, as the Court found in Adobe, the Court finds that Plaintiffs have sufficiently alleged "a concrete and imminent threat of future harm suffic[ient] to establish Article III injury-in-fact at the pleadings stage." See Adobe, 66 F. Supp. 3d 1197, 1215.

b. Loss of Value of PII

In addition, Plaintiffs also argue that all Plaintiffs have suffered an injury in fact because the Data Breaches caused all Plaintiffs to suffer a loss of value of their PII as a result of the Data Breaches. See Opp. at 17. Again, the Court agrees with Plaintiffs. As the Court explained in In re Anthem, Inc. Data Breach Litigation ("Anthem II"), 2016 WL 3029783, at *14 (N.D. Cal. May 17, 2016), "the Ninth Circuit and a number of district courts have approved" allegations of damages arising from the loss of value of PII. For example, in In re Facebook Privacy Litigation, 72 F. App'x 494, 494 (9th Cir. 2014), the Ninth Circuit found that the plaintiffs plausibly alleged that they experienced harm where the plaintiffs' personal information was disclosed in a data breach, and the plaintiffs "los[t] the sales value of th[eir] [personal] information" as a result. Similarly, in Anthem II, this Court found that the plaintiffs plausibly alleged injury from the loss of value of their PII where the plaintiffs alleged that their PII was disclosed in a data breach, and that plaintiffs' PII was subsequently sold on the black market by hackers. Anthem II, 2016 WL 3029783, at *14-15; see also Svenson v. Google, Inc., 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015) ("Svenson's allegations of diminution in value of her personal information are sufficient to show contract damages for pleading purposes.").

Plaintiffs allege here that "hackers stole the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders." CCAC ¶ 1. Plaintiffs allege that this PII is highly valuable to Defendants because Defendants use this information for "targeted advertising." Id. ¶ 36. Moreover, Plaintiffs allege that this PII is "highly valuable to identity thieves," and that hackers have sold this PII on the "dark web." Id. ¶ 41. Plaintiffs' CCAC includes several examples of hackers selling PII from Yahoo accounts on the dark web following the Data Breaches. See, e.g., ¶ 70. For example, "[i]n August 2016, a hacker identifying himself or herself as 'peace_of_mind' posted for sale on the dark web the PII from 200 million Yahoo accounts." Id. As recently as March 17, 2017, stolen information from the Data Breaches "was still for sale on underground hacker forums." Id. ¶ 84. Specifically, the CCAC contains screenshots of hackers selling documents labeled as "Yahoo, 100K, email: pass, decrypted," and "Yahoo, 5,737,977, decrypted, complete." Id. Plaintiffs allege that this PII is particularly valuable because hackers can use this information, and in many cases have used this information, to "gain[] access to the email contents of all breached Yahoo accounts and thus any private information contained within those emails." Id. ¶ 1. Plaintiffs allege that, as a result of their valuable PII being for sale on the dark web, Plaintiffs have lost the value of their PII. See, e.g., id. ¶¶ 135, 145.

Accordingly, as the Court found in Anthem II, Plaintiffs' allegations that their PII is a valuable commodity, that a market exists for Plaintiffs' PII, that Plaintiffs' PII is being sold by hackers on the dark web, and that Plaintiffs have lost the value of their PII as a result, are sufficient to plausibly allege injury arising from the Data Breaches. Anthem II, 2016 WL 3029783, at *15-16 (finding plaintiff plausibly alleged injury where plaintiffs alleged that their PII was a valuable commodity to identity thieves, that an economic market existed for the PII, and that the value of Plaintiffs' PII decreased as a result of the data breach).

c. Additional Harms

As set forth above, the Court finds that all Plaintiffs have suffered injury in fact in the form of (1) the risk of future identity theft; and (2) loss of value of their PII. In addition, the Court also finds that individual Plaintiffs, though not all Plaintiffs, have alleged additional injuries in fact as a result of the Data Breaches. Specifically, some individual Plaintiffs have also alleged (1) that their stolen PII has already been misused by identity thieves; (2) that they have paid out of pocket mitigation expenses; and (3) loss of benefit of the bargain. The Court briefly discusses these additional injuries below.

i. Plaintiffs who Allege their Stolen PII has Already been Misused

First, several United States Plaintiffs allege that their stolen PII has already been misused by identity thieves and that they have experienced concrete harms as a result. For example, Plaintiffs Essar and Dugas allege that they used their Yahoo email accounts to conduct their personal finances, and that their Social Security numbers were stolen from their Yahoo email accounts as a result of the Data Breaches. See, e.g., CCAC ¶¶ 11-12. Dugas alleges that a fraudulent tax return was filed under his Social Security number and that he was not able to timely file his own taxes as a result. Id. ¶ 12. Because Dugas could not file his own tax return, Dugas was unable to timely file a financial aid application for his daughters. Id. This resulted in Dugas needing to pay an additional $9,000 in tuition expenses that he would not otherwise have had to pay. Id.

Similarly, Plaintiffs Matthew and Deana Ridolfo allege that they used their Yahoo email account to manage their personal finances, that their credit card information was stolen from their Yahoo email accounts in the Data Breaches, and that unauthorized credit card accounts were subsequently opened in their names. Id. ¶ 13. The Ridolofos allege that at least $900.00 in unauthorized charges were made in their names. Id.

Further, Plaintiff Heines alleges that she used her Yahoo email account in connection with her Social Security Disability benefits, that this information was accessed in the Data Breaches, and that her Social Security Disability benefits were stolen from her Social Security Disability benefits account. Id. ¶ 10. As a result, Heines alleges that she was unable to pay her bills, and that she incurred late fees as a result. Id. ¶ 10.

The Court finds that these allegations are sufficient to allege injury in fact arising from the Data Breaches. See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1215 (reasoning that plaintiffs would clearly have suffered a sufficient injury in fact if the plaintiffs "could allege that their stolen personal information had already been misused"). Indeed, Defendants do not appear to contest that harms from misuse of personal data are generally sufficient to confer Article III standing. Defendants argue that here, however, Plaintiffs have failed to adequately allege Article III standing because the CCAC does not allege that the fees and charges discussed above went "unreimbursed." See Mot. at 22. Defendants' argument is not persuasive. Plaintiffs Essar, Dugas, Mathew Ridolfo, Deana Ridolfo, and Heines do not allege that the expenses discussed above were reimbursed. See CCAC ¶¶ 10-14. On a motion to dismiss, the Court must take Plaintiffs' factual allegations as true and make all reasonable inferences in Plaintiffs' favor. Thus, at this stage of the proceedings, the Court cannot assume that Plaintiffs have been compensated for the fraudulent charges and resulting fees that Plaintiffs allegedly incurred.

Defendants cite Whalen v. Michaels Stores, Inc., 2017 WL 1556116, at *2 (2d Cir. May 2, 2017), in support of Defendants' argument that Plaintiffs lack Article III standing, even though Plaintiffs allege that their personal information has already been misused. However, Defendants' reliance on Whalen is not persuasive. First, that case is an unpublished summary order from the Second Circuit, and it is accordingly not binding on this Court and indeed not binding in the Second Circuit itself. See id. (stating that rulings by summary order do not have precedential effect). Second, the facts alleged in Whalen are readily distinguishable from the instant case. The plaintiff in Whalen alleged that her credit card information was stolen in a data breach, and that her credit card was subsequently "physically presented for payment" in Ecuador on two occasions. Id. at *1. However, the plaintiff in Whalen "cancelled her card," and she did "not allege that any fraudulent charges were actually incurred on the card" or that "she was in any way liable on account of these presentations" of her credit card in Ecuador. Id. at *1. The Second Circuit affirmed the district court's dismissal of the complaint for lack of Article III standing because Whalen never alleged that fraudulent charges were actually incurred on her credit card, she never alleged a plausible threat of future fraud "because her stolen credit card was promptly cancelled," and Whalen did not allege that any other information—such as her birth date or Social Security number—was taken in the breach. Id. Moreover, Whalen did not allege "any time or effort that she herself has spent monitoring her credit." Id. Thus, the Second Circuit held that Whalen did not adequately allege that the data breach caused Whalen to suffer any injury that was concrete and particularized. Id.

Here, unlike the Plaintiff in Whalen, Plaintiffs Essar, Dugas, Matthew Ridolfo, Deana Ridolfo, and Heines have each alleged more than simply that their credit card was "presented for payment," without further allegations of identity theft or harm. Id. at 2. As set forth above, Plaintiffs Essar, Dugas, Matthew Ridolfo, Deana Ridolfo, and Heines allege that hackers obtained their Yahoo user names and passwords, dates of birth, credit and debit card account information, and/or Social Security number as a result of the Data Breaches, and that hackers used this information to steal benefits and/or to make a variety of fraudulent credit card charges and/or fraudulent tax filings in their names. See, e.g., CCAC ¶ 1 (alleging hackers "stole the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders, in addition to all of the "private information contained within those emails, such as financial communications and records involving credit cards" and "social security numbers"); id. ¶ 10 (alleging hackers accessed and stole Heines Social Security Disability benefits); id. ¶¶ 11-12 (alleging hackers accessed Essar and Dugas's Social Security Numbers and filed fraudulent tax returns under their Social Security Numbers, causing Essar and Dugas to experience harm). Further, Plaintiffs Essar, Dugas, Matthew Ridolfo, Deana Ridolfo, and Heines allege several consequential fees resulting from these fraudulent charges and filings, and allege that they were required to spend significant time and effort monitoring these charges and mitigating their fall out. See, e.g., CCAC ¶ 1, 10 (alleging Heines incurred late charges because she could not pay her bills as a result of hackers stealing her Social Security Disability benefits, and that she spent over 40 hours managing the consequences of her identity being stolen); id. ¶ 12 (alleging that Dugas used his Yahoo account for his tax returns, that hackers accessed his account and subsequently filed a fraudulent tax return under Dugas's Social Security number, and that Dugas faced additional costs and tax return problems as a result of the breach).

Thus, the alleged information stolen in this case, and the alleged harm that resulted, is far more significant than the information and harm alleged in Whalen, where the plaintiff alleged only that her credit card information was stolen and subsequently "presented for payment," but no fraudulent charges were incurred before the credit card was promptly cancelled. See Whalen, 2017 WL 1556116, at *2. Accordingly, the Court finds that Plaintiffs Essar, Dugas, Matthew Ridolfo, Deana Ridolfo, and Heines—who each allege that their stolen personal information has already been misused in the data breach—have adequately alleged injury in fact. See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1215 (reasoning that plaintiffs would clearly have suffered a sufficient injury in fact if the plaintiffs "could allege that their stolen personal information had already been misused").

ii. Plaintiffs Who Have Paid Out-of-Pocket Mitigation Expenses

Second, several Plaintiffs allege that, as a result of the Data Breaches, Plaintiffs have been required to spend money to monitor their credit and prevent future identity theft. Specifically, Plaintiff Essar alleges that his personal information was exposed during the Data Breaches and that he "signed up for and paid (and continues to pay) $35.98 per month for LifeLock credit monitoring service" to "limit the damage done to his credit and identity." CCAC ¶ 11. The Ridolfos also allege that they each pay $30.00 a month for LifeLock. Id. ¶ 13. Similarly, Plaintiff Corso alleges that she continues to pay an annual fee of $150 for account security protection after her personal information was exposed in the Data Breaches. Id. ¶ 18.

The Court finds that these allegations of out-of-pocket mitigation expenses are also sufficient to allege injury in fact arising from the Data Breaches. In other data breach cases, district courts have held that similar out-of-pocket mitigation expenses are sufficient to allege Article III injury in fact. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1216 (finding costs incurred to mitigate future identity theft sufficient to constitute injury in fact); Walters v. Kimpton Hotel & Rest. Grp., LLC, 2017 WL 1398660, at *1 (N.D. Cal. Apr. 13, 2017) (finding plaintiffs' allegations regarding efforts to "monitor his credit" following identity theft to be sufficient to demonstrate injury in fact). Indeed, Defendants' motion to dismiss does not address these out-of-pocket mitigation expenses, and Defendants do not argue that out-of-pocket mitigation expenses are insufficient to allege injury in fact. See Mot. at 21-22. Accordingly, for the reasons set forth above, the Court finds that Plaintiffs Essar, Matthew Ridolfo, Deana Ridolfo, and Corso—who each allege that they incurred costs to mitigate future identity theft as a direct result of the Data Breaches—have alleged an additional injury in fact.

iii. Benefit of the Bargain Losses

Finally, Small Business Users Plaintiff Neff alleges that he has suffered injury in fact from lost benefit of the bargain. As a user of Defendants' Small Business Services, Neff "has paid Yahoo $13.94 each month" since September 2009. CCAC ¶ 20. Neff uses Yahoo's Small Business Services to host Neff's online insurance agency business. Id. Neff alleges that Defendants represented to members of the putative Small Business Users Class that Defendants' Small Business Services were "secure." Id. ¶ 198. Neff alleges that he "would not have agreed to utilize and pay for the small business services and turn over [his] PII" had Neff known that Defendants' Small Business Services "were not as secure as represented or secure by any standard." Id. ¶ 199. Accordingly, Neff alleges that he has suffered harm because Neff has paid Defendants monthly fees for a product that Neff did not ultimately receive: "secure small business services." Id. ¶ 203.

The Court finds that Neff's allegations are sufficient to allege "benefit of the bargain" losses as a result of the Data Breaches, which courts in this district and elsewhere have found are sufficient to allege an injury in fact for purposes of Article III standing. See, e.g., In re Anthem, Inc. Data Breach Litig. ("Anthem I"), 162 F. Supp. 3d 953, 985 (N.D. Cal. 2016) (finding plaintiffs alleged benefit of the bargain losses where plaintiffs alleged that they did not receive full value of services for which they paid because of defendant's failure to implement promised security measures); In re LinkedIn User Privacy Litig., 2014 WL 1323713, at *6 (N.D. Cal. Mar. 28, 2014) (finding plaintiff alleged lost benefit of the bargain, and thus standing under Article III, where plaintiff alleged that she purchased defendant's services because defendant represented the services as secure, that defendant's services were not in fact secure, and thus plaintiff overpaid for defendant's services as a result of defendant's misrepresentations). Again, Defendants do not address Neff's benefit of the bargain losses in their motion to dismiss, and Defendants do not argue that these losses are insufficient to allege an injury-in-fact. See Mot. at 21-22. For these reasons, Neff's allegations of benefit of the bargain losses are sufficient to allege an Article III injury in fact.

d. Summary

To summarize, the Court finds that all Plaintiffs have adequately alleged an injury in fact sufficient for Article III standing because all Plaintiffs have alleged a risk of future identity theft, in addition to loss of value of their PII. Moreover, some Plaintiffs, although not all Plaintiffs, have adequately alleged additional injuries in fact in the form of (1) harm from the actual misuse of their PII; (2) out-of-pocket mitigation expenses; and (3) lost benefit of the bargain. The Court next turns to Defendants' traceability argument.

2. Traceability

Defendants next contend that, even assuming Plaintiffs have adequately alleged injuries in fact, Plaintiffs cannot establish Article III standing because Plaintiffs' injuries are not "fairly traceable" to Defendants' conduct. See Mot. at 22. Defendants make two primary arguments. First, Defendants contend that there is no "causal connection between the information stolen" from Defendants and the injuries claimed by Plaintiffs. Second, Defendants contend that "other causes" exist for Plaintiffs' alleged harms. The Court considers each of these arguments in turn.

a. Causal Connection between Information Stolen and Plaintiffs' Alleged Harms

First, Defendants argue that the sensitive personal information allegedly taken from Plaintiffs by hackers—such as Plaintiffs' Social Security Numbers—was not itself collected by Defendants. See Mot. at 23-24. Defendants contend that, "[t]o the extent Social Security numbers or any other specific personal information were communicated via Yahoo email at all," that information was contained in and accessed by hackers from Plaintiffs' emails inside of Plaintiffs' Yahoo email accounts. Id. Thus, Defendants argue, Plaintiffs' alleged harm is the result of "the pre-breach activities of Plaintiffs," rather than Defendants themselves. Id.

Defendants' argument is not persuasive. First of all, Yahoo itself possessed sensitive personal information, such as credit card numbers, for small business users such as Neff, who paid Yahoo $13.95 every month. As to other plaintiffs, "for Article III standing purposes, a 'causal chain does not fail simply because it has several links, provided those links are not hypothetical or tenuous and remain plausible.'" Moore v. Apple, Inc., 309 F.R.D. 532, 540 (N.D. Cal. 2015) (quoting Wsh. Env'tl Council v. Bellon, 732 F. 3d 1131, 1141-42 (9th Cir. 2013)). Here, as discussed above, Plaintiffs allege that they were all Yahoo account holders. Plaintiffs allege that, during the Data Breaches, hackers obtained the names, email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account "nonce" (a cryptographic value unique to each account) of Yahoo account holders. CCAC ¶¶ 1, 92. As a result of gaining this information, the hackers were able to gain "access to the email contents of all breached Yahoo accounts and thus any private information contained within those emails." Id. Plaintiffs detail in the CCAC the numerous ways that Plaintiffs used their Yahoo emails for their personal communications and finances, and thus Plaintiffs allege that their Yahoo email accounts contained sensitive personal information, such as Plaintiffs' credit and debit card account information and Plaintiffs' Social Security numbers. See, e.g., id. ¶¶ 10-15, 42-44.

Plaintiffs thus allege a plausible "causal chain" of events that links the Data Breaches, which Plaintiffs allege resulted from Yahoo's failures to maintain appropriate data security measures, with the specific harms alleged by Plaintiffs. Indeed, Plaintiffs' allegations are substantially similar to the allegations in Anthem, in which this Court held that the plaintiffs had alleged a sufficiently plausible "logical connection between the Anthem data breach and the harm suffered by Plaintiffs." Anthem I, 162 F. Supp. 3d at 987. In Anthem, the plaintiffs alleged that (1) "they were enrolled in a particular health plan administered by" Anthem, that (2) plaintiffs "provided their PII to Anthem," (3) "that their PII was compromised as a result of the data breach," and (4) that their PII was used by hackers for "illicit financial gain." Id. Plaintiffs have alleged substantially the same chain of events here. See, e.g., CCAC ¶¶ 1, 10-15.

Defendants attempt to distinguish Anthem by arguing that the Anthem plaintiffs, unlike Plaintiffs here, provided their Social Security numbers and other sensitive personal information directly to Anthem. See Reply at 8. Accordingly, Defendants argue that the Anthem plaintiffs' sensitive personal information was directly disclosed to hackers when the hackers breached Anthem's servers. Id. In the instant Data Breaches, by contrast, Defendants argue that Plaintiffs' Social Security numbers and other sensitive PII was not directly collected by Defendants, and thus Plaintiffs' sensitive PII was not directly exposed to hackers during the breaches of Defendants' servers. Id. Rather, hackers stole from Defendants the names, email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account nonce of Yahoo account holders, CCAC ¶¶ 1, 92, and then the hackers used that information to gain access to Plaintiffs' Yahoo emails where the hackers found Plaintiffs' Social Security numbers and other sensitive personal information. See Reply at 8.

However, this distinction does not defeat traceability for purposes of Article III standing. Although Plaintiffs in the instant case allege an additional link in the "causal chain"—specifically, that the hackers first stole Plaintiffs' log-in information from Yahoo and then accessed the sensitive personal information contained within Plaintiffs' email accounts—the links alleged by Plaintiffs nonetheless "remain plausible." Moore, 309 F.R.D. at 540 ("[A] 'causal chain does not fail simply because it has several links, provided those links are not hypothetical or tenuous and remain plausible.'"). Plaintiffs set forth numerous allegations in the CCAC that plausibly explain how Plaintiffs and other Yahoo users used their Yahoo email accounts for their personal and financial needs. See, e.g., CCAC ¶¶ 1, 10-15, 43-44. Plaintiffs allege that their email accounts contained Plaintiffs' sensitive personal and financial information, including their Social Security numbers and/or their credit and debit card account information. Id. ¶¶ 10-15. Plaintiffs allege that, as a result of Defendants' lax data security practices and the Data Breaches, hackers were able to continually access Plaintiffs' Yahoo email accounts and the sensitive information contained within Plaintiffs' Yahoo email accounts. Id. ¶ 68. Taking these allegations as true, Plaintiffs have sufficiently alleged a plausible chain of events that link Defendants' alleged misconduct with the injuries alleged by Plaintiffs.

The causal chain alleged in this case is distinguishable from the causal chain alleged in Antman v. Uber Technologies, Inc., 2015 WL 6123054, at *10-11 (N.D. Cal. Oct. 19, 2015), the case relied upon by Defendants. There, hackers breached Uber's servers and gained access to the names and drivers' license information of Uber drivers. Id. at *2. The Court in Antman held that the plaintiff failed to allege a sufficiently plausible causal connection between the breach of Uber's servers and the plaintiff's allegations of identity theft. Id. at *11. As the Court reasoned in Antman, the plaintiff alleged "disclosure only of his name and driver's license information," and it was not plausible that a hacker could open a credit card in the plaintiff's name only from this information. Id. The plaintiff in Antman alleged no further facts to suggest a connection between the information stolen—his name and driver's license information—and his allegations that the hackers stole his identity and opened a credit card in his name. Id.

In contrast to the plaintiff in Antman, Plaintiffs in the instant case have alleged that (1) Defendants' data security practices were insufficient; (2) hackers accordingly breached Defendants' servers and learned of Plaintiffs' names, email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account nonce, CCAC ¶¶ 1, 92; and (3) hackers accordingly gained access to Plaintiffs' Yahoo email accounts, which contained additional PII, including PII such as Social Security numbers and debit and credit card account information. See CCAC ¶¶ 1, 10-15, 44. Plaintiffs allege that, as a result of this causal chain, Plaintiffs suffer from an increased risk of identity theft, loss of the value of their PII, harms from actual identity theft, out-of-pocket mitigation expenses, and lost benefit of the bargain, as detailed in the injury-in-fact discussion above. At this stage of the litigation, Plaintiffs' allegations are sufficient to show that Plaintiffs' alleged injuries are "fairly traceable" to Defendants' alleged misconduct.

b. "Other Causes" for Plaintiffs' Alleged Harms

Next, Defendants argue that Plaintiffs have failed to allege traceability because "other causes exist" for the harms alleged by Plaintiffs, such as other data breaches. See Mot. at 25-26. Defendants argue that these "other causes" are potentially likely here, given that Plaintiffs allege that their information was exposed as early as 2013, but Plaintiffs allege identity theft and unauthorized credit card charges beginning in 2016 and later. See id.

Again, the Court is not persuaded by Defendants' arguments. To the extent Defendants rely on the existence of other data breaches to defeat a causal connection between the Data Breaches here and Plaintiffs' injuries, this Court squarely rejected an identical argument in Anthem I, 162 F. Supp. 3d at 988. As the Court explained in Anthem I, to allow Defendants to rely on other data breaches to defeat a causal connection would "create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable." Id. As set forth above, Plaintiffs have plausibly alleged that Plaintiffs had accounts with Yahoo, that Plaintiffs' account information was accessed in the Data Breaches, and that hackers used Plaintiffs' account information to gain access to Plaintiffs' Yahoo email accounts, which contained additional sensitive PII. The existence of other potential data breaches or causes for Plaintiffs' injuries does not defeat Plaintiffs' standing to sue Defendants. Anthem I, 162 F. Supp. 3d at 988 (rejecting defendants' argument that "scores of other cyber intrusions and data thefts" could have caused plaintiffs alleged injuries).

Defendants also argue that "[n]o Plaintiff has alleged that his or her email address (as well as certain other data elements) was not publicly available," and thus accessible regardless of the Data Breaches. See Mot. at 26. However, Defendants' argument is "little more than an end run around the rule that, on a motion to dismiss, the Court may generally 'consider only the contents of the complaint,'" and the Court must take the complaint's allegations as true and in the light most favorable to Plaintiffs. In re Anthem, Inc. Data Breach Litigation, 162 F. Supp. 3d at 988. Plaintiffs do not allege that their Yahoo email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account nonce, CCAC ¶¶ 1, 92, were publicly available elsewhere, see CCAC ¶ 1, and the Court cannot infer otherwise on a motion to dismiss. See Manzarek, 519 F.3d at 1031 (holding that on a motion to dismiss, the court "accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.").

Moreover, Defendants' reliance on temporal gaps in time between the Data Breaches and Plaintiffs' allegations of identity theft and unauthorized charges also does not defeat traceability in this case. For example, Plaintiff alleges that "[i]n August 2016, a hacker identifying himself or herself as 'peace_of_mind' posted for sale on the dark web the PII from 200 million Yahoo accounts." CCAC ¶ 70. As recently as March 17, 2017, stolen information from the Data Breaches "was still for sale on underground hacker forums." Id. ¶ 84. Specifically, the CCAC contains screenshots of hackers selling documents labeled as "Yahoo, 100K, email: pass, decrypted," and "Yahoo, 5,737,977, decrypted, complete." Id. Plaintiffs allege that "identity thieves will wait years before attempting to use the PII they have obtained." Id. ¶ 40. Accordingly, even though the Data Breaches themselves occurred as early as 2013, Plaintiffs have sufficiently alleged that the harms Plaintiffs are experiencing today are a direct result of the Data Breaches. Thus, the temporal gap between the Data Breaches and Plaintiffs' alleged harm does not defeat traceability.

To summarize, the Court concludes that Plaintiffs have sufficiently demonstrated both a logical and a temporal relationship necessary to establish traceability between Defendants' alleged misconduct and Plaintiffs' alleged injuries. Accordingly, because the Court found above that Plaintiffs have all adequately alleged an injury in fact, the Court finds that Plaintiffs have sufficiently alleged Article III standing to sue. Thus, Defendants' motion to dismiss on the basis of Plaintiffs' lack of Article III standing is DENIED. The Court next turns to address Plaintiffs' causes of action.

B. UCL

The United States Plaintiffs and Israel Plaintiffs allege in Count One a claim under the California UCL against Yahoo. Small Business Users Plaintiff Neff alleges in Count Eleven a claim under the UCL against both Yahoo and Aabaco, the wholly owned subsidiary of Yahoo that administered Yahoo's small business services. However, although alleged as separate counts, the allegations under Count One and Count Eleven are substantially the same. Accordingly, the Court considers Plaintiffs' UCL claims together below and specifies distinctions between the two UCL claims only when necessary.

California's UCL provides a cause of action for business practices that are (1) unlawful; (2) unfair; or (3) fraudulent. Cal. Bus. & Prof. Code § 17200, et seq. "The UCL's coverage is sweeping, and its standard for wrongful business conduct intentionally broad." Moore v. Apple, Inc., 73 F. Supp. 3d 1191, 1204 (N.D. Cal. 2014) (internal quotation marks omitted). Each prong of the UCL provides a "separate and distinct theory of liability." Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). Although the UCL targets a wide range of misconduct, its remedies are limited because UCL actions are equitable in nature." Pom Wonderful LLC v. Welch Foods, Inc., 2009 WL 5184422, at *2 (C.D. Cal. Dec. 21, 2009). "Remedies for private individuals bringing suit under the UCL are limited to restitution and injunctive relief." Id.

Plaintiffs bring their UCL claims under all three prongs of the UCL. Defendants argue, however, that Plaintiffs' UCL claims fail for several reasons. First, Defendants argue that Plaintiffs lack standing to bring claims under the UCL. Second, Defendants argue that Plaintiffs have failed to plead that Defendants' actions were either unlawful, unfair, or fraudulent. Third, Defendants argue that Plaintiffs are not entitled to the remedies that they seek under the UCL, and thus their UCL claims must be dismissed. The Court addresses each of these three arguments below.

1. UCL Standing

In order to establish standing for a UCL claim, Plaintiffs must show that they personally lost money or property "as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Sup. Ct., 51 Cal. 4th 310, 330 (2011). As the California Supreme Court has explained:

There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.

Id. at 323.

According to Plaintiffs, all named Plaintiffs have experienced injury under the UCL. Specifically, Plaintiffs argue that Small Business Users Plaintiff Neff has adequately alleged lost money or property because Neff has "benefit of the bargain" losses as a result of Neff's payments to Defendants for Defendants' Small Business Services. Moreover, Plaintiffs argue that the United States Plaintiffs and Israel Plaintiffs, who did not pay Defendants to use Defendants' email services, have nonetheless alleged lost money or property because (1) five out of the six United States Plaintiffs have alleged out-of-pocket expenses resulting from the Data Breaches; and (2) all Plaintiffs have alleged a risk of future identity theft.

Israel Plaintiff Rivlin alleges in passing that he pays Yahoo annually $20.00 "to have Yahoo emails received forwarded to another email account." CCAC ¶ 15. However, Plaintiffs do not argue that Rivlin has suffered lost benefit of the bargain as a result of his $20.00 annual payment to Yahoo, and indeed Plaintiffs do not otherwise address Rivlin's $20.00 annual payment in their opposition or in the CCAC. See generally Opp.; CCAC. Accordingly, the Court considers only whether Neff has adequately alleged lost benefit of the bargain, and the Court does not address whether Rivlin can adequately allege lost benefit of the bargain based on his $20.00 annual payment to Yahoo.

The Court first discusses Neff's allegations of lost benefit of the bargain. The Court then discusses Plaintiffs' allegations regarding the United States Plaintiffs and the Israel Plaintiffs, and whether these Plaintiffs can allege lost money or property as a result of their out of pocket expenses or the risk of future identity theft.

a. Lost Benefit of the Bargain

Plaintiffs argue that Small Business Users Plaintiff Neff has adequately alleged standing under the UCL because Neff has alleged lost benefit of the bargain. The Court agrees.

Neff alleges that he has paid Defendants $13.94 each month since September 2009 for Defendants' Small Business Services. CCAC ¶ 20. Neff alleges that Defendants represented that Defendants' Small Business Services were "secure." Id. ¶ 198. Neff alleges that he "would not have agreed to utilize and pay for the small business services and turn over [his] PII" had Neff known that Defendants' Small Business Services "were not as secure as represented or secure by any standard." See, e.g., id. at ¶ 199. Accordingly, Neff alleges that he was "damaged by paying monthly fees to [Defendants] for something [Neff] did not receive: secure small business services." Id. ¶ 203.

As set forth above regarding Neff's Article III standing to sue, these allegations are sufficient to allege that Neff suffered "benefit of the bargain" losses. See, e.g., Anthem II, 2016 WL 3029783, at *15, 30 (finding allegations that plaintiffs spent more money on insurance premiums than plaintiffs would have spent had plaintiffs known of Anthem's inadequate security practices to be sufficient to allege benefit of the bargain losses). Benefit of the bargain losses are sufficient to allege "lost money or property," and thus standing, under the UCL. See id. (finding plaintiffs' alleged benefit of the bargain losses were sufficient to establish standing under the UCL); see also In re Adobe, 66 F. Supp. 3d at 1224 (finding allegations that plaintiffs "personally spent more on Adobe products than they would have had they known Adobe was not providing the reasonable security Adobe represented it was providing" to be sufficient to allege standing under the UCL). Accordingly, the Court finds that Small Business Users Plaintiff Neff has adequately alleged standing under the UCL, and the Court DENIES Defendants' motion to dismiss Neff's UCL claim for lack of UCL standing.

b. Out of Pocket Expenses and Risk of Future Harm

The Court next turns to whether the United States Plaintiffs and the Israel Plaintiffs have adequately alleged UCL standing. Unlike Small Business Users Plaintiff Neff, the United States Plaintiffs and the Israel Plaintiffs did not pay for their Yahoo email accounts, and accordingly these Plaintiffs cannot allege benefit of the bargain losses. However, Plaintiffs argue that the United States Plaintiffs and Israel Plaintiffs nonetheless can allege "lost money or property" as a result of Defendants' conduct. Specifically, five of the United States Plaintiffs allege that they incurred out-of-pocket expenses as a result of the Data Breaches. Moreover, Plaintiffs argue that all Plaintiffs have alleged a risk of future identity theft. For the reasons discussed below, the Court agrees with Plaintiffs that, to the extent Plaintiffs allege out-of-pocket expenses as a result of the Data Breaches, Plaintiffs have alleged lost money or property sufficient to establish UCL standing. However, the Court disagrees with Plaintiffs' argument that the risk of future identity theft is sufficient for UCL standing purposes.

First, Plaintiffs argue that United States Plaintiffs Heines, Essar, Dugas, Matthew Ridolfo, and Deana Ridolfo allege that they incurred out-of-pocket expenses as a result of the Data Breaches. For example, Plaintiffs Essar, Matthew Ridolfo, and Deana Ridolfo all allege that, as a result of the Data Breaches and their identities being stolen as a result of the Data Breaches, they have paid money for credit monitoring services. See, e.g., CCAC ¶¶ 11, 13. Moreover, Heines alleges that she was required to pay late fees because she was unable to pay her bills on time after her Social Security Disability benefits were taken from her Social Security Disability account. Id. ¶ 10. Dugas alleges that, as a result of his identity being stolen in the Data Breaches and a false tax return being filed in his name, Dugas paid credit bureaus to freeze his accounts, and he had to pay a Certified Public Accountant to "help sort out the tax return problems suffered as a result of the" Data Breaches. Id.

The Court finds that these allegations plausibly suggest that Plaintiffs Heines, Essar, Dugas, Matthew Ridolfo, and Deana Ridolfo were each "required to enter into a transaction, costing money or property, that would otherwise have been unnecessary" if not for Defendants' alleged misconduct. Kwikset, 246 P.3d at 885-86; see also Anthem I, 162 F. Supp. 3d at 986-87 (suggesting, without needing to decide, that out of pocket expenses resulting from a data breach would fall under Kwikset's definition of economic injury). Indeed, courts have held similar allegations of out of pocket expenses sufficient to establish standing under the UCL. See, e.g., Witriol v. LexisNexis Grp., 2006 WL 4725713, at *6 (N.D. Cal. Feb. 10, 2006) (finding plaintiffs adequately alleged economic injury under the UCL where plaintiffs alleged that they had "incurred costs associated with monitoring and repairing credit" after a data breach (internal quotation marks omitted)); Walters, LLC, 2017 WL 1398660, at *2 (finding plaintiff alleged economic injury sufficient to establish standing under the UCL where the plaintiff alleged that he was required to monitor his credit after the theft of his payment card data in a data breach). Accordingly, the Court DENIES Defendants' motion to dismiss for lack of UCL standing the UCL claims of Plaintiffs Heines, Essar, Dugas, Matthew Ridolfo, and Deana Ridolfo.

The Court next turns to the remaining United States Plaintiffs and Israel Plaintiffs, who do not allege any benefit of the bargain losses or out of pocket expenses resulting from the Data Breach. Specifically, United States Plaintiff Garg, and both Israel Plaintiffs Rivlin and Granot, do not allege that they lost any money or property as a result of Defendants' alleged misconduct. Nonetheless, Plaintiffs argue that Plaintiffs Garg, Rivlin, and Granot have standing under the UCL because all Plaintiffs face an "imminent risk of future costs" resulting from the Data Breaches. See Opp. at 21. Plaintiffs argue that this is sufficient under the UCL to allege "lost money or property," and thus UCL standing. Id.

As set forth above, Israel Plaintiff Rivlin alleges in passing that he pays Yahoo annually $20.00 "to have Yahoo emails received forwarded to another email account." CCAC ¶ 15. However, Plaintiffs do not address Rivlin's $20.00 annual payment in their opposition or in the CCAC, and Plaintiffs do not argue that this $20.00 constitutes a lost out of pocket expense or lost benefit of the bargain. See generally Opp.; CCAC. Accordingly, based on the allegations in the CCAC, Rivlin's $20.00 annual payment for forwarding services does not establish that Rivlin has lost money or property as a result of Defendants' unlawful conduct, and thus does not establish that Rivlin has standing under the UCL.

The Court disagrees with Plaintiffs. Plaintiffs' imminent risk of future costs as a result of the Data Breaches, although sufficient to establish standing under the broader injury-in-fact requirements of Article III, is not sufficient to allege "lost money or property" under the UCL. See Ehret v. Uber Tech., Inc., 68 F. Supp. 3d 1121, 1132 (N.D. Cal. Sept. 17, 2014) ("[A] federal plaintiff's [Article III] 'injury in fact' may be intangible and need not involve lost money or property . . . a UCL plaintiff's 'injury in fact' [must] specifically involve lost money or property."). Plaintiffs' "intangible" allegations of future costs do not show that Plaintiffs have "specifically . . . lost money or property" as a result of Defendants' misconduct. Id. Accordingly, the Court finds that Plaintiffs Garg, Rivlin, and Granot, have not sufficiently alleged standing under the UCL. Thus, the Court GRANTS Defendants' motion to dismiss the UCL claims of Garg, Rivlin, and Granot. The Court grants leave to amend because Plaintiffs Garg, Rivlin, and Granot may be able to allege facts sufficient to show that they have lost money or property as a result of Defendants' conduct, and thus amendment of these claims would not necessarily be futile. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile).

The Court next turns to whether Plaintiffs have adequately alleged that Defendants violated the UCL, either under the unlawful, unfair, or fraudulent prongs. Significantly, because the Court has found that Plaintiffs Rivlin and Granot—the only Israel Plaintiffs—have not adequately alleged UCL standing, the Court's remaining UCL discussion below will consider the allegations of only the United States Plaintiffs and Small Business Users Plaintiff Neff. Because the Court has dismissed the UCL claims of the only two Israel Plaintiffs, the Israel Class cannot state a UCL claim. As stated above, the dismissal of the UCL claims of the Israel Plaintiffs, and thus the Israel Class, is without prejudice because amendment of these claims would not necessarily be futile.

2. Defendants' Liability Under Unlawful, Unfair, and Fraudulent Prongs

As set forth above, the UCL provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code § 17200. Each prong of the UCL provides a separate and distinct theory of liability. Lozano, 504 F.3d at 731. Plaintiffs allege that Defendants' conduct violated all three prongs of the UCL. See CCAC ¶¶ 127, 214. The Court addresses these three prongs below in turn.

a. Unlawful Prong

First, Plaintiffs argue that Defendants violated the unlawful prong. The "unlawful" prong of the UCL prohibits "anything that can properly be called a business practice and that at the same time is forbidden by law." Cal-Tech, 20 Cal. 4th at 180 (internal quotation marks omitted). By proscribing "any unlawful" business practice, the UCL permits injured consumers to "borrow" violations of other laws and treat them as unlawful competition that is independently actionable. Id.

As predicates for their claim under the "unlawful" prong, Plaintiffs allege that Defendants violated the California Legal Remedies Act, Cal. Civ. Code § 1750 ("CLRA"); the Customer Records Act, Cal. Civ. Code § 1798.80 ("CRA"); the Stored Communications Act, 18 U.S.C. § 2702 ("SCA"); and the Online Privacy Protection Act, Cal. Bus. & Prof. Code §§ 22576 ("OPPA"). See CCAC ¶ 134.

In addition to asserting violations of these statutes as predicates for the unlawful prong of Plaintiffs' UCL claims, the CCAC also asserts stand-alone causes of action for each of these statutes. CCAC ¶¶ 137-76 (Causes of Action 2-5). To the extent that Plaintiffs have sufficiently alleged these stand-alone causes of action, Plaintiffs have also alleged violations of the unlawful prong of the UCL. The Court addresses Plaintiffs' allegations under these statutes in detail below. See infra Part III.D-G. As explained below, the Court finds that Plaintiffs have adequately alleged that Defendants violated the CRA. "Accordingly, the Court finds that Plaintiffs have adequately alleged unlawful conduct that may serve as a basis for a claim under the UCL's unlawful prong, and [Defendants are] therefore not entitled to dismissal of the UCL unlawful claim." In re Adobe, 66 F. Supp. 3d at 1226 (finding Plaintiffs adequately alleged UCL claim under unlawful prong where plaintiff adequately alleged underlying CRA violation). Thus, the Court DENIES Defendants' motion to dismiss Plaintiffs' UCL claim under the unlawful prong.

b. Unfair Prong

The "unfair" prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143 (2003). "The UCL does not define the term 'unfair' . . . [and] the proper definition of 'unfair' conduct against consumers 'is currently in flux' among California courts.'" Id.

Some California courts apply a balancing approach, which requires courts to "weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim." Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Other California courts have held that "unfairness must be tethered to some legislatively declared policy or proof of some actual or threatened impact on competition." Lozano, 504 F.3d at 735 (internal quotation marks omitted). Finally, one California court has adopted the three-part test set forth in § 5 of the Federal Trade Commission Act: "(1) the consumer injury must be substantial; (2) the injury must not be outweighed by any countervailing benefits to consumers or competition; and (3) it must be an injury that consumers themselves could not reasonably have avoided." Camacho v. Auto. Club of Southern Cal., 48 Cal. Rptr. 3d 770, 777 (Cal. Ct. App. 2006). The Court refers to these tests as the "balancing test," the "tethering test," and the "FTC test," respectively.

The Court finds that Plaintiffs' allegations are sufficient at this stage of the proceedings to allege that Defendants' conduct violated the balancing test, at a minimum. Plaintiffs "may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by Defendants or by demonstrating that Defendants' conduct violated an established public policy." Anthem I, 162 F. Supp. 3d at 990. Here, Plaintiffs allege that Defendants promised in their Privacy Policy to protect their customers' data, but that Defendants knowingly failed to employ adequate safeguards to protect their customers' data, in violation of Defendants' Privacy Policy. See, e.g., CCAC ¶¶ 128-33. Moreover, Plaintiffs allege that Defendants' knowing failure to employ adequate safeguards violated the policy of various California statutes, such as the Online Privacy Protection Act, that were intended to "reflect California's public policy of protecting customer data." Anthem I, 162 F. Supp. 3d at 990. Plaintiffs allege that Defendants' misconduct exposed Plaintiffs to a substantial risk of identity theft and other harms. See, e.g., CCAC ¶ 135.

District courts have found substantially identical allegations sufficient to allege "unfair" conduct under the balancing test. See, e.g., Anthem I, 162 F. Supp. 3d at 990 (finding plaintiffs adequately alleged unfair conduct under the balancing test where the complaint alleged that defendant failed to adequately protect customer data, which was allegedly in violation of several statutes that reflected California's public policy of protecting customer data); In re Adobe, 66 F. Supp. 3d at 1227 (finding plaintiffs adequately alleged unfair conduct under the balancing test where plaintiffs alleged Adobe's conduct violated various data breach statutes that embodied California's public policy of protecting customer data); Svenson v. Google, Inc., 2015 WL 1503429, at *10 (N.D. Cal. Apr. 1, 2015) (finding plaintiffs sufficiently alleged violation of UCL's unfair prong where plaintiffs alleged that "Google violated its own privacy policies" by failing to safeguard the plaintiff's data). As this Court recognized in Anthem I, whether Defendants' alleged "public policy violation is outweighed by the utility of their conduct under the balancing test is a question to be resolved at a later stage in this litigation." Anthem I, 162 F. Supp. 3d at 990 (N.D. Cal. 2016). Thus, based on the balancing test alone, the Court DENIES Defendants' motion to dismiss Plaintiffs' UCL claim under the unfair prong.

c. Fraudulent Prong

"To state a claim under the 'fraud' prong of [the UCL], a plaintiff must allege facts showing that members of the public are likely to be deceived by the alleged fraudulent business practice." Antman, 2015 WL 6123054, at *6. Claims stated under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor Co., 567 F. 3d 1120, 1125 (9th Cir. 2009). Under Rule 9(b), "[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake." Fed. R. Civ. P. 9(b). Plaintiffs must include "an account of the time, place, and specific content of the false representations" at issue. Swartz v. KPMG LLP, 476 F.3d 756 (9th Cir. 2007).

Plaintiffs allege two theories of fraud under the UCL: (1) affirmative misrepresentations; and (2) fraudulent omissions. The Court considers each in turn.

i. Affirmative Misrepresentations

Plaintiffs allege that Defendants committed fraud through affirmative misrepresentations. Specifically, Plaintiffs allege that Defendants made affirmative misrepresentations to the United States Plaintiffs and Small Business Users Plaintiff Neff in Defendants' Privacy Policy. Moreover, Plaintiffs allege that Defendants made additional affirmative misrepresentations to Small Business Users Plaintiff Neff in Defendants' advertisements regarding Defendants' Small Business Services. The Court first addresses the representations in Defendants' Privacy Policy and then discusses Defendants' Small Business Services.

1. Privacy Policy

Plaintiffs allege Defendants made the following representations in Defendants' Privacy Policy:

• "[P]rotecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust."

• Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you."

CCAC ¶ 128. Plaintiffs allege that these representations in Defendants' Privacy Policy were false because Defendants "knew or should have known [they] did not employ reasonable measures that would have kept Plaintiffs' and the other Class members' PII and financial information secure and prevented the loss of Plaintiffs' and the other class members' PII and financial information." Id. ¶ 130. Defendants argue, however, that Plaintiffs have failed to state a UCL claim based on Defendants' representations in its Privacy Policy because (1) Defendants' statements are not actionable misrepresentations; and (2) Plaintiffs have failed to adequately allege that they relied on the representations in Defendants' Privacy Policy. See Mot. at 28-29. The Court considers these arguments in turn.

First, Defendants contend that Plaintiffs cannot state a claim under the fraudulent prong because a reasonable consumer would not rely on the representations. Claims under "California consumer protection statutes are governed by the 'reasonable consumer' test." Ebner v. Fresh, Inc., 838 F.3d 958, 965 (9th Cir. 2016). "Under this standard, Plaintiff must 'show that members of the public are likely to be deceived.'" Id. (internal quotation marks and citations omitted). "[W]hether a business practice is deceptive will usually be a question of fact not appropriate for decision on demurrer." Williams v. Gerber Prods. Co., 552 F.3d 934, 938 (9th Cir. 2008). However, Plaintiff must allege "more than a mere possibility that the [statement] might conceivably be misunderstood by a few consumers viewing it in an unreasonable manner." Brod v. Sious Honey Ass'n, Co-Op, 927 F. Supp. 2d 811, 828 (N.D. Cal. 2013) (citing Lavie v. Proctor & Gamble Co., 105 Cal. App. 4th 496, 508 (Cal. 2003)). Rather, the reasonable consumer standard requires a probability "that a significant portion of the general consuming public or of targeted consumers, acting reasonably in the circumstances, could be misled." Lavie, 105 Cal. App. 4th at 508.

According to Defendants, a reasonable consumer could not have been deceived by the alleged misrepresentations because they are "non-actionable puffery." See Mot. at 28. "[G]eneralized, vague, and unspecified assertions[] constitute[] 'mere puffery' upon which a reasonable consumer could not rely," and thus are not actionable under the UCL. Glen Holly Entm't, Inc. v. Tektronix Inc., 343 F.3d 1000, 1005 (9th Cir. 2003). As the Ninth Circuit has explained, "[t]he common theme that seems to run through cases considering puffery in a variety of contexts is that consumer reliance will be induced by specific rather than general assertions." Cook, Perkiss and Liehe, Inc. v. No. Cal. Collection Serv., Inc., 911 F.2d 242, 246 (9th Cir. 1990) ("'Puffing' has been described by most courts as involving outrageous generalized statements, not making specific claims, that are so exaggerated as to preclude reliance by consumers."); see also Newcal Indus., Inc. v. Ikon Office Solution, 513 F.3d 1038, 1053 (9th Cir. 2008) ("A statement is considered puffery if the claim is extremely unlikely to induce consumer reliance. Ultimately, the difference between a statement of fact and mere puffery rests in the specificity or generality of the claim."). Consequently, a representation "which merely states in general terms that one product is superior is not actionable. However, misdescriptions of specific or absolute characteristics of a product are actionable." Cook, 911 F.2d at 246 (citations and internal quotation marks omitted).

As set forth above, the CCAC alleges that Defendants made two misrepresentations in its Privacy Policy: (1) that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust"; and (2) that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you."

The Court agrees with Defendants that the first alleged misrepresentation—that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust"—constitutes non-actionable puffery. This statement "say[s] nothing about the specific characteristics" of the products and services offered by Defendants. Elias v. Hewlett-Packard Co., 903 F. Supp. 2d 843, 855 (N.D. Cal. Oct. 11, 2012). Rather, the statement is a vague and "all-but-meaningless superlative[]" regarding how Defendants' prioritize the safety of their systems and their users' information. Id. (quoting Consumer Advocates v. Echostar Satellite Corp., 113 Cal. App. 4th 1351, 1361)). A reasonable consumer could not rely on this statement as describing the security of Defendants' servers. See, e.g., Lloyd v. CVB Fin. Corp., 811 F.3d 1200, 1206-07 (9th Cir. 2016) (finding company's statement that "strong credit culture and underwriting integrity remain paramount at CVB" to be non-actionable puffery). Thus, to the extent Plaintiffs base their fraudulent misrepresentation claim on Defendants' statement that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust," the Court GRANTS Defendants' motion to dismiss. The Court grants with prejudice because, as a matter of law, the Court finds that this statement is mere puffery on which a reasonable consumer could not rely. See Baltazar v. Apple Inc., 2011 WL 6747884, at *4 (N.D. Cal. Dec. 22, 2014) ("If an alleged misrepresentation would not deceive a reasonable consumer or amounts to mere puffery, then the claim may be dismissed as a matter of law.").

However, the Court finds that the second alleged misrepresentation—that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you"—is not puffery. Unlike the statement discussed above, this second alleged misrepresentation makes a "specific, non-subjective guarantee" that Defendants use safeguards that complied with federal regulations to protect users' information. Andersen v. Griswold Int'l, LLC, 2014 WL 12694138, at *6 (N.D. Cal. Dec. 16, 2014). A reasonable consumer could rely on this statement as representing that Defendants did, in fact, use safeguards that complied with federal regulations. More generally, a reasonable consumer could rely on this statement as representing that Defendants' safeguards, which were represented to comply with federal regulations, were sufficient to protect users' information from ordinary data security threats. Plaintiffs allege that Defendants' privacy safeguards did not comply with applicable laws and regulations relating to data security, and that Defendants' privacy safeguards were not sufficient to protect users' information from ordinary data security threats. To the contrary, Plaintiffs allege that Yahoo's "data encryption protocol" was "widely discredited and had been proven, many years prior, easy to break." See, e.g., CCAC ¶ 133. Thus, in the context of the instant allegations, Defendants' representation that it used safeguards that complied with federal regulations to protect users' information is not puffery.

Defendants further contend in their motion that Defendants' statement that Defendants have "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you" is non-actionable because Defendants represented elsewhere in the Privacy Policy that Defendants' systems were not "100% secure," and that their systems have "inherent limitations." See Mot. at 29-30. The Court disagrees. A reasonable consumer could rely on Defendants' representations that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect information about you," but still understand that no computer system is "100% secure" and that all computer systems have "inherent limitations." The crux of Plaintiffs' allegations is not that Defendants safeguards failed to be "100% secure." Rather, the crux of Plaintiffs' allegations is that Defendants' safeguards did not comply with applicable laws and regulations and that Defendants' data encryption protocol was "widely discredited and had been proven, many years prior, easy to break." See CCAC ¶ 133. In the context of Plaintiffs' allegations, Defendants' statement that Defendants had safeguards that complied "with federal regulations to protect information about you" is actionable as fraud, even though Defendants also represented that their systems were not "100% secure" and that they had "inherent limitations."

Second, Defendants contend that, even assuming Plaintiffs have alleged an actionable misrepresentation, Plaintiffs' UCL fraud claim fails because Plaintiffs have failed to adequately allege reliance. "California courts have held that when the 'unfair competition' underlying a plaintiff's UCL claim consists of a defendant's misrepresentation or omission," a plaintiff must plead that he or she "actually relied on the misrepresentation or omission" to bring a UCL claim. Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033, 1047 (N.D. Cal. 2014) (citing In re Tobacco II Cases, 46 Cal. 4th 298, 326 (2009)). "This showing of actual reliance under the UCL requires a plaintiff to allege that 'the defendant's misrepresentation or nondisclosure was an immediate cause of the plaintiff's injury-producing conduct." Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190, 1220 (N.D. Cal. 2014) (quoting In re Tobacco II, 46 Cal. 4th at 326). "A plaintiff may establish that the defendant's misrepresentation is an immediate cause of the plaintiff's conduct by showing that in its absence the plaintiff in all reasonable probability would not have engaged in the injury- producing conduct." Id. (internal quotation marks omitted). "While a plaintiff need not demonstrate that the defendant's misrepresentations were 'the sole or even the predominant or decisive factor influencing his conduct,' the misrepresentations must have 'played a substantial part' in the plaintiff's decision making." Id.

As set forth above, the alleged misrepresentation that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you" is contained within Defendants' Privacy Policy. Defendants' Privacy Policy is incorporated via hyperlink into Defendants' Terms of Service. See CCAC, Ex. 2. Plaintiffs contend all users "were required to view and accept [Defendants' Terms of Service] prior to creating their accounts and providing their PII" to Defendants. See, e.g. CCAC ¶ 128. According to Plaintiffs, they have adequately alleged reliance on Defendants' Privacy Policy because they had to accept Defendants' Terms of Service to create their accounts. Defendants contend, however, that Plaintiffs have not adequately alleged actual reliance for purposes of their fraudulent prong claim because Plaintiffs do not allege that they actually read the Privacy Policy.

The Court agrees with Defendants. "[T]his Court has consistently held that plaintiffs in misrepresentation cases must allege that they actually read the challenged representations" in order to state a claim. Perkins, 53 F. Supp. 3d at 1220; see also, e.g., In re iPhone Application Litig., 6 F. Supp. 3d 1004, 1018 (N.D. Cal. 2013) ("[N]one of the Plaintiffs presents evidence that he or she even saw, let alone read and relied upon, the alleged misrepresentations contained in the Apple Privacy Policies . . . ."). As this Court explained in Perkins, "the fact that [] the alleged misrepresentations appeared on screens that all users had to click through to register" for the defendant's website does not "establish that any of the Plaintiffs actually read or relied on the misrepresentations in the absence of allegations that Plaintiffs read these statements." Perkins, 53 F. Supp. 3d at 1220.

Here, although all Plaintiffs had to click through Defendants' Terms of Service in order to create their accounts, see CCAC ¶ 116, Plaintiffs do not allege that they "actually read" Defendants' Terms of Service, let alone that Plaintiffs "actually read" the separate Privacy Policy containing the alleged misrepresentation at issue, which was accessible within Defendants' Terms of Service via an additional hyperlink. Id. Thus, as the Court held in Perkins, Plaintiffs have not adequately alleged a UCL fraud claim based on misrepresentations in Defendants' Privacy Policy because Plaintiffs have not adequately alleged that they "actually relied" on Defendants' misrepresentation contained within Defendants' Privacy Policy. Id.; see also, e.g., In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1093 (N.D. Cal. 2013) ("Plaintiffs do not even allege that they actually read the alleged misrepresentation—the Privacy Policy—which would be necessary to support a claim of misrepresentation.").

Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' UCL fraud claim to the extent that it is based on Defendants' affirmative misrepresentation that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you." The Court grants Plaintiffs leave to amend this claim because Plaintiffs may be able to allege that Plaintiffs actually relied upon this alleged misrepresentation, and thus leave to amend is not necessarily futile. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile).

2. Small Business Services Advertisements

In addition to the alleged misrepresentations contained within Defendants' Privacy Policy, Small Business Users Plaintiff Neff further alleges that Defendants made representations to users of Defendants' Small Business Services in Defendants' advertisements for their Small Business Services. See CCAC ¶¶ 98-99. Plaintiffs allege that Neff and all customers of Defendants' Small Business Services "were exposed to and read these advertisements and explanations, which appear on the webpages all customers must use to sign-up for the services." Id. ¶ 97.

Plaintiffs excerpt several representations in Defendants' Small Business Services advertisements, including:

• "It's easy to create a professional-looking website. Reassure customers with the VeriSign Verified Seal"

• "Password protection is available for your accounts and sections of your website (Advanced and Premier plans only)"

• "Your website runs on a Unix operating system and Apache servers"

• "Shared SSL certificates and encryption protect the information customers submit to your site (Advanced and Premier plans only)"

See CCAC ¶¶ 98-99. For several reasons, the Court finds that Plaintiffs have not adequately alleged a UCL fraud claim premised on these statements in Defendants' Small Business Services advertisements.

First, Defendants' statement that "[i]t's easy to create a professional-looking website" is a generalized and "highly subjective" statement, and thus constitutes mere puffery that is not actionable as a matter of law. See Southland Sod Farms v. Stover Seed Co., 108 F.3d 1134, 1145 (9th Cir. 1997) (noting that "highly subjective" statements that constitute "generalized boasting" are puffery "upon which no reasonable buyer would rely").

Second, in order to plead fraud with particularity under Rule 9(b), Plaintiffs "must explain why the statement or omission complained of was false and misleading." Mazur v. eBay Inc., 2008 WL 618988, at *13 (N.D. Cal. Mar. 4, 2008). Significantly, Plaintiffs' CCAC includes only screenshots of the above representations in Defendants' Small Business Services advertisements, but Plaintiffs do not explain why any of these statements are false and misleading. See CCAC ¶¶ 98-99. For example, Plaintiffs do not allege that Defendants' representations that"[s]hared SSL certificates and encryption protect the information customers submit to your site," that customers of small business websites can be "[r]eassure[d]" with a "VeriSign Verified Seal," and that small business websites "run[] on Unix operating system and Apache servers" are, indeed, false. See id. Absent any allegations in the CCAC explaining "what makes the representations false" or misleading, Plaintiffs have not adequately stated a fraud claim premised on these misrepresentations under Rule 9(b). Gallegos v. Wells Fargo Bank, N.A., 2013 WL 3166389, at *3 (E.D. Cal. June 20, 2013) (explaining that, to meet the heightened pleading standard of Rule 9(b), a plaintiff must "explain what makes the misrepresentations false"). Indeed, although Plaintiffs excerpt these advertisements in the CCAC's general factual allegations, Plaintiffs do not refer to Defendants' Small Business Services advertisements at all in Plaintiffs' UCL claims. See, e.g., CCAC ¶¶ 213-22.

Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' UCL fraud claim to the extent it is premised on Defendants' alleged misrepresentations in its Small Business Services advertisements. The Court grants Plaintiffs leave to amend their claim because Plaintiffs maybe able to allege with particularity why Defendants' representations are false. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile).

Small Business Users Plaintiff Neff also alleges in Count Nine and Count Ten a claim against Defendants for fraudulent inducement and negligent misrepresentation, respectively. Neff alleges in these counts that Defendants "made numerous representations, in advertising and in the Privacy Policy, regarding the supposed secure nature of their small business services," and that Neff "reasonably relied on the[se] representations." See, e.g. ¶¶ 198-99. Neff does not identity any specific misrepresentations. Thus, as set forth above, the Court concludes that Neff either cannot allege an actionable misrepresentation, or cannot allege reliance on an actionable misrepresentation. This holding defeats Neff's claims for fraudulent inducement and negligent misrepresentation, which also require an actionable misrepresentation and actual reliance. See, e.g., Hinesley v. Oakshade Town Ctr., 135 Cal. App. 4th 289, 367, 371 (Cal. Ct. App. 2005) (setting forth elements for fraudulent inducement, including a "misrepresentation" and "actual reliance"); B.L.M. v. Sabo & Deitsch, 55 Cal. App. 4th 823, 834-38 (Cal. Ct. App. 1997) (setting forth elements for negligent misrepresentation, including "misrepresentation" and "actual reliance"). Thus, for the reasons set forth above with regards to Neff's UCL claim for fraud, the Court GRANTS with leave to amend Defendants' motion to dismiss Neff's claims for fraudulent inducement and negligent misrepresentation.

ii. Fraudulent Omissions

Plaintiffs also allege that Defendants violated the UCL's fraudulent prong through fraudulent omissions. For an omission to be actionable under the UCL, "the omission must be contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose." Daugherty v. Am. Honda Motor Co., 144 Cal. App. 4th 824, 835 (2006). The California Courts of Appeal have held that there are four circumstances in which a duty to disclose may arise: "(1) when the defendant is the plaintiff's fiduciary; (2) when the defendant has exclusive knowledge of a material fact not known or reasonably accessible to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when the defendant makes partial representations that are misleading because some other material fact has not been disclosed." Collins v. eMachines, Inc., 202 Cal. App. 4th 249, 255 (2011). "[A] fact is deemed 'material,' and obligates an exclusively knowledgeable defendant to disclose it, if a 'reasonable [consumer]' would deem it important in determining how to act in the transaction at issue." Id. at 256 (citing Engalla v. Permanente Med. Grp., Inc., 15 Cal. App. 4th 951, 977 (1997)).

Plaintiffs contend that Defendants were required to disclose the fact of Defendants' "non-compliant and substandard security systems." See, e.g., CCAC ¶ 103. Defendants contend, however, that even assuming Defendants had a duty to disclose to Plaintiffs that Defendants' security systems were "non-compliant" and "substandard," Plaintiffs nonetheless cannot state a UCL claim because Plaintiffs fail to plead actual reliance on the omission of that information. For the reasons discussed below, the Court agrees with Defendants.

As discussed above, "California courts have held that when the 'unfair competition' underlying a plaintiff's UCL claim consists of a defendant's misrepresentation or omission," a plaintiff must plead that he or she "actually relied on the misrepresentation or omission" to bring a UCL claim. Backhaut, 74 F. Supp. 3d at 1047 (citing In re Tobacco II Cases, 46 Cal. 4th at 326). Actual reliance on the omission of material information can be shown where the plaintiff alleges that, "had the omitted information been disclosed, [the plaintiff] would have been aware of it and behaved differently." Ehrlich v. BMW of N.A., Inc., 801 F. Supp. 2d 908, 919 (C.D. Cal. 2010) (quoting Mirkin, 5 Cal. 4th at 1093).

As discussed above, Plaintiffs do not allege that they actually read Defendants' Privacy Policy. Accordingly, to the extent Plaintiffs' UCL fraudulent omission claim is based on Defendants' failure in their Privacy Policy to disclose that their security systems were non-compliant and substandard, Plaintiffs have not alleged that, had Defendants disclosed in their Privacy Policy that Defendants' security systems were non-compliant and substandard, Plaintiffs "would have been aware" of this disclosure. See id. (finding that plaintiff failed to plead actual reliance on omitted information where plaintiff failed to allege that "he reviewed any brochure, website, or promotional material that might have contained a disclosure of the cracking defect"). Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' UCL fraud claim to the extent that it is based on Defendants' allegedly fraudulent omissions in their Privacy Policy. The Court grants Plaintiffs leave to amend because Plaintiffs may be able to allege that Plaintiffs would have been aware of the allegedly omitted information had Defendants disclosed that information in their Privacy Policy. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile).

However, Small Business User Plaintiff Neff alleges that all customers of Defendants' Small Business Services, "including Plaintiff Neff, were exposed to and read [the Small Business Services] advertisements and explanations, which appear on the webpages all customers must use to sign-up for the services." CCAC ¶ 97. Neff alleges that Defendants' online security "was highly material to [his] decision to utilize Defendants' Small Business services," but that Defendants did not disclose to Neff that their online security was non-compliant and substandard. See id. Accordingly, Neff has alleged that, had Defendants disclosed in their Small Business Services advertisements that their security systems were non-compliant and substandard, Neff "would have been aware" of these disclosures, and Neff would have "behaved differently." Ehrlich, 801 F. Supp. 2d at 919 (quoting Mirkin, 5 Cal. 4th at 1093). Thus, to the extent Plaintiffs' UCL fraud claim is based on Defendants' allegedly fraudulent omissions to Small Business Plaintiff Neff and the putative Small Business Users Class in Defendants' Small Business Services advertisements, the Court DENIES Defendants' motion to dismiss.

3. Entitlement to UCL Remedies

Lastly, Defendants argue that Plaintiffs' UCL claim must be dismissed because Plaintiffs have not sufficiently alleged entitlement to equitable relief, which is the only relief available under the UCL. See Mot. at 30; see Pom Wonderful, 2009 WL 5184422, at *2 ("Although the UCL targets a wide range of misconduct, its remedies are limited because UCL actions are equitable in nature.").

However, as Defendants appear to concede, Neff has standing to seek restitution on behalf of the putative Small Business Users Class. See Reply at 11-12 (arguing only that Plaintiffs have failed to establish entitlement to seek injunctive relief). "Under the UCL, an individual may recover profits unfairly obtained to the extent that these profits represent monies given to the defendant or benefits in which the plaintiff has an ownership interest." Id. Here, Neff alleges that Defendants represented that their servers were secure and that Neff paid Defendants for Defendants' Small Business Services, but that Defendants knowingly failed to undertake reasonable security measures to protect Neff's personal information. As a result, Neff alleges that Neff lost the benefit of the bargain, and that Defendants unfairly obtained profits from Neff. These allegations are sufficient to demonstrate that Neff may seek restitution. See, e.g., Anthem I, 162 F. Supp. 3d at 986 (finding plaintiffs adequately alleged entitlement to restitution where plaintiffs adequately alleged lost benefit of the bargain as a result of defendant's lax data security measures).

Plaintiffs concede that the United States Plaintiffs, who did not pay for Defendants' services, cannot seek restitution from Defendants. See Opp. at 26. Because United States Plaintiffs did not pay for Defendants' services, the United States Plaintiffs did not give Defendants money "or benefits in which [Plaintiffs] have an ownership interest." See Pom Wonderful LLC, 2009 WL 5184422, at *2. Nonetheless, Plaintiffs argue that the United States Plaintiffs have standing to seek injunctive relief against Defendants. See Opp. at 26. The Court agrees. To establish standing for prospective injunctive relief, a plaintiff must demonstrate that he or she "has suffered or is threatened with a concrete and particularized legal harm, coupled with a sufficient likelihood that he [or she] will again be wronged in a similar way." Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007). "As to the second inquiry, [a plaintiff] must establish a 'real and immediate threat of repeated injury.'" Id. (quoting O'Shea v. Littleton, 414 U.S. 488, 496 (1974)). "[P]ast wrongs do not in themselves amount to [a] real and immediate threat of injury necessary to make out a case or controversy." City of Los Angeles v. Lyons, 416 U.S. 95, 111 (1983).

Defendants argue that Plaintiffs have alleged only a "past wrong" resulting from the Data Breaches, and Plaintiffs do not face a "real and immediate threat of" future injury. Lyons, 416 U.S. at 111. However, a fair reading of the CCAC is that, although Defendants "claim[] to have plugged the leaks" in their security systems, Plaintiffs cannot trust Defendants' representations regarding their security systems. Accordingly, Plaintiffs face a "real and immediate threat" of further disclosure of their PII, which remains in the hands of Defendants. See Lyons, 416 U.S. at 111; see, e.g., CCAC ¶¶ 84-85. Moreover, Plaintiffs allege that at least "as late as March 17, 2017," hackers have been actively selling the PII of Defendants' users on the dark web. CCAC ¶ 84. Plaintiffs allege that Defendants have not only failed to take any actions with regard to this information being on the dark web, but that Defendants have continued to dispute the scope of their responsibility. See id. ¶¶ 84-96. Taking these allegations as true and in the light most favorable to Plaintiffs, the Court finds that Plaintiffs have adequately alleged a "real and immediate threat of repeated injury" from Defendants. See Bates, 511 F.3d at 985. Accordingly, at this stage of the litigation, Plaintiffs have adequately alleged standing to seek injunctive relief under the UCL. Thus, the Court DENIES Defendants' motion to dismiss Plaintiffs' UCL claim for lack of entitlement to UCL remedies.

C. CLRA

In Count Two, the United States Plaintiffs and the Israel Plaintiffs assert a claim against Yahoo under the CLRA, which prohibits "unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or which results in the sale or lease of goods or services to any consumer." Cal. Civ. Code § 1770(a).

Defendants move to dismiss Plaintiffs' CLRA claim on three grounds. First, Defendants argue that "Yahoo accounts are free, so Plaintiffs are not 'consumers' under the CLRA." See Mot. at 30. Second, Defendants argue that Yahoo's email platform does not qualify as a "good" or "service" within the meaning of the CLRA. Id. Third, Defendants argue that Plaintiffs do not sufficiently allege reliance as required for a CLRA claim. Id. As discussed further below, the Court finds that dismissal is appropriate because Plaintiffs are not consumers under the CLRA, and thus the Court need not consider Defendants' remaining arguments.

As stated above, the CLRA prohibits certain unfair methods of competition "in the sale or lease of goods or services to any consumer." Cal. Civ. Code § 1770(a). The CLRA defines a "consumer" as "an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes." Cal. Civ. Code § 1761(d). Thus, in order to state a claim under the CLRA, Plaintiffs must sufficiently allege, among other things, that they are "consumers" because they "purchase[d] or lease[d]" some good or service of Defendants. Id.

Significantly, only the United States Plaintiffs and Israel Plaintiffs assert a CLRA claim. However, these Plaintiffs used Yahoo's free email service and thus did not "purchase or lease" a good or service from Defendants. See Cal. Civ. Code § 1761(d). In their opposition, Plaintiffs insist that they can nonetheless state a CLRA claim because Defendants "collect and store tremendous amounts of PII, and use this information to maximize profits through targeted advertising and other means." See Opp. at 17-18. Accordingly, Plaintiffs argue that "use of their Yahoo accounts is not 'free.'" Id. Moreover, Plaintiffs argue that their allegations are sufficient given the CLRA's "liberal mandate." Id.

Small Business Users Plaintiff Neff does not assert a CLRA claim on behalf of the putative Small Business Users Class. This is likely because, as discussed above, the CLRA applies only to those who purchased or leased goods or services "for personal, family, or household purposes," and does not include purchasers of goods or services for business purposes. Cal. Civ. Code § 1761(d).

The Court notes that the CCAC alleges in passing that Plaintiff Rivlin, one of the Israel Plaintiffs, "pays Yahoo annually $20.00 to have Yahoo emails received forwarded to another email account." See CCAC ¶ 15. However, this is the only mention in the CCAC of this email forwarding service, and Plaintiffs do not mention this email forwarding service in Plaintiffs' opposition as a ground for their CLRA claim. To the extent Plaintiffs seek to state a CLRA claim based on Rivlin's use of this paid email forwarding service, the CCAC does not allege any "unfair methods of competition and unfair or deceptive acts or practices . . . intended to result or which results in the sale or lease" of this email forwarding service. See Cal. Civ. Code § 1770(a). Nor does the CCAC allege that this email forwarding service was for "personal, family, or household purposes," as required to state a CLRA claim. Id. § 1761(d). Accordingly, to the extent Plaintiffs seek to state a CLRA claim based on Rivlin's use of a paid email forwarding service, Plaintiffs have not adequately alleged such a claim.

Contrary to Plaintiffs' argument, the fact that Defendants store PII and use this PII for targeted advertising does not indicate that Plaintiffs "purchase[d] or lease[d]" some good or service within the meaning of the CLRA. See Cal. Civ. Code § 1761(d). Indeed, district courts in this Circuit have rejected substantially identical arguments. In Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011), the plaintiff asserted a CLRA claim based on a data breach of RockYou, "a publisher and developer of online services and applications for use with social networking sites." Id. at 858. RockYou moved to dismiss the CLRA claim on the ground that plaintiff was not a consumer because the plaintiff's RockYou account was free and thus the plaintiff did not "purchase or lease" a good or service from RockYou. Id. at 864. In response, the plaintiff argued that "because his PII has an ascertainable value and constitutes both currency and property, his transfer of PII information to defendant in exchange for free applications, constitutes a purchase or lease under the CLRA." Id. (internal quotation marks omitted). However, the Claridge court rejected this argument, and found that the "notion that the phrase 'purchase' or 'lease' contemplates any less than tangible form of payment . . . finds no support under the specific statutory language of the CLRA, nor has plaintiff relied on any legal authority suggesting as much." Id. at 864.

Another court in this district, following Claridge, has also rejected a plaintiff's argument "that he purchased the defendant's services with his PII" for the purposes of the CLRA. See Yunker v. Pandora Media, Inc., 2013 WL 1282980, at *12 (N.D. Cal. Mar. 26, 2013); see also Song Fi, Inc. v. Google, Inc., 2016 WL 1298999, at *12 (N.D. Cal. Apr. 4, 2016) ("Providing consumer traffic for YouTube, Plaintiffs' alleged consideration, is certainly a less than tangible form of payment."). Additionally, the Third Circuit has followed Claridge and Yunker and come to a similar conclusion. In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 153 (3d Cir. 2015), cert. denied, 137 S. Ct. 36 (2016) (rejecting plaintiffs argument that for the purposes of the CLRA, the plaintiffs engaged in a "'sale' whereby they gave their trackable internet history information in exchange for advertisements delivered to their browsers (i.e., the 'services')").

The Court finds the reasoning of these cases persuasive. The mere fact that Yahoo gained some profit from Plaintiffs' use of Yahoo's free email services does not by itself show that Plaintiffs "purchased" those services from Defendants. See Claridge , 785 F. Supp. at 864 (rejecting the "notion that the phrase 'purchase' or 'lease' contemplates any less than tangible form of payment" under the CLRA). Additionally, as in Claridge, Plaintiffs cite no legal authority—and the Court is not aware of any legal authority—to support Plaintiffs' theory that the mere transfer of PII renders Plaintiffs' use of a free service a "purchase" or "lease" of that service. See id. Furthermore, as the Court recognized in Claridge, Plaintiffs' references to the "CLRA's liberal mandate," see Opp. at 28, do not allow the Court to ignore the clear text of the CLRA, which requires a "purchase or lease." See Claridge, 785 F. Supp. 2d at 864 (noting that the "purchase or lease" of goods or services is "a strict requirement under the statute"). The Court cannot ignore the CLRA's "strict requirement" of a "purchase or lease" simply because Plaintiffs believe that the result is unfair in this case. See id.

Accordingly, the Court finds that United States Plaintiffs and Israel Plaintiffs have not alleged any "purchase or lease" and therefore cannot assert a CLRA claim. Thus, the Court GRANTS Defendants' motion to dismiss Plaintiffs' CLRA claim. The Court cannot find at this stage that amendment would necessarily be futile. Therefore, the Court grants leave to amend. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile).

D. Customer Records Act

The United States Plaintiffs, Israel Plaintiffs, and Small Business Users Plaintiff assert a claim in Count Three under the California Customer Records Act ("CRA"), Cal. Civ. Code § 1798.80, et seq. The CRA "regulates businesses with regard to treatment and notification procedures relating to their customers' personal information." Corona v. Sony Pictures Ent'mt, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Plaintiffs allege that Defendants violated § 1798.82 of the CRA. This provision provides, in relevant part:

A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person . . . .

Cal. Civ. Code § 1798.82(a). The statute requires that disclosure "shall be made in the most expedient time possible and without unreasonable delay." Id. The statute also describes the information that must be included in the security breach notification and the form that the security breach notification must take. See § 1798.82(d).

Section 1798.82(h) defines "personal information" for purposes of the CRA as the following:

(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(A) Social security number.
(B) Driver's license number or California identification number.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information
(F) Information or data collected through the use or operation of an automated license plate recognition system . . . .

(2) A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

See Cal. Civ. Code § 1798.82(h).

Plaintiffs contend that the Data Breaches at issue constituted "breach[es] of the security" of Defendants' systems, that Plaintiffs' "personal information was," or was reasonable believed by Defendants to have been, "acquired by an unauthorized person" during the Data Breaches, and that Defendants unreasonably delayed informing Plaintiffs about the Data Breaches, in violation of § 1798.82. See Cal. Civ. Code § 1798.82; CCAC ¶¶ 151-52.

Defendants move to dismiss Plaintiffs' CRA claim on several bases. First, Defendants argue that the non-California Plaintiffs lack standing to bring a CRA claim. Second, Defendants argue that they were not required to notify Plaintiffs about the 2013 Breach. Third, Defendants argue that they were not required to notify Plaintiffs about the Forged Cookie Breach. Finally, Defendants argue that Plaintiffs have failed to allege damages resulting from Defendants' violation of the CRA. The Court considers each of these arguments in turn.

1. Standing for Non-California Residents

First, Defendants move to dismiss the CRA claims of non-California residents because, according to Defendants, non-California residents lack standing to bring claims under the CRA. The Court agrees with Defendants. As set forth above, the plain language of the CRA provides that a California business that owns computerized data that includes personal information "shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California " whose information was acquired by an unauthorized person. Cal. Civ. Code § 1798.82(a) (emphasis added). Given this language, district courts have dismissed CRA claims brought on behalf of non-California Plaintiffs because the CRA "is clear that it applies only 'to ensure the personal information [of] California residents is protected.'" In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 942, 973 (S.D. Cal. Oct. 11, 2012) (quoting Cal. Civ. Code § 1798.81.5(a)); see also Antman, 2015 WL 6123054, at *5 ("Section 1798.82 has procedures for notifying California residents when their unencrypted personal information is disclosed in a data breach and thereby acquired (or reasonably believed to have been acquired by) an unauthorized person" (citing Cal. Civ. Code § 1798.82(a)(emphasis added)).

Plaintiffs make two primary arguments in opposition to Defendants, neither of which is persuasive. First, Plaintiffs argue that § 1798.84(b), which is the remedies provision of the CRA, provides that "[a]ny customer injured by a violation of this title may institute a civil action to recover damages." See Opp. at 31 (quoting Cal. Civ. Code § 1798.84(b)). Plaintiffs read the language "any customer" to mean that the CRA is not geographically limited. Id. (emphasis added). However, § 1798.84(b) provides a private right of action to "[a]ny customer injured by a violation" of the CRA. Cal. Civ. Code § 1798.84(b) (emphasis added). As set forth above, a business violates the CRA if the business fails to notify "a resident of California" that the resident's personal information was acquired or reasonably believed to have been acquired by an unauthorized person. See Cal. Civ. Code § 1798.82(a) (emphasis added). Accordingly, a non-California resident cannot as a matter of law be "injured by a violation" of the CRA, Cal. Civ. Code § 1798.84(b), because under the plain language of § 1798.82(a), a non-California resident has no right to receive notification of a data breach. See Cal. Civ. Code § 1798.82(a). Thus, Plaintiffs' reliance on the remedies provision of the CRA is unavailing.

Second, Plaintiffs argue that non-California Plaintiffs can bring claims under the CRA because Defendants have stipulated "to the nationwide application of California law." See Opp. at 31-32. However, as the Ninth Circuit has held, "[w]hen a law contains geographical limitations as to its application, courts will not apply it to parties falling outside those limitations even if the parties stipulate that the law should apply." Fred Briggs Distributing Co., Inc. v. California Cooler, Inc., 2 F.3d 1156, at *1 (9th Cir. 1993). As set forth above, § 1798.82 sets forth a geographical limitation that restricts the protections of the CRA to California residents. See Antman, 2015 WL 6123054, at *5("Section 1798.82 has procedures for notifying California residents . . . ." (emphasis added)). Thus, it is no matter whether "the parties [have] stipulate[d] that [the CRA] should apply" to the nationwide class. Fred Briggs Distributing Co., Inc., 2 F.3d at *1 (rejecting argument that non-California plaintiffs could bring a claim under the California Franchise Relations Act, even though the parties stipulated to the application of California law, because "[o]nly franchisees that are domiciled in California" were covered by the California Franchise Relations Act).

Plaintiffs cite Gravquick A/S v. Trimble Navigation Intern. Ltd., 323 F.3d 1219, 1222 (9th Cir. 2003), for the proposition that the parties can stipulate to the extraterritorial application of California statutes. In that case, however, the Ninth Circuit concluded that the statute at issue did not limit the statute's application to only California residents. See id. at 1223 (concluding that the California Equipment Dealers Act "include[d] no express requirement limiting its protection to dealers located in California."). Indeed, the Ninth Circuit in Gravquick A/S noted the rule that "[w]hen a law contains geographical limitations on its application . . . courts will not apply it to parties falling outside those limitations, even if the parties stipulate that the law should apply." Id. at 1223. As discussed above, the CRA contains geographical limitations on its application. Thus, Plaintiffs' reliance on Gravquick A/S is not persuasive.

Accordingly, the Court GRANTS Defendants' motion to dismiss the CRA claims of non-California Plaintiffs. Specifically, of the United States Plaintiffs, the Court GRANTS Defendants' motion to dismiss the CRA claims of Plaintiffs Essar, Matthew Ridolfo, Deana Ridolfo, and Garg, because these Plaintiffs are not residents of California. See CCAC ¶¶ 11-14 (alleging that Essar is a resident of Colorado, that Matthew Ridolfo and Deana Ridolfo are residents of New Jersey, and that Garg is a resident of Illinois). This leaves the CRA claims of only United States Plaintiffs Heines and Dugas, who are California residents. See CCAC ¶¶ 10, 12.

The Small Business Users Plaintiff, Neff, is a resident of Texas. Id. ¶ 20. The Israel Plaintiffs, Rivlin and Granot, are residents of Israel. CCAC ¶¶ 15-16. Accordingly, the Court GRANTS Defendants' motion to dismiss Neff, Rivlin, Granot's CRA claims.

Because Plaintiffs Essar, Matthew Ridolfo, Deana Ridolfo, Garg, Neff, Rivlin, and Granot are not California residents, they cannot bring a claim under § 1798.82 of the CRA as a matter of law. Thus, the Court finds that granting these Plaintiffs leave to amend their CRA claim would be futile, and the Court grants Defendants' motion to dismiss these Plaintiffs' CRA claims with prejudice.

Plaintiffs state in a footnote that, should the Court find "that non-California Plaintiffs lack standing to bring a CRA claim, Plaintiffs can amend their Complaint to assert claims, and avail themselves of remedies, under the security breach notification laws of over a dozen states, and request leave to do so." See Opp. at 31, n.31. However, to the extent Plaintiffs request leave to add new claims or new parties, Plaintiffs must file a separate motion for leave to amend and Plaintiffs must attach a proposed amended complaint to Plaintiffs' motion. Absent any indication of what additional "security breach notification" law claims Plaintiffs seek to allege against Defendants, or the proposed allegations supporting those claims, the Court cannot determine whether granting Plaintiffs leave to amend to add new claims under other security breach notification laws would be futile, in bad faith, cause undue delay, or be unduly prejudicial to Defendants. See Leadsinger, 512 F.3d at 532 (stating that a district court may deny leave to amend due to futility, undue delay, bad faith, or undue prejudice to the opposing party).

The Court next turns to address Defendants' remaining arguments regarding the CRA claims of United States Plaintiffs Heines and Dugas.

2. Requirement to Notify about the 2013 Breach

Next, Defendants argue that "CRA notice was not required for California residents potentially affected by the 2013 Breach" because, at the time of the 2013 Breach, the CRA did not require Defendants to notify California residents if an unauthorized individual accessed "[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account." See Mot. at 32. Defendants' argument requires understanding an amendment to the CRA's definition of "personal information" that became effective on January 1, 2014. Accordingly, the Court first addresses the CRA's definition of "personal information" and the 2014 amendment to that definition. The Court then addresses the parties' arguments regarding the 2013 Breach.

As set forth above, the CRA establishes procedures for California businesses "to notify California residents when their unencrypted personal information is disclosed in a data breach and thereby acquired (or reasonably believed to have been acquired by) an unauthorized person." Antman, 2015 WL 6123054, at *5 (citing Cal. Civ. Code § 1798.82(a)) (emphasis added). "Personal information" is defined in § 1798.82(h) of the statute. In 2013, at the time of the 2013 Breach, the statute defined personal information as the following:

[A]n individual's first name or first initial and last name, in combination with" at least one or more of the following:

(1) the individual's social security number,

(2) driver's license number or California identification number,

(3) account number,

(4) credit or debit card number, in combination with any required security code, or password that would permit access to an individual's financial account,

(5) medical information, and

(6) health insurance information.

See RJN, Ex. N. Significantly, the definition of "personal information" in the 2013 version of the CRA did not include "[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account." This language was added to the definition of "personal information" in § 1798.82(a) by an amendment signed into law on September 27, 2013, and effective January 1, 2014. See RJN, Ex. M (setting forth legislative history of Senate Bill No. 46, which made amendments to Cal. Civ. Code § 1798.82).

Defendants claim that the 2013 Breach revealed only "user name[s] and email address[es] in combination with . . . password[s] or security question[s] and answer[s]." Id. Thus, Defendants argue, the 2013 Breach did not reveal "personal information" as that term was defined in the 2013 version of the CRA, and so Defendants were not required to notify Plaintiffs of the 2013 Breach. See Mot. at 33-34. Defendants contend that, if the Court were to apply the 2014 amendments to the CRA to Plaintiffs' CRA claim regarding the 2013 Breach, the Court would be applying the amendments retroactively, which the Court may not do. Id.

However, Defendants' argument regarding the timing of the CRA's application is based on a misinterpretation of the CRA. As set forth above, under the CRA, a California business "that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California" whose personal information was accessed by an unauthorized individual during the breach. See Cal. Civ. Code § 1798.82(a)(2). The statute provides that disclosure of a data breach "shall be made in the most expedient time possible and without unreasonable delay" following discovery of the breach. Id. Thus, a business does not violate the CRA simply because a data breach occurred. Instead, a business violates the CRA only if the business "discover[s]" or is "notif[ied] of the breach" and thereafter "unreasonably delay[s]" in disclosing the data breach. Id. (emphasis added). Accordingly, in the instant case, the relevant date for purposes of Plaintiffs' CRA claim is not the date that the 2013 Breach occurred. Instead, it is the date that Defendants discovered the 2013 Breach and thereafter failed to adequately notify Plaintiffs. Thus, as long as Defendants discovered the 2013 Breach on January 1, 2014 or later, the 2014 amendment to the CRA applies to Plaintiffs' CRA claim because Defendants would have violated the CRA in 2014 or later, while the 2014 amendment was in effect.

Problematically, however, Plaintiffs' CCAC does not contain any allegations about when Defendants "discover[ed]" or were "notif[ied]" of the 2013 Breach. Id. Rather, the CCAC alleges only that Defendants "finally admitted" the 2013 Breach on December 14, 2016. See CCAC ¶ 79. Because the CCAC does not allege when Defendants discovered the 2013 Breach, the Court cannot determine which version of the CRA was in effect at the time that Defendants allegedly violated the CRA. More significantly, absent any allegations in the CCAC suggesting when Defendants learned of the 2013 breach, Plaintiffs have not adequately alleged that Defendants "unreasonably delay[ed]" in notifying Plaintiffs of the 2013 Breach on December 14, 2016. See Cal. Civ. Code § 1798.82(a). Thus, regardless of whether the 2014 amendments to the CRA apply, Plaintiffs' allegations regarding the 2013 Breach fail to state a claim under the CRA.

In a footnote, Plaintiffs assert that even if the 2013 version of the CRA applies to the 2013 Breach, Defendants were nonetheless required to notify Plaintiffs of the 2013 Breach because the 2013 Breach involved the exposure of "personal information" as that term was defined in the 2013 version of the statute. See Opp. at 29 n. 28. The Court need not reach this issue because Plaintiffs have failed to allege that Defendants unreasonably delayed in notifying Plaintiffs of the 2013 Breach. However, if Plaintiffs can allege unreasonable delay, then the Court would, as with the Forged Cookie Breach, likely find that the 2013 Breach exposed personal information as defined by the 2013 version of the CRA.

Thus, the Court GRANTS Defendants' motion to dismiss Plaintiffs' CRA claim to the extent that Plaintiffs' CRA claim is based on Defendants' failure to disclose the 2013 Breach. The Court affords Plaintiffs leave to amend this claim because Plaintiffs may be able to allege facts sufficient to show that Defendants unreasonably delayed in failing to notify Plaintiffs that the 2013 Breach occurred, and thus leave to amend this claim is not necessarily futile. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment is not futile). The remainder of the Court's discussion of Plaintiffs' CRA claim therefore relates only to the 2014 Breach and the Forged Cookie Breach.

3. Requirement to Notify about the Forged Cookie Breach

Next, Defendants argue that the CRA does not apply to the Forged Cookie Breach, which occurred in 2015 and 2016, because the Forged Cookie breach did "not involve exposure of the statutory data elements of 'personal information.'" Mot. at 34. Again, Defendants' argument is based on the definition of "personal information" in § 1798.82(h) of the CRA. As set forth above, the definition of "personal information" in Cal. Civ. Code § 1798.82(h) includes an individual's name in combination with one or more of the following data elements: (1) Social Security number; (2) Driver's license number or California identification number; (3) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (4) Medical information; (5) Health insurance information; or (6) Information or data collected through the use or operation of an automated license plate recognition system. See id. In addition, effective January 1, 2014, the definition of "personal information" also includes an individual's "user name or email address, in combination with a password or security question and answer that would permit access to an online account." See Cal. Civ. Code § 1798.82(h).

Defendants do not contest that the 2014 Breach involved hackers accessing Plaintiffs' "personal information." However, in the Forged Cookie Breach, hackers were able to forge authentication cookies, which allowed the hackers to access Plaintiffs' Yahoo email accounts "without needing to supply the account's password." CCAC ¶ 68. Defendants thus argue that, because hackers were able to access Plaintiffs' accounts without a password, the Forged Cookie Breach did not involve exposure of Plaintiffs' "user name or email address, in combination with a password or security question and answer that would permit access to an online account," Cal. Civ. Code § 1798.82(h), and thus did not involve the exposure of Plaintiffs' "personal information." Accordingly, Defendants argue they were not required by the CRA to notify Plaintiffs of the Forged Cookie Breach.

To resolve this issue, the Court first discusses "cookies," and then discusses Plaintiffs' allegations regarding the Forged Cookie Breach. The Court then turns to the parties' arguments.

A "cookie" is a small text file that a server creates and sends to a browser, which then stores the file in a particular directory on an individual's computer." In re Facebook Internet Tracking Litig., 140 F. Supp. 3d 922, 926 (N.D. Cal. Oct. 23, 2015); see also CCAC ¶ 67. "[C]ookies contain information about the user's session with" a particular server. See CCAC ¶ 67. "When an individual using a web browser contacts a server—often represented by a particular webpage or internet address—the browser software checks to see if that server has previously set any cookies on the individual's computer." In re Facebook Internet Tracking Litig., 140 F. Supp. 3d at 926; see also CCAC ¶ 67. "If the server recognizes any valid, unexpired cookies, then the computer 'sends' those cookies to the server." In re Facebook Internet Tracking Litig., 140 F. Supp. 3d at 926. "After examining the information stored in the cookie, the server knows if it is interacting with a computer with which it has interacted before." Id. "Since servers create database records that correspond to individuals, sessions, and browsers, the server can locate the database record that corresponds to the individual, session, or browser using the information from the cookie." Id. Accordingly, cookies allow Yahoo's servers to recognize a computer that has previously logged in to Yahoo, and thus allow a Yahoo user to revisit the Yahoo website without "need[ing] to log in each time." CCAC ¶ 67.

Plaintiffs allege that, during the Forged Cookie Breach, hackers "were able to forge" authentication cookies, which granted the hackers access to Yahoo users' email accounts "without needing to supply the account's password." CCAC ¶ 68. In addition, "a forged cookie allowed the hackers to remain logged into the hacked accounts for weeks or indefinitely." Id.

According to Defendants, because Plaintiffs allege that the Forged Cookie Breach involved users accessing Yahoo accounts "without needing to supply the account's password," the Forged Cookie Breach did not involve the hackers gaining unauthorized access to a California resident's "username or email address, in combination with a password or security question and answer that would permit access to an online account." Cal. Civ. Code § 1798.82(h). Thus, Defendants argue the Forged Cookie Breach did not involve the disclosure of "personal information" of Plaintiffs within the meaning of the CRA, and thus Defendants were not required to notify California residents about the Forged Cookie Breach.

Defendants' argument is not well taken. Plaintiffs allege that hackers forged authentication cookies, which hackers used as a proxy for Plaintiffs' passwords to gain unauthorized access to California resident's Yahoo email accounts. See CCAC ¶¶ 67-68. Significantly, once hackers gained access to Plaintiffs' Yahoo email accounts, hackers were able to "remain logged into the hacked accounts for weeks or indefinitely" and access all information contained in the accounts. Id. Plaintiffs Heines and Dugas allege that they used their Yahoo email accounts for personal and financial transactions, such as collecting Social Security payments and filing their tax returns. See CCAC ¶¶ 10, 12. Indeed, Plaintiffs allege that, in general, users of Yahoo's email service used their email for numerous sensitive personal and financial purposes. See id. ¶¶ 42-44. Plaintiffs allege that access to an individual's Yahoo email account could allow a hacker to access bank accounts, file hosting accounts, personal messages, and other information. See id. Accordingly, even if the Forged Cookie Breach did not involve hackers gaining access to users' passwords, Plaintiffs allege that the Forged Cookie Breach nonetheless involved hackers gaining access to other types of information that § 1798.82(h) defines as "personal information," such as "social security number[s]," "medical information," or "credit or debit card number[s]." See Cal. Civ. Code § 1798.82(h); see CCAC ¶¶ 10, 12, 42-44.

At the very least, even if Defendants did not know that this information was accessed in the Forged Cookie Breach, based on the allegations in the CCAC, Defendants should have "reasonably believed" that the hackers acquired this information in the Forged Cookie Breach. See Cal. Civ. Code § 1798.82(h) (requiring notification after a business learns that a California resident's "personal information was, or is reasonably believed to have been, acquired by an unauthorized person"). This inference is plausible in light of the fact that Plaintiffs allege that the Forged Cookie Breach involved prolonged and perhaps indefinite access to Plaintiffs' Yahoo email accounts and all the information contained in those accounts. See CCAC ¶ 68.

Thus, even if the Forged Cookie Breach did not involve hackers learning of Plaintiffs' passwords, Plaintiffs have adequately alleged that the Forged Cookie Breach nonetheless involved hackers accessing Plaintiffs' "personal information," as that information is defined in § 1798.82(h). Plaintiffs allege that Defendants have admitted in their recent 10-K filing with the SEC that Defendants knew of the Forged Cookie Breach as it was happening in 2015 and 2016 "but took no real action in the face of that knowledge." CCAC ¶ 86. Plaintiffs allege that Defendants "quietly divulged the Forged Cookie Breach in [Defendants'] 10-Q filing with the SEC filed November 9, 2016," but that Defendants "declined to notify any affected users at that time" and indeed did not begin notifying users until "February 2017." CCAC ¶¶ 80-81. Based on the CCAC's allegations, the Court finds that Plaintiffs have adequately alleged that Defendants "unreasonably delay[ed]" in notifying Plaintiffs that their "personal information" was accessed by unauthorized individuals in the Forged Cookie Breach. See Cal. Civ. Code § 1798.82(a). Accordingly, the Court DENIES Defendants' motion to dismiss Plaintiffs' CRA claim based on the Forged Cookie Breach.

4. Damages from Delayed Notice

Finally, Defendants argue that Plaintiffs' CRA claim fails because Plaintiffs have not alleged that their damages flowed from Defendants' delay in notifying Plaintiffs about the Data Breaches, rather than simply from the Data Breaches themselves. Mot. at 35.

As set forth above, § 1798.84 of the CRA, the remedies provision, provides that "[a]ny customer injured by a violation of this title may institute a civil action to recover damages." Cal. Civ. Code § 1798.84(b). "[W]here a plaintiff fails to allege a cognizable injury, the plaintiff 'lacks statutory standing' to bring a claim under § 1798.84, 'regardless of whether [the] allegations are sufficient to state a violation of the [statute]" itself. In re Adobe, 66 F. Supp. 3d at 1218; see also Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *10 (S.D. Cal. Nov. 3, 2016) ("[P]roof of damages is a threshold hurdle for" a CRA cause of action). To allege a "cognizable injury" arising from Defendants' alleged failure to timely notify Plaintiffs of the Data Breaches, Plaintiffs must allege "incremental harm suffered as a result of the alleged delay in notification," as opposed to harm from the Data Breaches themselves. Dugas, 2016 WL 6523428, at *7; see also In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 ("[A] plaintiff must allege actual damages flowing from the unreasonable delay (and not the intrusion itself) in order to recover actual damages"). Where Plaintiffs have failed to allege injury arising from the Defendants' "delayed notification," courts have dismissed § 1798.82 claims. See, e.g., Dugas, 2016 WL 6523428, at *7 (dismissing § 1798.82 claim because Plaintiff did not allege "what, if any, concrete harm resulted from Defendants' alleged failure to promptly notify [its] customers of the data breach"); In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 (dismissing § 1798.82 claim where plaintiffs "failed to allege how" a ten-day delay in notification caused plaintiffs' injuries).

According to Defendants, "Plaintiffs have not pled facts showing how they were injured specifically as a result of Defendants' purported notification delay," as opposed to the "Data Breaches themselves." See Mot. at 35. The Court disagrees. Plaintiffs allege that, as a result of the 2014 Breach, hackers stole the names, email addresses, recovery email accounts, telephone numbers, birth dates, passwords, security questions and answers, and account "nonces" (cryptographic values unique to each account) of Yahoo account holders, and then "gained access to the email contents of all breached Yahoo accounts and thus any private information contained within those emails," such as credit card information. See CCAC ¶¶ 1, 92. Moreover, once a hacker obtained access to a users' email account the hacker could then "verify accounts and reset passwords" related to other accounts of Yahoo users. As a result of the Forged Cookie Breach, Plaintiffs allege that hackers remained logged into users' email accounts for "weeks or indefinitely." Id. ¶ 68. As a result of these Data Breaches, Plaintiffs Heines and Dugas experienced fraudulent charges on their accounts and fraudulent tax returns filed in their names, which resulted in harm to their credit scores and hours spent talking to the police, banks, and businesses. See CCAC ¶¶ 10, 12. According to the CCAC, Defendants were aware of the 2014 Breach as it was occurring in 2014, and yet Defendants did not notify Plaintiffs of the 2014 Breach until September 22, 2016, approximately two years later. See CCAC ¶ 73. Similarly, Plaintiffs allege that Defendants were aware of the Forged Cookie Breach as it was happening in 2015-2016, but that Defendants did not inform Plaintiffs of the Forged Cookie Breach until "February 2017," one to two years later. See id. ¶¶ 80-82, 86.

As discussed above, Plaintiffs have not alleged when Defendants discovered the 2013 Breach, and thus Plaintiffs have not sufficiently alleged that Defendants unreasonably delayed in notifying users of the 2013 Breach. For the same reason, Plaintiffs have not sufficiently alleged damages flowing from delay in notification of the 2013 Breach.

A reasonable inference from these allegations is that if Plaintiffs had been aware of the Data Breaches a year to two years earlier, Plaintiffs could have taken earlier measures to mitigate the harms that they suffered from the Data Breaches. Most significantly, Plaintiffs could have changed their passwords. If Plaintiffs were able to change their passwords following the Data Breaches, the account information stolen during the Data Breaches would be useless to hackers because the information would be outdated. Plaintiffs also could have cancelled their Yahoo email accounts entirely. Moreover, even if Plaintiffs could not take these steps immediately, and thus even if hackers did access Plaintiffs' Yahoo email accounts, Plaintiffs could have taken earlier steps to mitigate the fallout from their information being stolen, such as replacing their credit cards, freezing accounts, or placing credit alerts on their accounts. However, because Defendants delayed in notifying Plaintiffs of the Data Breaches for a year to two years, Plaintiffs could not take these mitigation steps, and thus Plaintiffs have plausibly alleged that they faced incremental harms.

Accordingly, the Court finds that Plaintiffs have plausibly alleged incremental damages arising from Defendants' unreasonable delay in notifying Plaintiffs of the 2014 Breach and the Forged Cookie Breach, as opposed to damages arising from only the Data Breaches themselves. Thus, the Court DENIES Defendants' motion to dismiss Plaintiffs' CRA claim for lack of CRA damages.

E. Stored Communications Act

The United States Plaintiffs, Israel Plaintiffs, and Small Business Users Plaintiff allege in Count Four a claim under the federal Stored Communications Act ("SCA"), 18 U.S.C. § 2702. The United States Plaintiffs and the Israel Plaintiffs assert this claim against Yahoo. The Small Business Users Plaintiff asserts this claim against Yahoo and Aabaco, the wholly owned subsidiary of Yahoo that administered Yahoo's small business services.

The SCA provides that "a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication" that is either stored by the service or is carried by the service "on behalf of and received by means of electronic transmission from . . . a subscriber or customer of the service." 18 U.S.C. § 2702(a)(1)-(2). Defendants move to dismiss Plaintiffs' SCA claim on two grounds. First, Defendants argue that Plaintiffs have not sufficiently alleged that Defendants "knowingly divulge[d]" any information. Second, Defendants argue that Plaintiffs have not sufficiently alleged that Defendants divulged the "contents of a communication." Id. (emphasis added). For the reasons discussed below, the Court finds that Plaintiffs have not sufficiently alleged that Defendants "knowingly divulge[d]" any information. Thus, the Court need not reach Defendants' second argument that Plaintiffs have not sufficiently alleged that Defendants divulged the "contents of a communication." Id.

As set forth above, defendant violates the SCA only if the defendant "knowingly divulge[s]" the contents of certain communications. 18 U.S.C. § 2702(a)(1)-(2). Plaintiffs allege that "[b]y failing to take commercially reasonable steps to safeguard" Plaintiffs' communications, Defendants "knowingly divulged" Plaintiffs' communications. See CCAC ¶¶ 165, 170.

The parties have not identified, and the Court is not aware of, any court in the Ninth Circuit that has addressed the scope of the term "knowingly" in 18 U.S.C. § 2702. However, courts outside the Ninth Circuit have found that reckless or negligent conduct is insufficient to constitute "knowing" disclosure of a communication under the SCA, and that plaintiffs accordingly cannot state claims under the SCA simply because a defendant failed to prevent a data breach. For example, in Worix v. MedAssets, Inc., 857 F. Supp. 2d 699, 703 (N.D. Ill. 2012), the court dismissed an SCA claim in a data breach case because "the failure to take reasonable steps to safeguard data does not, without more, amount to divulging that data knowingly." Similarly, in Willingham v. Glob. Payments, Inc., 2013 WL 440702, at *12 (N.D. Ga. Feb. 5, 2013), the court held that although the plaintiff alleged that the defendant "created or contributed to the breach of its data system," such conduct did not constitute "knowingly divulg[ing]" information within the meaning of the SCA. See also Muskovich v. Crowell, 1996 WL 707008, at *3 (S.D. Iowa Aug. 30, 1996) (holding that a defendant did not "knowingly divulge" information within the meaning of the SCA by "failing to implement adequate security procedures to prevent unauthorized access to the content of electronic information under its control."). More generally, after analyzing the statutory text and the legislative history, the Sixth Circuit has held that negligent or recklessness conduct is insufficient to state an SCA claim. See Long v. Insight Commc'ns of Cent. Ohio, LLC, 804 F.3d 791, 795-96 (6th Cir. 2015) (finding Time Warner Cable's mistaken disclosure of an IP address was not a violation of the SCA because "negligently or recklessly failing to ensure the accuracy of the information that [Time Warner Cable] disclosed" did not constitute Time Warner Cable "knowingly divulg[ing] this information" within the meaning of the SCA).

Based on the allegations in the CCAC, Plaintiffs have not plausibly alleged that Defendants' "knowingly divulge[d]" Plaintiffs' PII in the Data Breaches. As set forth above, Plaintiffs allege only that Defendants "fail[ed] to take commercially reasonable steps" to safeguard" Plaintiffs' communications. This allegation, without more, does not establish that Defendants "dilvuge[d]" Plaintiffs' PII and did so with a knowing state of mind. See 18 U.S.C. § 2702(a)(1)-(2). Thus, as currently alleged in the CCAC, Plaintiffs have not plausibly alleged that Defendants "knowingly divulg[ed]" Plaintiffs' information by "failing to take commercially reasonable steps" to safeguard Plaintiffs' communications. Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' SCA claim. The Court affords leave to amend because amendment may not be futile. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment would not be futile).

F. Online Privacy Protection Act

The United States Plaintiffs, Israel Plaintiffs, and the Small Business Users Plaintiff assert a claim in Count Five under the California Online Privacy Protection Act ("OPPA"), Cal. Bus. & Prof. Code § 22575, et seq. The United States Plaintiffs and Israel Plaintiffs assert this claim against Yahoo. The Small Business Users Plaintiff asserts this claim against Yahoo and Aabaco.

Defendants move to dismiss Plaintiffs' OPPA claims on three grounds. First, Defendants argue that the OPPA does not provide for a private right of action. Mot. at 37-38. Second, Defendants argue that "Plaintiffs cannot extend that claim beyond California residents." Id. at 38. Third, Defendants argue that the two California residents who assert an OPPA claim Plaintiffs Heines and Dugas, do not qualify as consumers as required under the OPPA. Id.

Plaintiffs do not contest that Plaintiffs have failed to plead a violation of the OPPA. Specifically, Plaintiffs do not dispute that there is no private right of action under the OPPA, or that Plaintiffs do not qualify as consumers under the OPPA. Instead of contesting these issues, Plaintiffs argue that the OPPA "evinces California's strong public policy of protecting privacy and customer data," and that Defendants' conduct in violation of this "public policy" is actionable under "the UCL's unfair prong." See Opp. at 33 (citations omitted).

Plaintiffs fail to respond to Defendants' argument that the OPPA applies only to California residents. The Court, however, is not persuaded by Defendants' argument. In support of their argument, Defendants note that the OPPA governs "an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site." Cal. Bus. & Prof. Code § 22575 (emphasis added). However, this provision limits only the defendants who are subject to the OPPA. It does not appear to limit the plaintiffs who can sue for violations by these defendants. Defendants cite no other authority in support of their argument. Nevertheless, the Court need not resolve this issue because, as discussed above, Plaintiffs' OPPA claim fails on other grounds.

As discussed supra in Part III.C, the Court finds that Plaintiffs have adequately alleged a violation of the unfair prong based on California's public policy of protecting consumer data. However, Defendants' violation of the "public policy" evinced by the OPPA does not justify bringing a separate cause of action for violation of the OPPA, which Plaintiffs have done here. Although case law interpreting the OPPA is limited, the California Court of Appeals has explained that "the OPPA itself does not provide for a private action or public prosecution for any violation of its provisions." People ex rel. Harris v. Delta Air Lines, Inc., 247 Cal. App. 4th 884, 891 (2016). Moreover, Plaintiffs do not dispute that the OPPA does not provide Plaintiffs with a private right of action. Thus, the Court GRANTS Defendants' motion to dismiss Plaintiffs' OPPA claim. This dismissal is with prejudice because, since Plaintiffs lack a private right of action under the OPPA, the Court finds that amendment of this claim would be futile. See Leadsinger, 512 F.3d at 532 (holding that leave to amend is proper when amendment would not be futile).

G. Express Contract Claim

The United States Plaintiffs, Israel Plaintiffs, and the Small Business Users Plaintiff assert in Count Six a cause of action for breach of express contract. The United States Plaintiffs and the Israel Plaintiffs assert this claim against Yahoo. The Small Business Users Plaintiff asserts this claim against Yahoo and Aabaco.

Under California law, to state a claim for breach of contract a plaintiff must plead "the contract, plaintiffs' performance (or excuse for nonperformance), defendant's breach, and damage to plaintiff therefrom." Gautier v. General Tel. Co., 234 Cal. App. 2d 302, 305 (1965). To establish contractual damages, a Plaintiff must establish "appreciable and actual damage." Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000); Patent Scaffolding Co. v. William Simpson Const. Co., 256 Cal. App. 2d 506, 511, 64 Cal. Rptr. 187 (1967) ("A breach of contract without damage is not actionable.").

In the CCAC, Plaintiffs allege that Yahoo breached the following provisions of Yahoo's Privacy Policy, which is incorporated by reference into Yahoo's Terms of Service, which form a contract between Yahoo and each user who creates an account with Yahoo:

• "We are committed to ensuring your information is protected and apply safeguards in accordance with applicable law."

• "Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you've requested, when we have your permission, or under [certain inapplicable circumstances]."

• "We limit access to personal information about you to employees who we reasonably believe need to come into contact with that information to provide products or services to you or in order to do their jobs."

• "We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you."

See CCAC ¶ 179. Plaintiffs further allege that Aabaco breached provisions of its Privacy Policy, which is incorporated by reference into Aabaco's Terms of Service, which form a contract between Aabaco and each user who purchases a service or product from Aabaco. CCAC ¶ 180. Specifically, Plaintiffs allege that Aabaco breached provisions of its Privacy Policy that are substantially identical to the second, third, and fourth provisions in Yahoo's Privacy Policy, discussed above. Id. Accordingly, because the allegedly breached contractual provisions are substantially identical, the Court considers Plaintiffs' claims against Yahoo and Aabaco together.

Plaintiffs allege that Defendants breached the contractual terms discussed above by failing to have reasonable safeguards in place for protection of Plaintiffs' accounts. Specifically, Plaintiffs allege that Defendants' "data encryption protocol" had been "widely discredited and had been proven, many years prior, easy to break." See, e.g., CCAC ¶ 133. Plaintiffs also allege that Defendants experienced several intrusions, but that "[n]one of these intrusions prompted [Defendants] to comprehensively review and ameliorate its shoddy security" and that in fact, Defendants' "internal culture actively discouraged emphasis on data security." Id. ¶¶ 50, 52. Plaintiffs allege that Defendants failed to put reasonable safeguards into place despite having been "repeatedly put on notice that [Defendants'] security measure were not up to par, leaving users' PII at risk of theft." Id. ¶ 45.

Defendants move to dismiss the breach of contract claim on two grounds. First, Defendants argue that disclaimers contained elsewhere in the Terms of Service demonstrate that Defendants did not breach the contract. Second, Defendants argue that because of limitations of liability in the Terms of Service, Plaintiffs cannot establish that they suffered damages from any breach. The Court considers these arguments in turn.

b. Disclaimers in the Terms of Service

Defendants argue that in claiming that Defendants breached the contractual terms discussed above, "Plaintiffs grossly mischaracterize Defendants' statements" because "Yahoo and Aabaco never guaranteed Plaintiffs a completely secure, hack-proof environment." Mot. at 39. Defendants point to several disclaimers in the Terms of Service that Defendants argue limit Defendants' obligations under the Terms of Service. Specifically, the Yahoo Terms of Service state that use of Yahoo services is "AT YOUR OWN RISK" and on an "AS IS" and "AS AVAILABLE" basis. Moreover, Yahoo's Terms of Service disclaimed warranties that the services were "UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE," and warned that "no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure." See Mot. at 39; CCAC, Ex. 1, at 91. Similarly, the Aabaco Terms of Service also stated that use of Aabaco services was "AT YOUR OWN RISK" and on an "AS IS" and "AS AVAILABLE" basis, disclaimed warranties that the services were "UNINTERRUPTED, TIMELY, SECURE OR ERROR-FREE," and warned that any "SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT LIMITATIONS." Id.

However, contrary to Defendants' argument, these disclaimers do not absolve Defendants of any contractual obligation to take reasonable steps to protect users' PII. See Mot. at 39-40 (arguing that the disclaimers "are the polar opposite of the promises Plaintiffs claim were made"). For example, Defendants' promised that Defendants "limit access to personal information about you." See CCAC ¶ 179. If this provision means anything, it means that Defendants promised to make reasonable effort to prevent third parties from accessing Plaintiffs' account information. Indeed, Defendants' disclaimer that security mechanisms have "inherent limitations" itself implies that there are at least some reasonable security mechanisms in place. Id.; see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1221 (N.D. Cal. 2014) ("Although Adobe contends that there can be no actionable dispute concerning the adequacy of Adobe's security controls because the Agreement expressly provides that no security measure is "100%" effective, this disclaimer does not relieve Adobe of the responsibility (also contained in the Agreement) to provide "reasonable" security.") (citations omitted). Thus, at a minimum, Plaintiffs have sufficiently alleged that Defendants violated their promise to "limit access to personal information" about Plaintiffs.

Therefore, despite Defendants' disclaimers, Plaintiffs have pointed to particular provisions of the Terms of Service that Defendants allegedly violated, and Plaintiffs have sufficiently alleged that Defendants violated these provisions by failing to put in place reasonable security measures to protect user data. See Anthem II, 2016 WL 3029783, at *10 ("The core message from these documents is the same: to take reasonable security measures to protect customer PII."). On a motion to dismiss, the Court must accept these allegations "as true and construe the pleadings in the light most favorable to the nonmoving party." Manzarek, 519 F.3d at 1031. For the reasons set forth above, the Court cannot say as a matter of law that Defendants did not breach the contractual terms discussed above simply because Defendants made certain caveats in their Privacy Policies, such as that their services were not "100% secure."

c. Limitations of Liability in the Terms of Service

Next, Defendants argue that Plaintiffs' breach of express contract claim fails because Plaintiffs cannot establish damages in light of the limitations of liability in Defendants' Terms of Service. Specifically, Defendants point out that Yahoo's Terms of Service contained the following clause limiting Yahoo's liability:

YOU EXPRESSLY UNDERSTAND AND AGREE THAT YAHOO . . . SHALL NOT BE LIABLE TO YOU FOR ANY PUNITIVE, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF YAHOO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM: . . . UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA . . . OR . . . ANY OTHER MATTER RELATING TO THE YAHOO SERVICE.

CCAC, Ex. 1, at 91 (emphasis added). Similarly, Aabaco's Terms of Service contained the following clause limiting Aabaco's liability:

TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW, YOU EXPRESSLY UNDERSTAND AND AGREE THAT THE COMPANY . . . SHALL NOT BE LIABLE, UNDER ANY CIRCUMSTANCES OR LEGAL THEORIES WHATSOEVER, FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES . . . .

CCAC, Ex. 2, at 172 (emphasis added).

Defendants argue that because of these limitation-of-liability clauses, Plaintiffs' breach of express contract claim must be dismissed because Plaintiffs are not entitled to recover any damages under the breach of express contract claim. However, the plain language of Defendants' Terms of Service limits Defendants' liability only for "punitive, indirect, incidental, special, consequential or exemplary damages." See CCAC, Ex. 1, at 91. These limitations of liability clauses do not limit Defendants' liability for direct damages. See id. In their opposition, Plaintiffs concede that out-of-pocket mitigation costs are consequential damages. Opp. at 35. However, Plaintiffs claim that all other damages Plaintiffs seek "are direct and non-consequential damages that flow naturally from Defendants' breaches of their contractual obligations." Id. Defendants offer no argument regarding which of Plaintiffs' damages are consequential damages, and which of Plaintiffs' damages are direct damages. See Mot. at 40-41; Reply at 16.

Because the parties agree that Plaintiffs cannot seek consequential damages under Defendants' Terms of Service, and because Plaintiffs concede that out-of-pocket mitigation costs are consequential damages, the Court DISMISSES Plaintiffs' claim for out-of-pocket mitigation damages for Defendants' breach of the Terms of Service. See Opp. at 35 (admitting that "out of pocket mitigation costs" are consequential damages). The Court grants leave to amend because Plaintiffs may be able to allege that the limitations in Defendants' Terms of Service are unconscionable, and thus leave to amend is not necessarily futile. See Leadsinger, 512 F.3d at 532. The Court otherwise DENIES Defendants' motion to dismiss Plaintiffs' breach of express contract claim. The Court will address the issue of which of Plaintiffs' remaining claims for damages seek direct damages, as opposed to consequential damages, at a later stage of the proceedings when the issue has been properly presented by the parties. See Mehmet v. Paypal, Inc., 2009 WL 815676, at *5 (N.D. Cal. Mar. 27, 2009) ("The effect of the limitation of liability clause may very well . . . bar [Plaintiff's] claim . . . but that issue has not been addressed by the parties in a manner sufficient to enable the court to issue such a ruling at this time and is more properly reserved for resolution at a later stage of the proceedings.").

In their opposition, Plaintiffs argue that even consequential damages should not be dismissed because Plaintiffs have alleged in their declaratory relief claim that "the limitation of liability language is unconscionable, and thus, unenforceable." Opp. at 35. However, as the Court explains more fully, infra, regarding Plaintiffs' declaratory relief claim, Plaintiffs' claim for declaratory relief merely lists various provisions of Yahoo's Terms of Service and alleges that these provisions are "unconscionable and unenforceable, or precluded by federal and state law." CCAC ¶ 234. These "threadbare recitals" that various provisions are unconscionable are insufficient to state a claim. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) ("Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice."). Thus, Plaintiffs' reliance on their conclusory assertion that Defendants' Terms of Service are "unconscionable" is not sufficient to allege that Defendants' limitations on consequential damages are unconscionable, and is not sufficient to save Plaintiffs' request for consequential damages here.

H. Breach of Implied Contract

The United States Plaintiffs, Israel Plaintiffs, and Small Business Users Plaintiff assert in Count Seven a claim against Defendants for breach of implied contract. The United States Plaintiffs and the Israel Plaintiffs assert this claim against Yahoo. The Small Business Users Plaintiff asserts this claim against Yahoo and Aabaco.

Defendants argue that Plaintiffs' implied contract claim is "wholly duplicative of their express contract claim" and that therefore the claim should be dismissed. See Mot. at 41. However, the CCAC makes clear that Plaintiffs' implied contract claim is asserted in the alternative to Plaintiffs' express contract claim. CCAC ¶ 186 ("To the extent that Defendants' Terms of Service and Privacy Policies did not form express contracts, the opening of a Yahoo or Aabaco account created implied contracts . . . ."). Federal Rule of Civil Procedure 8 explicitly allows Plaintiffs to plead different theories of relief in the alternative, even if those theories are inconsistent. Fed. R. Civ. P. 8(d) ("A party may set out 2 or more statements of a claim or defense alternatively or hypothetically . . . . A party may state as many separate claims or defenses as it has, regardless of consistency."). Accordingly, courts routinely allow plaintiffs to plead both express contract and implied contract theories, as long as those theories are clearly pled in the alternative. See, e.g., SocialApps, LLC v. Zynga, Inc., 2012 WL 381216, at *3 (N.D. Cal. Feb. 6, 2012) ("While the allegations of the implied contract claim rely on the same allegations as the express contract claim, SA is entitled to plead different theories of recovery in the alternative."); Philips Med. Capital, LLC v. Med. Insights Diagnostics Ctr., Inc., 471 F. Supp. 2d 1035, 1047 (N.D. Cal. 2007) ("Although Counter-Claimants may not ultimately prevail on their claim for [implied contract] if, it turns out, there is a valid express contract between the parties, Counter-Claimants may plead in the alternative."); Doe v. John F Kennedy Univ., 2013 WL 4565061, at *8 (N.D. Cal. Aug. 27, 2013) ("Plaintiff may proceed with alternative claims at the pleading stage, but ultimately [Defendant] cannot be held liable for both breach of express contract and breach of implied contract on the same subject matter.").

The only case that Defendants cite in support of their argument, O'Connor v. Uber Techs., Inc., 2013 WL 6354534 (N.D. Cal. Dec. 5, 2013), is distinguishable precisely on this basis. In O'Connor, there is no indication that the plaintiff had alleged implied contract and express contract theories in the alternative.

Defendants' motion also argues, in a single sentence, that Plaintiffs' implied contract claim should be dismissed because Plaintiffs are required to "elaborate upon the nature and scope of the implied contract in the pleadings, rather than simply declare one existed." See Mot. at 41 (internal quotation marks omitted). However, the CCAC does much more than simply "declare" that an implied contract existed. The CCAC identifies the particular provisions of Defendants' Terms of Service that allegedly create the implied contract, identifies the conduct that constituted the formation of the implied contract, identifies the terms of the implied contract, and identifies the behavior that allegedly breached the contract. See CCAC ¶¶ 185-89 (alleging that an implied contract was created when Plaintiffs opened accounts with Defendants, that the terms of these implied contracts are set forth in the relevant Terms of Service and Privacy Policies, enumerating the terms of the implied contracts, and alleging that Defendants breached these implied contracts because Plaintiffs' PII was not adequately protected by Defendants). These allegations are sufficient to put Defendants on notice of the nature, source, and terms of the alleged implied contract, and are therefore sufficient to state a claim under Rule 12(b)(6). See Walters, 2017 WL 1398660, at *2 ("Walters plausibly alleged the existence of an implied contract arising from Kimpton's privacy policy, which states that Kimpton is 'committed' to safeguarding customer privacy and personal information.").

Finally, Defendants argue that, as with Plaintiffs' express contract claim, Plaintiffs' implied contract claim should be dismissed because of the disclaimers and limitations of liability in Defendants' Terms of Service. As discussed above, Defendants' Terms of Service prevents Plaintiffs from recovering consequential damages—such as out-of-pocket mitigation costs, which Plaintiffs concede are consequential—but allows Plaintiffs to recover direct damages. Plaintiffs offer no reason why this conclusion regarding Plaintiffs' damages for purposes of Plaintiffs' breach of express contract claim does not apply equally to Plaintiffs' breach of implied contract claim.

Thus, as set forth above with regards to Plaintiffs' breach of express contract claim, the Court DISMISSES Plaintiffs' claims for out-of-pocket mitigation costs for Defendants' breach of implied contract. As with the claim for breach of express contract, the Court grants leave to amend because Plaintiffs may be able to allege entitlement to consequential damages under the terms of the alleged implied contract. See Leadsinger, 512 F.3d at 532. The Court otherwise DENIES Defendants' motion to dismiss Plaintiffs' breach of implied contract claim, which is properly pled in the alternative to Plaintiffs' breach of express contract claim.

I. Implied Covenant of Good Faith and Fair Dealing Claim

The United States Plaintiffs, Israel Plaintiffs, and Small Business Users Plaintiff allege in Count Eight a claim for breach of the implied covenant of good faith and fair dealing. The United States Plaintiffs and the Israel Plaintiffs assert this claim against Yahoo. The Small Business Users Plaintiff asserts this claim against Yahoo and Aabaco.

Under California law, "[e]very contract imposes on each party a duty of good faith and fair dealing in each performance and its enforcement." Carson v. Mercury Ins. Co., 210 Cal. App. 4th 409, 429 (2012) (internal quotation marks omitted). "The covenant 'is based on general contract law and the long-standing rule that neither party will do anything which will injure the right of the other to receive the benefits of the agreement.'" Rosenfeld v. JP Morgan Chase Bank, N.A., 732 F. Supp. 2d 952, 968 (N.D. Cal. 2010) (quoting Waller v. Truck Ins. Exchange, Inc., 11 Cal. 4th 1, 36 (1995)). In order to establish a breach of the covenant of good faith and fair dealing, a plaintiff must show: "(1) the parties entered into a contract; (2) the plaintiff fulfilled his obligations under the contract; (3) any conditions precedent to the defendant's performance occurred; (4) the defendant unfairly interfered with the plaintiff's rights to receive the benefits of the contract; and (5) the plaintiff was harmed by the defendant's conduct." Id.

Defendants argue that Plaintiffs are attempting to improperly "add terms to [the] express agreement[]" and that Plaintiffs have not sufficiently alleged that Defendants exhibited bad faith. Mot. at 42. The Court addresses these arguments in turn.

First, Defendants argue that Plaintiffs have not identified a contractual term that Defendants violated, but instead have attempted to "impose extra-contractual duties by way of an implied covenant claim." Id.; see also Guz v. Bechtel Nat. Inc., 24 Cal. 4th 317, 349-50 (2000) ("It cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of their agreement."). Specifically, Defendants argue that Plaintiffs' implied covenant claim attempts to "rewrite the contract" to require Defendants to "employ specific password encryption standards; (2) employ specific protocols in cases of suspected or confirmed breaches; (3) employ a particular set of cybersecurity standards; or (4) invest a particular sum of time or money in any 'cybersecurity resources.'" Id. However, Plaintiffs' implied covenant claim does not impose these "extra-contractual duties." Id. Instead, Plaintiffs' implied covenant claim relies on the same promises and contractual provisions that Plaintiffs allege Defendants breached in the express contract and implied contract claims. See CCAC ¶ 194 ("Defendants . . . breached the implied covenant of good faith and fair dealing with respect to both the specific contractual terms in Yahoo's Privacy Policy and Aabaco's Privacy Policy and the implied warranties of their contractual relationships with their users."); see also Carma Developers (Cal.), Inc. v. Marathon Dev. California, Inc., 2 Cal. 4th 342, 373 (1992) ("It is universally recognized the scope of conduct prohibited by the covenant of good faith is circumscribed by the purposes and express terms of the contract."). As discussed above, Plaintiffs have sufficiently alleged that these contractual terms were violated. Although Defendants did not promise to employ "specific" cybersecurity measures or "invest a particular sum of time or money" in cybersecurity, Plaintiffs have sufficiently alleged that Defendants had a contractual duty to employ reasonable safeguards in protecting users' PII. Thus, as in the express contract claim and the implied contract claim, the Court finds that Plaintiffs have sufficiently alleged an interference with the benefits of the contract for purposes of Plaintiffs' claim under the implied covenant of good faith and fair dealing.

Next, Defendants argue that Plaintiffs have failed to allege that Defendants exhibited bad faith in violating these contractual duties. Specifically, Defendants claim that Plaintiffs have not alleged a "conscious and deliberate act, which unfairly frustrate[d] the purposes of the parties' written contract." Mot. at 42; Hougue v. City of Holtville, 2008 WL 1925249, at *4 (S.D. Cal. Apr. 30, 2008) (quotations omitted). However, Plaintiffs allege that Defendants "exhibited bad faith through their conscious awareness of and deliberate indifference to the risks to Class members' PII" by failing to take commercially reasonable steps to safeguard Plaintiffs' PII. Taking the allegations in the CCAC as true, as the Court must on a motion to dismiss, Defendants failed to put reasonable safeguards into place despite having been "repeatedly put on notice that [Defendants'] security measure were not up to par, leaving users' PII at risk of theft." Id. ¶ 45. Additionally, according to the CCAC, Defendants delayed notifying breached users of the 2014 Breach for years, leaving Plaintiffs' PII exposed while Defendants concealed their cybersecurity failures until compelled to do so when Yahoo sought acquisition by Verizon in 2016. Id. ¶ 4. Indeed, in a recent 10-K filing with the SEC, Yahoo included a report found several "failures in communication, management, inquiry and internal reporting" relating to the 2014 Breach. Id.

In short, contrary to Defendants' suggestion, Plaintiffs have not simply alleged that "Defendants engaged in bad faith by failing to assume a host of extra-contractual duties." Instead, Plaintiffs have alleged that Defendants engaged in bad faith by failing to employ minimal reasonable safeguards to protect users' PII in violation of Defendants' contractual duties. Thus, the Court finds that Plaintiffs have adequately alleged a bad faith breach of specific contractual provisions, and therefore the Court finds that Plaintiffs have sufficiently alleged a breach of the implied covenant of good faith and fair dealing. The Court therefore DENIES Defendants' motion to dismiss Plaintiffs' implied covenant of good faith and fair dealing claim.

J. Negligence

The Australia, Venezuela, and Spain Plaintiffs assert in Count Twelve a negligence claim against Yahoo. Defendants move to dismiss this claim on three grounds. First, Defendants argue that the Australia, Venezuela, and Spain Plaintiffs are subject to forum selection clauses that require dismissal. Second, Defendants argue that the negligence claim is barred by the economic loss rule because Plaintiffs have not alleged any physical harm. Third, Defendants argue that the negligence claim should be dismissed on forum non conveniens grounds. As set forth below, the Court finds that Plaintiffs' negligence claim is subject to the forum selection clauses and that dismissal is warranted on this basis. Therefore, the Court need not consider Defendants' other arguments. The Court thus turns to address the forum selection clauses.

Defendants argue that the Australia, Venezuela, and Spain Plaintiffs cannot assert a California negligence claim in this Court because the terms of service governing users in those countries contain forum selection clauses holding that certain foreign laws apply and that claims can only be brought in those foreign courts. Specifically, Yahoo users are governed by the "Additional Terms of Service" ("ATOS"), which Yahoo has attached to its request for judicial notice as Exhibit C. This ATOS first contains several paragraphs that apply to all users worldwide, followed by several paragraphs detailing particular terms for different geographic regions. The portion of the ATOS that is specific to Australian users provides as follows:

Where these introductory paragraphs are not generally applicable, the ATOS makes this clear. See, e.g., RJN, Ex. C, at 2 ("The prior sentence does not apply to you if you are using the German Services as detailed in Section 10.").

[T]he laws of New South Wales govern not only the interpretation of this ATOS and apply to claims for breach of it, regardless of conflict of laws principles, but also apply to all other claims, including claims regarding consumer protection laws, unfair competition laws, and in tort. You and Yahoo7 Pty Ltd irrevocably consent to the exclusive jurisdiction and venue of the New South Wales courts for all disputes arising out of or relating to this ATOS or arising out of or relating to the relationship between you and Yahoo regardless of the type of claim.

RJN, Ex. C, at 10-11. Similarly, the portion of the ATOS that is specific to Venezuela users provides as follows:

[T]he laws of the State of Florida govern not only the interpretation of this ATOS and applies to claims for breach of it, regardless of conflict of laws principles, but also applies to all other claims, including claims regarding consumer protection laws, unfair competition laws, and in tort. You and Yahoo! Hispanic Americas, LLC irrevocably consent to the exclusive jurisdiction and venue of the courts of Miami-Dade County for all disputes arising out of or relating to this ATOS or arising out of or relating to the relationship between you and Yahoo regardless of the type of claim.

RJN, Ex. C, at 6. Finally, the portion of the ATOS that is specific to Spain users provides as follows:

[T]he laws of Ireland govern this ATOS and any non-contractual obligations arising out of it. You and YEL [Yahoo! EMEA Limited] irrevocably consent to the exclusive jurisdiction and venue of the Irish courts for all disputes arising out of or in connection with this ATOS, any non-contractual obligation arising out of or in connection with this ATOS or any claim or dispute arising out of or relating

to the relationship between you and YEL regardless of the type of claim.

RJN, Ex. C, at 6. Similar provisions are contained in the "Universal Terms of Service" (UTOS) specific to each country. See, e.g., RJN, Ex. B, at 1. Defendants argue that Plaintiffs' negligence claim against Yahoo in the instant case is sufficiently related to these ATOS, and that therefore the forum selection clauses in these ATOS should be enforced. Mot. at 45 (internal quotation marks omitted).

In response, Plaintiffs argue that Yahoo cannot take advantage of these forum selection clauses because Yahoo was not a signatory to the ATOS to which Australia, Venezuela, and Spain users agreed. Instead, as seen in the passages quoted above, the signatories to these contracts were Yahoo subsidiaries: Yahoo7 in the case of Australia, Yahoo! Hispanic Americas in the case of Venezuela, and Yahoo! EMEA Limited in the case of Spain. See, e.g., RJN, Ex. C, ¶ 3 ("If you are using the Australian Services, you are contracting with Yahoo7 . . . .").

Contrary to Plaintiffs' argument, the Ninth Circuit has held that "where the alleged conduct of the nonparties is closely related to" a contract containing forum selection clauses, "'a range of transaction participants, parties and non-parties, should benefit from and be subject to forum selection clauses.'" Holland Am. Line Inc. v. Wartsila N. Am., Inc., 485 F.3d 450, 456 (9th Cir. 2007) (quoting Manetti-Farrow, Inc. v. Gucci America, Inc., 858 F.2d 509, 514 n.5 (9th Cir.1988)). Thus, the fact that Yahoo is not a party to the foreign ATOS does not alone establish that Yahoo cannot take advantage of these forum selection clauses contained within those ATOS. Instead, Yahoo may take advantage of the forum selection clauses contained within the ATOS if Plaintiffs' negligence claim against Yahoo "is closely related to the contractual relationship" between the foreign Plaintiffs and the foreign Yahoo subsidiaries who were signatories to the foreign terms of service. Id.

Plaintiffs seek leave to file a proposed sur-reply to respond to arguments that Plaintiffs claim were raised for the first time in Defendants' reply brief. ECF No. 126. Plaintiffs attach the sur-reply to the request for leave. ECF No. 126-1. The Court GRANTS this request to file a sur-reply and has considered the attached sur-reply in deciding the instant motion to dismiss.

In the instant case, it is clear that Plaintiffs' negligence claim against Yahoo is closely related to the ATOS signed by foreign users and the Yahoo subsidiaries providing Yahoo services in those countries. Id. Indeed, the ATOS makes extensive references to Yahoo itself and describes Yahoo's obligations and limitations on Yahoo's liability. For example, the ATOS states that "[y]our registration data and other information about you are also subject to the Yahoo Privacy Policy." RJN, Ex. C, at 3. The ATOS also contains a disclaimer stating that "Yahoo is not responsible for the security or privacy of communications sent via the Services." Id. at 4. These are just some of the many references to Yahoo and its obligations and liabilities contained in the ATOS governing all users. Additionally, the portions of the ATOS specific to Australia and Venezuela users explicitly state that the forum selection clauses apply to "all disputes arising out of or relating to this ATOS or arising out of or relating to the relationship between you and Yahoo regardless of the type of claim." RJN, Ex. C at 6-11 (emphasis added).

The Ninth Circuit's decision in Manetti-Farrow, Inc. v. Gucci America, Inc., 858 F.2d 509, 514 (9th Cir. 1988), is instructive. There, the Manetti-Farrow corporation entered an exclusive dealership contract with Gucci Parfums, but Gucci Parfums later terminated the contract. Id. at 510-11. Manetti-Farrow asserted a variety of tort and contract claims against Gucci Parfums and several of its affiliated entities, including Gucci America, which held the American rights to the Gucci trademark. Id. at 511. The exclusive dealership contract contained a forum selection clause, but "Manetti-Farrow argue[d] the forum selection clause c[ould] only apply to Gucci Parfums, which was the only defendant to sign the contract." Id. at 514 n.5. The Ninth Circuit rejected this argument and held that "the alleged conduct of the non-parties" in Manetti-Farrow's tort and contract claims was "so closely related to the contractual relationship [between Manetti-Farrow and Gucci Parfums] that the forum selection clause" in Manetti-Farrow's contract with Gucci Parfums "applie[d] to all defendants." Id.

Similarly, in the instant case, the alleged conduct of Yahoo in the Australia, Venezuela, and Spain Plaintiffs' negligence claim against Yahoo is "so closely related to the" ATOS between these Plaintiffs and Yahoo's subsidiaries "that the forum selection clause[s]" in the ATOS apply to Plaintiffs' negligence claim against Yahoo, even though it is not a party to the ATOS. For example, the CCAC alleges that "Yahoo owed a duty . . . to exercise reasonable care in safeguarding and protecting the Australia, Venezuela, and Spain Plaintiffs' PII and financial information in Yahoo's possession . . . ." CCAC ¶ 225. The Court cannot determine the scope of Yahoo's alleged duty to the Australia, Venezuela and Spain Plaintiffs without interpreting provisions of the ATOS that governed these Plaintiffs' use of Yahoo services, including provisions regarding Yahoo's privacy practices, obligations, liabilities, disclaimers, and other issues. See Columbus Univ. v. Tummala, 2014 WL 12675010, at *4 (C.D. Cal. July 15, 2014) (holding that a defendant could take advantage of a forum selection clause because the defendant "was held out to plaintiffs as being a shareholder or manager of" the signatory company).

In short, the allegations in the CCAC make clear that the negligence claim against Yahoo is "closely related" to the contractual relationship between foreign users and Yahoo subsidiaries, and that the Court must evaluate and "interpret[]" this contractual relationship to resolve Plaintiffs' negligence claim. Therefore, applying Ninth Circuit precedent, the Court determines that Yahoo "should benefit from and be subject to [the] forum-selection clauses." TAAG Linhas Aereas de Angola v. Transamerica Airlines, Inc., 915 F.2d 1351, 1354 (9th Cir. 1990) (quoting Clinton v. Janger, 583 F. Supp. 284, 290 (N.D. Ill. 1984)). Additionally, Plaintiffs do not argue that the forum selection clauses were "the product of fraud or overreaching" or that application of the forum selection clause would be unreasonable for any other reason. M/S Bremen v. Zapata Off-Shore Co., 407 U.S. 1, 15 (1972).

Therefore, the Court applies the forum selection clauses governing Australia, Venezuela, and Spain users and GRANTS Defendants' motion to dismiss Plaintiffs' California negligence claim, which is the only claim asserted by the Australia, Venezuela, and Spain Plaintiffs. Thus, the Court DISMISSES the Australia, Venezuela, and Spain Plaintiffs. Because these forum selection clauses forbid the application of California law, Plaintiffs cannot assert their California negligence claim as a matter of law. Therefore, this dismissal is with prejudice.

K. Declaratory Relief

Finally, all Plaintiffs assert in Count Thirteen a declaratory relief claim against Defendants. Plaintiffs' declaratory relief claim alleges that certain provisions of Defendants' Terms of Service are "unconscionable and unenforceable, or precluded by federal and state law." See, e.g., CACC ¶ 234.

Although Count Thirteen of the CCAC states that it is brought on behalf of all Plaintiffs, the CCAC does not explain how the claim for declaratory relief in Count Thirteen is connected to the Australia, Venezuela, and Spain Class. Additionally, any such claim on behalf of the Australia, Venezuela, and Spain Class would be foreclosed by the forum selection clauses discussed above in Part IV.J.

Defendants move to dismiss this claim on two grounds. First, Defendants argue that Plaintiffs have failed to state a claim under Rule 12(b)(6) because Plaintiffs have not sufficiently alleged that the contractual provisions at issue are unconscionable or otherwise unlawful. Second, Defendants argue that declaratory relief is improper because it is duplicative of other relief sought in the CCAC and because the claim merely anticipates an affirmative defense. For the reasons discussed below, the Court agrees with Defendants that Plaintiffs have not sufficiently alleged that the contractual provisions at issue are unconscionable or otherwise unenforceable. Thus, the Court need not reach Defendants' remaining argument that declaratory relief is improper because it is duplicative of other relief sought in the CCAC.

Indeed, as discussed below, because Plaintiffs have failed to plead any facts in support of their claim that Defendants' Terms of Service are unconscionable or enforceable, the Court cannot evaluate at this time whether Plaintiffs' declaratory relief claim is duplicative, or whether it instead "would serve a useful purpose 'in clarifying and settling the legal relations in issue." McGraw-Edison Co. v. Preformed Line Prod. Co., 362 F.2d 339, 343 (9th Cir. 1966). For this additional reason, the Court declines to reach Defendants' argument that declaratory relief is improper in this case.

Defendants argue that Plaintiffs' declaratory relief claim should be dismissed under Rule 12(b)(6). Specifically, Defendants argue that Plaintiffs offer only "threadbare recitals" and "bald assertions" that the contractual provisions at issue were unconscionable. Mot. at 47. Defendants also argue that Plaintiffs offer only a "vague allegation that the disputed provisions are 'precluded' by unspecified 'federal and state law.'" Mot. at 48.

The Court agrees with Defendants that Plaintiffs' allegations are insufficient to state a claim for relief. The CCAC offers no factual allegations at all to support Plaintiffs' claim for declaratory relief. Instead, Plaintiffs' claim for declaratory relief simply lists various provisions of Yahoo's Terms of Service and alleges that these provisions are "unconscionable and unenforceable, or precluded by federal and state law." CCAC ¶ 234. The CCAC does not identify the federal and state laws are at issue, and the CCAC does not describe how the listed Terms of Service provisions are unconscionable. See id. Additionally, although the declaratory relief claim incorporates the entirety of the CCAC by reference, the CCAC contains no other mention of unconscionability. See generally CCAC.

Plaintiffs' allegations are insufficient to state a claim for declaratory relief based on unconscionability and unenforceability. In order to state a claim that a contractual term is unconscionable, Plaintiffs must allege facts showing that the term is "both procedurally and substantively unconscionable." In re iPhone Application Litig., 2011 WL 4403963, at *7. "The procedural element of unconscionability focuses on two factors: oppression and surprise." Id. (quoting Aron v. U-Haul Co. of Cal., 143 Cal. App. 4th 796, 808 (Cal. Ct. App. 2006)). "The substantive element of unconscionability focuses on the actual terms of the agreement and evaluates whether they create 'overly harsh' or 'one-sided results as to 'shock the conscience.'" Id. The CCAC does not even mention these requirements, let alone plead facts to show that they are met. Instead, the CCAC only offers "threadbare recitals" that various provisions are unconscionable. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) ("Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.").

Similarly, Plaintiffs provide no explanation for their statement that the provisions at issue violate federal or state law, and in fact Plaintiffs do not even indicate which laws these provisions are supposed to have violated. Again, Plaintiffs' conclusory allegations are not sufficient to defeat a motion to dismiss. See Davidson v. Apple, Inc., 2017 WL 976048, at *13 (N.D. Cal. Mar. 14, 2017) (granting motion to dismiss because Plaintiffs did not sufficiently allege unconscionability); Biggins v. Wells Fargo & Co., 266 F.R.D. 399, 412 (N.D. Cal. 2009) ("[T]he claim must be dismissed, because the allegation that 'the hidden terms . . . are onerous to the point of being unconscionable' is a bare legal conclusion unsupported by facts.").

Indeed, even in their opposition to the motion to dismiss, Plaintiffs provide little indication of why the cited provisions of Defendants' Terms of Service are unconscionable or unenforceable. Plaintiffs make no mention in their opposition of the "federal and state laws" that allegedly render Defendants' Terms of Service unenforceable, and Plaintiffs offer no facts in their opposition demonstrating that Defendants' Terms of Service are unconscionable. Rather, Plaintiffs make only the conclusory statement that "Plaintiffs submit that the limitation clauses in the [the Terms of Service] are unenforceable. The clauses are both procedurally (clear adhesion contract) and substantively (one-sided and overly harsh) unconscionable." Opp. at 45. This is not sufficient.

In sum, Plaintiffs have failed to adequately allege facts to plausibly suggest that Defendants' Terms of Service are unconscionable or otherwise unenforceable. Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' claim for declaratory relief. The Court affords Plaintiffs leave to amend because Plaintiffs may be able to sufficiently allege that Defendants' Terms of Service are unconscionable or otherwise unenforceable, and thus leave to amend this claim is not necessarily futile. See Leadsinger, 512 F.3d at 532; see also Davidson, 2017 WL 976048, at *13 ("Plaintiffs may amend the SACC to allege further facts in support of their unconscionability argument.").

V. CONCLUSION

For the foregoing reasons, the Court GRANTS IN PART AND DENIES IN PART Defendants' motion to dismiss. Specifically, the Court rules as follows:

• The Court DENIES Defendants' motion to dismiss Plaintiffs' CCAC for lack of Article III standing.

• The Court GRANTS with leave to amend Defendants' motion to dismiss the UCL claims of Plaintiffs Garg, Rivlin, and Granot. As to the remaining Plaintiffs, the Court DENIES Defendants' motion to dismiss the unlawful and unfair prongs of Plaintiffs' UCL claim. The Court GRANTS with leave to amend Defendants' motion to dismiss the fraudulent prong of Plaintiffs' UCL claim to the extent it is based on fraudulent misrepresentations and fraudulent omissions in Defendants' Privacy Policy. The Court DENIES Defendants' motion to dismiss the fraudulent

prong of Small Business Plaintiff Neff's UCL claim based on fraudulent omissions in Defendants' Small Business Services advertisements. As to Plaintiffs' request for restitution under the UCL, the Court DENIES Defendants' motion to dismiss Plaintiffs' request for restitution as to Small Business Plaintiff Neff, but GRANTS Defendants' motion to dismiss Plaintiffs' request for restitution for the United States Plaintiffs. The Court DENIES Defendants' motion to dismiss Plaintiffs' request for an injunction under the UCL.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' claim for fraudulent inducement.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' claim for negligent misrepresentation.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' CLRA claim.

• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss the CRA claim of Plaintiffs Essar, Matthew Ridolfo, Deana Ridolfo, Garg, Neff, Rivlin, and Granot. As to the remaining Plaintiffs, the Court GRANTS with leave to amend Defendants' motion to dismiss the CRA claim to the extent that the claim is based on the 2013 Breach and DENIES Defendants' motion to dismiss the CRA claim to the extent that the claim is based on the 2014 Breach or the Forged Cookie Breach.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' SCA claim.

• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss Plaintiffs' OPPA claim.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' express contract claim to the extent that the claim seeks to recover out-of-pocket mitigation costs. The Court otherwise DENIES Defendants' motion to dismiss Plaintiffs' express contract claim.

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' implied contract claim to the extent that the claim seeks to recover out-of-pocket mitigation costs. The Court otherwise DENIES Defendants' motion to dismiss Plaintiffs' implied contract claim.

• The Court DENIES Defendants' motion to dismiss Plaintiffs' claim for violation of the implied covenant of good faith and fair dealing.

• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss Plaintiffs' negligence claim;

• The Court GRANTS with leave to amend Defendants' motion to dismiss Plaintiffs' claim for declaratory relief.

Should Plaintiffs elect to file an amended complaint curing the deficiencies identified herein, Plaintiffs shall do so within 30 days of the date of this Order. Failure to meet the 30 day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Plaintiffs may not add new causes of actions or parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.

IT IS SO ORDERED.

Dated: August 30, 2017

/s/_________

LUCY H. KOH

United States District Judge

Summaries of

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION

Aug 30, 2017

Case No. 16-MD-02752-LHK (N.D. Cal. Aug. 30, 2017)

holding that plaintiffs had adequately alleged injury in fact based on the loss of value of their personal information

Summary of this case from Klein v. Facebook, Inc.

finding claims adequate under one test and ending the analysis there at the pleadings stage

Summary of this case from Kellman v. Spokeo, Inc.

finding plaintiffs incurred out-of-pocket expenses on credit monitoring services after the data breach incident and therefore were “required to enter into a transaction, costing money or property, that would otherwise have been unnecessary”

Summary of this case from Schmitt v. SN Servicing Corp.

finding that the plaintiffs plausibly alleged injury in the form of diminution in value of PII when it was alleged that the PII was actually used by hackers

Summary of this case from Darnell v. Wyndham Capital Mortg.

finding that plaintiffs were "required to enter into a transaction, costing money or property, that would otherwise have been unnecessary" after incurring out-of-pocket expenses on credit monitoring to deal with the data breach

Summary of this case from Huynh v. Quora, Inc.

finding the plaintiffs alleged a "credible threat of real and immediate harm" when the data breached contained information about plaintiffs' "Yahoo login, country code, recovery e-mail, date of birth, hashed password, cell phone numbers, and zip codes"

Summary of this case from Jantzer v. Elizabethtown Cmty. Hosp.

finding incremental harm adequately pled in a data breach case when plaintiffs plausibly alleged that they could not take mitigation steps based upon delay

Summary of this case from In re Solara Med. Supplies, LLC

finding that alleged statement that Defendants had "physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you" was not puffery because " reasonable consumer could rely on this statement as representing that Defendants did, in fact, use safeguards that complied with federal regulations"

Summary of this case from Ahern v. Apple Inc.

concluding plaintiffs alleged an Article III injury where hackers actually accessed the plaintiffs' private information and private information was being sold on dark web

Summary of this case from Hauck v. Advanced Micro Devices, Inc.

denying motion to dismiss UCL claim for unfair practices because, "at a minimum," one test for unfairness was met

Summary of this case from Brooks v. Bank of Am.

denying motion to dismiss unfair prong claim because, "at a minimum," one test for unfairness was met

Summary of this case from In re Zoom Video Commc'ns Inc. Privacy Litig.

rejecting UCL standing to victims of data breach who had failed to allege specific benefit-of-the-bargain losses or out-of-pocket expenses

Summary of this case from Mastel v. Miniclip SA

noting that the court was not aware of any court in the Ninth Circuit that had addressed the scope of the term "knowingly" in 18 U.S.C. § 2702 and holding based on, inter alia, Worix and Muskovich, that the plaintiffs could not state claims under the SCA "simply because a defendant failed to prevent a data breach."

Summary of this case from Damner v. Facebook Inc.

identifying an injury-in fact because the complaint "include[d] several examples of hackers selling [personal identification information] from Yahoo accounts on the dark web"

Summary of this case from Kylie S. v. Pearson PLC

distinguishing the payment-card breach in Whalen from a breach revealing broader categories of information

Summary of this case from Rudolph v. Hudson's Bay Co.

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

Summary

Opinion

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

I. BACKGROUND

A. Factual Background

B. Procedural History

II. LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(6)

B. Leave to Amend

III. REQUEST FOR JUDICIAL NOTICE

IV. DISCUSSION

A. Article III Standing

B. UCL

C. CLRA

D. Customer Records Act

E. Stored Communications Act

F. Online Privacy Protection Act

G. Express Contract Claim

H. Breach of Implied Contract

I. Implied Covenant of Good Faith and Fair Dealing Claim

J. Negligence

K. Declaratory Relief

V. CONCLUSION

IT IS SO ORDERED.

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

Case Details

Citations

Citing Cases

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

Summary

Opinion

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

I. BACKGROUND

A. Factual Background

B. Procedural History

II. LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(6)

B. Leave to Amend

III. REQUEST FOR JUDICIAL NOTICE

IV. DISCUSSION

A. Article III Standing

B. UCL

C. CLRA

D. Customer Records Act

E. Stored Communications Act

F. Online Privacy Protection Act

G. Express Contract Claim

H. Breach of Implied Contract

I. Implied Covenant of Good Faith and Fair Dealing Claim

J. Negligence

K. Declaratory Relief

V. CONCLUSION

IT IS SO ORDERED.

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

In re Yahoo! Inc. Customer Data Sec. Breach Litig.

Case Details

CitationsCopy Citation

Citing Cases

Citations