Opinion
CASE NO. 17cv1718-LAB (WVG)
06-07-2018
SALAM RAZUKI, individually and on behalf of others similarly situated, Plaintiff, v. CALIBER HOME LOANS, INC., et al., Defendants.
ORDER OF DISMISSAL
Salam Razuki sued Caliber Home Loans after hackers breached Caliber's security and stole sensitive customer information like social security numbers. Razuki alleges a cybercriminal attempted to open credit cards in his name after the hack, and he's spent money and suffered emotional distress as a result. He blames Caliber for deploying second-rate security and waiting too long to notify customers like him. Caliber removed under the Class Action Fairness Act, and now asks the Court to dismiss for lack of standing and failure to state a claim. Razuki has standing, but he's failed to state a claim. Fed. R. Civ. P. 12(b)(6).
A. Standing
Caliber argues Razuki's increased risk of identity theft isn't an injury in fact. But the Ninth Circuit recently held that data-breach-victims pled "an injury in fact based on a substantial risk that hackers will commit identity fraud." In re Zappos.com, Inc., 888 F.3d 1020, 1029 (9th Cir. 2018). If pleading a substantial risk of identity fraud is enough to satisfy the injury requirement, then Razuki's allegation that his identity was "stolen and exploited" by "an unknown party [who] attempted to make numerous fraudulent transactions in his name, including the opening of new credit accounts" is sufficient. See also Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
Caliber also maintains Razuki can't show causation. It's true the criminal who used Razuki's information might have obtained it through open Wi-Fi on a train, a discarded bank statement, or some other data breach. But the Ninth Circuit rejected that argument in Zappos as well: "That hackers might have stolen Plaintiffs' [data] in unrelated breaches, and that Plaintiffs might suffer identity theft or fraud caused by the data stolen in those other breaches . . . is less about standing and more about the merits of causation and damages." 888 F.3d at 1029. The Court must draw all reasonable inferences in Razuki's favor at this stage. He alleges he gave Caliber his private data, a breach happened, and someone tried to open credit accounts in his name. In sum, his identity was "stolen and exploited." That's enough to reasonably infer causation for Article III standing.
Caliber's reply brief argued Razuki failed to allege the company still possessed his data during the breach, or that it was actually stolen. But Caliber admits it sent out "notice to those individuals whose information could potentially be affected." Razuki alleges he "received such a letter." That's sufficient. Caliber's opening brief also seems to acknowledge the point. And the argument is waived anyway—new counsel raised it for the first time in the reply. Caliber's motion to dismiss the complaint for lack of standing is denied.
B. Failure to State a Claim
1. Negligence
In Krottner v. Starbucks, the Ninth Circuit found risk of identity theft following a data breach sufficient to supply an injury-in-fact for standing, but insufficient to support actual damages for a negligence claim because the injuries "stem from the danger of future harm." Krottner v. Starbucks Corp., 406 F. App'x 129, 131 (9th Cir. 2010); but see Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1126 (N.D. Cal. 2008), aff'd, 380 F. App'x 689 (9th Cir. 2010). In Starbucks, one plaintiff alleged personal information was misused, but the court couldn't find any "loss related to the attempt to open a bank account in his name." Razuki makes the same allegations: his personal information was misused when someone attempted to open accounts in his name. Razuki hasn't distinguished his case from Starbucks.
In the published opinion, the plaintiffs made additional allegations that track Razuki's claims; for example, spending time monitoring accounts. Krottner, 628 F.3d at 1141.
What's more, his allegations are too vague for the Court or Caliber to evaluate. He says he "was informed that an unknown party attempted to make numerous fraudulent transactions in his name"; he "spent time, money, energy, and effort managing the fallout"; and he "took remedial measures." Who "informed him" and what "fraudulent transactions" were made? How did he "manage the fallout"? What "remedial measures" did he spend money on? Also, he sums up his damages in paragraph 22 by alleging, "Plaintiff and/or members of the Class" suffered harm. That's not good enough. This conjunctive-disjunctive formulation suggests class members may have suffered injuries Razuki didn't. As the class representative, he needs to allege his damages—not possible damages that happened to other, absent class members. Finally, his opposition alludes to purchasing some type of identity protection service. He didn't clearly allege that in his complaint. Plus, Caliber's offered free, two-year identity protection to affected customers.
Dkt. 16 ¶ 24; https://oag.ca.gov/system/files/Sample%20Notice_11.pdf. --------
Under Rule 8's "short and plain statement" standard, Razuki need not allege his allegations of harm in great specificity. See e.g., Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (reversing trial court for dismissing data breach claim) (Easterbrook, J). And the Court must accept all allegations as true and draw inferences in Razuki's favor. But he needs to allege more than the cagey and indefinite allegations in his complaint. This claim is dismissed with leave to amend.
2. California Constitution (Art. I, § I)
Razuki argues Caliber violated his constitutional right to privacy by failing to protect his data. What matters here is whether Caliber committed "a serious invasion of privacy"; that is, "an egregious breach of the social norms underlying the privacy right." Hill v. Nat'l Collegiate Athletic Assn., 7 Cal. 4th 1, 37, 40 (1994). Losing personal data through insufficient security doesn't rise to the level of an egregious breach of social norms underlying the protection of sensitive data like social security numbers. "Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not approach the standard of actionable conduct under the California Constitution and thus does not constitute a violation of Plaintiffs' right to privacy." In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (alterations omitted).
Razuki counters that he's alleged Caliber intentionally violated his privacy by choosing to implement low-budget security measures with an "absolute disregard of its consequences." Cope v. Davidson, 30 Cal. 2d 193, 201 (1947). The privacy damage here is serious. But Razuki's allegations don't suggest the type of intentional, egregious privacy invasion contemplated in Hill. 7 Cal. 4th at 93 (drug-test monitors watched college athletes provide urine sample). Other courts to consider the issue have reached similar results. See, e.g., Ruiz, 540 F. Supp. 2d at 1128. Razuki didn't distinguish these cases, nor did he point to any authority besides Cope v. Davidson—a case interpreting "willful misconduct within the meaning of section 403 of the Vehicle Code." 30 Cal. 2d at 195. This claim is dismissed with leave to amend.
3. Customer Records Act (Civ. Code § 1798.80)
The Customer Records Act requires businesses to protect customers' personal information by maintaining "reasonable security procedures," and if a data breach occurs, to notify affected customer's "without unreasonable delay" §§ 1798.81.5, 82. Razuki argues Caliber failed to address this claim, so it waived argument. The opposite is true. Caliber moved to dismiss this claim for failing to allege injury, and for conclusory allegations about security, data disposal, and notification. Razuki failed to address these arguments. The claim is deemed abandoned. See, e.g., Shull v. Ocwen Loan Servicing, LLC, 2014 WL 1404877, at *2 (S.D. Cal. Apr. 10, 2014). This claim is dismissed with leave to amend.
If Razuki amends, he needs to provide more facts to support his various theories for a CRA violation. The Court acknowledges Razuki probably can't make specific and definitive allegations about how Caliber's security was insufficient before discovery. But he needs to hum a few more bars about some of these allegations, like why mitigation was "inadequate" or disposal of customer information was "improper." The Court must accept his factual allegations as true, but he needs more than "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements." Iqbal, 556 U.S. at 678. This claim is dismissed with leave to amend.
4. Consumers Legal Remedies Act (Cal. Civ. Code § 1750)
Razuki argues Caliber violated various provisions of § 1770(a)'s ban on unfair business practices that result "in the sale or lease of goods or services to any consumer." The CLRA unhelpfully defines "services" as "work, labor, and services for other than a commercial or business use, including services furnished in connection with the sale or repair of goods." § 1761. Caliber argues selling home loans doesn't count as the sale of a service under the Act. The Court agrees.
The California Supreme Court has held that "ancillary services that insurers provide to actual and prospective purchasers of life insurance" doesn't count as a "service" under the Act because the activity centers on a "contractual obligation to pay money." Fairbanks v. Superior Court, 46 Cal. 4th 56, 61, 65 (2009). If selling life insurance isn't a service, then neither is selling home loans—both center on contractual obligations to pay money.
Razuki says the Court should read the statute more broadly. But that reading would "defeat the apparent legislative intent" of the Act, since "ancillary services are provided by the sellers of virtually all intangible goods," like those who provide "loans." Id. at 65. Other courts agree. See, e.g., Alborzian v. JPMorgan Chase Bank, N.A., 235 Cal. App. 4th 29, 40 (2015) (mortgage loan not a service). This claim is dismissed without leave to amend.
5. Unfair Competition Law (Cal. Bus. & Prof. Code § 17200)
Razuki argues Caliber engaged in unfair business practices by failing to provide sufficient security for his data. The unfair competition law bans unlawful, unfair, and fraudulent business practices. Cal. Bus. & Prof. Code § 17200. Razuki's complaint doesn't explain which theory he's advancing. His opposition suggests he's relying on the CLRA and CRA violations above as predicates for an unlawful theory. Since those claims are out, this one is too. Plus, he hasn't sufficiently alleged "lost money or property." Cal. Bus. & Prof. Code § 17204. The motion to dismiss this claim is granted with leave to amend.
* * *
Given the Ninth Circuit's extremely liberal stance on amendment, the Court dismisses all of Razuki's claims with leave to amend, except his CLRA claim—amendment would be futile since home loans aren't covered under the statute. If Razuki doesn't file an amended complaint by July 6, 2018, this case will be dismissed.
IT IS SO ORDERED. Dated: June 7, 2018
/s/_________
HONORABLE LARRY ALAN BURNS
United States District Judge