Opinion
21-cv-03355-WHO
08-09-2021
DESIREE SCHMITT, et al., Plaintiffs, v. SN SERVICING CORPORATION, AN ALASKA CORPORATION, Defendant.
ORDER DENYING IN PART AND GRANTING IN PART MOTION TO DISMISS WITH LEAVE TO AMEND
Re: Dkt. No. 14
William H. Orrick United States District Judge
Plaintiffs Desiree Schmitt and James Furth bring this lawsuit against defendant SN Servicing Corporation (“SNSC”) on behalf of a nationwide class of impacted borrowers for claims arising out of a data breach incident that occurred on SNSC's system in late 2020. On SNSC's motion to dismiss, I find that although plaintiffs can assert California law claims as Ohio residents given allegations that SNSC's principal place of business is in California and that they were harmed by critical decisions SNSC made in California, they fail to plausibly plead the elements of those claims. The negligence claim fails because they do not allege that SNSC had a legal duty to protect the kind of information that was revealed in the data breach. For the same underlying reason, the invasion of privacy claim fails because they do not to allege a serious invasion of a protected privacy interest. And the conclusory allegations they provide are insufficient to state a claim for violation of California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq. For the “unlawful” prong, they simply allege that SNSC violated five statutes, without pleading with particularity how the facts of this case pertain to each specific statute and whether the statute can form a basis for a UCL claim. For the “unfair” prong, they do not sufficiently plead policy considerations based on California privacy statutes to satisfy either the “tethering test” or the “balancing test”. Accordingly, SNSC's motion to dismiss is DENIED in part and GRANTED in part with leave to amend.
BACKGROUND
SNSC is a financial services corporation that specializes in servicing of residential, small balance commercial, consumer, and unsecured loans. Complaint (“Compl.”) [Dkt. No. 1-1] ¶ 16. It is incorporated in Alaska, with a principal place of business in Eureka, California. Id. ¶ 3. Plaintiffs Desiree Schmitt and James Furth are residents of Ohio and were customers of SNSC's services. Id. ¶¶ 1-2.
On or about October 14, 2020, a ransomware-threat group known as “Mount Locker” (the “Unauthorized Party”) deployed ransomware into SNSC's system and successfully acquired a number of digital files maintained by SNSC (hereinafter the “data breach” incident). Id. ¶ 62. According to a third-party cybersecurity forensics investigator hired by SNSC, the exfiltration of data from SNSC by the Unauthorized Party ended on or about October 15, 2020. Id. ¶ 17. Plaintiffs allege that the Unauthorized Party was able to exfiltrate the “personal and financial information” of approximately 20, 155 borrowers, including citizens of the State of California. Id. ¶¶ 18-19. Despite learning of the data breach on or around October 15, 2020, SNSC did not send a “Data Beach Notification” letter to plaintiffs and class members until January 14, 2021. Id. ¶ 20; see id., Ex. 1.
This case was removed from San Francisco County Superior Court. The Data Breach Notification letter is not attached to the Complaint submitted along with SNSC's Notice of Removal. Plaintiffs shall attach a copy of the Data Breach Notification letter to their amended pleading so that it is properly before this court.
The Data Breach Notification letter, which Schmitt and Furth claim they received, states that “the preliminary investigation revealed that the data acquired by the Unauthorized Party includes March 2018 billings statements and fee notices that contain the borrower's personal and financial information including, among other information, borrower names, addresses, loan numbers, balance information, and billing information such as charges assessed, owed, and/or paid.” Id. ¶¶ 22, 40, 45. The Data Breach Notification letter further states that “SNSC is still in the process of conducting an investigation of the incident to determine if additional personal and financial information pertaining to [plaintiffs] was exfiltrated.” Id. ¶¶ 40, 45. In a separate January 14, 2021 letter to the New Hampshire Attorney General, SNSC stated that “it had hired a third party e-discovery vendor to conduct a ‘data mining' review of the documents that were identified to have been exfiltrated to determine whether additional personal and financial information was compromised.” Id.
Plaintiffs allege that personal and financial information is “such a valuable commodity to identity thieves that once information has been compromised, criminals often trade the information on the ‘cyber black-market' for years.” Id. ¶ 34. Accordingly, they contend, there is a “strong probability” that their stolen information is, or soon will be, on the cyber black-market, placing them and other class members “at an increased risk of fraud and identity theft for many years into the future.” Id. ¶ 35. As a result of the data breach, and as recommended by the Data Breach Notification letter, plaintiffs assert that they must now be “vigilant and review their credit reports for incidents of identity theft, and educate themselves about security freezes, fraud alerts, and other steps to protect themselves against identity theft.” Id. ¶ 24.
In particular, Schmitt alleges that she “purchased credit monitoring with Lifelock at an annual cost of more than $200.00, as well as LastPass password manager, which is a monthly password manager and password vault application subscription service that costs $3.00 per month, and YubiKey password protection at a cost of more than $90.00.” Id. ¶ 41. Furth contends that he too “purchased Lifelock identify protection at an annual cost of $99.48” after the data breach. Id. ¶ 46. Both claim that they have “spent time and energy protecting and monitoring [their] identity and credit” and will have to “spend additional time and energy in the future continuing to monitor and protect [their] identity and credit.” Id. ¶¶ 42, 47. Schmitt alleges that she “spent at least 10 hours changing hundreds of passwords related to her business and personal accounts.” Id. ¶ 42. Both allege that they “suffered anxiety, emotional distress, and loss of privacy” as a result of the data breach. Id. ¶¶ 42, 47.
Plaintiffs claim that SNSC started to undertake the “basic steps” recognized in the industry to protect their and other class members' personal and financial information only after an Unauthorized Party was able to exfiltrate a large amount of data. Id. ¶ 23. As the Data Breach Notification letter indicates, SNSC began bolstering its cybersecurity posture after the data breach incident “by replacing email filtering tools, malware software, and Internet monitoring tools with more robust solutions that utilizes AI to detect and block known and newly introduced malware, and block all inbound and outbound Internet, email, and network traffic to foreign countries.” Id. Because of SNSC's failure to “create, maintain, and/or comply with necessary cybersecurity requirements, ” plaintiffs allege that SNSC “was unable to protect borrower's information and confidentiality, and protect against obvious and readily foreseeable threats to information security and confidentiality or unauthorized access to personal and financial information, resulting in the Data Breach.” Id. ¶ 27.
Plaintiffs filed this lawsuit in San Francisco County Superior Court on March 12, 2021, bringing the following three claims on behalf a nationwide class of borrowers impacted by the data breach: (i) negligence; (ii) invasion of privacy; and (iii) relief under the “unlawful” and “unfair” prongs of the UCL. On May 5, 2021, SNSC removed the action to this court and subsequently filed a motion to dismiss for failure to state a claim. Notice of Removal [Dkt. No. 1]; Defendant SN Servicing Corporation's Motion to Dismiss Plaintiffs' Complaint [Dkt. No. 14].
LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics, ” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” See Twombly, 550 U.S. at 555, 570.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” See In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008).
DISCUSSION
I. CALIFORNIA CLAIMS BY NON-CALIFORNIA PLAINTIFFS
While California has a presumption against extraterritorial application of its own law, Sullivan v. Oracle Corp., 51 Cal.4th 1191, 1207 (2011), “state statutory remedies may be invoked by out-of-state parties when they are harmed by wrongful conduct occurring in California.” In re iPhone 4S Consumer Litig., No. C 12-1127 CW, 2013 WL 3829653, at *7 (N.D. Cal. Jul. 23, 2013) (quoting Norwest Mortg., Inc. v. Superior Ct., 72 Cal.App.4th 214, 224-225 (1999)). To determine whether sufficient wrongful conduct occurred in California, “courts consider where the defendant does business, whether the defendant's principal offices are located in California, where class members are located, and the location from which . . . decisions were made.” In re Toyota Motor Corp., 785 F.Supp.2d 883, 917 (C.D. Cal. 2011).
Plaintiffs offer the following to establish the nexus between California and the alleged wrongful conduct: (i) SNSC's principal place of business is in Eureka, California; (ii) the “nerve center” of SNSC's activities is in California, “the place where its high-level officers direct, control, and coordinate the company's activities, including its data security functions and policy, financial, and legal decisions”; and (iii) SNSC's response to the Data Breach at issue here, including investigation and notification to plaintiffs and class members from California, were made from and in California. See Compl. ¶¶ 56-61.
Other courts have found similar allegations sufficient to allow out-of-state plaintiffs to seek recovery under California law. See, e.g., Ehret v. Uber Techs., Inc., 68 F.Supp.3d 1121, 1132 (N.D. Cal. 2014) (finding “sufficient nexus between California and the misrepresentations which form the basis of Plaintiff's claims, ” where plaintiffs alleged that the deceptive practices were controlled from Uber's headquarters in San Francisco, California and the transactions for Uber's services were processed in its servers there); In re iPhone 4S Consumer Litig., 2013 WL 3829653, at *7 (out-of-state plaintiffs had standing to prosecute UCL and other California statutory claims because their alleged injuries were caused by Apple's wrongful conduct in false advertising that originated in California); In re Mattel, 588 F.Supp.2d 1111, 1119 (C.D. Cal. 2008) (out-of-state plaintiffs could bring California state law claims because they complained of “misrepresentations made in reports, company statements, and advertising that are reasonably likely to have come from or been approved by Mattel corporate headquarters in California”).
Plaintiffs also cite other data breach cases that have similarly applied the law of the state where the company had its headquarters. See, e.g., In re Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2019 WL 3410382, at *14 (D. Or. Jul. 29, 2019) (although some conduct underlying plaintiffs' negligence claim occurred by others in other locations, including plaintiffs providing their information in their home states and the hackers engaging in conduct in China, the alleged negligent conduct originated in the defendant company's headquarters in Washington, including decisions that led to the data breach); First Choice Fed. Credit Union v. Wendy's Co., No. CV 16-506, 2018 WL 2729264, at *6-7 (W.D. Pa. May 9, 2018), report and recommendation adopted, No. CV 16-506, 2018 WL 2721998 (W.D. Pa. Jun. 6, 2018) (finding the most significant factor in choice-of-law analysis in a data breach class action is the place of the alleged conduct that caused injury, i.e., “the alleged actions and inactions of Defendants at issue in this case took place at Defendants' headquarters in Ohio”); In re Target Corp. Customer Data Sec. Breach Litig., 309 F.R.D. 482, 486 (D. Minn. Sept. 15, 2015) (place of corporation's headquarters, where the computer servers were located and where decision regarding the data breach were made, constituted sufficient contacts to apply state law to out-of-state plaintiffs' claims).
SNSC does not dispute the case law cited above. In its reply brief, it only focuses on plaintiffs' additional allegation that the choice-of-law provision in SNSC's Terms and Conditions selects California law. See Compl. ¶ 61. While a selected choice-of-law provision may be insufficient on its own to create a nexus to California and confer standing on out-of-state residents, plaintiffs here have alleged more. See In re iPhone 4S Consumer Litig., 2013 WL 3829653, at *7.
SNSC's motion to dismiss on this ground is DENIED. As noted below, however, plaintiffs run into a potential pleading problem by relying on certain California data breach laws to the extent that those laws only cover California residents.
II. NEGLIGENCE
A. Duty of Care
SNSC argues that the California legislature limited duty “to provide reasonable security” to only certain types of sensitive personal identifying information (“PII”), not all personal data. See Cal. Civ. Code § 1798.81.5(d)(1). An actionable data breach must result in the disclosure of a person's name together with one of the following identifiers: (i) social security number, (ii) government-issued ID number, (iii) financial account number in combination with a code “or password that would permit access to an individual's financial account, ” (iv) biometric data, (v) medical and health insurance information, or (vi) an email or user name with a password combination that would permit account access. See Id. Because plaintiffs only allege the disclosure of “borrower names, addresses, loan numbers, balance information, and billing information such as charges assessed, owed, and/or paid, ” none of which amounts to a disclosure of PII, SNSC contends that a legal duty has been inadequately pleaded. Compl. ¶¶ 22, 40, 45.
Plaintiffs analogize their case to Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1031 (N.D. Cal. 2019), where the information consisted of, among other things, names, phone numbers or email addresses, gender, dates of birth, the types of devices used to access Facebook, and the last ten places the user “checked into” or was “tagged” in on Facebook. They summarily argue that the compromised information here is similarly “immutable, ” and therefore highly valuable, without explaining how access to names, addresses, loan numbers, balance information, and billing information can be considered “ammo” to commit future fraud as it did in Bass. Id. at 1035.
The plaintiff in Bass supported his negligence claim by engaging with the “Rowland factors” that California courts consider when determining the existence of a legal duty. See Regents of Univ. of Cal. v. Superior Court, 4 Cal. 5th 607, 628 (2018) (factors include “the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, the policy of preventing future harm, the extent of the burden to the defendant and the consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved) (citing Rowland v. Christian, 69 Cal.2d 108, 113 (1968)). The Bass court found that “[t]hese factors have been satisfied” because “[t]he lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information” and “[f]urther, some of the information [at issue] was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security.” Bass, 394 F.Supp.3d at 1039. Plaintiffs here fail to engage in a similar analysis using the Rowland factors.
For the first time in their opposition, plaintiffs assert that their social security numbers were also compromised. That allegation appears nowhere in the Complaint. Plaintiffs do allege, however, that there is likely more data stolen than they know about because, as of January 14, 2021, SNSC indicated that it is still determining “whether additional personal and financial information was compromised.” Compl. ¶ 22. Without the benefit of discovery or further investigation, plaintiffs argue that they are unable to specifically allege whether additional personal and financial information, like social security numbers, was compromised.
I understand that plaintiffs are working with limited information at this juncture. That said, they need to provide more factual allegations from which I can draw a reasonable inference that PII (information SNSC had a legal duty to protect) was among the information compromised during the data breach. They can do so by, for example, pleading what kind of information they, and customers like them, provided to SNSC. With allegations that certain less sensitive information was released during the data breach (per the Data Breach Notification letter) and that SNSC at least had in its possession other more sensitive information (which rise to the level of PII), a reasonable inference could be drawn that PII was also among the information compromised during the data breach.
B. Breach
Assuming that plaintiffs can allege a plausible legal duty on amendment, I note that their burden to plead a corresponding breach based on SNSC's inadequate security measures is not high. Another data breach case out of this District recognized as much:
The consuming public has come to believe that the internet companies, which take in their private information, have taken adequate security steps to protect the security of that information from any and all hackers or interventions. The ordinary consumer, however, has no clue what internet companies' security steps are. There would be no way for users to know what security steps were actually in place. Therefore, when a breach occurs, the thing speaks for itself. The breach would not have occurred but for inadequate security measures, or so it can be reasonably inferred at the pleadings stage.Flores-Mendez v. Zoosk, Inc., No. C 20-04929 WHA, 2021 WL 308543, at *4 (N.D. Cal. Jan. 30, 2021).
SNSC distinguishes Flores-Mendez on grounds that the data breach in that case involved highly “sensitive information about sexual preferences, which . . . could plausibly lead to blackmail and embarrassment.” Id. The distinction in the type of information released only shows why plaintiffs have not plausibly pleaded the duty element of their claim, as discussed above. It does not undermine the point that plaintiffs need not cross a high bar to plead a corresponding breach once they are able to allege a valid legal duty to maintain their negligence claim.
C. Causation and Damages
I address the remaining negligence elements with the same assumption that plaintiffs are able to allege a valid legal duty and that the information revealed during the data breach sufficiently constitutes PII.
“Under California law, appreciable, nonspeculative, present harm is an essential element of a negligence cause of action.” Huynh v. Quora, Inc., 508 F.Supp.3d 633, 649 (N.D. Cal. 2020) (citing Aas v. Super. Ct., 24 Cal.4th 627, 646 (2000), superseded by statute on other grounds, Cal. Civ. Code § 895 et seq., as recognized in S. Cal. Gas Leak Cases, 7 Cal. 5th 391, 412 (2019)). Plaintiffs allege they have suffered actual damages in the following forms: “imminent risk of identify theft; expenses and/or time spent on credit monitoring for a period of years; time spent scrutinizing bank statements, credit card statements, and credit reports; time spent initiating fraud alerts and credit freezes and subsequently temporarily lifting credit freezes; an increased risk of future harm, ” “anxiety, emotional distress, loss of privacy, and other economic and non-economic losses.” Compl. ¶ 79. SNSC argues that voluntarily purchasing credit monitoring cannot suffice as cognizable damages, particularly when plaintiffs have not alleged that their PII was actually stolen as a result of the data breach.
A similar argument was raised in Huynh, 508 F.Supp.3d at 649, where the defendant moved for summary judgment on a data breach negligence claim because “Plaintiff has not suffered identity theft and asserts that she has voluntarily attempted to repair any hypothetical threat of future harm by temporarily purchasing credit monitoring services and monitoring her accounts.” The court noted that “California courts have not considered whether time and money lost to credit monitoring from the future threat posed by compromised PII are damages to support a negligence claim, ” but, after considering the case law, concluded that “time and money [the plaintiff] spent on credit monitoring in response to the Data Breach is cognizable harm to support her negligence claim.” Id. at 649-50. “Increased time spent monitoring one's credit and other tasks associated with responding to a data breach have been found by other[] courts to be specific, concrete, and non-speculative.” In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-CV-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (citing cases, including Bass, 394 F.Supp.3d at 1039); see also Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) (finding cognizable injury where some plaintiffs bought a subscription to an identity protection service “because they wanted greater protection than that offered” by the defendant). The money and time plaintiffs spent on credit monitoring are both cognizable forms of harm.
SNSC further argues that the negligence claim is barred by the economic loss doctrine because plaintiffs do not allege strictly economic losses. It primarily relies on one case from the Southern District in support of this argument. See Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 316CV00014GPCBLM, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016) (finding plaintiffs alleged “nothing more than pure economic loss” and “no personal injury or physical damage to property” where plaintiffs alleged injuries in the form of “theft of their credit card information, costs associated with prevention of identity theft, and costs associated with time spent and loss of productivity, among other injuries”).
Recent cases out of this District, however, have found that the economic loss doctrine does not apply where loss of time is alleged, as plaintiffs have alleged here. See, e.g., Bass, 394 F.Supp.3d at 1039 (“Here, plaintiff alleged his loss of time as a harm and so does not allege pure economic loss. The economic loss rule therefore does not apply.”); Huynh, 508 F.Supp.3d at 654 (“This Court previously held that the economic loss rule did not bar Plaintiff's negligence claim because she alleged loss of time as a harm, meaning she had not alleged pure economic loss.”); see also Flores-Mendez, 2021 WL 308543, at *4 (“[P]laintiffs adequately allege damages in the form of a heightened risk of future identity theft, loss of privacy with respect to highly sensitive information, loss of time, and risk of embarrassment.”). Other judges in the Southern District have also found the same in more recent opinions. See, e.g., In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-CV-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (finding the economic loss doctrine does not apply because “[p]laintiffs have alleged they have lost time responding to the Breach as well as suffering from increased anxiety and so do not allege purely economic losses”).
With respect to the causation element, SNSC argues that plaintiffs have not made the requisite connection between the alleged breach and damages because they do not assert that they were victims of identity theft or fraud following the data breach or ruled out alternative causes by pleading that they did not suffer identity theft or fraud prior to the data breach. Without allegations of an actual improper use of their PII and lack of prior identify theft incidents, SNSC argues that the negligence claim must fail.
To the extent SNSC's causation argument relies on the premise that plaintiffs must allege an actual identity theft or fraud to maintain their negligence claim, it is flawed for the same reasons discussed above regarding cognizable injuries. To the extent the argument is premised on whether plaintiffs' decision to purchase credit monitoring services and spend time mitigating risk of harm was “reasonable” or “necessary” given the type of information revealed in the data breach, I agree that plaintiffs' allegations are lacking. Because plaintiffs have not plausibly pleaded that PII or identifiable information was disclosed (information that SNSC had a duty to protect), they have not plausibly pleaded that their decision to purchase credit monitoring services and spend time mitigating any risk of harm after the data breach was reasonable or necessary. But if they plausibly plead that their PII was compromised, a reasonable inference would follow that their decision to purchase monitoring services was “reasonable” and “necessary.”
SNSC's motion to dismiss the negligence claim is GRANTED with leave to amend.
III.INVASION OF PRIVACY
Under California law, to adequately state a claim for invasion of privacy, a plaintiff must demonstrate three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) a serious invasion of the privacy interest. In re iPhone Application Litig., 844 F.Supp.2d 1040, 1063 (N.D. Cal. 2012) (citing Hill v. Nat'l Collegiate Athletic Assn., 7 Cal.4th 1, 35-37 (1994)). SNSC challenges the third element of plaintiff's claim.
Actionable invasions of privacy must be sufficiently “serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill, 7 Cal.4th at 26 (finding rules requiring college football players to submit to drug testing were not egregious breaches of social norms) (emphasis added); Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1025 (N.D. Cal. 2012) (recognizing a “high bar” for pleading invasion of privacy claims) (citing cases). “Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not ‘approach [the] standard' of actionable conduct under the California Constitution and thus does not constitute a violation of Plaintiffs' right to privacy.” iPhone Application Litig., 844 F.Supp.2d at 1063 (quoting Ruiz v. Gap, Inc., 540 F.Supp.2d 1121, 1127-28 (N.D.Cal. 2008) aff'd, 380 Fed.Appx. 689 (9th Cir. 2010)).
Plaintiffs contend that the criminal nature of the data breach and the information that was exposed or stolen in the data breach demonstrates that SNSC committed a serious violation of their privacy rights. Courts faced with similar data breach scenarios have found such allegations insufficient. See, e.g., Razuki v. Caliber Home Loans, Inc., No. 17CV1718-LAB (WVG), 2018 WL 2761818, at *2 (S.D. Cal. Jun. 8, 2018) (“Losing personal data through insufficient security doesn't rise to the level of an egregious breach of social norms underlying the protection of sensitive data like social security numbers . . . . [plaintiff's] allegations don't suggest the type of intentional, egregious privacy invasion contemplated in Hill.”); In re iPhone Application Litig., 844 F.Supp.2d at 1063 (finding information disclosed to third parties, including unique device identifier number, personal data, and geolocation information, did not constitute an egregious breach of social norms).
The cases plaintiffs cite are easily distinguishable. The invasion of privacy claim in Doe v. Beard, 63 F.Supp.3d 1159, 1170 (C.D. Cal. 2014) involved the disclosure of medical information, including the plaintiff's HIV-positive status, and thus was subject to a “lower threshold” for “egregious violations of social norms.” Similarly, Stasi v. Inmediata Health Grp. Corp., 501 F.Supp.3d 898, 926 (S.D. Cal. 2020) recognized that “some courts have dismissed privacy claims based on the state constitution given the ‘high bar' for such claims, ” but distinguished those cases on grounds that they “[did] not involve[] medical information that was ‘posted' on the internet.” Plaintiffs' remaining citations are outside the data breach context and, unlike the (at most) negligent conduct alleged here, those cases involved intentional disclosures of privileged information. See Strawn v. Morris, Polich & Purdy, LLP, 30 Cal.App. 5th 1087, 1093-98 (2019) (plaintiffs alleged that a State Farm representative demanded privileged tax returns from defendants and intentionally disclosed them to third parties); In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606 (9th Cir. 2020) (plaintiffs challenged Facebook's use of programs to track users' web browsing and intentional accumulation of consumer information for sale to third parties).
Because plaintiffs have failed to establish that SNSC's conduct amounts to a serious invasion of a protected privacy interest, SNSC's motion to dismiss the invasion of privacy claim is GRANTED with leave to amend.
IV. UCL
A. Standing
To establish standing under the UCL, a plaintiff's claim must specifically involve lost money or property. See Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 323 (2011); Ehret v. Uber Techs., Inc., 68 F.Supp.3d 1121, 1132 (N.D. Cal. 2014) (“Whereas a federal plaintiff's injury in fact may be intangible and need not involve lost money or property, . . . a UCL plaintiff's injury in fact [must] specifically involve lost money or property.”) (internal quotation marks omitted).
In the data breach context, “payments toward enhanced credit monitoring that arise from a data breach and that are not reimbursed [] constitute economic injury, sufficient to confer UCL standing.” Huynh, 508 F.Supp.3d at 661 (internal quotation marks and citation omitted). That is exactly what plaintiffs have alleged here-both plaintiffs bought enhanced credit monitoring protection and other services after the data breach incident. See Compl. ¶¶ 41, 46; In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F.Supp.3d 447, 492 (D. Md. 2020) (lost money or property is sufficiently alleged where a plaintiff is “required to enter into a transaction, costing money or property, that would otherwise have been unnecessary”) (quoting Kwikset, 51 Cal.4th at 323).
SNSC distinguishes the summary judgment ruling in Huynh on grounds that plaintiffs here did not seek reimbursements from SNSC for the credit monitoring services they purchased. Huynh did not turn on whether plaintiffs directly sought reimbursements from the defendant company. Indeed, the line of cases cited in Huynh suggest that plaintiffs' allegations are sufficient for pleading purposes. To the extent that SNSC factually disputes whether plaintiffs' credit monitoring costs were “required” or “necessary, ” that cannot be resolved that this stage.
See In re Yahoo! Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, *21-22 (N.D. Cal. Aug. 30, 2017) (finding plaintiffs incurred out-of-pocket expenses on credit monitoring services after the data breach incident and therefore were “required to enter into a transaction, costing money or property, that would otherwise have been unnecessary”); In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 986-87 (N.D. Cal. 2016) (finding the language in Kwikset favors the argument that money spent on credit monitoring to prevent fraud is sufficient to assert statutory standing under the UCL); Corona v. Sony Pictures Ent., Inc., No. 14-CV-09600 RGK EX, 2015 WL 3916744, at *5, *8 (C.D. Cal. Jun. 15, 2015) (finding UCL standing sufficiently alleged based on “costs relating to credit monitoring, identity theft protection, and penalties”); Witriol v. LexisNexis Grp., No. C05-02392 MJJ, 2006 WL 4725713, *6 (N.D. Cal. Feb. 10, 2006) (finding “costs associated with monitoring and repairing credit impaired by the unauthorized release of private information” constitute “monetary loss as a result of Defendants' actions”); Walters v. Kimpton Hotel & Rest. Grp., LLC, No. 16-CV-05387-VC, 2017 WL 1398660, at *2 (N.D. Cal. Apr. 13, 2017) (finding plaintiff sufficiently alleged economic injury resulting from breach to maintain UCL claim, including having to secure and maintain credit monitoring services and other out-of-pocket expenses and the value of time reasonably incurred to remedy or mitigate the breach) (internal quotation marks citation omitted).
The two cases SNSC provides are distinguishable. In Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *11, the plaintiff only generally alleged that “unauthorized charges were made on his credit card, that he will incur damages to monitor identity theft, and that he has spent time responding to the unauthorized charges on his credit card.” In Bass, 394 F.Supp.3d at 1040, the plaintiff implausibly alleged “(i) loss of the value of the personal information and (ii) failure to receive the benefit of his bargain with Facebook, ” and did not claim any costs associated with credit monitoring.
SNSC's motion to dismiss the UCL claim for lack of statutory standing is DENIED.
B.Unlawful Prong
The unlawful prong of the UCL prohibits “anything that can properly be called a business practice and that at the same time is forbidden by law.” In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *23 (citation omitted). By proscribing “any unlawful” business practice, the UCL permits injured consumers to “borrow” violations of other laws and treat them as unlawful competition that is independently actionable. Id.
As predicates for their UCL claim under the unlawful prong, plaintiffs allege that SNSC violated five statutes in failing to implement reasonable security measures and safeguard customers' data: (i) section 5 of the Federal Trade Commission (“FTC”) Act, 15 U.S.C. § 45; (ii) and (iii) provisions of the California Customer Records Act (“CRA”), Cal. Civ. Code §§ 1798.81.5, 1798.82; (iv) the California Financial Information Privacy Act (“FIPA”), Cal. Fin. Code § 4052.5, and (v) an Ohio statute, Ohio Rev. Code 1349.19, that requires disclosure of breach of security system. See Compl. ¶¶ 86-89.
A UCL claim of any kind “must identify the particular section of the statute that was violated and must describe with reasonable particularity the facts supporting the violation.” Bros. v. Hewlett-Packard Co., No. C-06-02254 RMW, 2006 WL 3093685, at *7 (N.D. Cal. Oct. 31, 2006) (applying Khoury v. Maly's of California, Inc., 14 Cal.App.4th 612, 619 (1993)). Plaintiffs fail to do that here. They broadly claim that SNSC violated all five statutes by, among other things, “[f]ailing to establish adequate practices and procedures for maintaining and storing Plaintiffs' and Class members' personal and financial information, and storing Plaintiffs' and Class members' personal and financial information in an unsecure electronic environment.” See Compl. ¶ 86(a). Such conclusory allegations do not suffice. See Baba v. Hewlett-Packard Co., No. C 09-05946 RS, 2010 WL 2486353, at *6 (N.D. Cal. Jun. 16, 2010) (dismissing UCL claim where plaintiffs conclusorily alleged that defendants violated six statutes without considering that each “has its own line of case law and its own set of elements” and requiring plaintiffs to “plead with particularity how the facts of this case pertain to that specific statute”).
In addition to the conclusory nature of plaintiffs' allegations, SNSC further argues that plaintiffs cannot state a claim under any of the five statutes because many of them do not confer a private right of action. Plaintiffs respond that a private right of action is not required for a statute to form a basis for an unlawful UCL violation. For example, the data breach plaintiffs in Anthem, 162 F.Supp.3d at 989, pleaded unlawful conduct as violations of the FTC Act and other statutes, even though those statutes did not provide a private right of action. Thus, plaintiffs argue, “[i]t does not follow” that a private UCL action cannot borrow from another law enforceable only by public lawyers. LegalForce RAPC Worldwide P.C. v. UpCounsel, Inc., No. 18-cv-02573-YGR, 2019 WL 160335, at * 14 (N.D. Cal. Jan. 10, 2019) (quoting Stop Youth Addiction, Inc. v. Lucky Stores, Inc., 17 Cal.4th 553, 566 (1998)).
SNSC contends that plaintiffs' citations contradict the well-established principle that plaintiffs cannot use the UCL “to engineer” a private right of action when the underlying statute does not create it. O'Donnell v. Bank of Am., Nat. Ass'n, 504 Fed.Appx. 566, 568 (9th Cir. 2013). The Ninth Circuit in O'Donnell upheld the district court's dismissal of a UCL claim premised on the defendants' alleged violation of the FTC Act, reasoning that the “federal statute doesn't create a private right of action” and “plaintiffs can't use California law to engineer one.” Id. (citing Carlson v. Coca-Cola Co., 483 F.2d 279, 280 (9th Cir.1973), and Lucia v. Wells Fargo Bank, N.A., 798 F.Supp.2d 1059, 1072 (N.D. Cal. 2011) reversed on other grounds, 728 F.3d 878 (9th Cir. 2013)).
It appears that the district court's ruling in Anthem, 162 F.Supp.3d at 989, where an unlawful UCL claim predicated on the FTC Act was not dismissed, conflicts with the Ninth Circuit's disposition in O'Donnell, where dismissal of unlawful UCL claim predicated on the FTC Act was upheld. Notably however, the district court in Anthem did not directly address whether the FTC Act created a private right of action or expressly prohibited it. See LegalForce, 2019 WL 160335, at *13 (“[I]f a statute explicitly precludes private enforcement, or if a statute expressly provides immunity for the conduct alleged, a plaintiff may not plead around this bar by bringing a claim under the UCL.”). The Anthem court only stated that “a review of the complaint demonstrates that Plaintiffs' allegations ‘identify the particular section of the statute that was violated,' and other allegations in the consolidated amended complaint ‘describe with reasonable particularity the facts supporting the violation.'” Anthem, 162 F.Supp.3d at 989 (quoting Baba, 2010 WL 2486353, at *6). The Ninth Circuit's ruling in O'Donnell, therefore, carries more persuasive weight here. For purposes of alleging an unlawful business practice, plaintiffs cannot predicate their UCL claim on the FTC Act. But, as discussed below, they may be able to use the FTC Act to allege a claim under the unfair prong.
The applicability of the remaining four statutes, which plaintiffs fail to address in their opposition, is also questionable. SNSC argues that plaintiffs cannot use the CRA, California Civil Code sections1798.81.5 and 1798.82, as predicates because they have not alleged how SNSC violated those statutes. The case law suggests that non-California plaintiffs cannot use the CRA provisions to predicate their UCL “unlawful” claim. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *34 (dismissing standalone claims brought under California Civil Code section 1798.82 because “non-California residents lack standing to bring claims under the CRA”); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp. 942, 973 (S.D. Cal. Oct. 11, 2012) (dismissing CRA claims brought on behalf of non-California plaintiffs because the CRA “is clear that it applies only ‘to ensure the personal information [of] California residents is protected'”) (quoting Cal. Civ. Code § 1798.81.5(a)); see also Antman v. Uber Techs., Inc., No. 3:15-CV-01175-LB, 2015 WL 6123054, at *5 (N.D. Cal. Oct. 19, 2015) (“Section 1798.82 has procedures for notifying California residents when their unencrypted personal information is disclosed in a data breach and thereby acquired (or reasonably believed to have been acquired by) an unauthorized person.”) (citing Cal. Civ. Code § 1798.82(a) (emphasis added)).
Plaintiffs similarly fail to explain how the data breach conduct alleged here is within the scope of the FIPA, California Financial Code section 4052.5, which “prohibit[s] financial institutions from disclosing nonpublic personal information with ‘nonaffiliated third parties.'” Park v. Wells Fargo Bank, No. C 12-2065 PJH, 2012 WL 3309694, at *4 (N.D. Cal. Aug. 13, 2012) (citing Cal. Fin. Code § 4052.5). Nor do they explain why UCL violations can be predicated on another state's law, such as Ohio Rev. Code Ann. 1349.19.
SNSC's motion to dismiss the UCL claim under the unlawful prong is GRANTED with leave to amend.
C. Unfair Prong
The unfair prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *23 (citing Korea Supply Co. v. Lockheed Martin Corp., 29 Cal.4th 1134, 1143 (2003). “The UCL does not define the term ‘unfair' . . . [and] the proper definition of ‘unfair' conduct against consumers ‘is currently in flux' among California courts.” Id.
Some California courts apply a balancing approach, which requires courts to “weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Other California courts have held that “unfairness must be tethered to some legislatively declared policy or proof of some actual or threatened impact on competition.” Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 735 (9th Cir. 2007) (internal quotation marks omitted). These tests are typically referred to as the “balancing test” and the “tethering test”.
Under the tethering test, plaintiffs argue that they “need merely to show that the effects of [SNSC's] conduct ‘are comparable to or the same as a violation of the law, or otherwise significantly threaten or harm competition.'” In re Adobe Sys. Privacy Litig., 66 F.Supp.3d 1197, 1227 (N.D. Cal. 2014) (quoting Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal.4th 163, 187 (1999)) (internal alterations omitted). They contend that the effects of SNSC's conduct are comparable to a violation of the five laws mentioned in the Complaint-including 15 U.S.C. § 45, Cal. Civ. Code 1798.81.5-82, Cal. Fin. Code § 4052.5, and Ohio Rev. Code § 1349.19-which impose duties to maintain reasonable security over consumers' personal identifying information and require reasonable notification if a data breach occurs. As discussed above, their allegations with respect to these five statutes are vague and conclusory.
Plaintiffs “may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by Defendants or by demonstrating that Defendants' conduct violated an established public policy.” Anthem, 162 F.Supp.3d at 990. For example, the plaintiffs in In re Yahoo! sufficiently pleaded an unfair business practice by alleging that “Defendants promised in their Privacy Policy to protect their customers ‘data, but that Defendants knowingly failed to employ adequate safeguards to protect their customers' data, in violation of Defendants' Privacy Policy.” In re Yahoo! Inc. Customer Data Sec. Breach Litig, 2017 WL 3727318, at *24. They also alleged that “Defendants' knowing failure to employ adequate safeguards violated the policy of various California statutes, such as the [OPPA], that were intended to ‘reflect California's public policy of protecting customer data.'” Id. (quoting Anthem, 162 F.Supp.3d at 990).
Plaintiffs' allegations here are not so detailed. See, e.g., Compl. ¶¶ 13-14, 23. In their opposition, they argue that SNSC purposefully delayed notification to impacted users for no legitimate or law enforcement reason and failed to conduct a thorough investigation to adequately notify them about the results of any investigations. But the Complaint does not plead that there was a duty to provide timely breach notifications, or that SNSC breached such duty.
SNSC's motion to dismiss the UCL claim under the unfair prong is GRANTED with leave to amend.
CONCLUSION
For the reasons discussed above, SNSC's motion to dismiss is DENIED in part and GRANTED in part with leave to amend within twenty (20) days of this order.
IT IS SO ORDERED.