Haskins v. Symantec Corporation
Filing
32
ORDER GRANTING MOTION TO DISMISS by Judge Jon S. Tigar, granting 22 Motion to Dismiss. (wsn, COURT STAFF) (Filed on 8/23/2013)
<![CDATA[
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
KATHLEEN HASKINS,
Case No. 13-cv-01834-JST
Plaintiff,
8
v.
ORDER GRANTING MOTION TO
DISMISS
9
10
SYMANTEC CORPORATION,
ECF No. 22
Defendant.
United States District Court
Northern District of California
11
12
Before the Court is Defendant Symantec Corporation’s (“Symantec”) Motion to Dismiss
13
14
Plaintiff’s First Amended Complaint (“Motion”). ECF No. 22. The Court has carefully
15
considered the papers filed in support of the motion and finds the matter appropriate for resolution
16
without oral argument. See Civil L.R. 7-1(b). The hearing scheduled for August 29, 2013 is
17
therefore VACATED.
18
I.
BACKGROUND
19
A.
Factual Background
20
The Court accepts the following allegations as true for the purpose of resolving
21
Defendant’s motion to dismiss. Cahill v. Liberty Mutual Ins. Co., 80 F.3d 336, 337–38 (9th Cir.
22
1996).
23
Symantec provides security, storage, and systems management to consumers, small
24
businesses, and large global organizations through its antivirus, data management utility and
25
enterprise software products. First Amended Complaint (“FAC”), ECF No. 17, ¶ 3. In 2006,
26
hackers infiltrated Symantec’s network and stole the source code for the 2006 versions of
27
pcAnywhere, Norton SystemWorks, Norton Antivirus Corporate Edition and Norton Internet
28
1
Security (which Plaintiff identifies in the FAC the “Compromised Symantec Products”1). Id. ¶ 18.
2
The stolen Symantec source code includes instructions written in various computer programming
3
languages, and comments made by engineers to explain the design of the software. Id. ¶ 12.
4
According to Plaintiff, the source code is considered the “crown jewel” of the software, and
5
Symantec’s “most precious asset.” Id. ¶ 13. “Symantec suspected in 2006 its network had been
6
breached and its source code stolen,” and did not disclose the breach or source code theft until the
7
hackers revealed the breach in January 2012. Id. ¶ 2. By not disclosing the breach and presenting
8
the “Compromised Symantec Products” as if no such breach occurred, Plaintiff and Class
9
Members were “[led] to believe the Compromised Symantec Products were secure and completely
functional as advertised.” Id. Therefore, Plaintiff alleges that the “Compromised Symantec
11
United States District Court
Northern District of California
10
Products” were not fully secure and functional as advertised. Id. ¶ 29.
12
Plaintiff Kathleen Haskins (“Plaintiff”) purchased Symantec’s Norton Antivirus software
13
online directly from Symantec during late 2007 or early 2008 and renewed the software annually.
14
Id. ¶ 8. Plaintiff's version of Norton Antivirus “contained all or a portion of the compromised
15
2006 source code.” Id. Plaintiff alleges that she purchased Norton Antivirus “for the reasons
16
advertised” and points to two statements on Symantec’s website that allegedly advertise a fully
17
functional Symantec product:
Symantec is “a global leader in providing security, storage and
systems management solutions” to consumers, small businesses and
large global organizations to “secure and manage their information
against more risks at more points, more completely and efficiently
than any other company” through its antivirus, data management
utility and enterprise software products. Symantec’s product “focus
is to eliminate risks to information, technology and processes
independent of the device, platform, interaction or location.”
18
19
20
21
22
Id. ¶¶ 8-9. As a result, “Plaintiff did not receive the fully functional Symantec data and system
23
security software for which she paid.” Id.
24
B.
Procedural Background
25
Plaintiff brings this proposed class action against Symantec on behalf of herself and a
26
27
28
1
The Court also uses this term throughout this order for ease of discussion. This does not reflect
any judgment by the Court regarding the appropriateness of the label.
2
1
proposed class (“Proposed Class”) of individuals who “purchased, leased and/or licensed
2
pcAnywhere, Norton SystemWorks (Norton Utilities and Norton GoBack), Norton Antivirus
3
Corporate Edition and Norton Internet Security software that contain all or a portion of the 2006
4
version of the source codes for such products.” FAC ¶ 1. Plaintiff alleges that because Symantec
5
failed to disclose the security breach, Plaintiff and the Proposed Class were deprived of the benefit
6
of their bargain because they did not receive a fully functional Symantec product. FAC ¶ 2.
7
Plaintiff asserts the following five claims against Symantec: (1) Violations of the Consumer Legal
8
Remedies Act, California Civil Code § 1750, et seq. (“CLRA”); (2) Unfair Competition,
9
California Business and Professions Code §17200, et seq. (“UCL”); (3) Breach of Contract (4)
10
United States District Court
Northern District of California
11
Breach of Warranty; and (5) Money Had and Received. FAC, ¶¶ 41-71.
Symantec has filed a Motion to Dismiss on the grounds that Plaintiff lacks Article III
12
standing, that Plaintiff has not pled her fraud-based claims with sufficient particularity to satisfy
13
Rule 9(b) of the Federal Rules of Civil Procedure, and that each of Plaintiff’s claims fail to state a
14
claim upon which relief can be granted.
15
C.
Jurisdiction
16
Plaintiff asserts, and Symantec does not deny, that Plaintiff is a citizen of Texas and that
17
Symantec is a Delaware corporation with its principal place of business in California. FAC ¶¶ 8-
18
9. Therefore, assuming that Plaintiff has standing, see Part II, infra., the Court would have
19
subject-matter jurisdiction over this action pursuant to the Class Action Fairness Act (“CAFA”),
20
28 U.S.C. § 1332(d), because there are 100 or more Class Members, at least one Class Member is
21
a citizen of a state diverse from Symantec’s citizenship, and the matter in controversy exceeds
22
$5,000,000 exclusive of interest and costs.
23
D.
Legal Standard
24
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(1) tests the subject
25
matter jurisdiction of the Court. When subject matter jurisdiction is challenged, “the party seeking
26
to invoke the court's jurisdiction bears the burden of establishing that jurisdiction exists.” Scott v.
27
Breeland, 792 F.2d 925, 927 (9th Cir.1986); see also Kokkonen v. Guardian Life Ins. Co. of Am.,
28
511 U.S. 375, 377 (1994). “Article III’s case-or-controversy requirement . . . provides a
3
1
fundamental limitation on a federal court’s authority to exercise jurisdiction . . . [and] ‘the core
2
component of standing is an essential and unchanging part of the case-or-controversy requirement
3
of Article III.’” Nuclear Info. & Res. Serv. v. Nuclear Regulatory Comm’n, 457 F.3d 941, 949
4
(9th Cir. 2006) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)).
To establish Article III standing, plaintiffs must satisfy three elements: (1) “injury in fact
5
— an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual
7
or imminent, not conjectural or hypothetical”; (2) causation — “there must be a causal connection
8
between the injury and the conduct complained of — the injury has to be fairly traceable to the
9
challenged action of the defendant, and not the result of the independent action of some third party
10
not before the court; and (3) redressability — “it must be likely, as opposed to merely speculative,
11
United States District Court
Northern District of California
6
that the injury will be redressed by a favorable decision.” Lujan, 504 U.S. at 560–61 (internal
12
quotation marks and citations omitted).
Although Plaintiff asserts her claims on behalf of a class, she must allege that she
13
14
personally suffered an injury. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022
15
(9th Cir. 2003) (“if none of the named plaintiffs purporting to represent a class establishes the
16
requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or
17
any other member of the class.”). “That a suit may be a class action . . . adds nothing to the
18
question of standing, for even named plaintiffs who represent a class ‘must allege and show that
19
they personally have been injured, not that injury has been suffered by other, unidentified
20
members of the class to which they belong and which they purport to represent.’” Simon v. E.
21
Kentucky Welfare Rights Org., 426 U.S. 26, 40, n. 20 (1976) (quoting Warth v. Seldin, 422 U.S.
22
490, 502 (1975)).
23
II.
24
ANALYSIS
The Court addresses Article III standing before turning to any of Symantec’s alternative
25
grounds for dismissal, since “jurisdiction [must] be established as a threshold matter.” Steel Co. v.
26
Citizens for a Better Environment, 523 U.S. 83, 95 (1988).
27
Symantec argues that Plaintiff fails to adequately allege injury-in-fact for three reasons.
28
First, since Plaintiff has not alleged that she has actually suffered from any security breach as a
4
1
result of purchasing a compromised product, Symantec argues that Plaintiff has only alleged a
2
conjectural or hypothetical possibility of injury. But Plaintiff does not claim that her injury stems
3
from any current or future security breach; she argues instead that she “was deprived of the benefit
4
of her bargain; to wit, although Plaintiff paid for an uncompromised version of the Norton
5
Antivirus software, she received a compromised version of the Product . . . [and thus,] lost money
6
on the purchase of the product.” FAC, ¶ 8.
Second, Symantec argues that Plaintiff cannot show that she was deprived of the benefit of
7
8
the bargain because she has not identified any representations on which she relied when she
9
purchased Norton Antivirus. This is an argument that Plaintiff has failed to state a claim rather
than an argument about Plaintiff’s standing.2 Plaintiff argues that the facts, as pled, establish that
11
United States District Court
Northern District of California
10
she has suffered harm from the purchase of Symantec’s Norton Antivirus product. If she is right,
12
she has a viable claim, and if she is wrong, she does not. But there is nothing about her
13
relationship to the purported injury that renders the Court without jurisdiction to determine the
14
question. The purpose of standing doctrine is to ensure that “plaintiff’s claims arise in a ‘concrete
15
factual context’ appropriate to judicial resolution” and that “the suit has been brought by a proper
16
party.” Arakaki v. Lingle, 477 F.3d 1048, 1059 (9th Cir. 2007) (quoting Valley Forge Christian
17
Coll. v. Ams. United For Separation of Church & State, Inc., 454 U.S. 464, 472 (1982)). The
18
‘injury-in-fact’ analysis is not intended to be duplicative of the analysis of the substantive merits
19
of the claim.
20
Finally, Symantec argues that Plaintiff does not have standing because the software she
21
purchased, Norton Antivirus, is not one of the products Plaintiff identified as a “Compromised
22
Symantec Product[].” This is a valid standing argument, since “the injury in fact test . . . requires
23
that the party seeking review be himself among the injured.” Lujan, 504 U.S. at 563.
24
The FAC states that hackers “stole the source code for the 2006 versions of pcAnywhere,
25
Norton SystemWorks (Norton Utilities and Norton GoBack), Norton Antivirus Corporate Edition
26
27
28
2
In its motion, Symantec makes essentially the same arguments about ‘injury in fact’ that it makes
regarding Plaintiff’s failure to state a claim. Compare Motion, at 7:23-8:9 with id., at 14:2315:26, 16:16-25, 20:19-22:16.
5
1
and Norton Internet Security,” and the Proposed Class is comprised of persons and entities that
2
purchased those four products. FAC, ¶¶ 1-2. But Plaintiff purchased a different product: Norton
3
Antivirus. Id., ¶ 9.
The FAC fails to make clear the relationship between Norton Antivirus and the
5
“Compromised Symantec Products.” Plaintiff alleges that Norton Antivirus “contained all or a
6
portion of the compromised 2006 source code.” Id., ¶ 9. Later, the complaint states that the
7
hacker group “posted . . . confidential documentation pertaining to Norton Antivirus source code,”
8
“posted what they claimed was the complete source code tree file for Norton Antivirus -- although
9
it was later taken down,” and “published . . . a detailed technical overview of Norton Anti-Virus.”
10
Id., ¶¶ 15-17. These are the only allegations in the complaint that relate to Norton Antivirus. The
11
United States District Court
Northern District of California
4
gravamen of the complaint is that the products forming the basis of Plaintiff’s causes of action are
12
the four specifically identified “Compromised Symantec Products.” Id., ¶ 1-3, 20-24, 26, 30-31,
13
42, 47, 51, 59, 62-64, 66, 68-69, 71. And Plaintiff does not allege that she purchased any of those
14
four products.
In her opposition to Symantec’s motion to dismiss, Plaintiff states that “Plaintiff purchased
15
16
one of the Products and challenges Symantec’s business practice(s) common to all Products.”
17
Plaintiff’s Opposition to Defendant Symantec Corporation’s Motion to Dismiss Plaintiff’s First
18
Amended Class Action Complaint, ECF No. 28, at 9:6-8. This does not resolve the ambiguity.
19
The opposition brief mints a new definition of “Products”: Symantec’s “flagship computer
20
products that provide antivirus and security protection.” Id., at 1:2-3. This definition, presumably
21
crafted to encompass Norton Antivirus as well as the identified “Compromised Symantec
22
Products,” does not appear in the complaint. Plaintiff also submits a printout from Symantec’s
23
website in which Symantec indicates that Norton Antivirus was among the products compromised
24
by the security breach. Exh. 1 to Declaration of Timothy Blood, ECF No. 28-1.3 This does not
25
26
27
28
3
Since the information on the website is referred to in paragraph 20 of the FAC, the Court
GRANTS Plaintiff’s request to take judicial notice of the website printout. ECF No. 29. See
United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003). Since the Court does not need to refer
to documents submitted by Symantec in order to resolve this motion, the Court does not act on
Symantec’s request for judicial notice at this time. ECF No. 22.
6
1
change the fact that Plaintiff’s complaint revolves around four products that do not include Norton
2
Antivirus.
To be clear, the Court is not suggesting that there is any standing-related problem with
3
4
Plaintiff seeking to represent a class whose members purchased different products than she did.
5
See Clancy v. The Bromley Tea Co., Case No. 12-CV-03003-JST, 2013 WL 4081632, at *3-6
6
(N.D. Cal. Aug. 9, 2013) (concluding that as long as a named plaintiff has individual standing to
7
bring claims regarding products he actually purchased, the question of whether a proposed class
8
can bring claims related to other products is properly addressed at the class certification stage).4
9
But Plaintiff cannot assert standing on her own behalf without clearly alleging that the product she
purchased was among those that form the basis of her claim. Plaintiff has not demonstrated her
11
United States District Court
Northern District of California
10
standing to bring this action, and the complaint must be dismissed.
“[A] judge who concludes that subject matter jurisdiction is lacking has no power to rule
12
13
alternatively on the merits of a case.” Wages v. I.R.S., 915 F.2d 1230, 1234 (9th Cir. 1990).
14
Therefore, the Court will not proceed to address the other grounds on which Symantec has moved
15
to dismiss the complaint. However, if Plaintiff chooses to file an amended complaint, she should
16
make whatever amendments she thinks necessary in light of the arguments raised by Symantec in
17
its motion to dismiss.
18
IV.
CONCLUSION
Plaintiff’s complaint is DISMISSED WITHOUT PREJUDICE. Plaintiff has leave to file a
19
20
second amended complaint if she can allege additional facts that overcome the deficiencies
21
identified in this order. If she chooses to amend the complaint, Plaintiff is ORDERED to file the
22
second amended complaint within twenty-one days of the date of this order. Failure to meet this
23
///
24
///
25
///
26
27
28
4
However, the Court notes that it is hard to imagine how Plaintiff, the purchaser of one product,
can represent a class who are defined by having purchased four other products.
7
1
deadline will result in dismissal with prejudice pursuant to Rule 41(b) of the Federal Rules of
2
Civil Procedure.
3
4
IT IS SO ORDERED.
Dated: August 23, 2013
5
6
7
______________________________________
JON S. TIGAR
United States District Judge
8
9
10
United States District Court
Northern District of California
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
8
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
