Beyer v. Symantec Corporation
Filing 39
ORDER by Judge Edward M. Chen Granting in Part and Denying in Part 17 Defendant's Motion to Dismiss. (emcsec, COURT STAFF) (Filed on 9/21/2018)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
MONTGOMERY BEYER, Plaintiff,
v.
SYMANTEC CORPORATION, Defendant.
Case No. 18-cv-02006-EMC
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO DISMISS
Docket No. 17
I. INTRODUCTION
Plaintiff Montgomery Beyer (hereafter “Beyer”) brings the instant action alleging that certain network security software products sold by Defendant Symantec Corporation (hereafter “Symantec”), specifically network security software products sold or licensed to consumers under the Norton brand (“Norton Products”) and to businesses under the Symantec brand (“Enterprise Products,” and together with the Norton Products, the “Affected Products”), contained critical defects. See Docket No. 1 (“Compl.”) ¶¶ 1-2. Beyer’s allegations arise out of a report by Google Inc.’s team of expert cybersecurity analysts, Project Zero, which details alleged vulnerabilities in a component of Symantec’s software, the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25. Beyer argues that Symantec advertises that the Affected Products “protects against the latest online threats” or “protects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites” while knowing that its products suffered from a core decomposer engine defect that exposed entire computer operating systems to various security vulnerabilities. Id. ¶¶ 20-24. Beyer further argues that Symantec failed to disclose that it did not implement patches for third-party source code that it used throughout its product line, and various Symantec misrepresentations and omissions form the basis for his causes of action. Id.
Beyer asserts five causes of action, namely (i) a California Consumer Legal Remedies Act (“CLRA”) claim, Cal. Civ. Code §§ 1750, et seq., (ii) a California Song-Beverly Consumer Warranty Act claim, Cal. Civ. Code §§ 1790, et seq., (iii) a California False Advertising Law (“FAL”) claim, Cal. Bus. & Prof. Code §§ 17500, et seq., (iv) a California Unfair Competition Law (“UCL”) claim, Cal. Bus. & Prof. Code §§ 17200, et seq., and (v) a claim for “Quasi-Contract/Unjust Enrichment.” Id. ¶¶ 51-96. Beyer purports to represent a nationwide class combining persons who purchased and/or licensed an Affected Product between December 21, 2005 and September 19, 2016. Id. ¶¶ 1, 42-50. Beyer further asserts a consumer subclass for purposes of the claims under the CLRA and the Song-Beverly Act. Id. ¶ 43.
Symantec has moved to dismiss for (i) failure to plead the facts and circumstances of the alleged fraud with particularity under Fed. R. Civ. P. 9(b), (ii) failure to state a claim under Fed. R. Civ. P. 12(b)(6), and (iii) lack of Article III standing under Fed. R. Civ. P. 12(b)(1). For the following reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court also DISMISSES Beyer’s Song-Beverly Act claim without prejudice. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.
II. FACTUAL AND PROCEDURAL BACKGROUND
The complaint alleges the following:
Symantec produces and sells security software under the Symantec and Norton brands. Both the Symantec and Norton products contain a key component called the AntiVirus Decomposer Engine. This component unpacks compressed executable files so that they can be scanned for malicious code. Id. ¶ 2. On June 28, 2016, Google’s Project Zero team released a report on alleged vulnerabilities in the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25. Beyer alleges that Project Zero discovered that the AntiVirus Decomposer Engine was defectively designed so that it unpacked files in the computer operating system’s privileged core, which lies at the core of the computing environment and has unrestricted access to and writing permissions for the computer’s files (“High Privilege Defect”). Id. ¶ 25. Specifically, Beyer alleges this Engine scanned for malicious files by unpacking and examining compressed executable files within the kernel or the root, which resulted from Symantec unnecessarily assigning the highest privilege levels to the file scanning and analysis function. Id. The exposure of potentially malicious files in this high-privilege environment opened the operating systems up to corruption. Id. ¶ 3. As such, Beyer suggests that Symantec violated a key cybersecurity best practice, the principle of least privilege, which states that software should operate using the least amount of privilege necessary to complete the task. Id. ¶ 26; see also id. ¶ 35-36 (it appears that Symantec also prescribes the best practice of “run[ning] the principle of least privilege where possible to limit the impact of exploit by threats” as far back as 2007.). Beyer further alleges that Symantec exposed users’ computers to a “critical vulnerability” by failing to implement industry-standard security measures such as “sandboxing,” i.e., opening files in an isolated virtual environment separate from critical processes and programs. Id. ¶ 27. Beyer also alleges that Symantec relied on third party open source code to design this Engine but had failed to update the open source code for at least seven years, resulting in vulnerabilities that caused “total information disclosure” and “total compromise of system integrity” (“Outdated Source Code Defect”). Id. ¶¶ 29-30. As a result, Beyer alleges that Symantec sold software that did not conform to cybersecurity best practices, did not reasonably protect users’ computer systems against online threats, and made users’ computer systems more susceptible to cyberattacks than they would have otherwise been without the software. Id. ¶ 7.
Beyer alleges he purchased five Norton Products containing these defects. See Compl. ¶¶ 10, 20-24. He seeks recovery for the second and third purchases only. See Docket No. 22 (“Opp”), at 8 n.3. Beyer made his second purchase “in March 2009,” when he bought Norton 360 Premier, v. 2.0 (“Second Software”). Id. ¶ 21. Beyer alleges that prior to making his purchase he reviewed the product page on Symantec’s website, which represented that Norton 360 Premier, v. 2.0, “‘defends you against a broad range of online threats’ through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates,” and “provides ‘enhanced protection’ through ‘industry leading virus, spyware and firewall protection.’” Id. He does not expressly allege that he relied on any of these statements. Id.
“That same year,” Beyer purchased another Norton 360 Premier, v. 2.0, from Best Buy (“Third Software”). Id. ¶ 22. Prior to doing so, he “reviewed the relevant product page on Best Buy’s website” and “relied on similar representations that the Third Software ‘[p]rotects against viruses, spyware, rootkits, identity theft, phishing scams, and fraudulent Web sites.’” Id. Beyer does not allege that Symantec was responsible for the publication of these representations as opposed to, e.g., Best Buy. However, he does allege that, “[t]o the best of his knowledge, Mr. Beyer also reviewed and relied upon the various comparable representations and statements on the software’s packaging and box in connection with the purchase.” Id. Plaintiff also generally alleges that “Plaintiff and the Consumer Subclass relied to their detriment on Defendant’s misrepresentations and omissions in purchasing and licensing the Norton Products.” Compl. ¶ 62.
III. DISCUSSION
A. Article III Standing as to the Enterprise Products
To satisfy Article III's case or controversy requirement, a plaintiff must demonstrate that he or she has suffered an injury in fact, that the injury is traceable to the defendant's conduct, and that the injury can be redressed by a favorable decision. See Fortyune v. Am. Multi-Cinema, Inc., 364 F.3d 1075, 1081 (9th Cir. 2004). Here, Beyer purchased Norton Products and brings a putative class comprising anyone who purchased a Norton or Enterprise Product that contained critical defects. See Compl. ¶¶ 1-2, 42. Beyer alleges that both Norton Products and Enterprise Products incorporate the AntiVirus Decomposer Engine and were affected by the alleged security flaws. Id. ¶ 3. Symantec submits that Enterprise Products differ in that they permit the user to centrally manage the security and data on multiple machines. See Docket No. 17 (“Mot.”) at 31 (citing Pulgram Decl., Ex. D). Symantec thus contends that there is no similarity in the potential injury, the essential element of the inquiry for Article III standing. See id.
However, this does not necessarily deprive Beyer of standing to bring class allegations for purchasers of the Enterprise Products. The ability to centrally manage security data does not gainsay the fundamental defect in the way the Symantec products were designed. The same alleged defects exist in both lines of products. Compl. ¶ 3.
This Court, like others in the Northern District, has held that a plaintiff may proceed on class claims against unpurchased products if they are “substantially similar” to products he has purchased. Swearingen v. Late July Snacks LLC, No. 13-cv-4324-EMC, 2017 WL 4641896, at *5 (N.D. Cal. Oct. 16, 2017) (quoting Astiana v. Dreyer’s Grand Ice Cream, Inc., No. C-11-2901 EMC, 2012 WL 2990766 (N.D. Cal. July 20, 2012)).
In Astiana, the plaintiffs challenged food labels on Dreyer’s ice cream products, some of which they had not purchased. In that case,
    Plaintiffs are challenging the same kind of food products (i.e., ice cream) as well as the same labels for all of the products—i.e., “All Natural Flavors” for the Dreyer’s/Edy’s products and “All Natural Ice Cream” for the Haagen-Dazs products. That the different ice creams may ultimately have different ingredients is not dispositive as Plaintiffs are challenging the same basic mislabeling practice across different product flavors. Indeed, many of the ingredients are the same . . . .
Astiana, 2012 WL 2990766, at *13. As a result, the Court held that the plaintiffs had alleged sufficient similarity to survive the pleading stage and that “material differences are better addressed at the class certification stage.” Id.
Similarly, this Court held in Swearingen that the plaintiff had pleaded sufficient similarity between purchased and non-purchased cracker and snack chips, because “the non-purchased products are different flavors of the same Multigrain Snack Chips product purchased by Plaintiffs.” Swearingen, 2017 WL 4641896, at *5. “In addition, Plaintiffs have identified a common mislabeling practice across all products.” Id. Swearingen distinguished Kane v. Chobani, No. 12-cv-2425-LHK, 2013 WL 5289253 (N.D. Cal. Sept. 19, 2013), which Defendant in this case also raises. See Mot. at 32-33. The Kane plaintiffs brought claims regarding Chobani yogurts, some of which they had not purchased. The court there denied standing for the non-purchased yogurts. But as noted in Swearingen, “the court did not hold that the different yogurt products were not substantially similar. Rather, the court found that plaintiffs’ complaint contained insufficient information for it ‘to discern . . . which products [p]laintiffs are contending contained each representation and for which products these representations were false.’” Swearingen, 2017 WL 4641896, at *6 (quoting Kane, 2013 WL 5289253, at *11).
This case is analogous to Astiana and Swearingen. As in Astiana, where the same kind of food product (ice cream) was at issue, the same kind of software product is in dispute here, namely antivirus software. And as in Astiana, where the different ingredients did not preclude standing because the plaintiff challenged “the same basic mislabeling practice,” the fact that Enterprise Products have central management features does not preclude standing, because Plaintiff alleges the same security defects in the enterprise and consumer products.
Kane is distinguishable for the same reasons discussed in Swearingen: The Kane complaint failed to specify which products contained the flawed labels, while Plaintiff here has alleged that the AntiVirus Decomposer Engine is in both consumer and enterprise products. See Compl. ¶ 1. Defendant’s citation of Romero v. HP, Inc., No. 16-cv-5415-LHK, 2017 WL 386237 (N.D. Cal. Jan. 27, 2017), is distinguishable for the same reason. See Mot. at 23 (citing Romero for its holding that “plaintiff lacked standing for printers she did not purchase where plaintiff did not plead facts that indicated what misrepresentations were made to each printer, and whether the misrepresentations were false”).
Defendant raises a number of dissimilarities between the two product lines, i.e., different purchasers (sophisticated business purchasers compared to lay consumer purchasers), different sales materials, and different marketing channels. See Mot. at 31. To Defendant, these dissimilarities would result in dissimilar injuries (though it does not explain how). See id. Such arguments can be addressed at a later stage. See Astiana, 2012 WL 2990766, at *13. For purposes of the motion to dismiss for standing (not, e.g., class certification), Plaintiff has alleged sufficient similarity between the enterprise and consumer products to proceed. The Court therefore DENIES Defendant’s 12(b)(1) motion. For the same reasons, the class allegations are not “immaterial” or “impertinent,” and the Court DENIES Defendant’s 12(f) motion to strike those allegations. See Mot. at 33-34.
B. Beyer’s Fraud Claims Under the UCL, FAL, and CLRA
Beyer alleges that Symantec’s statements constitute misrepresentations about its products in violation of the CLRA, the FAL, and the UCL’s fraudulent prong. Beyer also alleges that Symantec’s failure to disclose the defects was an omission in violation of the same statutes.
The FAL prohibits businesses from disseminating statements that are “untrue or misleading, and which is known, or which by the exercise of reasonable care should be known, to be untrue or misleading.” Cal. Bus. & Prof. Code § 17500. The CLRA prohibits “‘unfair methods of competition and unfair or deceptive acts or practices’ in transactions for the sale or lease of goods to consumers.” Daugherty v. Am. Honda Motor Co., 144 Cal. App. 4th 824, 833 (2006) (quoting Cal. Civ. Code. § 1770(a)). “The standards for determining whether a representation is misleading under the False Advertising Law apply equally to claims under the CLRA.” Colgan v. Leatherman Tool Grp., Inc., 135 Cal. App. 4th 663, 680 (2006). The UCL prohibits “any fraudulent business act or practice,” as well as any “unfair, deceptive, untrue or misleading advertising” or any violation of the FAL. Id. § 17200. Beyer also alleges that the CLRA and FAL violations violated the UCL’s unlawful prong.
Because Beyer’s claims sound in fraud, the heightened pleading requirements of Rule 9(b) apply. Under Rule 9(b), the plaintiff must plead the “who, what, when, where, and how” of the alleged misconduct. Kearns v. Ford Motor Co., 567 F.3d 1120, 1124-25 (9th Cir. 2009). This requires the plaintiff to allege “an account of the time, place, and specific content” of the false or misleading statements. Swartz v. KPMG LLP, 476 F.3d 759, 764 (9th Cir. 2007) (per curiam) (internal quotation marks and citation omitted). In addition, the “plaintiff must set forth what is false or misleading about a statement, and why.” Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003).
1. Misrepresentation or Omission
Symantec contends that Beyer’s claims must be dismissed because Symantec’s statements about Norton 360, v. 2.0, are mere puffery and would therefore not mislead a “reasonable consumer,” as required by the statutes at issue. Consumer Advocate v. Echostar Satellite Corp., 113 Cal. App. 4th 1351, 1360 (2003); Elias, 950 F. Supp. 2d at 854. Furthermore, Symantec argues that even if the statements were not mere puffery, Beyer has failed to “set forth what is false or misleading about a statement, and why” as required under Rule 9(b). See Coleman-Anacleto v. Samsung Elecs. Am., Inc., No. 16-cv-02941-LHK, 2016 WL 4729302, at *14 (N.D. Cal. Sept. 12, 2016).
a. Affirmative Statements
For the purposes of this motion, the Court only needs to consider whether the following representations are actionable¹:
▪ The Second Software “defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates.” See Compl. ¶ 21.
▪ The Second Software provides “enhanced protection” through “industry leading virus, spyware and firewall protection.” Id.
▪ The statement on Best Buy’s website that the Third Software “[p]rotects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites.” Id. ¶ 22; see Docket No. 23-1.
▪ The “comparable statements and representations” on the Third Software’s packaging and box. Id.
As an initial matter, the statements regarding the Third Software cannot support Beyer’s claims. The statement that the software protects against various digital maladies was on Best Buy’s website; the FAC does not allege that this statement is attributable to Symantec. In the absence of allegations to the contrary, absent allegations that the statement is attributable to Symantec and not just Best Buy, no claim against Symantec is stated.
In contrast, the “comparable statements and representations” on the packaging and box, id., are attributable to Symantec. However, that allegation runs afoul of Rule 9(b), which requires Beyer to identify the statements at issue with particularity. The mere allegation that the statements are “comparable” to those on Best Buy’s website is insufficient.
The above claims regarding the Third Software are therefore DISMISSED. Because Beyer may be able to make additional allegations to cure these defects, the dismissal is without prejudice.
That leaves the statements regarding the Second Software. Symantec argues that these statements are puffery.
¹ Representations cited in paragraphs 18 and 19 in the Complaint are not actionable as they are all after Beyer’s dates of purchase. See Compl. ¶¶ 18-19. Beyer’s citation of these materials in his opposition to Symantec’s motion to dismiss is thus irrelevant. See Docket No. 22, at 16-17.
A misrepresentation must be a “specific and measurable claim, capable of being proved false or of being reasonably interpreted as a statement of objective fact.” Rasmussen, 27 F. Supp. 3d at 1039-40 (citing Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co., 173 F.3d 725, 731 (9th Cir. 1999)). “Generalized, vague, and unspecified assertions constitute ‘mere puffery’ upon which a reasonable consumer cannot rely, and hence are not actionable.” Anunziato v. eMachines, Inc., 402 F. Supp. 2d 1133, 1139 (C.D. Cal. 2005) (citing Glen Hollywood Entm’t, Inc. v. Tektronix, Inc., 343 F.3d 1000, 1005 (9th Cir. 2003)); accord Consumer Advocate, 113 Cal. App. 4th at 1361 n.3. “Ultimately, the difference between a statement of fact and mere puffery rests in the specificity or generality of the claim. . . . Thus, a statement that is quantifiable, that makes a claim as to the specific or absolute characteristics of a product, may be an actionable statement of fact while a general, subjective claim about a product is non-actionable puffery.” Demetriades v. Yelp, Inc., 228 Cal. App. 4th 294, 311 (2014) (quoting Newcal Indus., Inc. v. Ikon Office Solution, 513 F.3d 1038, 1053 (9th Cir. 2008)).
For example, in Consumer Advocate, the plaintiffs brought a putative class action against a satellite television company under the UCL, FAL, and CLRA for false or misleading ads. The statements were that the service would provide “crystal clear digital video,” “CD-quality” audio, an on-screen program guide showing the schedule “up to 7 days in advance,” and 50 channels of content. Consumer Advocate, 113 Cal. App. 4th at 1353. The court held that the first two statements were “mere puffing,” id. at 1361 n.3, and “all-but-meaningless superlatives,” as opposed to “factual representations that a given standard is met.” Id. at 1361. In contrast, the claims regarding 50 channels and 7 days were factual representations. Id. at 1361-62.
In Elias, a consumer brought a putative class action against Hewlett-Packard. He had purchased a laptop from the manufacturer, and he had selected a customization option for a graphics card that, unbeknownst to him, required a higher power supply than the laptop supplied. This allegedly causes computers to overheat, freeze, crash, and even catch fire. As a result, the plaintiff’s laptop malfunctioned and was damaged beyond repair. The plaintiff brought, inter alia, claims under the CLRA, FAL, and the fraudulent prong of the UCL for the manufacturer’s alleged misrepresentations in the laptop’s capabilities. In purchasing the laptop, the plaintiff had relied on statements on the manufacturer’s website advertising that the computers at issue had “ultra-reliable performance,” “full power and performance,” “versatile, reliable system[s],” and were “packed with power” and “delivers the power you need.” Elias, 903 F. Supp. 2d at 854. The court held that these were “[g]eneralized advertisements” that “say nothing about the specific characteristics or components of the computer.” Id. at 855. See also Anunziato, 402 F. Supp. 2d at 1140 (statements that a line of laptops has the “latest technology” and “outstanding quality, reliability, and performance” are non-actionable puffery, where plaintiff alleged that the laptops contained a defect that caused them to overheat).
In L.A. Taxi Cooperative, Inc. v. Uber Techs., Inc., 114 F. Supp. 3d 852, 861 (N.D. Cal. 2015), the court determined that some statements made by Uber were puffery while others were sufficiently specific to be actionable. The complaint alleged that Uber’s advertising made false or misleading statements about the safety of its service compared to taxis. Of those statements, the court found that “GOING THE DISTANCE TO PUT PEOPLE FIRST” and “BACKGROUND CHECKS YOU CAN TRUST” were generalized, unmeasurable, and subjective claims amounting to puffery. Id. However, other statements were actionable non-puffery:
    For example, Uber claims that it is “setting the strictest safety standards possible,” that its safety is “already best in class,” and that its “three-step screening” background check procedure, which includes “county, federal and multi-state checks,” adheres to a “comprehensive and new industry standard.” Uber has historically described its background check procedures as “industry-leading.” Uber's statements also explicitly compare the safety of its services with those offered by taxi cab companies. For example, a statement on Uber's blog describing its “rigorous” background check procedures reads, “Unlike the taxi industry, our background checking process and standards are consistent across the United States and often more rigorous than what is required to become a taxi driver.”
Id. The court concluded that “[a] reasonable consumer reading these statements in the context of Uber’s advertising campaign could conclude that an Uber ride is objectively and measurably safer than a ride provided by a taxi or other competitor service, i.e., it is statistically most likely to keep riders from harm.” Id.
Symantec’s statements about the Second Software, while somewhat general, are sufficiently specific so as to not constitute mere puffery at the pleading stage. This case is similar to L.A. Taxi, in which Uber’s description of its background checks as “industry-leading” contributed to an actionable impression that an Uber ride is objectively safer. See id. Here, while the statement in this case does not contain something akin to the more explicit comparison to competitors, as in L.A. Taxi, Symantec’s statement that its software is “industry leading” could lead a reasonable consumer to believe that Symantec software would adhere to industry best practices. That is a reasonable inference for purposes of the motion to dismiss. Cf. L.A. Taxi (“industry-leading” background checks implied degree of safety). Best practices may be sufficiently concrete to be provable. For instance, Symantec had best-practice guidelines which were violated by the High Privilege Defect and Outdated Source Code Defect. Compl. ¶ 35.
In contrast, Symantec’s alleged statement that the software “defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates,” Compl. ¶ 21, is similar to the claims in Elias that the laptops have “ultra-reliable performance” and “full power and performance,” Elias, 903 F. Supp. 2d at 854, and the claims in Anunziato that the laptops there had “outstanding quality, reliability, and performance.” Anunziato, 402 F. Supp. 2d at 1140. Those general descriptions are non-actionable puffery.
As for the “industry leading” claim, its misleading nature is dependent on Symantec’s failure to disclose the two Defects. The Court therefore turns to California law on misleading omissions.
b. Omissions
An omission is actionable “if the omitted fact is (1) contrary to a [material] representation actually made by the defendant or (2) is a fact the defendant was obliged to disclose.” Gutierrez v. Carmax Auto Superstores Cal., 19 Cal. App. 5th 1234, 1258 (2018) (alteration in original) (internal quotation marks omitted) (quoting Daugherty, 144 Cal. App. 4th at 835); accord Hodsdon, 891 F.3d at 861. The omitted fact must also be material. See id. at 1256. As for the first prong, the Defects’ existence is contrary to Symantec’s representation that its products are “industry leading,” as discussed above. The question for the first prong, then, is whether that representation and the omitted fact are material. See id. at 1256, 1258. A statement is material “if a reasonable consumer would deem it important in determining how to act in the transaction at issue.” Gutierrez, 19 Cal. App. 5th at 1258. “[M]ateriality usually is a question of fact” that should be left to the jury unless the statement at issue is “obviously unimportant.” Id. at 1262. Symantec’s representation that its products provide “enhanced protection” through “industry leading virus, spyware and firewall protection” is not obviously unimportant. Compl. ¶ 21. The question of materiality survives the motion to dismiss.
The Defects are also material. The complaint alleges that the High Privilege Defect opened up affected machines to “a wide variety of cyberattacks,” some of which qualify as “critical” vulnerabilities and require “[v]ery little knowledge or skill” to exploit, according to a standard vulnerability scoring system. Id. ¶ 28 (alteration in original). Likewise, the Outdated Source Code Defect allegedly exposed affected machines to “[d]ozens of public vulnerabilities,” including some that were publicly known. Id. ¶ 29. These vulnerabilities were also rated “critical” and required little knowledge to exploit. Id. ¶ 30. Symantec argues that there is no indication that the Defects were ever actually exploited and so they cannot be material. It is true that the complaint lacks any allegations of such exploits. However, Symantec’s argument is factual in nature and is premature on a motion to dismiss. At the pleading stage, the court draws reasonable inferences in the plaintiff’s favor. Given the allegations described above, it is reasonable to infer that the Defects are important and material, because they affect the effectiveness and function of Affected Products.
The second prong of omission under Gutierrez regards the duty to disclose even in the absence of a particular representation. Traditionally under California law, “[t]o state a claim for failing to disclose a defect, a party must allege ‘(1) the existence of a design defect; (2) the existence of an unreasonable safety hazard; (3) a causal connection between the alleged defect and the alleged safety hazard; and that the manufacturer knew of the defect at the time a sale was made.’” Williams v. Yamaha Motor Co. Ltd., 851 F.3d 1015, 1025 (9th Cir. 2017) (quoting Apodaca v. Whirlpool Corp., No. 13-0725 JVS (ANx), 2013 WL 6477821, at *9 (C.D. Cal. Nov. 8, 2013)).
The requirement in Williams that there be a safety hazard has been cast into doubt by recent California Court of Appeal opinions. See Collins v. eMachines, Inc., 202 Cal. App. 4th 249, 134 Cal. Rptr. 3d 588 (2011); Rutledge v. Hewlett-Packard Co., 238 Cal. App. 4th 1164 (2015). These recent appellate decisions extend liability for non-disclosure to beyond safety hazards by “sanction[ing] a UCL omission claim when: the plaintiff alleges that the omission was material; second, the plaintiff must plead that the defect was central to the product’s function; and third, the plaintiff must allege one of the four LiMandri factors.” Hodsdon v. Mars, Inc., 891 F.3d 857, 863 (9th Cir. 2018) (citing Collins, 134 Cal. Rptr. 3d at 593-95). The LiMandri factors are: “(1) when the defendant is in a fiduciary relationship with the plaintiff; (2) when the defendant had exclusive knowledge of material facts not known to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; and (4) when the defendant makes partial representations but also suppresses some material facts.” LiMandri v. Judkins, 52 Cal. App. 4th 326, 336 (1997) (quoting Heliotis v. Schuman, 181 Cal. App. 3d 646, 651 (1986)). Importantly, the defect must not only be central to the product’s function; it must also be physical. See Hodsdon, 891 F.3d at 864 (Collins and Rutledge require a “physical defect” and the alleged existence of slave labor in chocolate supply chain “is not a physical defect at all, much less one related to the chocolate’s function as chocolate”).
Although the Williams test was employed by the Ninth Circuit in Wilson v. Hewlett-Packard Co., 668 F.3d 1136 (9th Cir. 2012), the California Court of Appeal’s decision in Rutledge post-dates Wilson. And the Ninth Circuit’s decision in Hodsdon considered whether Collins and Rutledge effectively overruled Wilson’s safety-hazard requirement. In that case, Hodsdon had sued the Mars chocolate manufacturer for failing to disclose that its suppliers used forced and child labor. The district court had dismissed under 12(b)(6), and the Ninth Circuit affirmed. In doing so, the court did not decide which of the two standards applied because the court found that the complaint would fail under either standard. See Hodsdon, 891 F.3d at 864. Nevertheless, it suggested that a non-disclosure claim may lie under either of the standards:
    The recent California cases show that Wilson’s safety hazard pleading requirement is not necessary in all omission cases, but that the requirement may remain applicable in some circumstances. In other words, Collins and Rutledge are not necessarily irreconcilable with Wilson because, where the challenged omission does not concern a central functional defect, the plaintiff may still have to plead a safety hazard to establish that the defendant had a duty to disclose. For example, . . . Wilson may still apply where the defect in question does not go to the central functionality of the product, but still creates a safety hazard.
Id. (footnote omitted).

Because the complaint in the instant case does not allege a safety hazard, the issue under Collins and Rutledge is whether the High Privilege Defect and Outdated Source Code Defect constitute “physical” defects that were “central” to the Affected Products’ function.

These Defects may be considered “physical.” As the California appellate court has noted in the very context, “computer software . . . may be characterized as tangible property” because the software is “‘recorded in a physical form which has physical existence, takes up space on the tape, disc, or hard drive, makes physical things happen, and can be perceived by the senses.’” Microsoft Corp. v. Franchise Tax Bd., 212 Cal. App. 4th 78, 87 (2012) (quoting South Cent. Bell Tel. Co. v. Barthelemy, 643 So.2d 1240, 1246 (La. 1994)). Software is “a certain arrangement of matter,” which is “physically recorded on some tangible medium[] [and] constitutes a corporeal body.” Id. (quoting Barthelemy, 643 So.2d at 1246). This is unlike the use of child labor in the production of a chocolate bar in Hodsdon, which is non-physical. See Hodsdon, 891 F.3d at 864.

The next question is whether under Collins and Rutledge the High Privilege Defect and Outdated Source Code Defect are central to the Affected Products’ function. In Collins plaintiffs had complained that a computer chip in eMachine computers caused “critical data corruption” of the hard drive. Id. at 862. In Rutledge, the plaintiffs alleged that defective inverters in Hewlett Packard’s laptops caused the screens to darken. These defects are “central to the product’s function” because they “render[] those products incapable of use by any consumer.” Id. at 864 (emphasis omitted). In contrast, the Hodsdon plaintiff’s opposition to the use of slave labor in producing chocolate is “based on subjective preferences” which some consumers do not share. Id.

Here, the complaint sufficiently alleges the Defects are central to the function of the Affected Products of safeguarding computers against online threats, virus, spyware, etc. The Defects allegedly open up the operating systems to corruption, create a “critical vulnerability” to online threats, and make computers more susceptible to cyberattacks than they would have otherwise been without the software. Compl. ¶¶ 3, 7, 29-30. Although the complaint does not identify specific instances of resulting damage to computers loaded with the Affected Products, cf. Williams v. Yamaha Motor Co., Ltd., 851 F.3d 1015, 1028-29 (9th Cir. 2017) (alleged risk of fire in defective motors was speculative where the complaint failed to allege that any customer experienced such a fire), that is not dispositive to a motion to dismiss where all reasonable inferences must be drawn in Plaintiff’s favor.2

2. Reliance

Reliance is required to achieve standing under the UCL, FAL, and CLRA. See Cal. Bus. & Prof. Code §§ 17204 (UCL), 17535 (FAL); Cal. Civ. Code. § 1780(a) (CLRA); In re Tobacco II Cases, 46 Cal. 4th 298, 328 (2009). Reliance is alleged where the “misrepresentation or nondisclosure was ‘an immediate cause’ of the plaintiff’s injury-producing conduct,” such as where “the plaintiff ‘in all reasonable probability’ would not have engaged in [that] conduct” in the absence of the fraud. Id. at 326 (quoting Mirkin v. Wasserman, 5 Cal. 4th 1082, 1110-11 (1993) (Kennard, J., concurring in part and dissenting in part)). “[A] presumption, or at least an inference, of reliance arises where there is a showing that a misrepresentation was material.” Id. at 327. Materiality is sufficiently alleged, as discussed above.

Symantec argues, however, that Beyer’s vague allegations of reliance fall short under Rule 9(b) because he fails to allege he actually read or relied on any representation. See Mot. at 18. It is true that Beyer only alleges that he “reviewed the product page” for the Second Software and does not explicitly allege that he saw the statement that the software was “industry leading.” Compl. ¶ 21. Nevertheless, it is reasonable to infer for purposes of the motion to dismiss from the fact that he reviewed the product page that he saw the “industry leading” statement on the page.3

2 This conclusion is without prejudice to future motions, e.g., for summary judgment or adjudication which take into account the factual record of, inter alia, the frequency of harm suffered as a result of the defects.

3 Again, this ruling is without prejudice to any future motions or adjudication should the factual record establish Plaintiff cannot meet his burden of proving, e.g., that he saw and read the product statement.

3. Knowledge of the Purported Defects at the Time of Sale

Symantec also argues that Beyer fails to sufficiently allege that it knew of the Defects at the time of sale. As an initial matter, Symantec fails to note differences amongst the three statutes as to the knowledge requirement. Knowledge of an undisclosed defect is required for a claim of misrepresentation to lie under the CLRA. See Coleman-Anacleto v. Samsung Elecs. Am., Inc., No. 16-cv-2941-LHK, 2017 WL 86033 (N.D. Cal. Jan. 10, 2017) (citing Wilson v. Hewlett-Packard Co., 668 F.3d 1136, 1145 (9th Cir. 2012)). A claim under the FAL requires that the defendant have known or reasonably should have known that the statement in question was misleading. See Cal. Bus. & Prof. Code § 17500. However, knowledge is not required under the UCL’s fraudulent prong. See In re Tobacco II Cases, 46 Cal. 4th at 312 (holding that a claim under the UCL’s fraudulent prong, in order to fulfil its purpose of protecting the public, does not require that the deception be “known to be false to the perpetrator” (quoting Day v. AT&T Corp., 63 Cal. App. 4th 325, 332 (1998))). The UCL claim therefore survives irrespective of knowledge of falsity.

As for the other claims, Symantec argues that the complaint does not allege that it knew of the defects. It points out that the earliest specific allegation of knowledge is when Project Zero revealed the defects in 2016, seven years after Beyer’s 2009 purchase of the Second Software. The allegations that it knew of the defects at the time of sale, Symantec argues, are conclusory. Symantec singles out ¶ 40 of the complaint, which alleges:

As the proprietary owner and licensor of the Affected Products, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its AntiVirus Decomposer Engine suffered from extremely serious defects, i.e., the High Privilege Defect and the Outdated Source Code Defect. Furthermore, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its security practices diverged significantly from its own best practices recommendations.

Beyer’s Opposition merely parrots this paragraph. See Docket No. 22 (“Opp.”) at 16. Despite this, the complaint sufficiently alleges knowledge, because it alleges that Symantec designed and produced the software in question. It plausibly follows from this fact that Symantec knew how the Second Software functioned, including that the software unpacked potentially malicious files in a high-privilege environment. It also plausibly follows that Symantec knew it had used third-party code and knew it did not patch that code when updates were released by the third parties. Furthermore, as early as 2007, Symantec published best-practice guidelines advising readers to the principle of least privilege and to keep third-party code updated. See Compl. ¶ 21. Together, this suffices to establish knowledge, which need only be plead generally. See Fed. R. Civ. P. 9(b) (“Malice, intent, knowledge, and other conditions of a person’s mind may be plead generally.”). But the allegations suffice at the pleading stage. The CLRA and FAL claims therefore survive.

In sum, the Court DISMISSES without prejudice Beyer’s fraud claims as to the Third Software. The motion is otherwise DENIED.

4. Song-Beverly Act Claim

Under the Song-Beverly Act, “every sale of consumer goods that are sold at retail in this state shall be accompanied by the manufacturer’s and retail seller’s implied warranty that the goods are merchantable,” unless such warranty is properly disclaimed. Cal. Civ. Code § 1792. Consumer goods are those that are “primarily for personal, family, or household purposes, except for clothing and consumables.” Id. § 1791(a). The warranty means that the goods:

(1) Pass without objection in the trade under the contract description.
(2) Are fit for the ordinary purposes for which such goods are used.
(3) Are adequately contained, packaged, and labeled.
(4) Conform to the promises or affirmations of fact made on the container or label.

Id. § 1791.1(a). Beyer alleges that Symantec’s Second Software violated each of these four warranties. Compl. ¶ 72; see Opp. at 21.

Symantec argues that the Song-Beverly claim fails because Beyer failed to allege that the Second Software was “sold at retail in this state.” It notes that Beyer is a resident of Michigan and that Beyer alleges only that he “purchased an upgrade to Norton 360 Premier, v. 2.0.” Compl. ¶ 21. Beyer responds that the Second Software’s end user license agreement selects California law in its choice of law provision. See id. ¶ 11. And under California law, title passes at the time and place that “the seller completes his performance with reference to the physical delivery of the goods.” Cal. Comm. Code § 2401(2). Where the contract does not require the seller to deliver the goods to the buyer, “title passes to the buyer at the time and place of shipment.” Id. § 2401(2)(a). Beyer states in his brief that he bought the Second Software on Symantec’s website, and that Symantec “shipped” the product to him from California by electronic delivery, so that title passed—and thus was “sold at retail”—in California. However, as Symantec correctly points out, these facts are missing from Beyer’s complaint. Neither does he allege that the product was electronically delivered to him from California.4 The Song-Beverly claim is therefore DISMISSED with leave to amend.

5. UCL Claim

Apart from the fraudulent and unlawful prongs of the UCL, Beyer also asserts claims under the unfair prong:

90. Defendant’s actions as alleged in this Complaint constitute an “unfair” practice, because they offend established public policy and are immoral, unethical, oppressive, unscrupulous, and substantially injurious to Defendant’s customers. The harm caused by Defendant’s wrongful conduct outweighs any utility of such conduct and has caused substantial injury to Plaintiff and the Nationwide Class. Defendant could and should have chosen one of many reasonably available alternatives, including not selling antivirus products that contained fundamental defects with the core engine, disclosing the defects to prospective purchasers, and/or not representing that its products were suitable for ordinary consumer or business use. Additionally, Defendant’s conduct was “unfair,” because it violated the legislatively declared policies reflected by California’s strong consumer protection and false advertising laws, including the CLRA, CAL. CIV. CODE §§ 1750 et seq. and the FAL, CAL. BUS. & PROF. CODE §§ 17500 et seq.

See Compl. ¶ 90.

As an initial matter, the Court agrees with Symantec that the “unfair” claim relies on the same factual allegations as those underlying the “unlawful” and “fraudulent” claims, meaning it sounds in fraud and Rule 9(b) applies. See Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009). Because the allegations regarding the Third Software are lacking under Rule 9(b) as discussed above, those claims under the unfairness prong are DISMISSED without prejudice. However, the allegations regarding the Second Software are sufficient in this regard.5

4 Symantec also argues that the cases Beyer cites are inapposite because they pertain to conventional purchases not conducted online. See Docket No. 24 (Reply) at 11. However, California case law supports Beyer’s position that § 2401(2)(a) applies to online purchases. See Cal. State Elecs. Ass’n v. Zeos Int’l Ltd., 41 Cal. App. 4th 1270, 1275-77 (1996); see also In re Seagate Tech. LLC Litig., No. 16-cv-0523-JCS, 2017 WL 3670779, at *16 (N.D. Cal. Aug. 25, 2017).

Symantec also argues that Beyer’s unfairness claim fails the applicable substantive standard. Since Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163 (1999), the California Court of Appeal has been split on the appropriate standard to apply in a consumer action under the unfair prong of the UCL. In Graham v. Bank of America, N.A., 226 Cal. App. 4th 594 (2014), the court described the three lines of cases on the issue post-Cel-Tech. While Graham endorsed a line of cases with a “more rigorous test” under which “a plaintiff . . . must show the ‘defendant’s conduct is tethered to an[] underlying constitutional, statutory, or regulatory provision, or that it threatens an incipient violation of an antitrust law, or violates the policy or spirit of an antitrust law.’” Id. at 613 (quoting Wilson v. Hynek, 207 Cal. App. 4th 999, 1008 (2012)), it acknowledged other courts have applied a broader balancing test of unfairness, e.g. weighing the utility of the defendant’s conduct against the gravity of the harm to the victim. Id. at 612-613.

Under either test, the complaint survives. Under the more rigorous test, Beyer has sufficiently identified a California public policy against misleading marketing statements, as embodied in the CLRA, FAL, and the UCL’s fraudulent prong. Because Symantec’s statements regarding the Second Software, as alleged, contravene this public policy, Beyer has made out a claim as to that product. Cf. In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1116, 1117 (N.D. Cal. 2015).

6. Quasi-Contract/Unjust Enrichment Claim

That leaves Beyer’s claim for unjust enrichment. California courts have stated that courts may construe an unjust enrichment claim “as a quasi-contract claim seeking restitution.” Rutherford Holdings, LLC v. Plaza Del Rey, 223 Cal. App. 4th 221, 231 (2014). “The doctrine (of unjust enrichment) applies where plaintiffs, while having no enforceable contract, nonetheless have conferred a benefit on defendant which defendant has knowingly accepted under circumstances that make it inequitable for the defendant to retain the benefit without paying for its value.” Hernandez v. Lopez, 180 Cal. App. 4th 932, 938 (2009). Symantec’s only argument against the unjust enrichment claim is that it fails because Beyer’s other claims fail. Because Beyer’s other claims do survive as to the Second Software, the unjust enrichment claim also survives as to that software. The motion is DENIED to that extent. But because the claims as to the Third Software do not survive for lack of specificity under Rule 9(b), the unjust enrichment claim is DISMISSED without prejudice as to the Third Software.

5 Symantec also argues that the unfairness claim should fail, because its factual basis overlaps entirely with the fraudulent and unlawful claims, which fail. Because the fraudulent and unlawful claims survive, this argument is inapposite.

IV. CONCLUSION

For the foregoing reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.

This order disposes of Docket No. 17.

IT IS SO ORDERED.

Dated: September 21, 2018

______________________________________
EDWARD M. CHEN
United States District Judge