Beyer v. Symantec Corporation
Filing 71
ORDER by Judge Edward M. Chen Granting 61 Defendant's Motion to Dismiss Plaintiffs' First Amended Complaint. (emcsec, COURT STAFF) (Filed on 2/26/2019)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
MONTGOMERY BEYER, et al., Plaintiffs,
v.
SYMANTEC CORPORATION, Defendant.
Case No. 18-cv-02006-EMC
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS PLAINTIFFS’ FIRST AMENDED COMPLAINT
Docket No. 61
Plaintiffs Montgomery Beyer and Linda Cheslow (“Plaintiffs”) bring this putative class action alleging that certain network security software products sold by Defendant Symantec Corporation (“Symantec”) contained critical defects. The original complaint asserted five causes of action: (i) a California Consumer Legal Remedies Act (“CLRA”) claim, (ii) a California Song-Beverly Consumer Warranty Act (“SBA”) claim, (iii) a California False Advertising Law (“FAL”) claim, (iv) a California Unfair Competition Law (“UCL”) claim, and (v) a claim for “Quasi-Contract/Unjust Enrichment.” In May 2018, Symantec moved to dismiss the original complaint. Docket No. 17. The Court granted in part and denied in part the motion. Docket No. 39. Plaintiffs then filed the operative First Amended Complaint (“FAC”) on November 26, 2018. Docket No. 52. Symantec has again moved to dismiss all of Plaintiffs’ claims. Docket No. 61 (“Mot.”).
For the reasons discussed below, the Court finds that Plaintiffs’ allegations fail to establish
standing and GRANTS the motion to dismiss.
I. FACTUAL AND PROCEDURAL BACKGROUND
The Court’s Order on Symantec’s first motion to dismiss laid out the factual background of this case, which is briefly summarized here. Symantec produces and sells network security software to consumers under the Norton brand (“Norton Products”) and to businesses under the Symantec brand (“Enterprise Products,” and together with the Norton Products, the “Affected Products”). Docket No. 39 at 1. On April 28, 2016, a Google cybersecurity team notified Symantec of alleged vulnerabilities in the AntiVirus Decomposer Engine, a key component in the Affected Products. Id. at 2. In particular, the Google team discovered that the AntiVirus Decomposer Engine was defectively designed to have unrestricted access to and writing permissions for the computer’s files, opening the operating system up to corruption (“High Privilege Defect”). Id. at 2–3. The High Privilege Defect allegedly violates the cybersecurity best practice of “the principle of least privilege,” which dictates that software should operate using the least amount of privilege necessary to complete its task. Id. at 3. Additionally, the AntiVirus Decomposer Engine contains third party open source code that Symantec failed to update for at least seven years, resulting in critical vulnerabilities (“Outdated Source Code Defect”). Id.
Montgomery Beyer was the only named plaintiff in the original complaint. The FAC adds Linda Cheslow as a second named plaintiff. FAC ¶ 11. Beyer alleges he purchased five Norton Products containing the above defects. See id. ¶¶ 21–24. He seeks recovery for the second and third purchases only. See id. ¶ 21 n.12, ¶ 24 n.21. Beyer made his second purchase in March 2009, when he bought Norton 360 Premier, v. 2.0 (“Beyer Second Software”) from Symantec’s website. Id. ¶ 22. The same year, he purchased another Norton 360 Premier, v. 2.0 subscription from Best Buy (“Beyer Third Software”). Id. ¶ 23. Cheslow alleges she purchased two Norton Products containing the defects, and seeks recovery for both. She made her first purchase in June 2009, when she bought Norton Internet Security (“Cheslow First Software”) from Symantec’s website. Id. ¶ 25. She made her second purchase, of Norton 350 Premier, v. 4.0, in December 2010, also from Symantec’s website. Id. ¶ 26.
Symantec and the Google team reported the Affected Products’ vulnerabilities to the public on June 28, 2016, and simultaneously issued a security advisory describing software patches Symantec was deploying to resolve the vulnerabilities. FAC ¶ 4.
Symantec’s first motion to dismiss contended that Beyer’s original complaint failed to establish Article III standing as to the Enterprise Products under Federal Rule of Civil Procedure 12(b)(1), failed to plead the facts and circumstances of Symantec’s alleged fraud regarding its software defects with the particularity required by Federal Rule of Civil Procedure 9(b), and failed to state a claim under Federal Rule of Civil Procedure 12(b)(6). See Docket No. 17. The Court held that Beyer had “alleged sufficient similarity between the enterprise and consumer products” to establish standing for claims based on defects in the Enterprise Products, even though he had never purchased an Enterprise Product himself. Docket No. 39 at 6. The Court dismissed claims regarding Beyer’s Third Software purchase without prejudice because they were based on alleged misrepresentations on Best Buy’s website, rather than statements attributable to Symantec. Id. at 8. The claims regarding the Beyer Second Software, on the other hand, were allowed to proceed because Symantec’s statement that the software is “industry leading” may have been actionable non-puffery, and omitted mention of defects that Symantec had a duty to disclose. Id. at 11–15. The Court further held that Beyer had adequately alleged reliance on Symantec’s misrepresentations and Symantec’s knowledge of the defects at the time of sale under Rule 9(b). Id. at 15–17. Finally, the Court dismissed Beyer’s SBA claim without prejudice because he failed to allege that the Beyer Second Software was sold at retail in California. Id. at 18.
The instant motion seeks dismissal of the FAC on six grounds, different from those raised in the first motion to dismiss. In particular:
(1) Plaintiffs lack Article III standing to bring any of their claims because they have not suffered a concrete and actual injury as a result of the alleged software vulnerabilities;
(2) Plaintiffs’ CLRA, FAL, and UCL claims fail to plead with the particularity required by Rule 9(b) any actionable, non-puffing Symantec misrepresentation upon which Plaintiffs relied;
(3) the alleged vulnerabilities were not physical defects that were central to the functioning of the Affected Products, and therefore did not give rise to a duty to disclose the vulnerabilities;
(4) Plaintiffs have not alleged in their SBA claim that the Affected Products were unmerchantable, or that they purchased the software in California;
(5) Plaintiffs’ UCL claims fail because they cannot establish any fraudulent, unlawful, or unfair conduct on the part of Symantec; and
(6) Plaintiffs’ unjust enrichment claim is duplicative of and falls with their other claims. See Mot. at 1–2.
II. DISCUSSION
The Court begins by addressing the “jurisdictional question of standing,” which “precedes . . . analysis of the merits.” Equity Lifestyle Props., Inc. v. Cnty. of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008). To satisfy Article III’s standing requirement, a plaintiff must demonstrate that he or she has suffered an injury in fact, that the injury is traceable to the defendant’s conduct, and that the injury can be redressed by a favorable decision. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992). The party asserting federal jurisdiction bears the burden of establishing these requirements at every stage of the litigation. Id. at 561. The dispute here concerns whether Plaintiffs have established injury in fact, which requires a showing that they suffered an invasion of a legally protected interest that is concrete, particularized, and actual or imminent, not merely conjectural or hypothetical. Id. at 560.
Based on the allegations in the FAC, Plaintiffs invoke two theories of injury. The first is the overpayment theory, whereby “a consumer alleges that he or she would not have purchased [the product], or would have paid less for it, had the seller not misrepresented the [product] or failed to disclose its limitations.” In re Chrysler-Dodge-Jeep Ecodiesel Mktg., Sales Practices, & Prod. Liab. Litig., 295 F. Supp. 3d 927, 945 (N.D. Cal. 2018) (hereinafter Ecodiesel) (citing Hinojos v. Kohl’s Corp., 718 F.3d 1098 (9th Cir. 2013)). The second is a theory of actual harm—for example, that the alleged defects in the Affected Products caused Plaintiffs’ computer systems to be infiltrated—or, absent actual harm, a “threatened injury [that is] certainly impending.” Whitmore v. Arkansas, 495 U.S. 149, 158 (1990).
A. Injury in Fact Based on Overpayment
Plaintiffs in their pleadings and briefing rely on the overpayment theory. They assert that “but for Symantec’s material misrepresentations and omissions, which obscured critical limitations in Symantec’s software, Plaintiffs would not have purchased a single Norton Product or would have paid substantially less.” Docket No. 63 (“Opp.”) at 7. Symantec argues such an assertion on its own is not enough, because the alleged vulnerabilities in the Affected Products have not caused any malfunctioning in their computer systems. Indeed, not only have the named Plaintiffs failed to allege any actual hacking or other harm; Plaintiffs fail to allege any instance of such harm has occurred to any user. Mot. at 8. According to Symantec, standing cannot be supported by a conclusory allegation of overpayment. See id. at 9.
The most recent and salient authority on this point is Cahen v. Toyota Motor Corp., 147 F. Supp. 3d 955 (N.D. Cal. 2015). In Cahen, the plaintiffs alleged that the defendant motor companies equipped their vehicles with computer technology that is susceptible to third-party hacking. Id. at 958. But they did “not allege that any of their vehicles have actually been hacked, or that they are aware of any vehicles that have been hacked.” Id. at 959. They pleaded the same overpayment theory of injury as Plaintiffs here, asserting that “they would not have purchased their [vehicles] or would not have paid as much as they did to purchase them” had they known that the defendants were misrepresenting the security of the technology. Id. at 966 (alteration in original). The district court ruled that the plaintiffs failed to establish standing, because the “entire threat [alleged] rests on the speculative premise that a sophisticated third party cybercriminal may one day successfully hack one of plaintiffs’ vehicles.” Id. This “theory of future injury [was] too speculative to satisfy the well-established requirement that threatened injury must be ‘certainly impending,’” id. (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 401 (2013)) (emphasis and alteration in original), and failed to identify a risk of harm that was “concrete and particularized as to [the plaintiffs],” id. at 967 (quoting Birdsong v. Apple, Inc., 590 F.3d 955, 960 (9th Cir. 2009)). The court concluded that “[w]hen economic loss is predicated solely on how a product functions, and the product has not malfunctioned, . . . something more is required than simply alleging an overpayment for a ‘defective’ product.” Id. at 970 (quoting In re Toyota Motor Corp. Unintended Acceleration Litig., 790 F. Supp. 2d 1152, 1166 n.11 (C.D. Cal. 2011)).
The Ninth Circuit agreed and affirmed in an unpublished order. Cahen v. Toyota Motor Corp., 717 F. App’x 720 (9th Cir. 2017). It reiterated that the alleged risks arising from the alleged vulnerability were “speculative,” and had never manifested. Id. at 723. The plaintiffs did not, “for example, allege[] a demonstrable effect on the market for their specific vehicles based on documented recalls or declining Kelley Bluebook values,” nor “allege[] a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” Id. Accordingly, they “failed to sufficiently allege an injury due to overpaying for their vehicles.” Id.
Although the Ninth Circuit’s decision in Cahen is unpublished and non-precedential, the facts closely parallel those here, and the Court finds the analysis persuasive. The alleged product defect in this case is a software vulnerability that, in theory, is susceptible to infiltration and infection. But Plaintiffs have not “allege[d] that any of their [computers] have actually been hacked, or that they are aware of any [computers] that have been hacked” as a result of the vulnerability. Cahen, 147 F. Supp. 3d at 959. The best they can muster is two examples of computer problems: Beyer’s “computer failed to restart” after he installed the Beyer Fifth Software and there was a subsequent “considerable slowdown of his operating system.” FAC ¶ 24. Unspecified “users of the Affected Products” reported on Symantec’s online forums “a host of problems with their computer systems,” including “severe slowdowns and degradation of computer performance, rootkits, and other types of infections related to malware and viruses,” id. ¶ 39. Plaintiffs fail to allege a harm any more concrete than in Cahen. Beyer has explicitly stated that he is not pursuing a claim based on the Beyer Fifth Software, for which he received a full refund. See id. ¶ 24 & n.21. Nor does he link the performance problems with his computer with the Beyer Second Software or Third Software, which are the basis of his claims. And Named Plaintiffs do not suggest that they themselves experienced any of the problems reported on Symantec’s forums, or that the reported problems have any causal connection with the High Privilege or Outdated Source Code Defects they complain of. See Pirozzi v. Apple Inc., 913 F. Supp. 2d 840, 846 (N.D. Cal. 2012) (“In the class action context, the named plaintiff must show that she personally has suffered an injury, not just that other members of the putative class suffered the injury.”) (citing Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003)). Nor is there any evidence that the design defects alleged in this suit caused the problems reported in the online forum.
In the absence of a product malfunction, all that Plaintiffs can offer is what was found inadequate in Cahen—a bare assertion that they overpaid for the Affected Products. But they do not allege that disclosure of the alleged defects had “a demonstrable effect on the market” for the Affected Products, or that the vulnerabilities were such that “they were forced to replace or discontinue using their [software].” Cahen, 717 F. App’x at 723. If anything, Plaintiffs’ case here is even more tenuous. The Cahen plaintiffs could at least point to the fact that the vulnerabilities in their vehicles had not yet been remedied, such that it was “‘just a question of when’ until hackers start infiltrating” the vehicles. 147 F. Supp. 3d at 967. In contrast, Plaintiffs’ claims here rest on a purported past risk of harm that has never been alleged to manifest and presumably never will, given that the vulnerabilities were patched in 2016–17 and Plaintiffs had stopped using the software long before that. “[A]n economic injury that rests on the risk presented by an underlying product defect fails to establish injury in fact if the underlying risk is itself speculative.” Id. at 970. The risks Plaintiffs cite have never materialized. Thus, Plaintiffs’ “economic loss theory is not credible, as the allegations that the [Affected Products] are worth less are conclusory and unsupported by any facts.” Cahen, 717 F. App’x at 724.
Plaintiffs argue that the “something more” requirement does not apply to them, because they are not relying on a “market effect” theory of economic loss, i.e., the theory that the alleged product defect caused the market value of the product to fall. Opp. at 9. For this proposition, Plaintiffs cite In re LinkedIn User Privacy Litigation, No. 5:12-CV-03088-EJD, 2014 WL 1323713 (N.D. Cal. Mar. 28, 2014), which suggested that the “something more” requirement is limited to “those plaintiffs who [are] seeking to establish an economic loss based on a ‘market effect’ theory.” Id. at *5. But no other case reads such a limitation into the doctrine, and Plaintiffs’ reliance on LinkedIn is undermined by the subsequent decision in Cahen, where the court found that the plaintiffs failed to establish standing on either an overpayment or a market effect theory of economic loss. See Cahen, 147 F. Supp. 3d at 966–68, 970.[FN1]
[FN1] Plaintiffs also argue that they would not be able to invoke the market effect theory even if they wanted to, because “there is no comparable resale market that would have provided a basis for measuring a loss in market value” of their antivirus software. Opp. at 10. They point to In re Volkswagen “Clean Diesel” Mktg., Sales Practices, & Prod. Liab. Litig., No. MDL 2672 CRB (JSC), 2018 WL 4777134 (N.D. Cal. Oct. 3, 2018), where the court remarked that plaintiffs who leased cars that the defendants equipped with emissions cheating software could not have resold cars they never owned, and concluded that it was “plausible that these Plaintiffs were injured when they paid money to lease vehicles that they otherwise would not have leased but for VW’s emissions fraud.” Id. at *11. But Volkswagen Clean Diesel is inapposite because there the defect actually manifested—the vehicles with the cheating software emitted pollutants “at levels up to 40 times the legal limit from the moment they were put in use.” Id. at *4.
The other overpayment cases Plaintiffs cite only underscore the deficiencies in their own complaint. Pirozzi v. Apple Inc., 913 F. Supp. 2d 840 (N.D. Cal. 2012) involved allegations that Apple’s online App Store contained security flaws that allowed third-party software applications to upload user information from their mobile devices without permission. Id. at 844. The court held that the plaintiff did not have standing, because she did “not allege[] that a third-party App developer actually misappropriated her personal information, only that her personal information is at a greater risk of being misappropriated.” Id. at 847. In Papasan v. Dometic Corp., No. 16-CV-02117-HSG, 2017 WL 4865602 (N.D. Cal. Oct. 27, 2017), the plaintiff alleged that the defendant sold refrigerators with a “structural flaw” which “create[d] an unreasonable risk of fire and explosion,” but the plaintiff had used her own refrigerator “without any apparent problem.” Id. at *1, *6. The court dismissed her claim for lack of standing, finding that she had failed to show “she suffered tangible losses—economic, functional, or otherwise—from having purchased an allegedly defective Dometic refrigerator.” Id. at *6.
In the two cases which found standing, the defendants’ alleged misconduct caused actual, tangible harm. See Ecodiesel, 295 F. Supp. 3d at 950 (distinguishing Cahen because the “defeat devices” installed in defendants’ vehicles to control emissions concealed that emissions were in fact well over the legal limit); Maya v. Centex Corp., 658 F.3d 1060, 1069 (9th Cir. 2011) (finding standing where defendants’ allegedly deceptive scheme for selling homes resulted in foreclosures in plaintiffs’ neighborhoods and declines in the value of their homes). Ecodiesel and Maya are thus distinguishable.
In sum, Plaintiffs have not established standing based on an overpayment theory of injury.
B. Injury in Fact Based on Actual or Imminent Harm
Plaintiffs do not expressly invoke a theory of standing based on actual or future harm, but the Court addresses this issue briefly for the sake of completeness. As discussed above, Plaintiffs have not adequately alleged actual harm from the defects in their software; the performance issues arising from the Beyer Fifth Software and the vague complaints on Symantec’s online forums have not been shown to be caused by the High Privilege and Outdated Source Code Defects in the software versions for which Named Plaintiffs seek recovery. But the absence of actual harm is not dispositive, because an injury supporting Article III standing can be “actual or imminent.” Clapper, 568 U.S. at 409 (emphasis added) (citation omitted).
For instance, in a line of cases that is in many ways analogous to software vulnerability cases, the Ninth Circuit has held that plaintiffs whose personal information has been compromised in data breaches can establish standing without showing that their information was in fact misused. However, in these cases, the plaintiffs must allege a “credible threat” of future harm arising from the data breach that is “real and immediate.” Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). In other words, “[a]lthough imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative.” Lujan, 504 U.S. at 565 n.2 (internal quotation marks omitted). Thus, for example, courts have found standing in data breach cases, even though the plaintiffs’ personal information had not yet been misused by the hackers, where the hackers spent several weeks collecting particularly sensitive personal data, and the stolen data had already surfaced on the dark web. In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1214–15 (N.D. Cal. 2014). These two considerations indicated that the threat of identity theft was credible, rather than merely speculative.
Such indicia are absent here. Instead, this case is similar to Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078 (E.D. Cal. 2015), a data breach case in which there were no allegations of actual misuse of the stolen data, even though “almost four years has elapsed since the Data Breach.” Id. at 1087–88. Because years had passed since the breach without any evidence that the data had been misused, the court concluded that the plaintiff had not demonstrated “a substantial risk of imminent future harm of identity theft.” Id. at 1088. The same conclusion obtains here. The alleged defects in the Affected Products were revealed in 2016, but despite the fact that the defect here existed since 2005, see FAC ¶ 1, Plaintiffs have not cited a single example of computer malfunction causally connected to the defect. The Named Plaintiffs also stopped using the Affected Products years ago.[FN2] Accordingly, they have not “alleged a credible threat of real and immediate harm stemming from the [alleged defects].” Krottner, 628 F.3d at 1143.
[FN2] Plaintiffs thus have no standing to seek injunctive relief. See City of Los Angeles v. Lyons, 461 U.S. 95, 106 (1983).
As Plaintiffs have failed to establish the jurisdictional requirement of Article III standing, their claims must be dismissed, and the Court need not reach Symantec’s remaining arguments for dismissal. The Court, however, will allow Plaintiffs one more opportunity to amend their complaint. Plaintiffs’ counsel stated at the February 14, 2019 hearing that with further investigation, they may be able to allege that the computer malfunctions Beyer experienced after installing the Beyer Fifth Software, as well as the performance issues reported on Symantec’s online forums, are attributable to the High Privilege and Outdated Source Code Defects. While the Court cannot say at this point whether such allegations will be enough to establish standing as to the Named Plaintiffs, “leave to amend shall be freely given when justice so requires,” and amendment would not clearly be futile. See Fed. R. Civ. P. 15(a). To that end, the parties represented at the hearing that they could engage in limited and focused discovery: Plaintiffs will be given: (1) documents in Symantec’s possession pertaining to known or suspected incidents of third-party hacking or exploitation arising from the alleged defects, and (2) relevant source code that would allow Plaintiffs to determine whether there is a causal link between the alleged defects and reported malfunctions. Such discovery shall be produced within thirty (30) days of this order. Plaintiffs shall have sixty (60) days from the order to file a Second Amended Complaint, provided it can do so consistent with Rule 11.
III. CONCLUSION
For the foregoing reasons, Symantec’s motion to dismiss is GRANTED with respect to all claims. Plaintiffs shall have leave to amend their complaint within sixty (60) days.
This order disposes of Docket No. 61.
IT IS SO ORDERED.
Dated: February 26, 2019
______________________________________
EDWARD M. CHEN
United States District Judge