In re San Francisco 49ers Data Breach Litigation
Filing
58
ORDER RE DISMISSAL. Signed by Judge James Donato on 8/15/2024. (jdlc3, COURT STAFF) (Filed on 8/15/2024)
<![CDATA[
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
IN RE SAN FRANCISCO 49ERS DATA
BREACH LITIGATION.
8
Case No. 3:22-cv-05138-JD
ORDER RE DISMISSAL
9
10
United States District Court
Northern District of California
11
12
Plaintiffs in this consolidated action say that their personally identifiable information (PII)
13
was hacked in a data breach of defendant San Francisco 49ers’ computer systems in February
14
2022. Dkt. No. 28 (consolidated amended complaint). They allege claims for negligence, breach
15
of implied contract, and violations of the California Consumer Records Act, Cal. Civ. Code §
16
1798.80 et seq. (CRA), Unfair Competition Law, Cal. Bus. Code § 17200 et seq. (UCL),
17
California Consumer Privacy Act, Cal. Civ. Code § 1798.150 (CCPA), and the Georgia Uniform
18
Deceptive Trade Practices Act, Ga. Code Ann. § 10-1-370 et seq. (Georgia UDTPA). The 49ers
19
ask to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Dkt. No. 42.
20
The parties’ familiarity with the record is assumed. Overall, most of the claims are just
21
plausible enough to warrant a fully developed record for determination on summary judgment.
22
Negligence per se is dismissed with prejudice as a freestanding claim, and the Georgia UDTPA
23
claim is dismissed with leave to amend.
24
25
LEGAL STANDARDS
Under Rule 12(b)(1), dismissal is appropriate if the Court lacks subject matter jurisdiction.
26
Fed. R. Civ. P. 12(b)(1). Federal courts are courts of limited jurisdiction, and the “case or
27
controversy” requirement of Article III of the U.S. Constitution “limits federal courts’ subject
28
matter jurisdiction by requiring, inter alia, that plaintiffs have standing.” Chandler v. State Farm
1
Mut. Auto. Ins., 598 F.3d 1115, 1121 (9th Cir. 2010); see also Maystrenko v. Wells Fargo, N.A.,
2
No. 21-CV-00133-JD, 2021 WL 5232221, at *2 (N.D. Cal. Nov. 10, 2021). “[A] plaintiff must
3
demonstrate standing to sue by alleging the ‘irreducible constitutional minimum’ of (1) an ‘injury
4
in fact’ (2) that is ‘fairly traceable to the challenged conduct of the defendants’ and (3) ‘likely to
5
be redressed by a favorable judicial decision.’” Patel v. Facebook Inc., 290 F. Supp. 3d 948, 952
6
(N.D. Cal. 2018) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). The “specific
7
element of injury in fact is satisfied when the plaintiff has suffered an invasion of a legally
8
protected interest that is concrete and particularized and actual or imminent, not conjectural or
9
hypothetical.” Id. (internal quotations and citations omitted).
“A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the
United States District Court
Northern District of California
10
11
challenger asserts that the allegations contained in a complaint are insufficient on their face to
12
invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the
13
allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air for
14
Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (citations omitted); see also Patel, 290 F.
15
Supp. 3d at 951-52. The 49ers’ attack on plaintiffs’ standing is facial, and the truth of the
16
allegations in the complaint will be assumed.
For Rule 12(b)(6) motion to dismiss, a plaintiff must allege “enough facts to state a claim
17
18
to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). This
19
calls for enough “factual content that allows the court to draw the reasonable inference that the
20
defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)
21
(citing Twombly, 550 U.S. at 556). The plausibility analysis is “context-specific” and not only
22
invites, but “requires the reviewing court to draw on its judicial experience and common sense.”
23
Id. at 679.
DISCUSSION
24
25
26
I.
STANDING
Plaintiffs have alleged a concrete and individualized injury sufficient to confer standing to
27
sue under Article III. Plaintiffs say that hackers obtained their Social Security numbers and
28
similar personal information, and that they have incurred “out-of-pocket expenses associated with
2
1
the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of
2
their PII.” Dkt. No. 28 ¶ 11; see also ¶¶ 40, 51. This is enough to establish standing. See
3
TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021); Jones v. Ford Motor Co., 85 F.4th 570,
4
574 (9th Cir. 2023) (per curiam); In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018).
Plaintiffs have also adequately alleged that their injuries are fairly traceable to the actions
5
6
of the 49ers. The theory of the complaint is that the 49ers did not encrypt or otherwise protect
7
plaintiffs’ PII with reasonable security protocols. See Dkt. No. 28 ¶¶ 9, 22. This is a sufficiently
8
clear causal chain to allege traceability. See Brill v. Chevron Corp., No. 15-CV-04916-JD, 2017
9
WL 76894, at *3 (N.D. Cal. Jan. 9, 2017).
10
United States District Court
Northern District of California
11
II.
NEGLIGENCE
For negligence, a plaintiff must plausibly allege: (1) the defendant had a duty, or an
12
“obligation to conform to a certain standard of conduct for the protection of others against
13
unreasonable risks,” (2) the defendant breached that duty, (3) that breach proximately caused the
14
plaintiff’s injuries, and (4) damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009)
15
(quoting McGarry v. Sax, 158 Cal. App. 4th 983 (2008)).
16
For present purposes, plaintiffs have alleged enough to state a negligence claim. “The
17
general rule in California is that everyone is responsible for an injury occasioned to another by his
18
or her want of ordinary care or skill in the management of his or her property or person. In other
19
words, each person has a duty to use ordinary care and is liable for injuries caused by his failure to
20
exercise reasonable care in the circumstances.” Cabral v. Ralphs Grocery Co., 51 Cal. 4th 764,
21
771 (2011) (simplified); see also Cal. Civ. Code § 1714 (“Everyone is responsible, not only for the
22
result of his or her willful acts, but also for an injury occasioned to another by his or her want of
23
ordinary care or skill in the management of his or her property or person.”). As noted, plaintiffs
24
say that the 49ers obtained and stored their PII without implementing reasonable safeguards
25
against hacking and unauthorized access, and that they have incurred actual costs in following up
26
on the hacking. Plaintiffs also say they have already incurred, and will continue to incur,
27
monitoring costs. That is enough for pleading purposes to go forward, without prejudice to a
28
determination of duty, damages, and causation on a fully developed record at summary judgment.
3
The Court defers the question of whether the economic loss rule might apply to foreclose
1
2
the negligence claim. The 49ers contend that the amended complaint alleges purely economic
3
losses untethered to personal injury or a special relationship, and so recovery in tort is unavailable.
4
Dkt. No. 42 at 10-11; see Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004).
5
The rule serves to “limit liability in commercial activities that negligently or inadvertently go
6
awry.” Robinson Helicopter, 34 Cal. 4th at 991 n.7. It is true that plaintiffs feature their out-of-
7
pocket losses in the amended complaint, but they also mention noneconomic injuries, albeit not
8
with crystal clarity. See, e.g., Dkt. No. 28 ¶¶ 63-70. Consequently, this question is better resolved
9
on a fully developed record later in the litigation.
With plaintiffs’ agreement, Dkt. No. 49 at 12, the negligence per se claim is dismissed as a
United States District Court
Northern District of California
10
11
freestanding claim.
12
III.
UCL
The UCL claim was not handled well by either side. The 49ers made a two-paragraph
13
14
argument for dismissal, and plaintiffs responded in kind with a series of cursory and rather
15
disjointed comments. The 49ers also raised for the first time in a reply brief the contention that
16
plaintiff Donelson cannot bring a UCL claim because the relevant conduct occurred outside of
17
California. That was not an appropriate tactic.
The Court declines to take up the UCL claim on this anemic record. The 49ers may
18
19
challenge it on summary judgment.
20
IV.
21
BREACH OF IMPLIED CONTRACT
“An implied contract is one, the existence and terms of which are manifested by conduct.”
22
Cal. Civ. Code § 1621. For this claim, plaintiffs must allege: “(1) the contract, (2) plaintiff’s
23
performance or excuse for nonperformance, (3) defendant’s breach, and (4) the resulting damages
24
to plaintiff.” Reichert v. Gen. Ins. Co. of Am., 68 Cal. 2d 822, 830 (1968) (citations omitted).
25
Plaintiffs have plausibly alleged these elements. The amended complaint states that
26
plaintiffs were required to disclose their PII to the 49ers, to the 49ers’ benefit, with the
27
understanding that the 49ers would reasonably protect their information. That is enough for the
28
implied contract claim to go forward.
4
1
V.
CCRA
The CCRA requires California businesses that own or license computerized data that
2
include personal information to disclose a data breach after discovering one “in the most expedient
3
time possible and without unreasonable delay, consistent with the legitimate needs of law
4
enforcement, . . . or any measures necessary to determine the scope of the breach and restore the
5
reasonable integrity of the data system.” Cal. Civ. Code § 1798.82. The amended complaint
6
alleges that the 49ers knew of the breach in February 2022, Dkt. No. 28 ¶ 25, but waited
7
approximately six months before disclosing it. Id. ¶¶ 3, 4. Specifically, plaintiffs say that the
8
9
10
United States District Court
Northern District of California
11
49ers had realized that the breach included “personal, unencrypted information of Plaintiffs and
the class, but waited approximately three months to notify them,” and that the delay of three
months is unreasonable under the circumstances as it “prevented Plaintiffs and the Class from
taking appropriate measure from [sic] protecting themselves against harm.” Id. ¶¶ 134-35. The
12
CCRA claim will go forward.
13
14
15
16
17
VI.
CCPA
The 49ers say that plaintiffs’ allegation that the 49ers failed to “implement and maintain
reasonable security procedures and practices” is conclusory. Dkt. No. 42 at 12. But the amended
complaint includes specific allegations regarding the 49ers’ security procedures and practices,
including their failure “to even encrypt or redact” their highly sensitive PII. Dkt. No. 28 ¶ 9. That
18
is enough for present purposes.
19
Whether plaintiffs may recover statutory damages under the CCPA remains in question.
20
The CCPA requires a 30-day notice-and-cure procedure prior to initiating an action. Cal. Civ.
21
Code § 1798.150(b). Materials outside of the amended complaint indicate plaintiffs mailed the
22
required notice after initiating litigation.1 Plaintiffs did not address this issue. The Court will not
23
make a final determination of these external facts at the pleadings stage, but the parties are
24
directed to confer on an agreement with respect to the date of mailing and whether that forecloses
25
statutory damages.
26
27
28
1
The 49ers attached pre-suit letters to its motion to dismiss. Dkt. Nos. 42-1, 42-2, 42-3.
5
1
2
3
4
5
VII.
GEORGIA UDTPA
The Georgia Uniform Deceptive Trade Practices Act provides that “a person likely to be
damaged by a deceptive trade practice of another may be granted” injunctive relief. O.C.G.A.
§ 10-1-373(a). Deceptive trade practices include representations that “goods or services have . . .
characteristics, ingredients, uses, [or] benefits . . . that they do not have.” O.C.G.A. § 10-1372(a)(5). The complaint does not identify which, if any, of the 49ers’ representations were
6
deceptive. The Georgia UDTPA claim is dismissed with leave to amend.
7
CONCLUSION
8
Plaintiffs may file a second amended complaint with respect to the Georgia UDTPA claim
9
by August 30, 2024. No new claims or parties may be added without the Court’s prior consent. A
10
failure to comply with this order or filing deadline will result in dismissal of the Georgia UDTPA
11
United States District Court
Northern District of California
claim with prejudice pursuant to Federal Rule of Civil Procedure 41(b).
12
IT IS SO ORDERED.
13
Dated: August 15, 2024
14
15
16
JAMES DONATO
United States District Judge
17
18
19
20
21
22
23
24
25
26
27
28
6
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
