In re LinkedIn User Privacy Litigation
Filing
100
ORDER granting in part and denying in part 81 Motion to Dismiss. The court schedules this action for a Case Management Conference at 10:00 a.m. on June 6,2014. The parties shall file a Joint Case Management Statement on or before May 30, 2014. Signed by Judge Edward J. Davila on 3/28/2014. (ejdlc2, COURT STAFF) (Filed on 3/28/2014)
1
2
3
4
5
6
7
8
9
United States District Court
For the Northern District of California
10
11
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION
12
13
14
15
16
17
18
19
20
IN RE LINKEDIN USER PRIVACY
LITIGATION
)
)
)
)
)
)
)
)
)
)
)
)
)
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND
DENYING IN PART DEFENDANT’S
MOTION TO DISMISS
[Re: Docket No. 81]
Plaintiff Khalilah Wright (“Wright” or “Plaintiff”) brings this putative class action against
21
Defendant LinkedIn Corporation (“Defendant” or “LinkedIn”). Presently before the Court is
22
LinkedIn’s Motion to Dismiss Plaintiff’s Second Amended Consolidated Complaint (“SAC”). The
23
Court has fully reviewed the parties’ submissions and heard oral arguments of counsel presented at
24
the hearing on November 22, 2013. For the reasons explained below, the Court has determined
25
that LinkedIn’s Motion will be GRANTED IN PART and DENIED IN PART.
26
27
28
1
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
I. BACKGROUND
2
3
The following facts are taken from Plaintiff’s SAC. LinkedIn owns and operates the
website www.LinkedIn.com, which provides an online community for professional networking.
4
Prospective members may sign up for a membership by providing a valid email address and
5
registration password, which LinkedIn stores on its database. Once registered, a member may
6
create a free online professional profile containing such information as employment and
7
educational history.
8
When members register, they are required to confirm that they agree to LinkedIn’s User
Agreement (“User Agreement”) and Privacy Policy (“Privacy Policy”). The Privacy Policy
10
United States District Court
For the Northern District of California
9
contains a statement that “[a]ll information that you provide will be protected with industry
11
standard protocols and technology.”
12
For a monthly fee, members can upgrade to a paid “premium” subscription which grants
13
them increased networking tools and capabilities. Members who purchase a premium subscription
14
agree to the same terms and services of the User Agreement and Privacy Policy as if they were
15
non-paying members.
16
Plaintiff alleges that sometime in 2012 hackers infiltrated LinkedIn’s computer systems and
17
services. On June 6, 2012, the hackers posted approximately 6.5 million stolen LinkedIn users’
18
passwords on the Internet. On or around June 9, 2012, LinkedIn released a statement on its blog
19
stating that it had recently completed a switch of its password encryption method from a system
20
that stored member passwords in a hashed format to one that used both salted1 and hashed2
21
passwords for increased security.
Plaintiff alleges that she paid for a premium subscription from March 2010 until
22
23
approximately August 2010. She alleges that her LinkedIn password was retrieved by the hackers
24
and posted on the Internet on June 6, 2012. She alleges that, prior to her purchase of the premium
25
1
26
27
28
According to the SAC, “salting” is an encryption process that protects information by concatenating a plaintext
password with a series of randomly generated characters prior to hashing.
2
According to the SAC, “hashing” is an encryption process that protects information by by applying a one-way
function or algorithm to it. Hash functions are designed to reveal no information about the underlying input and are
designed such that minor changes in inputs will result in major changes to outputs.
2
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
subscription, she read LinkedIn’s User Agreement and Privacy Policy and that, had LinkedIn
2
disclosed its lax security practices, she would have viewed the premium subscription as less
3
valuable and would either have attempted to purchase a premium subscription at a lower price or
4
not at all.
5
II. LEGAL STANDARDS
6
7
a. Motion to dismiss under Rule 12(b)(1)
A Rule 12(b)(1) motion to dismiss tests whether a complaint alleges grounds for federal
8
subject matter jurisdiction. If the plaintiff lacks standing under Article III of the U.S. Constitution,
9
then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v.
United States District Court
For the Northern District of California
10
11
Citizens for a Better Env’t, 523 U.S. 83, 101-02 (1998).
A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer, 373
12
F.3d 1035, 1039 (9th Cir. 2004). Where the attack is facial, the court determines whether the
13
allegations contained in the complaint are sufficient on their face to invoke federal jurisdiction,
14
accepting all material allegations in the complaint as true and construing them in favor of the party
15
asserting jurisdiction. See Warth v. Seldin, 422 U.S. 490, 501 (1975). Where the attack is factual,
16
however, “the court need not presume the truthfulness of the plaintiff’s allegations.” Safe Air for
17
Everyone, 373 F.3d at 1039. In resolving a factual dispute as to the existence of subject matter
18
jurisdiction, a court may review extrinsic evidence beyond the complaint without converting a
19
motion to dismiss into one for summary judgment. See id.; McCarthy v. United States, 850 F.2d
20
558, 560 (9th Cir. 1988) (holding that a court “may review any evidence, such as affidavits and
21
testimony, to resolve factual disputes concerning the existence of jurisdiction”). Once a party has
22
moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party
23
bears the burden of establishing the Court’s jurisdiction. See Kokkonen v. Guardian Life Ins. Co.,
24
511 U.S. 375, 377 (1994); Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th
25
Cir. 2010).
26
27
28
3
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
b. Motion to dismiss under Rule 12(b)(6) and Rule 9(b)
2
A complaint must contain “a short and plain statement of the claim showing that the pleader
3
is entitled to relief.” Fed. R. Civ. P. 8(a). A motion to dismiss pursuant to Rule 12(b)(6) of the
4
Federal Rules of Civil Procedure tests the legal sufficiency of the claims asserted in the complaint.
5
Fed. R. Civ. P. 12(b)(6); Navarro v. Block, 250 F.3d 729, 731 (9th Cir. 2001). The court must
6
accept all factual allegations pleaded in the complaint as true, and must construe them and draw all
7
reasonable inferences from them in favor of the nonmoving party. Cahill v. Liberty Mutual Ins.
8
Co., 80 F.3d 336, 337–38 (9th Cir. 1996). The Court is not bound, however, to accept “legal
9
conclusions” as true. Ashcroft v. Iqbal, 556 U.S. 662 (2009).
United States District Court
For the Northern District of California
10
To avoid a Rule 12(b)(6) dismissal, a complaint need not contain detailed factual
11
allegations; rather, it must plead “enough facts to state a claim to relief that is plausible on its face.”
12
Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, “a plaintiff’s obligation to
13
provide the ‘grounds’ of his ‘entitle[ment] to relief’ requires more than labels and conclusions, and
14
a formulaic recitation of the elements of a cause of action will not do.” Id. at 555 (citation
15
omitted). “Factual allegations must be enough to raise a right to relief above the speculative level,
16
on the assumption that all the allegations in the complaint are true (even if doubtful in fact).” Id.
17
(citation omitted). In spite of the deference the court is bound to pay to the plaintiff’s allegations, it
18
is not proper for the court to assume that “the [plaintiff] can prove facts that [he or she] has not
19
alleged or that defendants have violated the . . . laws in ways that have not been alleged.”
20
Associated Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 526
21
(1983).
22
But “[w]hen there are well-pleaded factual allegations, a court should assume their veracity
23
and then determine whether they plausibly give rise to an entitlement to relief.” Iqbal, 556 U.S. at
24
679. A claim has “facial plausibility when the plaintiff pleads factual content that allows the court
25
to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 677
26
(citing Twombly, 550 U.S. at 556). “The plausibility standard is not akin to a ‘probability
27
requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.”
28
4
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
Id. “Where a complaint pleads facts that are ‘merely consistent with’ a defendant’s liability, it
2
‘stops short of the line between possibility and plausibility of entitlement to relief.’” Id. (quoting
3
Twombly, 550 U.S. at 557).
4
Complaints alleging fraud must satisfy the heightened pleading requirements of Federal
5
Rule of Civil Procedure 9(b). Rule 9(b) requires that in all averments of fraud or mistake, the
6
circumstances constituting fraud or mistake shall be stated with particularity. Malice, intent,
7
knowledge, and other conditions of a person’s mind may be alleged generally. A pleading is
8
sufficient under Rule 9(b) if it “state[s] the time, place and specific content of the false
9
representations as well as the identities of the parties to the misrepresentation.” Misc. Serv.
United States District Court
For the Northern District of California
10
Workers, Drivers & Helpers v. Philco–Ford Corp., 661 F.2d 776, 782 (9th Cir. 1981) (citations
11
omitted); see also Vess v. Ciba–Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003) (quoting
12
Cooper v. Pickett, 137 F.3d 616, 627 (9th Cir. 1997)) (“Averments of fraud must be accompanied
13
by ‘the who, what, when, where, and how’ of the misconduct charged.”) Additionally, “the
14
plaintiff must plead facts explaining why the statement was false when it was made.” Smith v.
15
Allstate Ins. Co., 160 F.Supp.2d 1150, 1152 (S.D. Cal. 2001) (citation omitted); see In re GlenFed,
16
Inc. Sec. Litig., 42 F.3d 1541, 1549 (9th Cir. 1994) (en banc) (superseded by statute on other
17
grounds).
18
Regardless of the title given to a particular claim, allegations grounded in fraud are subject
19
to Rule 9(b)’s pleading requirements. See Vess, 317 F.3d at 1103–04. Even where fraud is not an
20
essential element of a consumer protection claim, Rule 9(b) applies where a complaint “rel[ies]
21
entirely on [a fraudulent course of conduct] as the bases of that claim . . . the claim is said to be
22
‘grounded in fraud’ or to ‘sound in fraud,’ and the pleading . . . as a whole must satisfy the
23
particularity requirement of Rule 9(b).” Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir.
24
2009) (quoting Vess, 317 F.3d at 1103–04); Bros. v. Hewlett–Packard Co., 2006 WL 3093685, at
25
*7 (N.D. Cal. Oct. 31, 2006).
26
27
28
5
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
2
3
4
III. DISCUSSION
LinkedIn moves to dismiss all claims in the SAC for lack of standing pursuant to Rule
12(b)(1) and failure to state a claim pursuant to Rule 12(b)(6).
The SAC contains three claims for: 1) violation of the fraud prong of California’s Unfair
5
Competition Law (“UCL”), Cal. Bus. & Prof. Code, § 17200 et seq., 2) violation of the unfair
6
prong of the UCL, and 3) breach of contract. Plaintiff concedes that her second and third claims
7
should be dismissed and asks that the Court do so without prejudice. Docket No. 87, Pl.’s Opp.
8
Brief at 3. LinkedIn asks that the Court dismiss all three claims with prejudice.
9
United States District Court
For the Northern District of California
10
11
12
For the reasons explained below, the Court DISMISSES Plaintiff’s second and third claims
with prejudice. LinkedIn’s motion is DENIED as to Plaintiff’s first claim.
a. Standing under Article III and the UCL
i. Background
13
The Court dismissed Plaintiff’s First Amended Complaint (“FAC”) for lack of Article III
14
standing. See Docket No. 72. Plaintiff had attempted to establish standing based on the theories
15
that she had suffered an injury in fact because 1) she did not receive the benefit of her bargain with
16
LinkedIn, and 2) she now faces an increased risk of future harm as a result of the 2012 hacking
17
incident. The Court rejected both standing theories, finding, inter alia, that the promise of industry
18
standard security had not been a part of Plaintiff’s bargain for premium services.
19
The parties continue to dispute whether Plaintiff has standing under Article III or under the
20
UCL. Plaintiff has abandoned the standing theories she previously advanced and now contends
21
that she has standing because she purchased her premium subscription in reliance on LinkedIn’s
22
misrepresentation and would not have done so but for the misrepresentation. Importantly, the SAC
23
(unlike the FAC) alleges that Plaintiff did, in fact, read and rely upon the statement in the Privacy
24
Policy regarding industry standard security.
25
26
With these amendments, the SAC’s allegations are sufficient to confer both standing under
Article III and statutory standing under the UCL.
27
28
6
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
2
ii. The parties’ positions
The parties essentially divide the UCL standing and Article III standing cases into two
3
categories. Plaintiff relies primarily on a line of cases in which courts find standing under the UCL
4
and under Article III for plaintiffs who purchase deceptively labeled or advertised products in
5
reliance on the misinformation contained in the labels or advertisements.
6
As to UCL standing, in Kwikset Corp. v. Superior Court, the California Supreme Court
7
held that “[a] consumer who relies on a product label and challenges a misrepresentation contained
8
therein can satisfy the standing requirement of [the UCL] by alleging . . . that he or she would not
9
have bought the product but for the misrepresentation.” 51 Cal. 4th 310, 330 (2011). In Hinojos v.
United States District Court
For the Northern District of California
10
Kohl’s Corp., 718 F.3d 1098 (9th Cir. 2013), the Ninth Circuit Court of Appeals applied Kwikset
11
in “a straightforward manner” to hold that “when a consumer purchases merchandise on the basis
12
of false price information, and when the consumer alleges that he would not have made the
13
purchase but for the misrepresentation, he has standing to sue under the UCL and FAL because he
14
has suffered an economic injury.” 718 F.3d at 1107.
15
The Article III standing cases in the Ninth Circuit agree that plaintiffs who make allegations
16
similar to those made in Kwikset and Hinojos would also satisfy Article III’s standing
17
requirements. For example, Article III standing has been found for class members who “paid more
18
for [a product] than they otherwise would have paid, or bought it when they otherwise would not
19
have done so, because [the defendant] made deceptive claims and failed to disclose the [product’s]
20
limitations.” Mazza v. Am. Honda Motor Co., Inc., 666 F.3d 581, 595 (9th Cir. 2012) (citing
21
Stearns v. Ticketmaster Corp., 655 F.3d 1013, 1021 (9th Cir. 2011)). Another Ninth Circuit case
22
found Article III standing by applying the rule from Kwikset to the plaintiffs’ allegation that they
23
paid more for a product due to reliance on false advertising. See Degelmann v. Advanced Med.
24
Optics, Inc., 659 F.3d 835, 840 (9th Cir. 2011) vacated, 699 F.3d 1103 (9th Cir. 2012).
25
LinkedIn, on the other hand, distinguishes the labeling/advertising cases on the basis that
26
the representation in the Privacy Policy was not contained in a label or an advertisement. The
27
Privacy Policy applies to all members, both paying and non-paying and, according to LinkedIn,
28
7
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
was not included or incorporated into the premium services contract that Plaintiff entered into.
2
Thus, LinkedIn argues, “[u]nder no plausible theory can this single sentence in the Privacy Policy
3
that applies to all LinkedIn members be considered an ‘inducement’ to the purchase of a premium
4
subscription, the ‘advertisement’ of premium services, or an ‘effective marketing technique’ for
5
premium service.” Docket No. 89, Def.’s Reply at 7.
6
LinkedIn instead points to a number of other consumer cases in which courts have rejected
theories of injury in fact that, like Plaintiff’s theory, were premised on payment or overpayment for
8
a product. In LinkedIn’s cases, courts have required plaintiffs to allege “something more” than
9
“overpaying for a ‘defective’ product” in order to establish an Article III injury in fact. In re
10
United States District Court
For the Northern District of California
7
Toyota Motor Corp., 790 F. Supp. 2d 1152, 1165 n.11 (C.D. Cal 2011); see also Whitson v.
11
Bumbo, 2009 WL 1515597 (N.D. Cal. Apr. 16, 2009); Boysen v. Walgreen Co., 2012 WL
12
2953069 (N.D. Cal. July 19, 2012); In re McNeil Consumer Healthcare, 877 F. Supp. 2d 254 (E.D.
13
Pa. 2012); Williams v. Purdue Pharma Co., 297 F. Supp. 2d 171 (D.D.C. 2003). Based on these
14
cases, LinkedIn contends that Plaintiff has not alleged sufficient facts to establish Article III
15
standing.
16
LinkedIn argues that the rationale behind the labeling/advertising cases is that “the
17
overpayment injury does not depend on how the product functions because ‘labels’ and ‘brands’
18
have independent economic value.” In re Toyota, 790 F. Supp. 2d at 1165 n.11. Based on that
19
rationale, LinkedIn argues, courts in such cases find economic harm when the consumer paid
20
money for a defendant’s product over a competitor’s product due to the mislabeling. Plaintiff
21
makes no such allegations here. She does not allege, for example, that she purchased LinkedIn’s
22
services over another networking website’s services because of the promise regarding industry
23
standard security.
24
iii. Application and conclusion
25
Having carefully considered the cases, the Court finds that Plaintiff has alleged facts
26
sufficient to confer standing. The critical distinction between Plaintiff’s theory of economic injury
27
and the theories of economic injury rejected in LinkedIn’s cited cases is that Plaintiff alleges her
28
8
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
payment or overpayment was caused by LinkedIn’s alleged misrepresentations, which she alleges
2
she read and relied on in making her decision to purchase a premium subscription. The plaintiffs in
3
LinkedIn’s cases did not, or could not, attempt to establish standing under the same theory as
4
Plaintiff’s. In Williams and Whitson, although the plaintiffs alleged that the defendants had made
5
misrepresentations about the products at issue, the plaintiffs failed to allege that they were deceived
6
by or even that they were exposed to the misrepresentations. 297 F. Supp. 2d at 177; 2009 WL
7
1515597, at *4. Similarly, neither Boysen nor In re McNeil contained allegations that the plaintiffs
8
purchased the product in reliance on the defendant’s misrepresentations. In re Toyota is inapposite
9
because, while the court did require some plaintiffs to allege “something more” than pure
United States District Court
For the Northern District of California
10
economic loss, it did so only for those plaintiffs who were seeking to establish an economic loss
11
based on a “market effect” theory.3 790 F. Supp. 2d at 1165-1166. Plaintiff’s theory is not based
12
on a loss in market value.
13
The Court recognizes that there are significant differences between the “single sentence”
14
contained in LinkedIn’s Privacy Policy and the labels and advertisements from Kwikset and
15
Hinojos. Notwithstanding these differences, however, the Court finds that the representation in
16
LinkedIn’s Privacy Policy falls within the scope of the labeling/advertising cases.
17
First, it is not clear that the reach of the Kwikset line of cases is limited only to
18
misrepresentations that are also labels or advertisements. As the California Supreme Court put it,
19
to satisfy the UCL’s standing requirements, “a party must now (1) establish a loss or deprivation of
20
money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that
21
that economic injury was the result of, i.e., caused by, the unfair business practice or false
22
advertising that is the gravamen of the claim.” Kwikset, 51 Cal. 4th at 322 (emphasis added).
23
While it is true that the final holding in Kwikset specifically identified the type of “unfair business
24
25
3
26
27
28
Some plaintiffs attempted to establish an injury in fact based on a drop in value of their cars. They did not allege
experiencing any defects in their cars despite predicating their loss on the drop in value due to the defect. The court
agreed that those plaintiffs should allege “something more” and found that they had met this requirement by 1)
showing the reduction in trade-in value of their cars in sources such as Kelley Blue Book and 2) alleging that the drop
in value followed public awareness of the defect. 790 F. Supp. 2d at 1166.
9
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
practice or false advertising” at issue4, that holding was an application of the broader rule identified
2
in the preceding sentence of this paragraph. The Kwikset court did not indicate that the
3
requirements for establishing UCL standing would be any different if the challenged
4
misrepresentation was contained in something other than a deceptive product label. And although
5
Kwikset was a California case concerning standing under the UCL, not Article III, the Ninth
6
Circuit cases indicate that plaintiffs whose allegations meet the Kwikset criteria will at least satisfy
7
the Article III injury in fact requirement. See Hinojos, 718 F.3d at 1104, n.3 (“There is no
8
difficulty in this case regarding Article III injury in fact, and neither party suggests otherwise. We
9
have explained that when, as here, ‘Plaintiffs contend that class members paid more for [a product]
United States District Court
For the Northern District of California
10
than they otherwise would have paid, or bought it when they otherwise would not have done so’
11
they have suffered an Article III injury in fact.”)
12
Second, even if the Kwikset line of cases was read to apply solely to advertisements and
13
labels, the term “advertisement” is defined broadly under California law. The UCL expressly
14
incorporates the Fair Advertising Law’s (“FAL”) prohibition on unfair advertising as one form of
15
unfair competition. Hinojos, 718 F.3d at 1103 (citing Cal. Bus. & Prof. Code § 17200). The FAL
16
is broadly written and broadly construed, and a wide range of statements can qualify as an
17
advertisement. Cal. Bus. & Prof. Code § 17500; see Chern v. Bank of Am., 15 Cal. 3d 866, 875
18
(1976). For example, a statement made in a letter denying a borrower’s request for a loan
19
modification qualifies as “advertising.” Gabali v. OneWest Bank, FSB, 2013 WL 1320770 (N.D.
20
Cal. Mar. 29, 2013). Applying one set of standing requirements to labeling/advertising and another
21
set of standing requirements to other types of misrepresentations, as LinkedIn advocates, would be
22
untenable given the lack of distinction California law places between misleading advertising and
23
other forms of misleading statements.
The opinions in Kwikset and Hinojos provided several examples of marketing practices,
24
25
including meat labeled as kosher and a product advertised as “not available in stores.” Like those
26
4
27
28
“A consumer who relies on a product label and challenges a misrepresentation contained therein can satisfy the
standing requirement of section 17204 by alleging, as plaintiffs have here, that he or she would not have bought the
product but for the misrepresentation.” Id. at 330.
10
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
examples, the statement in LinkedIn’s Privacy Policy might be significant only to a small segment
2
of consumers and many consumers may not even care to read it before making their purchase. Yet
3
the California Supreme Court and the Ninth Circuit Court of Appeals have indicated that when
4
those representations are false, a consumer who is induced by them to purchase a product that she
5
otherwise would not have purchased has standing to bring an action under the UCL in federal
6
court.
7
Applying the cases discussed above, the Court finds that Plaintiff’s allegations are
8
sufficient to establish standing under the UCL and Article III. She alleges that she purchased her
9
premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured with
United States District Court
For the Northern District of California
10
industry standards and technology, she alleges that the statement was false when she read and
11
relied on it, and she alleges that she would not have made the purchase (or that she would have
12
negotiated for a lower price) but for the misrepresentation. Her injury (the purchase induced by the
13
misrepresentation) is fairly traceable to LinkedIn’s conduct because LinkedIn made the
14
misrepresentation. And finally, her injury is likely to be redressed by a favorable decision because
15
restitution is an available remedy under the UCL. Cal. Bus. & Prof. Code § 17203.
16
17
18
b. Plaintiff’s first claim: Fraudulent business practices
i. Stating a claim
To state a claim under either the fraudulent business practices prong of the UCL, it is
19
necessary only to show that members of the public are likely to be deceived. In re Tobacco II
20
Cases, 46 Cal. 4th 298, 312 (2009) (internal quotations and citations omitted).
21
Plaintiff alleges that the representation in the Privacy Policy is likely to deceive the public
22
because consumers would believe that LinkedIn used a more effective method of securing its users’
23
data than it actually did.
24
LinkedIn attacks the materiality of the alleged misrepresentation, arguing that Plaintiff’s
25
claim should fail as a matter of law because “it is implausible that a single contractual promise in a
26
Privacy Policy applicable to all members—free, basic-account members and paying, premium-
27
28
11
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
account members—would be seen as a material inducement leading a reasonable user to upgrade to
2
a premium account.”
3
A representation is material if a reasonable consumer would attach importance to it or if the
4
maker of the representation knows or has reason to know that its recipient regards or is likely to
5
regard the matter as important in determining his choice of action. Hinojos, 718 F.3d at 1107
6
(internal quotations and citations omitted). The materiality of a misrepresentation is typically an
7
issue of fact, and therefore should not be decided at the motion to dismiss stage. See In re Steroid
8
Hormone Product Cases, 181 Cal. App. 4th 145 (2010). In some circumstances, courts have found,
9
as a matter of law, that no reasonable consumer could have been misled by the misrepresentation.
United States District Court
For the Northern District of California
10
See Rice v. Fox Broad. Co., 330 F.3d 1170, 1181 (9th Cir. 2003) (false statements on videotape
11
cover were immaterial because videotape cover could not be observed by potential consumer and
12
therefore could not influence the purchasing decision).
13
LinkedIn points out that Plaintiff fails to allege that, even if LinkedIn had disclosed the fact
14
that it used unsalted, SHA-1 encryption, Plaintiff would have actually understood such a disclosure
15
to mean that LinkedIn was not employing industry standard security. However, Plaintiff does
16
allege that if LinkedIn had disclosed its security protocols, consumers would have learned that
17
those protocols did not meet the “industry standard” through word of mouth or the media. She
18
supports this reasoning by arguing, essentially, that even if the average consumer would not have
19
understood that unsalted, SHA-1 encryption was below the industry standard, the popular media
20
would have found that disclosure newsworthy and would have disseminated the information to
21
consumers.
22
Given the above, the Court does not find Plaintiff’s claim barred as a matter of law. The
23
only case that LinkedIn has cited on this point is Rice, and in Rice, it was impossible for the
24
representation to deceive a consumer when no consumer could have viewed the representation
25
prior to making a purchase. Here, the representation was available for the public to read, and, as
26
explained below, Plaintiff has alleged a plausible explanation for why it is likely to deceive the
27
public.
28
12
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
2
ii. Rule 8
LinkedIn contends that the SAC does not satisfy Rule 8 of the Federal Rules of Civil
3
Procedure. A complaint must contain “a short and plain statement of the claim showing that the
4
pleader is entitled to relief.” Fed. R. Civ. P. 8(a). A court considering a motion to dismiss can
5
choose to begin by identifying pleadings that, because they are no more than conclusions, are not
6
entitled to the assumption of truth. Iqbal, 556 U.S. at 679. While legal conclusions can provide the
7
framework of a complaint, they must be supported by factual allegations. Id. When there are well-
8
pleaded factual allegations, a court should assume their veracity and then determine whether they
9
plausibly give rise to an entitlement to relief. Id.
United States District Court
For the Northern District of California
10
1. Whether Plaintiff plausibly alleges that she read LinkedIn’s
11
representation
12
In the SAC, Plaintiff alleges the following: “Before signing up for her LinkedIn Premium
13
Subscription, Wright—as she always does when signing up for a service online—read and agreed
14
to the [User Agreement] and Privacy Policy and the representations and obligations listed therein.”
15
Plaintiff also alleges that the User Agreement contained an integration clause, and that the User
16
Agreement governing her premium subscription also “incorporated by reference” LinkedIn’s
17
Privacy Policy and advised her to review and comply with the Privacy Policy.
18
LinkedIn argues that because the User Agreement was not part of the terms of the contract
19
Plaintiff entered into when she signed up for her premium subscription, the terms therefore did not
20
include the “incorporation by reference” term or the advisement to review the Privacy Policy.
21
Because those allegations are false, LinkedIn continues, there is no reason to accept as true the
22
conclusion-that Plaintiff read and relied on the Privacy Policy in purchasing her premium
23
subscription.
24
However, regardless of whether or not the User Agreement became a part of Plaintiff’s
25
contract for the premium subscription as a matter of contract law, Plaintiff alleges that she read and
26
relied on the User Agreement and the Privacy Policy before purchasing her premium subscription.
27
28
13
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
Her understanding of contract law has no bearing on her allegation that she read and relied on those
2
documents.
3
4
2. Whether Plaintiff plausibly alleges that LinkedIn’s
representation was false
5
LinkedIn argues that Plaintiff’s allegation that LinkedIn failed to use industry standards to
6
encrypt member passwords is conclusory and unsupported. Plaintiff supports this conclusion with
7
the following factual allegations:
8
9
United States District Court
For the Northern District of California
10
1) When Plaintiff purchased her premium subscription, LinkedIn protected its
users’ personal information using the SHA-1 hash function. LinkedIn did
not salt the information.
11
2) Since at least 2006, industry standards have required that users’ personal
12
information, and login credentials in particular, be stored in salted and
13
hashed format.
14
3) The National Institute of Standards and Technology (“NIST”)
15
recommended that all government agencies stop using SHA-1.
16
4) Salting has been standard encryption practice since the 1970s, and salting
17
and hashing (with a stronger algorithm than SHA-1) together is the
18
preferred industry practice.
19
5) Three days after the breach, LinkedIn stated that it would transition from a
20
password database system that hashed passwords, i.e. provided one layer
21
of encoding, to a system that both hashed and salted the passwords, i.e.
22
provided an extra layer of protection that is a widely recognized best
23
practice within the industry.
24
6) The bare minimum practice within LinkedIn’s industry is to “salt” the
25
input before hashing it, preferably with a multi-digit salt long enough to
26
render rainbow tables (a method of encryption-breaking) entirely useless.
27
28
14
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
7) The more common industry practice is to (1) salt passwords and then hash
2
them using a more recent and secure algorithm than SHA-1, (2) salt the
3
resulting hash value, and (3) then again run the resulting value through a
4
hashing function. Finally, that fully encrypted password should be stored
5
on a separate and secure server apart from all other user information.
6
LinkedIn points out that “Plaintiff never explicitly alleges that SHA-1 was below industry
7
standards during the class period. She instead alleges that the National Institute of Standards and
8
Technology [NIST] recommended that all government agencies stop using SHA-1.” Docket No.
9
81, Def.’s Memo ISO MTD at 19 (internal quotations omitted). LinkedIn then cites to an extrinsic
United States District Court
For the Northern District of California
10
document written by the NIST which purportedly states that the use of SHA-1 hashing is
11
acceptable.
12
However, even assuming that the Court must disregard Plaintiff’s allegations concerning
13
the NIST’s position on the use of SHA-1 hashing, the rest of Plaintiff’s allegations are sufficient to
14
support her conclusion that LinkedIn’s representation was false. She alleges that LinkedIn used a
15
particular security practice, is specific about what that security practice entailed, alleges that
16
LinkedIn’s practice fell below the “bare minimum” security practice in LinkedIn’s industry, and
17
she is specific about what that “bare minimum” security practice entails. Furthermore, LinkedIn
18
does not contend that the phrase “industry standard” amounts to puffery or is otherwise impossible
19
to define.
20
21
22
23
Accordingly, dismissal for this reason is unwarranted.
3. Whether Plaintiff plausibly alleges that she was denied the
benefit of her bargain
Next, LinkedIn contends that Plaintiff “does not plausibly allege that she did not receive all
24
of the benefits that she bargained for,” arguing that the promise of industry standard security was
25
not one of the benefits included in Plaintiff’s bargain because industry standard security is
26
available to all members whether or not they have upgraded to premium memberships. This was
27
28
15
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
an argument that the Court found convincing and became one of the grounds for dismissal of the
2
FAC.
3
This contention is less relevant now that Plaintiff no longer seeks to establish standing
4
based on being deprived of the benefit of her bargain. Furthermore, when a plaintiff alleges
5
economic injury based on being induced by misrepresentations to purchase products that she would
6
not otherwise have purchased, the benefit of the bargain defense is permissible only if the
7
misrepresentation that the consumer alleges was not “material.” Hinojos, 718 F.3d at 1107. Thus,
8
LinkedIn’s contention that Plaintiff received all of the benefits she bargained for is not a sufficient
9
basis for dismissal of the SAC.
United States District Court
For the Northern District of California
10
iii. Rule 9
11
LinkedIn contends that the SAC’s averments of fraud do not satisfy Rule 9(b) after
12
disregarding the allegations discussed above on Rule 8 grounds. However, these allegations are
13
sufficiently pleaded and must be regarded as true at this stage in the proceedings.
14
15
In alleging fraud or mistake, a party must state with particularity the circumstances
constituting fraud or mistake. Fed. R. Civ. P. 9(b).
16
Plaintiff’s averments of fraud meet the requirements of Rule 9(b). She alleges that the
17
representation was made in LinkedIn’s Privacy Policy, which she read and relied on prior to
18
purchasing a premium subscription, and she alleges facts that explain why the representation was
19
false. Her allegations are specific enough to give LinkedIn “notice of the particular misconduct
20
which is alleged to constitute the fraud charged so that [it] can defend against the charge and not
21
just deny that [it has] done anything wrong.” Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir.
22
1985).
23
24
25
26
c. Plaintiff’s second and third claims
As to the SAC’s second and third claims, the Court limits its decision to whether these
claims should be dismissed with or without prejudice.
Dismissal with prejudice and without leave to amend is not appropriate unless it is clear on
27
that the complaint could not be saved by amendment. Chang v. Chen, 80 F.3d 1293, 1296 (9th Cir.
28
16
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
1
1996). Dismissal with prejudice may be appropriate where a plaintiff presents no new facts but
2
only “new theories” and “provided no satisfactory explanation for his failure to fully develop his
3
contentions originally.” Vincent v. Trend Western Technical Corp., 828 F.2d 563, 570-71 (9th Cir.
4
1987).
Here, although Plaintiff has added new, critical facts to her complaint (particularly, the
5
allegation that she read LinkedIn’s representation before purchasing her premium subscription),
7
she fails to explain how the new facts affect her second and third claims. She concedes that both
8
claims fall within the scope of the Court’s previous order dismissing the FAC. She provides no
9
explanation for why she should be given another chance to amend those claims, other than that she
10
United States District Court
For the Northern District of California
6
only became aware that her second and third claims fell within the scope of the previous dismissal
11
order after certain evidence was produced by LinkedIn and that she might discover facts through
12
discovery that would allow her to reassert the claims.
Accordingly, Plaintiff’s second and third claims are DISMISSED with prejudice because
13
14
15
allowing for further amendment would be futile.
IV. CONCLUSION
For the foregoing reasons, LinkedIn’s Motion to Dismiss Plaintiff’s Second Amended
16
17
Consolidated Complaint is GRANTED IN PART and DENIED IN PART. Plaintiff’s second and
18
third claims are DISMISSED with prejudice. LinkedIn’s Motion is DENIED as to Plaintiff’s first
19
claim.
20
The court schedules this action for a Case Management Conference at 10:00 a.m. on June 6,
21
2014. The parties shall file a Joint Case Management Statement on or before May 30, 2014.
22
IT IS SO ORDERED
23
Dated: March 28, 2014
24
25
_________________________________
EDWARD J. DAVILA
United States District Judge
26
27
28
17
Case No.: 5:12-CV-03088-EJD
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION TO
DISMISS
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?