In re Accellion, Inc. Data Breach Litigation

Filing 285

ORDER DENYING 244 , 277 MOTIONS TO DISMISS AND FOR RECONSIDERATION. Signed by Judge Edward J. Davila on 10/28/2024. (ejdlc2, COURT STAFF) (Filed on 10/28/2024)

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

IN RE ACCELLION, INC. DATA BREACH LITIGATION

Case No. 21-cv-01155-EJD

ORDER DENYING MOTIONS TO DISMISS AND FOR RECONSIDERATION

Re: ECF Nos. 244, 271

In December 2020 and January 2021, hackers breached a secure file transfer application offered by Defendant Accellion, Inc. and widely used by entities who handled sensitive personal information. This breach exposed millions of individuals’ private data. In response, Plaintiffs filed this putative class action against Accellion. Now before the Court are two motions. First is Accellion’s motion to dismiss Plaintiffs’ negligence claim. Second is Plaintiffs’ motion for reconsideration of an earlier order dismissing their Confidentiality of Medical Information Act (“CMIA”) claim. After reviewing the parties’ written submissions, the Court finds oral argument to be unnecessary under Local Rule 7-1(b). The Court DENIES both motions.

I. BACKGROUND

A. Factual Allegations

Accellion is a “cloud solutions company” that develops and offers products for “prevent[ing] data breaches and compliance violations from third party cyber risk.” Am. Consol. Class Action Compl. (“Amended Complaint” or “Am. Compl.”) ¶ 25, ECF No. 248.[1] Among Accellion’s offerings is a product called the File Transfer Appliance (“FTA”). Id. ¶ 26. Accellion designed the FTA to securely transfer files as an alternative to email, particularly in those situations where file sizes exceed the limits for email attachments. Id. To use the FTA, a person uploads the files to be transferred. Then, that person sends a link to the intended recipient from which the recipient can view or download those files. Id. FTA file transfers often involved sensitive personally identifiable information such as Social Security numbers, demographic information, and medical records. Id. ¶ 32.

[1] Plaintiffs initially filed a redacted version of the Amended Complaint at ECF No. 230. The Court cites to the unredacted version throughout this Order.

Accellion began offering the FTA in the early 2000s. Id. ¶ 26. By December 2020, the FTA was nearly 20 years old and approaching its end of life. Id. ¶ 34. Accellion allegedly recognized that the FTA had become outdated and encouraged its clients to upgrade to a newer, more secure file transfer product called Kiteworks. Id. Still, Accellion continued to make the FTA available, albeit with fewer resources devoted to maintaining that older product. Id. ¶ 35.

On December 16, 2020, the FTA’s built-in anomaly detector notified an Accellion client that unauthorized third parties had breached the system. Id. ¶ 39. The client alerted Accellion, and when Accellion investigated the issue, it confirmed that the FTA contained security vulnerabilities. Id. Over the following week, Accellion released patches to address those vulnerabilities. Id. ¶ 40. Despite Accellion’s efforts, a second breach occurred on January 20, 2021. Id. ¶ 43. Accellion learned about this breach two days later and identified two more security vulnerabilities. Id. ¶ 44. According to Plaintiffs, Accellion struggled to fix those vulnerabilities. Id. ¶¶ 47–51.

Plaintiffs allege that these breaches exposed their personally identifiable information, subjecting them to injuries such as identity theft and fraudulent credit charges. Id. ¶ 4.

B. Procedural History

In their original Consolidated Class Action Complaint (“Original Complaint” or “Original Compl.”), ECF No. 170, Plaintiffs raised eleven claims. Accellion moved to dismiss all eleven claims, Mot. to Dismiss Original Compl., ECF No. 174, and the Court mostly granted Accellion’s motion. Order Granting in Part & Den. in Part Mot. to Dismiss (“Prior Order”), ECF No. 217. As relevant here, the Court allowed Plaintiffs’ negligence claim to proceed and dismissed Plaintiffs’ CMIA claim with leave to amend. Id. at 15, 24. When Plaintiffs filed their Amended Complaint, they did not renew their CMIA claim or otherwise attempt to correct the deficiencies in their CMIA claim. Instead, Plaintiffs only brought the two claims for which the Court had denied the motion to dismiss: negligence and one other claim not pertinent here. Am. Compl. ¶¶ 122–56.

Although the Court previously found that the Original Complaint stated a claim for negligence, Accellion moved again to dismiss that same claim from the Amended Complaint. Mot. to Dismiss Am. Compl. (“MTD Mot.”), ECF No. 244. In its motion, Accellion challenges only one element of Plaintiffs’ renewed negligence claim, arguing that the amended allegations do not establish a special relationship between Accellion and Plaintiffs such that Accellion owed a duty of care to Plaintiffs.[2] After the parties finished briefing this second motion to dismiss, Plaintiffs requested permission to file a motion for reconsideration of the Court’s Prior Order dismissing their CMIA claim. Mot. for Leave to File, ECF No. 266. The Court granted leave to file, ECF No. 269, and Plaintiffs subsequently filed their motion. Mot. for Reconsideration (“Recon. Mot.”), ECF No. 271.

[2] Accellion also raises choice of law issues. However, choice of law in this case is a fact-intensive exercise better suited for later stages of litigation when the parties may present evidence on the issue. In re Apple Inc. Device Performance Litig., 386 F. Supp. 3d 1155, 1170 (N.D. Cal. 2019). Deferring choice of law issues is all the more appropriate here because the parties should have completed most of their discovery on choice of law already, and class certification briefing is due in less than two months, providing an opportunity for Accellion to brief choice of law with the aid of evidence in the near future. Therefore, the Court declines to address choice of law in this Order.

II. MOTION TO DISMISS

A. Legal Standard

To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must contain sufficient factual allegations to make out a plausible legal claim. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). In determining whether the complaint states a plausible claim, courts “accept as true all factual allegations in the complaint and draw all reasonable inferences in favor of the nonmoving party.” Retail Prop. Tr. v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). But courts “are not bound to accept as true a legal conclusion couched as a factual allegation.” Iqbal, 556 U.S. at 678 (citation omitted).

B. Discussion

1. Law of the Case

The Court begins by addressing Plaintiffs’ threshold argument that law of the case bars the Court from granting Accellion’s motion to dismiss. Plaintiffs assert that law of the case applies because the Court had previously rejected the sole argument that Accellion advances in its instant motion. Opp’n to MTD Mot. (“MTD Opp’n”) 6, ECF No. 250. If Plaintiffs are correct that law of the case applies, Accellion faces a higher burden to dismiss Plaintiffs’ negligence claim from the Amended Complaint than it would typically face on a Rule 12(b)(6) motion.
Namely, Accellion would need to show that the Court’s prior special relationship finding was wrong due to “clear error, changed law, new evidence, changed circumstances, or manifest injustice.” Askins v. U.S. Dep’t of Homeland Sec., 899 F.3d 1035, 1043 (9th Cir. 2018). However, Plaintiffs are incorrect about law of the case. Motion practice regarding an amended complaint “does not ask the court to reconsider its analysis of the initial complaint” because an “amended complaint is a new complaint.” This means that the parties are “entitl[ed] [] to judgment on the [new] complaint’s own merits” rather than on the initial complaint’s merits. Id. As such, the Court “is not . . . bound by any law of the case.” Id.

Although the Court is not bound in any way by its Prior Order, the Court’s earlier decision is still relevant. So long as the Court does not hold Accellion to the higher standard for overcoming law of the case, if the Court “determines the [A]mended [C]omplaint is substantially the same as the initial complaint, the [Court] is free to follow the same reasoning” and to “decide the second motion to dismiss in the same way it decided the first.” Id. Accellion asserts that the Court should not even do that because there is a key difference between the Original and Amended Complaints. The Original Complaint alleges that Accellion itself stored, transferred, and maintained Plaintiffs’ personal information. Original Compl. ¶¶ 30, 62, 63, 114, 116. But the Amended Complaint alleges that Accellion’s product (the FTA) stored, transferred, and maintained that personal information. Am. Compl. ¶¶ 32, 72, 73, 123, 125. Contrary to Accellion’s suggestion, though, this is not a substantial difference that renders the Court’s prior reasoning inapt. As the Court explains further below, it makes no material difference whether Accellion or its product is alleged to have transferred Plaintiffs’ personal information since Accellion is responsible for its product. Thus, the differences between the Original and Amended Complaints are no basis for the Court to abandon its prior reasoning.

2. Special Relationship

As the Court previously explained, California courts consider whether four factors are present when determining if a special relationship exists: (1) dependence, (2) control, (3) limits to the scope of the community to which a duty of care is owed, and (4) benefits to the duty-holder. Prior Order 6–7 (quoting Regents of Univ. of Cal. v. Superior Ct., 4 Cal. 5th 607, 620–21 (2018)). While the Amended Complaint’s new allegations do not alter the Court’s earlier conclusions regarding these four factors, Accellion has further developed its arguments since its first motion to dismiss. Therefore, the Court discusses those newly developed arguments factor-by-factor.

Dependence. Special relationships typically involve “an aspect of dependency,” meaning that “one party relies to some degree on the other for protection.” Regents, 4 Cal. 4th at 620. The degree of reliance that justifies a special relationship is high; historically, courts have recognized special relationships only where “the plaintiff is particularly vulnerable.” Id. at 621 (citations omitted). The Original Complaint cleared this bar because its allegations showed “there [was] no reason to believe that Plaintiffs could have secured their [personal information] themselves when it was sent using Accellion’s FTA software.” Prior Order 7. Put differently, because there was nothing Plaintiffs could have personally done to secure their information, they needed to rely on the FTA’s security features to protect their information. By extension, Plaintiffs’ reliance on Accellion’s FTA software meant that Plaintiffs depended on Accellion, the entity responsible for developing and updating the FTA, for protection. This logic still applies with equal force now that Plaintiffs allege Accellion’s FTA software, rather than Accellion itself, transferred and maintained their personal information. If anything, Plaintiffs’ amendments reinforce the first link in that logical chain—that Plaintiffs relied on the FTA.

The remainder of Accellion’s arguments on dependence are unconvincing. First, Accellion argues there were no allegations that it created the risk of data breach, that it induced detrimental reliance, or that it induced a false sense of security. MTD Mot. 13. Accellion confuses different sources of tort duty. Creation of risk is a separate source of duty than a special relationship, Brown v. USA Taekwondo, 11 Cal. 5th 204, 214–15 (2021), so whether Accellion was responsible for the risk faced by Plaintiffs is not germane to the dependence analysis. Second, Accellion claims that this case is analogous to Tristan v. Bank of America, No. 22-cv-1183, 2023 WL 4417271 (C.D. Cal. June 28, 2023), and to Moriarty v. Bayside Insurance Associates, Inc., No. 20-56139, 2021 WL 4061105 (9th Cir. Sept. 7, 2021), two cases where courts found that no special relationship existed. But Tristan and Moriarity are distinguishable from this case because the plaintiffs there had the ability to protect themselves, unlike Plaintiffs here. In Tristan, the plaintiffs were victims of scams that solicited money through the payment platform Zelle. 2023 WL 4417271, at *1–2. The Tristan plaintiffs were not particularly vulnerable, though, because the scammers were in direct contact with them. Id. Thus, the Tristan plaintiffs could have protected themselves through their own vigilance. Similarly, in Moriarty, which involved an alleged failure to warn about unpaid insurance premiums, the plaintiffs could have protected themselves by keeping closer track of their own insurance payments. 2021 WL 4061105, at *1.

Control. “The corollary of dependence in a special relationship is control.” Regents, 4 Cal. 5th at 621. That is, plaintiffs depend on the defendant in a special relationship because the defendant “has superior control over the means of protection.” Id. Like the Original Complaint, the Amended Complaint establishes that Accellion had control over the FTA because Accellion had the power to issue patches for security vulnerabilities in the FTA. Am. Compl. ¶¶ 40, 43. Accellion suggests that this is not enough control because Accellion’s customers (such as the government agencies and banks that collected Plaintiffs’ personal information) had the ultimate responsibility for ensuring security, and because those customers could have rejected Accellion’s security patches. MTD Mot. 13–14. The latter defies common sense. See Iqbal, 556 U.S. at 663–64 (“[D]etermining whether a complaint states a plausible claim is context specific, requiring the reviewing court to draw on its experience and common sense.”). As a practical matter, it is highly unlikely that entities like banks, which deal with sensitive information and require high levels of security, would refuse to implement critical security patches offered by Accellion. More fundamentally, control requires a defendant to be in a “unique position to protect the plaintiff from injury.” Brown, 11 Cal. 5th at 216. It does not require the defendant to be the only one capable of offering protection.
Accellion’s customers may have been able to offer additional protection to Plaintiffs, but it is Accellion who was uniquely positioned to patch security vulnerabilities in the FTA. There is no indication that any other party could have provided the necessary patches.

Scope. Special relationships must also be “limited to specific individuals.” Regents, 4 Cal. 5th at 621. As the Court previously held, the relationship proposed by Plaintiffs here satisfies that requirement because it “exists only between Accellion and those specific individuals whose information the FTA software ferries.” Prior Order 8. Accellion resists this conclusion, arguing that under this definition, the identities of those individuals benefiting from the proposed special relationship are unknown. MTD Mot. 15. “Unknown,” however, does not have the same meaning as “unlimited” or “unknowable.” If the beneficiaries of Plaintiffs’ proposed relationship were truly unlimited or unknowable, the proposed relationship would be problematic. But that is not the case here. The special relationship’s scope is not unlimited because the FTA did not transfer everyone’s data. And the special relationship’s scope is not unknowable because discovery from Accellion’s clients could reveal the specific beneficiaries of this relationship. The fact that the exact identities of the beneficiaries are unknown at this very moment, or that it might be difficult to ascertain those identities, does not improperly broaden the scope of the proposed special relationship.

Benefit. As Accellion concedes, it “benefitted from its commercial activity of providing the FTA to customers.” MTD Mot. 15. So this last factor also supports finding that a special relationship exists.

* * *

Based on the Amended Complaint, all four factors support finding a special relationship, just as all four factors supported finding a special relationship under the Original Complaint.[3] Therefore, Accellion’s argument fails, and the Court DENIES its motion to dismiss.

[3] Accellion also briefly argues that no duty exists because Plaintiffs’ amendments show that Accellion had no “threshold level of interaction[]” with Plaintiffs. MTD Mot. 16. Accellion misreads the Court’s Prior Order. There, the Court held that a duty of care can extend beyond “those with whom [a defendant] shares privity” and can also extend beyond relationships with “some threshold level of interactions.” Prior Order 9. Thus, the Court did not hold that special relationships require some minimum interaction.

III. MOTION FOR RECONSIDERATION

A. Legal Standard

A motion for reconsideration is an “extraordinary remedy” that “should not be granted[] absent highly unusual circumstances.” Dairy v. Bonham, 25 F. Supp. 3d 1284, 1286 (N.D. Cal. 2014) (citations omitted). It is usually only appropriate to grant reconsideration in one of three circumstances: (1) there is newly discovered evidence; (2) the court previously committed clear error or made a manifestly unjust decision; or (3) there is an intervening change in controlling law. Hiramanek v. Clark, No. 5:13-cv-00228-RMW, 2016 WL 11033962, at *1 (N.D. Cal. Mar. 29, 2016). Plaintiffs move for reconsideration under only the third ground. Recon. Mot. 4.

B. Discussion

Plaintiffs ask for reconsideration[4] of the Court’s earlier decision to dismiss their CMIA claim. In its Prior Order, the Court found that Plaintiffs failed to state a CMIA claim because they did not allege facts showing that Accellion was a “provider of health care” covered by the CMIA. Prior Order 22–24. Specifically, the Court held that Accellion did not meet the definitions for a provider of health care under either of California Civil Code §§ 56.06(a) or (b). Plaintiffs now claim that the California Court of Appeal’s recent decision in J.M. v. Illuminate Education, Inc., 103 Cal. App. 5th 1125 (2024), changes the landscape for § 56.06. But even if Illuminate changed the law, it did not do so in a way that affects the Court’s previous CMIA ruling.

[4] Accompanying Plaintiffs’ reconsideration motion is a motion for leave to amend. The request to amend the complaint to add a CMIA claim is an extension of the reconsideration motion, so the Court does not address it separately—the Court’s ruling on the reconsideration motion applies equally to the motion for leave to amend.

To begin, § 56.06(a) defines a “provider of health care” in relevant part as a “business organized for the purpose of maintaining medical information.” The Court held that, in the Original Complaint, Plaintiffs failed to show that Accellion fell under the § 56.06(a) definition because Plaintiffs’ allegations were insufficient. Prior Order 22–23. Plaintiffs made only two allegations about Accellion’s purpose. The first allegation was conclusory and therefore insufficient under Iqbal. Id. at 22 (quoting allegation in Original Compl. ¶ 167 that “Accellion is organized in part for the purpose of maintaining medical information”). The second allegation was not conclusory, but it was insufficient to plead purpose by itself. Plaintiffs alleged that Accellion sold its file-sharing services to hospitals and other medical professionals. Id. at 23 (quoting Original Compl. ¶ 167). But this showed only that hospitals and medical professionals had discovered that Accellion’s products could be useful, not that Accellion had purposefully designed its products to appeal to medical professionals. So, the Court accepted Accellion’s argument that there was a “lack of pleaded facts suggesting that Accellion is organized at all for [the] purpose” required by § 56.06(a). Reply in Support of Mot. to Dismiss Original Compl. 9, ECF No. 187.

Accellion’s motion for reconsideration does not address this pleading defect. Instead, Accellion focuses on a statutory interpretation dispute that the parties had raised in their briefs on the first motion to dismiss but that the Court did not address in the Prior Order: Whether § 56.06(a) requires Plaintiffs to plead that maintaining medical information was Accellion’s sole purpose or if it is enough that maintaining such information was one of Accellion’s purposes. Recon. Mot. 5–6. According to Plaintiffs, Illuminate establishes that the latter interpretation is correct. However, because the Court did not dismiss Plaintiffs’ CMIA claim on the basis that § 56.06(a) covers only companies whose sole purpose is to maintain medical information, even assuming that Illuminate changed the law as Plaintiffs suggests, Illuminate is not relevant to the Court’s prior ruling on § 56.06(a). Thus, Illuminate cannot be a basis for reconsidering the Court’s § 56.06(a) ruling.

Illuminate does not change the Court’s § 56.06(b) analysis either. In its Prior Order, the Court found that Accellion was not a provider of health care under § 56.06(b) because it did not offer its software directly to individual consumers. Prior Order 23. Section 56.06(b) applies to businesses that offer software to “consumers,” Cal. Civ. Code § 56.06(b), which the Court construed to mean “individual consumers.” Prior Order 23. Illuminate did not construe the word “consumer” in § 56.06(b), so it is not relevant to the Court’s prior § 56.06(b) ruling, either.

Accordingly, the Court DENIES Plaintiffs’ motion for reconsideration.

IV. CONCLUSION

The Court DENIES Accellion’s motion to dismiss and Plaintiffs’ motion for reconsideration.

IT IS SO ORDERED.

Dated: October 28, 2024

EDWARD J. DAVILA
United States District Judge
