In re Accellion, Inc. Data Breach Litigation
Filing
285
ORDER DENYING 244 , 277 MOTIONS TO DISMISS AND FOR RECONSIDERATION. Signed by Judge Edward J. Davila on 10/28/2024. (ejdlc2, COURT STAFF) (Filed on 10/28/2024)
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
SAN JOSE DIVISION
7
8
IN RE ACCELLION, INC. DATA
BREACH LITIGATION
9
10
United States District Court
Northern District of California
11
Case No. 21-cv-01155-EJD
ORDER DENYING MOTIONS TO
DISMISS AND FOR
RECONSIDERATION
Re: ECF Nos. 244, 271
12
In December 2020 and January 2021, hackers breached a secure file transfer application
13
14
offered by Defendant Accellion, Inc. and widely used by entities who handled sensitive personal
15
information. This breach exposed millions of individuals’ private data. In response, Plaintiffs
16
filed this putative class action against Accellion. Now before the Court are two motions. First is
17
Accellion’s motion to dismiss Plaintiffs’ negligence claim. Second is Plaintiffs’ motion for
18
reconsideration of an earlier order dismissing their Confidentiality of Medical Information Act
19
(“CMIA”) claim. After reviewing the parties’ written submissions, the Court finds oral argument
20
to be unnecessary under Local Rule 7-1(b). The Court DENIES both motions.
21
I.
BACKGROUND
22
A.
Factual Allegations
23
Accellion is a “cloud solutions company” that develops and offers products for
24
“prevent[ing] data breaches and compliance violations from third party cyber risk.” Am. Consol.
25
Class Action Compl. (“Amended Complaint” or “Am. Compl.”) ¶ 25, ECF No. 248.1
Among
26
1
27
28
Plaintiffs initially filed a redacted version of the Amended Complaint at ECF No. 230. The
Court cites to the unredacted version throughout this Order.
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
1
1
Accellion’s offerings is a product called the File Transfer Appliance (“FTA”). Id. ¶ 26. Accellion
2
designed the FTA to securely transfer files as an alternative to email, particularly in those
3
situations where file sizes exceed the limits for email attachments. Id. To use the FTA, a person
4
uploads the files to be transferred. Then, that person sends a link to the intended recipient from
5
which the recipient can view or download those files. Id. FTA file transfers often involved
6
sensitive personally identifiable information such as Social Security numbers, demographic
7
information, and medical records. Id. ¶ 32.
8
United States District Court
Northern District of California
9
Accellion began offering the FTA in the early 2000s. Id. ¶ 26. By December 2020, the
FTA was nearly 20 years old and approaching its end of life. Id. ¶ 34. Accellion allegedly
10
recognized that the FTA had become outdated and encouraged its clients to upgrade to a newer,
11
more secure file transfer product called Kiteworks. Id. Still, Accellion continued to make the
12
FTA available, albeit with fewer resources devoted to maintaining that older product. Id. ¶ 35.
13
On December 16, 2020, the FTA’s built-in anomaly detector notified an Accellion client
14
that unauthorized third parties had breached the system. Id. ¶ 39. The client alerted Accellion,
15
and when Accellion investigated the issue, it confirmed that the FTA contained security
16
vulnerabilities. Id. Over the following week, Accellion released patches to address those
17
vulnerabilities. Id. ¶ 40. Despite Accellion’s efforts, a second breach occurred on January 20,
18
2021. Id. ¶ 43. Accellion learned about this breach two days later and identified two more
19
security vulnerabilities. Id. ¶ 44. According to Plaintiffs, Accellion struggled to fix those
20
vulnerabilities. Id. ¶¶ 47–51.
21
22
Plaintiffs allege that these breaches exposed their personally identifiable information,
subjecting them to injuries such as identity theft and fraudulent credit charges. Id. ¶ 4.
23
B.
Procedural History
24
In their original Consolidated Class Action Complaint (“Original Complaint” or “Original
25
Compl.”), ECF No. 170, Plaintiffs raised eleven claims. Accellion moved to dismiss all eleven
26
claims, Mot. to Dismiss Original Compl., ECF No. 174, and the Court mostly granted Accellion’s
27
motion. Order Granting in Part & Den. in Part Mot. to Dismiss (“Prior Order”), ECF No. 217. As
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
2
1
relevant here, the Court allowed Plaintiffs’ negligence claim to proceed and dismissed Plaintiffs’
2
CMIA claim with leave to amend. Id. at 15, 24. When Plaintiffs filed their Amended Complaint,
3
they did not renew their CMIA claim or otherwise attempt to correct the deficiencies in their
4
CMIA claim. Instead, Plaintiffs only brought the two claims for which the Court had denied the
5
motion to dismiss: negligence and one other claim not pertinent here. Am. Compl. ¶¶ 122–56.
Although the Court previously found that the Original Complaint stated a claim for
United States District Court
Northern District of California
6
7
negligence, Accellion moved again to dismiss that same claim from the Amended Complaint.
8
Mot. to Dismiss Am. Compl. (“MTD Mot.”), ECF No. 244. In its motion, Accellion challenges
9
only one element of Plaintiffs’ renewed negligence claim, arguing that the amended allegations do
10
not establish a special relationship between Accellion and Plaintiffs such that Accellion owed a
11
duty of care to Plaintiffs.2 After the parties finished briefing this second motion to dismiss,
12
Plaintiffs requested permission to file a motion for reconsideration of the Court’s Prior Order
13
dismissing their CMIA claim. Mot. for Leave to File, ECF No. 266. The Court granted leave to
14
file, ECF No. 269, and Plaintiffs subsequently filed their motion. Mot. for Reconsideration
15
(“Recon. Mot.”), ECF No. 271.
16
II.
MOTION TO DISMISS
17
A.
Legal Standard
18
To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must contain
19
sufficient factual allegations to make out a plausible legal claim. Ashcroft v. Iqbal, 556 U.S. 662,
20
678 (2009) (citation omitted). In determining whether the complaint states a plausible claim,
21
courts “accept as true all factual allegations in the complaint and draw all reasonable inferences in
22
favor of the nonmoving party.” Retail Prop. Tr. v. United Bhd. of Carpenters & Joiners of Am.,
23
2
24
25
26
27
28
Accellion also raises choice of law issues. However, choice of law in this case is a fact-intensive
exercise better suited for later stages of litigation when the parties may present evidence on the
issue. In re Apple Inc. Device Performance Litig., 386 F. Supp. 3d 1155, 1170 (N.D. Cal. 2019).
Deferring choice of law issues is all the more appropriate here because the parties should have
completed most of their discovery on choice of law already, and class certification briefing is due
in less than two months, providing an opportunity for Accellion to brief choice of law with the aid
of evidence in the near future. Therefore, the Court declines to address choice of law in this
Order.
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
3
1
768 F.3d 938, 945 (9th Cir. 2014). But courts “are not bound to accept as true a legal conclusion
2
couched as a factual allegation.” Iqbal, 556 U.S. at 678 (citation omitted).
3
4
United States District Court
Northern District of California
5
B.
Discussion
1.
Law of the Case
The Court begins by addressing Plaintiffs’ threshold argument that law of the case bars the
6
Court from granting Accellion’s motion to dismiss. Plaintiffs assert that law of the case applies
7
because the Court had previously rejected the sole argument that Accellion advances in its instant
8
motion. Opp’n to MTD Mot. (“MTD Opp’n”) 6, ECF No. 250. If Plaintiffs are correct that law of
9
the case applies, Accellion faces a higher burden to dismiss Plaintiffs’ negligence claim from the
10
Amended Complaint than it would typically face on a Rule 12(b)(6) motion. Namely, Accellion
11
would need to show that the Court’s prior special relationship finding was wrong due to “clear
12
error, changed law, new evidence, changed circumstances, or manifest injustice.” Askins v. U.S.
13
Dep’t of Homeland Sec., 899 F.3d 1035, 1043 (9th Cir. 2018). However, Plaintiffs are incorrect
14
about law of the case. Motion practice regarding an amended complaint “does not ask the court to
15
reconsider its analysis of the initial complaint” because an “amended complaint is a new
16
complaint.” This means that the parties are “entitl[ed] [] to judgment on the [new] complaint’s
17
own merits” rather than on the initial complaint’s merits. Id. As such, the Court “is not . . . bound
18
by any law of the case.” Id.
19
Although the Court is not bound in any way by its Prior Order, the Court’s earlier decision
20
is still relevant. So long as the Court does not hold Accellion to the higher standard for
21
overcoming law of the case, if the Court “determines the [A]mended [C]omplaint is substantially
22
the same as the initial complaint, the [Court] is free to follow the same reasoning” and to “decide
23
the second motion to dismiss in the same way it decided the first.” Id. Accellion asserts that the
24
Court should not even do that because there is a key difference between the Original and Amended
25
Complaints. The Original Complaint alleges that Accellion itself stored, transferred, and
26
maintained Plaintiffs’ personal information. Original Compl. ¶¶ 30, 62, 63, 114, 116. But the
27
Amended Complaint alleges that Accellion’s product (the FTA) stored, transferred, and
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
4
1
maintained that personal information. Am. Compl. ¶¶ 32, 72, 73, 123, 125. Contrary to
2
Accellion’s suggestion, though, this is not a substantial difference that renders the Court’s prior
3
reasoning inapt. As the Court explains further below, it makes no material difference whether
4
Accellion or its product is alleged to have transferred Plaintiffs’ personal information since
5
Accellion is responsible for its product. Thus, the differences between the Original and Amended
6
Complaints are no basis for the Court to abandon its prior reasoning.
7
8
United States District Court
Northern District of California
9
2.
Special Relationship
As the Court previously explained, California courts consider whether four factors are
present when determining if a special relationship exists: (1) dependence, (2) control, (3) limits to
10
the scope of the community to which a duty of care is owed, and (4) benefits to the duty-holder.
11
Prior Order 6–7 (quoting Regents of Univ. of Cal. v. Superior Ct., 4 Cal. 5th 607, 620–21 (2018)).
12
While the Amended Complaint’s new allegations do not alter the Court’s earlier conclusions
13
regarding these four factors, Accellion has further developed its arguments since its first motion to
14
dismiss. Therefore, the Court discusses those newly developed arguments factor-by-factor.
15
Dependence. Special relationships typically involve “an aspect of dependency,” meaning
16
that “one party relies to some degree on the other for protection.” Regents, 4 Cal. 4th at 620. The
17
degree of reliance that justifies a special relationship is high; historically, courts have recognized
18
special relationships only where “the plaintiff is particularly vulnerable.” Id. at 621 (citations
19
omitted). The Original Complaint cleared this bar because its allegations showed “there [was] no
20
reason to believe that Plaintiffs could have secured their [personal information] themselves when
21
it was sent using Accellion’s FTA software.” Prior Order 7. Put differently, because there was
22
nothing Plaintiffs could have personally done to secure their information, they needed to rely on
23
the FTA’s security features to protect their information. By extension, Plaintiffs’ reliance on
24
Accellion’s FTA software meant that Plaintiffs depended on Accellion, the entity responsible for
25
developing and updating the FTA, for protection. This logic still applies with equal force now that
26
Plaintiffs allege Accellion’s FTA software, rather than Accellion itself, transferred and maintained
27
their personal information. If anything, Plaintiffs’ amendments reinforce the first link in that
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
5
1
United States District Court
Northern District of California
2
logical chain—that Plaintiffs relied on the FTA.
The remainder of Accellion’s arguments on dependence are unconvincing. First, Accellion
3
argues there were no allegations that it created the risk of data breach, that it induced detrimental
4
reliance, or that it induced a false sense of security. MTD Mot. 13. Accellion confuses different
5
sources of tort duty. Creation of risk is a separate source of duty than a special relationship,
6
Brown v. USA Taekwondo, 11 Cal. 5th 204, 214–15 (2021), so whether Accellion was responsible
7
for the risk faced by Plaintiffs is not germane to the dependence analysis. Second, Accellion
8
claims that this case is analogous to Tristan v. Bank of America, No. 22-cv-1183, 2023 WL
9
4417271 (C.D. Cal. June 28, 2023), and to Moriarty v. Bayside Insurance Associates, Inc., No. 20-
10
56139, 2021 WL 4061105 (9th Cir. Sept. 7, 2021), two cases where courts found that no special
11
relationship existed. But Tristan and Moriarity are distinguishable from this case because the
12
plaintiffs there had the ability to protect themselves, unlike Plaintiffs here. In Tristan, the
13
plaintiffs were victims of scams that solicited money through the payment platform Zelle. 2023
14
WL 4417271, at *1–2. The Tristan plaintiffs were not particularly vulnerable, though, because the
15
scammers were in direct contact with them. Id. Thus, the Tristan plaintiffs could have protected
16
themselves through their own vigilance. Similarly, in Moriarty, which involved an alleged failure
17
to warn about unpaid insurance premiums, the plaintiffs could have protected themselves by
18
keeping closer track of their own insurance payments. 2021 WL 4061105, at *1.
19
Control. “The corollary of dependence in a special relationship is control.” Regents, 4
20
Cal. 5th at 621. That is, plaintiffs depend on the defendant in a special relationship because the
21
defendant “has superior control over the means of protection.” Id. Like the Original Complaint,
22
the Amended Complaint establishes that Accellion had control over the FTA because Accellion
23
had the power to issue patches for security vulnerabilities in the FTA. Am. Compl. ¶¶ 40, 43.
24
Accellion suggests that this is not enough control because Accellion’s customers (such as the
25
government agencies and banks that collected Plaintiffs’ personal information) had the ultimate
26
responsibility for ensuring security, and because those customers could have rejected Accellion’s
27
security patches. MTD Mot. 13–14. The latter defies common sense. See Iqbal, 556 U.S. at
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
6
1
663–64 (“[D]etermining whether a complaint states a plausible claim is context specific, requiring
2
the reviewing court to draw on its experience and common sense.”). As a practical matter, it is
3
highly unlikely that entities like banks, which deal with sensitive information and require high
4
levels of security, would refuse to implement critical security patches offered by Accellion. More
5
fundamentally, control requires a defendant to be in a “unique position to protect the plaintiff from
6
injury.” Brown, 11 Cal. 5th at 216. It does not require the defendant to be the only one capable of
7
offering protection. Accellion’s customers may have been able to offer additional protection to
8
Plaintiffs, but it is Accellion who was uniquely positioned to patch security vulnerabilities in the
9
FTA. There is no indication that any other party could have provided the necessary patches.
United States District Court
Northern District of California
10
Scope. Special relationships must also be “limited to specific individuals.” Regents, 4
11
Cal. 5th at 621. As the Court previously held, the relationship proposed by Plaintiffs here satisfies
12
that requirement because it “exists only between Accellion and those specific individuals whose
13
information the FTA software ferries.” Prior Order 8. Accellion resists this conclusion, arguing
14
that under this definition, the identities of those individuals benefiting from the proposed special
15
relationship are unknown. MTD Mot. 15. “Unknown,” however, does not have the same meaning
16
as “unlimited” or “unknowable.” If the beneficiaries of Plaintiffs’ proposed relationship were
17
truly unlimited or unknowable, the proposed relationship would be problematic. But that is not
18
the case here. The special relationship’s scope is not unlimited because the FTA did not transfer
19
everyone’s data. And the special relationship’s scope is not unknowable because discovery from
20
Accellion’s clients could reveal the specific beneficiaries of this relationship. The fact that the
21
exact identities of the beneficiaries are unknown at this very moment, or that it might be difficult
22
to ascertain those identities, does not improperly broaden the scope of the proposed special
23
relationship.
24
Benefit. As Accellion concedes, it “benefitted from its commercial activity of providing
25
the FTA to customers.” MTD Mot. 15. So this last factor also supports finding that a special
26
relationship exists.
27
28
*
*
*
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
7
Based on the Amended Complaint, all four factors support finding a special relationship,
United States District Court
Northern District of California
1
2
just as all four factors supported finding a special relationship under the Original Complaint.3
3
Therefore, Accellion’s argument fails, and the Court DENIES its motion to dismiss.
4
III.
MOTION FOR RECONSIDERATION
5
A.
Legal Standard
6
A motion for reconsideration is an “extraordinary remedy” that “should not be granted[]
7
absent highly unusual circumstances.” Dairy v. Bonham, 25 F. Supp. 3d 1284, 1286 (N.D. Cal.
8
2014) (citations omitted). It is usually only appropriate to grant reconsideration in one of three
9
circumstances: (1) there is newly discovered evidence; (2) the court previously committed clear
10
error or made a manifestly unjust decision; or (3) there is an intervening change in controlling law.
11
Hiramanek v. Clark, No. 5:13-cv-00228-RMW, 2016 WL 11033962, at *1 (N.D. Cal. Mar. 29,
12
2016). Plaintiffs move for reconsideration under only the third ground. Recon. Mot. 4.
13
B.
Discussion
14
Plaintiffs ask for reconsideration4 of the Court’s earlier decision to dismiss their CMIA
15
claim. In its Prior Order, the Court found that Plaintiffs failed to state a CMIA claim because they
16
did not allege facts showing that Accellion was a “provider of health care” covered by the CMIA.
17
Prior Order 22–24. Specifically, the Court held that Accellion did not meet the definitions for a
18
provider of health care under either of California Civil Code §§ 56.06(a) or (b). Plaintiffs now
19
claim that the California Court of Appeal’s recent decision in J.M. v. Illuminate Education, Inc.,
20
103 Cal. App. 5th 1125 (2024), changes the landscape for § 56.06. But even if Illuminate changed
21
22
23
24
25
26
27
28
Accellion also briefly argues that no duty exists because Plaintiffs’ amendments show that
Accellion had no “threshold level of interaction[]” with Plaintiffs. MTD Mot. 16. Accellion
misreads the Court’s Prior Order. There, the Court held that a duty of care can extend beyond
“those with whom [a defendant] shares privity” and can also extend beyond relationships with
“some threshold level of interactions.” Prior Order 9. Thus, the Court did not hold that special
relationships require some minimum interaction.
4
Accompanying Plaintiffs’ reconsideration motion is a motion for leave to amend. The request to
amend the complaint to add a CMIA claim is an extension of the reconsideration motion, so the
Court does not address it separately—the Court’s ruling on the reconsideration motion applies
equally to the motion for leave to amend.
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
8
3
1
United States District Court
Northern District of California
2
the law, it did not do so in a way that affects the Court’s previous CMIA ruling.
To begin, § 56.06(a) defines a “provider of health care” in relevant part as a “business
3
organized for the purpose of maintaining medical information.” The Court held that, in the
4
Original Complaint, Plaintiffs failed to show that Accellion fell under the § 56.06(a) definition
5
because Plaintiffs’ allegations were insufficient. Prior Order 22–23. Plaintiffs made only two
6
allegations about Accellion’s purpose. The first allegation was conclusory and therefore
7
insufficient under Iqbal. Id. at 22 (quoting allegation in Original Compl. ¶ 167 that “Accellion is
8
organized in part for the purpose of maintaining medical information”). The second allegation
9
was not conclusory, but it was insufficient to plead purpose by itself. Plaintiffs alleged that
10
Accellion sold its file-sharing services to hospitals and other medical professionals. Id. at 23
11
(quoting Original Compl. ¶ 167). But this showed only that hospitals and medical professionals
12
had discovered that Accellion’s products could be useful, not that Accellion had purposefully
13
designed its products to appeal to medical professionals. So, the Court accepted Accellion’s
14
argument that there was a “lack of pleaded facts suggesting that Accellion is organized at all for
15
[the] purpose” required by § 56.06(a). Reply in Support of Mot. to Dismiss Original Compl. 9,
16
ECF No. 187.
17
Accellion’s motion for reconsideration does not address this pleading defect. Instead,
18
Accellion focuses on a statutory interpretation dispute that the parties had raised in their briefs on
19
the first motion to dismiss but that the Court did not address in the Prior Order: Whether
20
§ 56.06(a) requires Plaintiffs to plead that maintaining medical information was Accellion’s sole
21
purpose or if it is enough that maintaining such information was one of Accellion’s purposes.
22
Recon. Mot. 5–6. According to Plaintiffs, Illuminate establishes that the latter interpretation is
23
correct. However, because the Court did not dismiss Plaintiffs’ CMIA claim on the basis that
24
§ 56.06(a) covers only companies whose sole purpose is to maintain medical information, even
25
assuming that Illuminate changed the law as Plaintiffs suggests, Illuminate is not relevant to the
26
Court’s prior ruling on § 56.06(a). Thus, Illuminate cannot be a basis for reconsidering the
27
Court’s § 56.06(a) ruling.
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
9
1
Illuminate does not change the Court’s § 56.06(b) analysis either. In its Prior Order, the
2
Court found that Accellion was not a provider of health care under § 56.06(b) because it did not
3
offer its software directly to individual consumers. Prior Order 23. Section 56.06(b) applies to
4
businesses that offer software to “consumers,” Cal. Civ. Code § 56.06(b), which the Court
5
construed to mean “individual consumers.” Prior Order 23. Illuminate did not construe the word
6
“consumer” in § 56.06(b), so it is not relevant to the Court’s prior § 56.06(b) ruling, either.
Accordingly, the Court DENIES Plaintiffs’ motion for reconsideration.
7
8
9
10
United States District Court
Northern District of California
11
12
IV.
CONCLUSION
The Court DENIES Accellion’s motion to dismiss and Plaintiffs’ motion for
reconsideration.
IT IS SO ORDERED.
Dated: October 28, 2024
13
14
15
EDWARD J. DAVILA
United States District Judge
16
17
18
19
20
21
22
23
24
25
26
27
28
Case No.: 21-cv-01155-EJD
ORDER DEN. MOTS. TO DISMISS & FOR RECONSIDERATION
10
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?