Dugas v. Starwood Hotels & Resorts Worldwide, Inc. et al
Filing
28
ORDER Granting in Part and Denying in Part Defendants' 22 Motion to Dismiss. The Court grants Plaintiff twenty days from the issuance of this Order to file a Second Amended Complaint. Failure to meet the twenty-day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Signed by Judge Gonzalo P. Curiel on 11/3/16. (dlg)
1
2
3
4
5
6
7
8
UNITED STATES DISTRICT COURT
9
SOUTHERN DISTRICT OF CALIFORNIA
10
11
PAUL DUGAS,
Case No.: 3:16-cv-00014-GPC-BLM
Plaintiff,
12
13
14
ORDER GRANTING IN PART AND
DENYING IN PART DEFENDANTS’
MOTION TO DISMISS
v.
STARWOOD HOTELS & RESORTS
WORLDWIDE, INC., HST LESSEE
SAN DIEGO, LP; HST GP SAN DIEGO,
LLC,
15
16
17
[ECF No. 22]
Defendants.
18
19
Before the Court is Defendants Starwood Hotels and Resorts Worldwide, Inc.
20
(“Starwood”), HST Lessee San Diego, LP, and HST GP San Diego, LLC’s (collectively
21
“Defendants”) Motion to Dismiss. ECF No. 22. Upon review of the moving papers and
22
the applicable law, and for the reasons set forth below, the Court GRANTS in part,
23
without prejudice, and DENIES in part Defendants’ Motion to Dismiss.
24
FACTUAL BACKGROUND
25
This case arises from a series of attacks by criminal hackers upon the United States
26
hospitality industry. First Amended Class Action Complaint (“FACC”), ECF No. 21 ¶ 8.
27
Plaintiff Paul Dugas (“Plaintiff”) alleges that customer systems of Starwood Hotels and
28
Resorts Worldwide, Inc. (“Starwood”) had malicious software installed on them and that
1
3:16-cv-00014-GPC-BLM
1
they have been compromised since “at least November 2014.” Id. ¶ 22. Plaintiff alleges
2
that this data breach (the “Starwood breach”) “adversely affected hundreds of thousands
3
of customers of the Starwood Hotel system.” Id. ¶ 4. According to Plaintiff, although
4
Starwood “discovered the first data breach on or around April 13, 2015,” they failed to
5
notify customers or regulators of the data breach “until November 20, 2015 via [] internet
6
press release.” Id. ¶¶ 22–23. Within said press release, Starwood revealed “that hackers
7
had breached its database containing sensitive records including: names, credit card
8
numbers, security codes and expiration dates.” Id. ¶ 2.
9
Plaintiff alleges that as a “member in the hotel chain’s rewards program,” he has
10
frequented the spa at the Sheraton San Diego Hotel & Marina on a “continuous and
11
ongoing basis.” Id. ¶ 21. Plaintiff further alleges that during visits to the spa, “he
12
provided personal identifying information and consumer information” to the hotel,
13
operating under the “reasonable belief that [the information] would be held private.” Id.
14
Because of the approximately seven-month delay between discovering the data breach
15
and notifying affected customers, Plaintiff alleges that hackers were given “months to use
16
the information without the customers being able to take any steps to protect themselves.”
17
Id. ¶ 23.
18
The Sheraton San Diego Hotel & Marina was named as one of the hotels affected
19
by the Starwood breach. See id. ¶ 24. As a customer of the hotel, Plaintiff alleges that
20
his records “were among the records exposed.” Id. Plaintiff alleges that during the time
21
period between Starwood’s initial discovery of the data breach and their disclosure that a
22
breach had occurred, “[Plaintiff’s] credit card . . . used for purchases at the Sheraton San
23
Diego . . . was compromised by an unknown third party and used for unauthorized
24
purchases, exposing him to losses, frustration and on-going requirements to protect
25
himself from identity theft.” Id. ¶ 26.
26
Plaintiff alleges that although “Starwood was fully aware of the consequences
27
awaiting their customers if this information was accessed by third parties,” “they failed to
28
take even the basic precautionary measure of encrypting the data.” Id. ¶ 28. As a result,
2
3:16-cv-00014-GPC-BLM
1
Plaintiff alleges that he and thousands of other Starwood customers have been “exposed
2
. . . to violations of privacy, economic loss and risks of identity theft” for the rest of their
3
lives. Id. ¶ 29.
4
PROCEDURAL BACKGROUND
5
On January 5, 2016, Plaintiff filed his First Amended Class Action Complaint
6
alleging: (1) violation of the California Customer Records Act (“CRA”), Cal. Civ. Code
7
§§ 1798.81.5, 1798.82; (2) violation of California’s Unfair Competition Law (“UCL”),
8
Cal. Bus. & Prof. Code §§ 17200, et seq.; (3) invasion of privacy; (4) negligence; and (5)
9
negligence per se. FACC ¶¶ 39–84. Plaintiff has named Starwood Hotels & Resorts
10
Worldwide, Inc., HST Lessee San Diego, LP and HST GP San Diego, LLC
11
(“Defendants”) as the collective defendants, alleging that Starwood is “the franchisor of
12
the Sheraton brand,” id. ¶ 14, while HST Lessee San Diego, LP and HST GP San Diego,
13
LLC are concurrent “owner[s] or operator[s] of the Sheraton San Diego Hotel and
14
Marina,” id. ¶¶ 15–16. Plaintiff further alleges that each of the three defendants “ratified
15
and approved” all the “actions of each defendant.” Id. ¶ 19.
On February 26, 2016, Defendants moved to dismiss Plaintiff’s Class Action
16
17
Complaint. ECF No. 19. On March 18, 2016, Plaintiff filed his FACC. On April 1,
18
2016, Defendants filed a Motion to Dismiss Plaintiff’s FACC (“Motion to Dismiss”)
19
based on (1) Plaintiff’s failure to establish Article III standing and (2) Plaintiff’s failure to
20
state a claim on which relief can be granted. ECF No. 22. Plaintiff filed an opposition to
21
Defendants’ Motion to Dismiss on May 13, 2016. ECF No. 25. On June 3, 2016,
22
Defendants filed a Reply to Plaintiff’s Opposition. ECF No. 26.
23
24
25
DISCUSSION
I.
STANDING TO SUE
26
A.
Legal Standard
In order to invoke the subject matter jurisdiction of this Court, Plaintiff is required
27
to establish standing to sue. Under Federal Rule of Civil Procedure (“Rule”) 12(b)(1), a
28
defendant may seek dismissal of a complaint for lack of subject matter jurisdiction. See
3
3:16-cv-00014-GPC-BLM
1
F.R.C.P. 12(b)(1). The federal court is one of limited jurisdiction. See Gould v. Mut. Life
2
Ins. Co. of N.Y., 790 F.2d 769, 774 (9th Cir. 1986). Each federal court has an
3
“affirmative obligation to ensure that it is acting within the scope of its jurisdictional
4
authority.” Grand Lodge of Fraternal Order of Police v. Ashcroft, 185 F. Supp. 2d 9, 13
5
(D.D.C. 2001).
6
Plaintiff, as the party seeking to invoke jurisdiction, bears the burden of
7
establishing jurisdiction. See Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375,
8
377 (1994). To meet this burden, Plaintiff must show:
9
13
(1) that he or she has suffered an ‘injury in fact’ that is (a) “an invasion of a legally
protected interest” that is concrete and particularized and (b) actual or imminent,
not conjectural or hypothetical; (2) that the injury is fairly traceable to the
challenged action of the defendant; and (3) that it is likely, as opposed to merely
speculative, that the injury will be redressed by a favorable decision.
Lujan v. Defenders of Wildlife, 504 U.S. 555, 559–60 (1992) (internal citations omitted).
14
Because these elements are “not mere pleading requirements but rather an indispensable
15
part of the plaintiff's case,” Plaintiff bears the burden of proving — “with the manner and
16
degree of evidence required at the successive stages of litigation” — that he has Article
17
III standing. See id. at 561. At the pleading stage, general factual allegations of injury
18
are sufficient for standing purposes because courts, on a motion to dismiss, will
19
“presum[e] that general allegations embrace those specific facts that are necessary to
20
support the claim.” See Lujan v. Defenders of Wildlife, 497 U.S. 871, 889 (1990).
10
11
12
21
With regard to injury in fact, a plaintiff must show that he suffered “an invasion of
22
a legally protected interest” that is “concrete and particularized” and “actual or imminent,
23
not conjectural or hypothetical.” Lujan, 504 U.S. at 560 (internal citations omitted). A
24
“concrete” injury must be “de facto,” meaning, it must actually exist. Spokeo, Inc. v.
25
Robins, 136 S. Ct. 1540, 1548 (2016). The “threatened injury must be certainly
26
impending to constitute injury in fact” and “allegations of possible future injury are not
27
sufficient.” Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138, 1147 (emphasis in
28
original) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). In Clapper, the
4
3:16-cv-00014-GPC-BLM
1
Supreme Court held that respondents’ reliance on a “highly attenuated chain of
2
possibilities,” involving a “highly speculative fear” that a number of third party actors
3
would take certain actions, did not amount to the “certainly impending” injury required
4
for Article III standing. Clapper, 133 S. Ct. at 1148.
5
To prove “causation,” a plaintiff must show that the injury is fairly traceable to the
6
challenged action of the defendant, and that the injury is not the result of the independent
7
action of a third party not before the court. Lujan, 504 U.S. at 560.
8
The third and final element of standing, redressability, does not appear in the text
9
of the Constitution. Rather, it is a judicial creation of the past twenty-five years and an
10
interpretation of the “case” requirement of Article III standing. See Simon v. Eastern Ky.
11
Welfare Rights Org., 426 U.S. 26, 38, 41–46 (1976). To demonstrate redressability, a
12
plaintiff must show that the injury “is likely to be redressed by a favorable decision.” Id.
13
at 38, 41. Consequently, the Supreme Court has found that “psychic satisfaction is not an
14
acceptable Article III remedy because it does not redress a cognizable Article III injury.”
15
Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 107 (1998) (explaining that because
16
respondent sought “vindication of the rule of law” rather than “remediation of its own
17
injury” it had not established redressability because “[r]elief that does not remedy the
18
injury suffered cannot bootstrap a plaintiff into federal court; that is the very essence of
19
the redressability requirement”).
20
B. Injury in Fact
21
Injury-in-fact analysis is highly case-specific. This is particularly true in the
22
context of data breach. To determine whether or not a plaintiff was, in fact, injured by a
23
defendant’s data breach, various courts have found one or more of following factors
24
persuasive: (1) the type and volume of stolen information1; (2) the likelihood that the
25
26
27
28
1
See Krottner v. Starbucks Corp., 628 F.3d 1139, 1141–43 (9th Cir. 2010) (holding that theft of
plaintiffs’ names, addresses, and social security numbers amounted to injury in fact because acquisition
of that information exposed plaintiffs to an increased risk of future identity theft, which was a “credible
threat of real and immediate harm”).
5
3:16-cv-00014-GPC-BLM
1
information was stolen for misuse2; (3) the degree of attenuation between the theft and
2
the harm3; (4) whether the stolen information has been misused4; and (5) whether
3
unauthorized purchases were reimbursed5.
Defendant argues that the gravamen of Plaintiff’s allegations amounts to nothing
4
5
more than a “fear[ ] of hypothetical future harm,” see Clapper, 133 S. Ct. at 1151, that
6
could be inflicted by future unauthorized expenditures. A plaintiff, however, cannot
7
manufacture standing by causing harm to oneself based on “hypothetical future harm that
8
is certainly not impending.” Id.; see also In re Adobe Systems, Inc. Privacy Litig., 66 F.
9
Supp. 3d 1197, 1216 (N.D. Cal. 2014). In Clapper, the respondents’ “feared” that: “(1)
10
the Government will decide to target the communications of non-U.S. persons with
11
whom they communicate; (2) in doing so, the Government will choose to invoke its
12
authority under [Section 702] rather than utilizing another method of surveillance; (3) the
13
Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude
14
15
2
16
17
18
19
20
21
22
23
24
25
26
27
28
See In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214–15 (N.D. Cal. 2014) (concluding
that likelihood that plaintiff’s personal information would be misused was “certainly impending” given
that third-parties had targeted defendants’ servers, spent weeks collecting personal information, had
decrypted credit card numbers, and given that some stolen information had surfaced on the Internet).
3
See Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3rd Cir. 2011) (finding that plaintiffs lacked standing
because their allegations of harm were hypothetical and relied on speculation that the hacker read,
copied, and understood their personal information; that they intended to use the information to commit
future criminal acts; and that they had the capacity to make unauthorized transactions in the future).
4
See Key v. DSW, Inc., 454 F. Supp. 2d 684, 689–90 (S.D. Ohio 2006) (concluding that no injury in fact
occurred when plaintiff had alleged that unauthorized persons had obtained access to personal customer
information because the allegations amounted only to the “possibility of harm at a future date”); see also
Hinton v. Heartland Payment Sys., Inc., 2009 WL 704139, at *1 (D.N.J. Mar. 16, 2009) (sua sponte
dismissing case because plaintiff failed to assert that a third party has actually used his credit
information to either open a credit card account or otherwise secure a fraudulent benefit and because
allegations of increased risk of identity theft and fraud “amount[ed] to nothing more than mere
speculation”); Bell v. Acxiom Corp., 2006 WL 2850042, at *2 (E.D. Ark. Oct. 3, 2006) (rejecting
plaintiff's allegation of increased risk of identity theft where plaintiff had not alleged that she had
suffered anything greater than an increased risk of identity theft).
5
See Whalen v. Michael Stores Inc., 153 F. Supp. 2d 577, 580–81 (E.D.N.Y. 2015) appeal docketed,
No. 16-352 (2d Cir. Feb. 5, 2016) (finding failure to allege injury in fact because, among other things,
plaintiff had failed to allege that she suffered an unreimbursed charge); see also Hammond v. Bank of
New York Mellon Corp., 2010 WL 2643307, at *8 (S.D.N.Y. June 25, 2010) (Article III standing lacking
where unauthorized charges from misuse of personal information were reimbursed).
6
3:16-cv-00014-GPC-BLM
1
that the Government’s proposed surveillance procedures satisfy [Section 702’s] many
2
safeguards and are consistent with the Fourth Amendment; (4) the Government will
3
succeed in intercepting the communications of respondents’ contacts; and (5) respondents
4
will be parties to the particular communications that the Government intercepts.” 133
5
S. Ct. at 1148. Given the level of attenuation between this feared action and the
6
likelihood of harm, the court concluded that the future harm was too hypothetical to
7
qualify as injury in fact. Meanwhile, the instant case involves more than unrealized or
8
hypothetical actions by third parties. Here, Plaintiff’s name and credit card information
9
have been stolen and an unauthorized individual has already made charges on Plaintiff’s
10
credit card. Thus, the question before the Court is whether the theft of Plaintiff’s
11
personal identifying information (“PII”) and the subsequent unauthorized purchases
12
sufficiently establish a “concrete and particularized” harm that is “actual or imminent, not
13
conjectural or hypothetical.”
14
15
Plaintiff claims various forms of harm individually and on behalf of the class
members. They include:
16
(1) theft of their names and credit card information; (2) costs associated with the
detection and prevention of identity theft or unauthorized use of financial accounts
and credit card records; (3) lost opportunity costs and loss of productivity from
efforts to mitigate the actual and future consequences of the data theft, including
fraudulent charges, cancelling and reissuing credit cards, purchasing credit
monitoring and identity theft protection, and the stress of dealing with all issues
resulting from the data theft; (4) cost associated with the inability to use credit;
(5) future costs in terms of time, effort, and money that will be expended to prevent
and repair the impact of the data breach; (6) damages to and diminution in value of
information entrusted to Defendants for the purpose of deriving health care from
Defendants6; (7) the imminent and certainly impending injury flowing from
potential fraud and identity theft posed by the data breach; and (8) the continued
risk to their credit card information, which is subject to further breaches so long as
Defendants fail to undertake adequate measures to protect data in their possession.
17
18
19
20
21
22
23
24
25
26
27
28
6
Plaintiff has alleged this form of harm even though it is confined to cases involving medical
information under Cal. Civ. Code § 56.10 et seq. While Plaintiff references this section in identifying
common issues of fact, there are no allegations that Defendants are health care providers and that
§ 56.10 applies to them. FACC ¶¶ 38, 70.
7
3:16-cv-00014-GPC-BLM
1
FACC ¶¶ 56, 70, 74.
2
These claimed injuries can be summarized as (1) past financial costs associated
3
with detecting and preventing identity theft or unauthorized use of credit cards; (2) future
4
costs in terms of time, effort and money to prevent or repair identity theft or future
5
unauthorized use of credit cards; (3) theft of personal identifying information and; (4)
6
past loss of productivity from efforts to mitigate consequences of data theft.
7
1. Past Financial Costs
8
9
As to past financial costs, other than conclusory allegations, Plaintiff has not
specifically alleged out-of-pocket losses or monetary damages resulting from the data
10
breach due to Defendants’ negligence or “failure to maintain reasonable security
11
procedures.” See generally Cal. Civ. Code § 1798.81.5(b).7 As to fraudulent charges,
12
Plaintiff does not assert that he suffered any unreimbursed losses from the unauthorized
13
use of his credit card or that he was unable to use credit thereafter. Plaintiff merely
14
alleges that he was “exposed” to economic losses. Id. ¶¶ 26, 29. Such indirect
15
allegations do not demonstrate injury in fact. The FACC instead offers only oblique
16
references to “unauthorized purchases” and “damages” suffered by Plaintiff and the
17
putative class. See, e.g., FACC ¶¶ 1, 12, 26. But these “conclusory allegations” and
18
“general averments” are inadequate to establish standing. See Friends of the Earth, Inc.
19
v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 184 (2000) (citations omitted).
20
2. Future Harm
21
With respect to future damages and mitigating future loss in data theft cases, the
22
Ninth Circuit has identified the types of data breaches which constitute a “real and
23
immediate harm” as opposed to a merely “conjectural or hypothetical” harm. Krottner v.
24
Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). In Krottner, Plaintiffs were
25
Starbucks employees whose personal information, including names, addresses, and social
26
27
7
28
In his FACC, Plaintiff only seeks injunctive relief, declaratory relief, and attorney fees, and only
reserves a right to seek damages. FACC ¶¶ 45, 64, 72, 84.
8
3:16-cv-00014-GPC-BLM
1
security numbers were compromised as a result of the theft of a company laptop. Id. at
2
1140. The Ninth Circuit found that the Krottner plaintiffs satisfied the injury-in-fact
3
requirement because they had “alleged a credible threat [of future identity theft] of real
4
and immediate harm stemming from the theft of a laptop containing their unencrypted
5
personal data.” Id. at 1143. Thus, where sensitive personal data, such as names,
6
addresses, social security numbers, and credit card numbers are improperly disclosed or
7
disseminated into the public — thereby increasing the risk of future harm to plaintiff —
8
injury in fact has been sufficiently alleged. Id. at 1139; Doe 1 v. AOL, 719 F. Supp. 2d
9
1102, 1109–11 (N.D. Cal. 2010).
10
A similar conclusion was reached in In re Adobe, 66 F. Supp. 3d at 1214, where
11
plaintiffs alleged that “hackers deliberately targeted Adobe’s servers and spent several
12
weeks collecting names, usernames, passwords, emails addresses, phone numbers,
13
mailing addresses, credit card numbers and expiration dates.” The Adobe court
14
concluded that the risk that the plaintiffs’ personal data would be misused by the hackers
15
was “immediate and very real” because it was clear that the hackers “intend[ed] to misuse
16
the personal information stolen” and that they had the ability to do so. Id. at 1214–15.
17
Accordingly, the court concluded that Article III standing to bring a CRA claim for
18
violations of Section 1798.81.5 did exist because plaintiff had adequately alleged injury
19
in fact, causation, and redressability. Id. at 1217.
20
Here, the theft of personal information is far more limited than that in Krottner and
21
In re Adobe, and notably, does not involve the theft of social security information or the
22
theft of usernames, passwords, or emails. Plaintiff only alleges that the Starwood breach
23
jeopardized the names, addresses, billing information, and credit card numbers of the
24
members of the hotel’s chain rewards program. FACC ¶ 2. This fact is salient with
25
respect to future identity theft because the information stolen during the Starwood breach
26
is insufficient, for example, for a third party to open up a new account in Plaintiff’s name
27
or to gain access to personal accounts likely to have the information needed to open such
28
an account (e.g., a social security number). Thus, in order for the Court to conclude that
9
3:16-cv-00014-GPC-BLM
1
there is any credible, future risk of identity theft it would have to speculate as to whether
2
a third-party with only Plaintiff’s name and address could engage in wholesale identity
3
theft. What’s more, as is made clear by Plaintiff’s request to be compensated for the time
4
and money he lost in the process of cancelling his compromised credit card, see FACC ¶¶
5
70, 71, 82, the theft of Plaintiff’s credit card poses no future threat of identity theft as it is
6
no longer active. Thus, unlike in In re Adobe where it was clear that the third-party had
7
the ability to engage in future identify theft, here, the Court would have to engage in a
8
hypothetical line of reasoning in order to conclude that Plaintiff remains at risk of
9
imminent identity theft given the small amount of useful personal information that a
10
third-party potentially has at its fingertips. See Antman v. Uber Techs., Inc., 2015 WL
11
6123054, *11 (N.D. Cal. Oct. 19, 2015) (concluding that theft of plaintiff’s name and
12
driver’s license was insufficient to demonstrate injury in fact because any harm that
13
would result from such a misappropriation posed no credible risk of identity theft).
14
Accordingly, because the PII stolen was limited only to Plaintiff’s name, address, and
15
credit card information, and because the credit card has since been cancelled, the Court
16
finds that Plaintiff has not sufficiently alleged the credible threat of future identity theft
17
needed in order to plead injury in fact for his causes of action.
18
19
3. Theft of PII
Plaintiff alleges that he incurred a recognizable loss by the theft of his personal
20
identifying information. In so doing, Plaintiff claims a property right to personal
21
identifying information, but fails to identify any authority to support this proposition.
22
Without more, the Court finds that the claimed loss of PII does not constitute a concrete
23
harm sufficient for standing purposes. Cf. Lewert v. P.F. Chang's China Bistro, Inc., 819
24
F.3d 963, 968 (7th Cir. 2016) (refusing to recognize a property right to personally
25
identifiable data as a basis for standing to sue in a data breach case). Nor does the mere
26
violation of a consumer protection statute establish a “concrete” injury. See Spokeo, Inc.
27
v. Robins, 136 S. Ct. 1540, 1549–50 (2016) (“Congress’ role in identifying and elevating
28
intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact
10
3:16-cv-00014-GPC-BLM
1
requirement whenever a statute grants a person a statutory right and purports to authorize
2
that person to sue to vindicate that right.”). Thus, the Court concludes that alleging theft
3
of PII, without more, is inadequate to demonstrate a harm that qualifies as an injury in
4
fact for standing purposes.
5
4. Past Anxiety and Loss of Time to Mitigate or Avoid Harm
In this case, the FACC alleges lost time and expenses associated with “mitigat[ing]
6
7
the actual . . . consequences of the data theft.” FACC ¶¶ 70, 82. Defendants, in turn,
8
argue that the FACC does not allege any facts demonstrating that Plaintiff suffered such
9
lost time and expense. Plaintiff, however, has indicated that the alleged source of the
10
injury is the stress and costs associated with “cancelling and reissuing credit cards,” id.
11
¶ 70, and the “loss of productivity from efforts to mitigate the actual and future
12
consequences of the theft of their identifying information and credit card records,” id.
13
¶ 56.
14
The Supreme Court has observed that “concrete” for purposes of standing is not
15
necessarily synonymous with “tangible.” Spokeo, Inc., 136 S. Ct. at 1549 (“Although
16
tangible injuries are perhaps easier to recognize . . . intangible injuries can nevertheless
17
be concrete.”) Although the Ninth Circuit has not yet decided whether anxiety or lost
18
time to avoid financial loss qualifies as concrete injury, the Seventh Circuit has held that
19
the loss of time resulting from a plaintiff taking action to mitigate the misuse of a credit
20
card constitutes injury in fact. In Remijas v. Neiman Marcus Grp., LLC, the Seventh
21
Circuit concluded that the time and money class members spent on resolving fraudulent
22
charges and protecting against future identity theft was sufficient for standing purposes,
23
even if the bank ultimately repaid the charges, because the customers “suffered the
24
aggravation and loss of value of the time needed to set things straight, to reset payment
25
associations after credit card numbers are changed, and to pursue relief for unauthorized
26
charges.” 794 F.3d 688, 693–94 (7th Cir. 2015); accord Lewert, 819 F.3d at 967.
27
Likewise, other district courts in the Ninth Circuit have ruled similarly. Recently, Judge
28
Lucy Koh, relying on Lewert and Remijas, extended her ruling in In re Adobe to conclude
11
3:16-cv-00014-GPC-BLM
1
that a Plaintiff’s “us[e] [of] their own time for credit monitoring” in response to a data
2
breach was a recoverable harm. See In re Anthem, Inc. Data Breach Litig., 2016 WL
3
3029783, at *26 (N.D. Cal. May 27, 2016).
4
Here, Plaintiff has alleged that his credit card information was stolen and misused
5
and that he arranged to cancel and reissue the compromised credit card after learning that
6
his PII was misused. He further alleges that the need to mitigate his exposure to
7
fraudulent charges and potential identity theft resulted in a loss of productivity. These
8
allegations present a concrete, non-speculative harm that befell Plaintiff as a result of the
9
Starwood breach. Accordingly, to the extent Plaintiff seeks relief for the loss of time and
10
money spent to avoid losses caused by the data breach, his allegations are sufficient to
11
state an injury in fact.
12
C. Causation
13
With regards to Plaintiff’s claim arising under Section § 1798 of the California
14
Customer Records Act, FACC ¶¶ 39–47, Defendants argue that the FACC asserts no
15
factual basis for the conclusion that Defendants’ alleged delayed in notifying Starwood
16
customers of the data breach caused any harm. The Court agrees.
17
Section 1798.82 of the CRA requires businesses to “disclose a breach of the
18
security of the system following discovery or notification of the breach . . . in the most
19
expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a).
20
While Plaintiff alleges that Defendants’ “failure to provide prompt notice contributed to
21
his losses,” Plaintiff does not provide any further factual support demonstrating that
22
Defendants’ alleged violation of Section 1798.82 resulted in a cognizable injury in fact to
23
himself or other class members. See ECF No. 25 at 6–7. Reviewing the FACC and
24
Plaintiff’s Opposition to Defendant’s Motion to Dismiss, it is entirely unclear how any of
25
the injuries identified by Plaintiff have been caused or compounded by Defendants’
26
alleged failure to promptly notify Plaintiff or other class members of the Starwood
27
breach. Plaintiff also does not allege any incremental harm suffered as a result of the
28
////
12
3:16-cv-00014-GPC-BLM
1
alleged delay in notification. As such, Plaintiff has failed to allege any harm resulting
2
from Defendants’ purported delay in notifying Starwood customers of the breach.
3
This conclusion, moreover, comports with the court’s decision in In re Adobe,
4
where it concluded that plaintiffs had failed to plausibly allege that Adobe’s delay in
5
notifying customers of a 2013 data breach resulted in injury. 66 F. Supp. 3d at 1218
6
(“Plaintiffs have not alleged any injury traceable to Adobe’s alleged failure to notify
7
customers of the 2013 data breach in violation of Section 1798.82, because [p]laintiffs do
8
not allege that they suffered any incremental harm as a result of the delay”). Just as the
9
In re Adobe court concluded that Plaintiff had failed to allege injury in fact because
10
Plaintiff had not traced any injury from the delayed notification, the Court, here,
11
concludes that Plaintiff has not alleged injury in fact because he does not indicate what, if
12
any, concrete harm resulted from Defendants’ alleged failure to promptly notify
13
Starwood customers of the data breach. Accordingly, because Plaintiff has failed to trace
14
any harm from Defendants’ delayed notification or to demonstrate a nexus between the
15
alleged harm flowing from the delayed notification and Defendants’ actions, Plaintiff has
16
failed to adequately alleged causation with respect to his CRA § 1798.82 claim.
17
Defendants further argue that Plaintiff has also failed to sufficiently allege that
18
Defendants’ failure to maintain reasonable security practices, or Defendants’ alleged
19
violation of Section 1798.81.5(b) of the CRA, caused Plaintiff any injury in fact.
20
Defendants point out that the FACC does not allege that the Starwood breach — as
21
opposed to another contemporaneous data breach or other possible source of fraud —
22
actually caused the unspecified fraudulent charges that Plaintiff allegedly suffered on his
23
credit card. Yet the fact that other data breaches might have caused Plaintiff’s private
24
information to be exposed does nothing to negate Plaintiff’s standing to sue here, given
25
that Plaintiff has made a plausible showing, sufficient for pleading purposes, to
26
demonstrate that his injuries are “fairly traceable” to the Starwood breach. See Neiman
27
Marcus, 794 F.3d 688, 693–94 (7th Cir. 2015); see also In re Target Corp. Data Sec.
28
Breach Litig., 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014) (“Plaintiffs' allegations
13
3:16-cv-00014-GPC-BLM
1
plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target's conduct.
2
This is sufficient at this stage to plead standing. Should discovery fail to bear out
3
Plaintiffs' allegations, Target may move for summary judgment on the issue.”) (citations
4
omitted); Lewert, 819 F.3d at 969 (stating that “[m]erely identifying potential alternative
5
causes does not defeat standing”).
6
The Court, therefore, finds that Plaintiff has insufficiently alleged causation for
7
standing purposes as to his § 1798.82 claim and sufficiently alleged it as to his §
8
1798.81.5, UCL, right of privacy, and negligence claims.
9
D. Redressability
10
To demonstrate redressability, a plaintiff must show that the injury “is likely to be
11
redressed by a favorable decision.” Simon v. Eastern Ky. Welfare Rights Org., 426 U.S.
12
26, 38, 41 (1976). In the context of a class action suit, plaintiffs must also “allege and
13
show that they personally have been injured, not that injury has been suffered by other,
14
unidentified members of the class to which they belong and which they purport to
15
represent.” Warth v. Seldin, 422 U.S. 490, 503 (1975). Consequently, “if none of the
16
named plaintiffs purporting to represent a class establishes the requisite of a case or
17
controversy with the defendants, none may seek relief on behalf of [herself] or any other
18
member of the class.” O’Shea v. Littleton, 414 U.S. 488, 494 (1974) (citations omitted);
19
see also Bailey v. Patterson, 369 U.S. 31, 32–33 (1962); Indiana Emp’t Sec. Div. v.
20
Burney, 409 U.S. 540, 544–45 (1973).
21
1. Damages
22
A plaintiff’s injuries cannot be redressed by a judicial decision to the extent that
23
they have already been reimbursed for fraudulent charges. However, while this may be
24
true for the fraudulent charges, it is not necessarily true for the mitigation expenses or the
25
future injuries. Remijas, 794 F.3d at 697; Lewert, 819 F.3d at 969 (in establishing
26
redressability, all class members should have the chance to show that they spent time and
27
resources tracking down the possible fraud, changing automatic charges, and replacing
28
cards as a prophylactic measure).
14
3:16-cv-00014-GPC-BLM
1
Here, the Court has concluded that Plaintiff’s allegations that he lost time and
2
money in the process of mitigating financial losses caused by the Starwood breach are
3
sufficient to state an injury in fact. Because Plaintiff has not been reimbursed in any way
4
for that expenditure of time and money, the Court concludes that the injury is redressible
5
by judicial decision and, thus, is sufficient to allege the final element of Article III
6
standing as to Plaintiff’s request for damages.
7
2. Injunctive Relief
8
9
Plaintiff must demonstrate standing for each form of relief he seeks. See Friends
of the Earth, Inc., 528 U.S. at 185. Plaintiff, thus, bears the burden of showing that he
10
“personally would benefit in a tangible way” from the prospective injunctive and
11
declaratory relief he requests. Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 103
12
n.5 (1998). Furthermore, where a named plaintiff seeks injunctive relief, the plaintiff
13
must demonstrate that he or she — and any other proposed class members — are
14
“realistically threatened by a repetition of the violation.” Gest v. Bradbury, 443 F.3d
15
1177, 1181 (9th Cir. 2006) (citing Armstrong v. Davis, 275 F.3d 849, 860–61 (9th Cir.
16
2001)); see also City of Los Angeles v. Lyons, 461 U.S. 95, 109 (1983) (“If Lyons has
17
made no showing that he is realistically threatened by a repetition of his experience . . .
18
he has not met the requirements for seeking an injunction in a federal court.”); DeFunis v.
19
Odegaard, 416 U.S. 312, 319 (1974) (explaining that the named plaintiff must make a
20
reasonable showing that he will again be subjected to the alleged illegality).
21
In the instant case, Plaintiff fails to establish “redressability” as to the request for
22
injunctive relief because Plaintiff does not sufficiently allege that he is “realistically
23
threated by a repetition of his experience” that is “likely to be redressed by a favorable
24
decision” by this Court. Simon, 426 U.S. at 38, 41. Plaintiff contends that the relief he
25
seeks via an injunction is obtainable because of his “fear of on-going data breaches” and
26
“inten[t] to continue as a customer if his data can be adequately protected.” ECF No. 25
27
at 4. However, as Defendants point out, “an order requiring Defendants to enhance their
28
cybersecurity in the future (or an equivalent declaratory judgment) will not provide any
15
3:16-cv-00014-GPC-BLM
1
relief for past injuries or injuries incurred in the future because of a data breach that has
2
already occurred.” ECF No. 22 at 12. The Court agrees with Defendants in this regard.
3
If the Court were to issue injunctive relief based on Defendants’ alleged past violations of
4
§ 1798.81.5(b) and § 1798.82 of the CRA, the relief afforded would be mostly “psychic
5
satisfaction.” See Steel Co., 523 U.S. at 107 (“psychic satisfaction is not an acceptable
6
Article III remedy because it does not redress a cognizable Article III injury”).
7
Accordingly, the Court concludes that Plaintiff has failed to establish redressability as to
8
his request for injunctive relief.
9
To conclude: in view of the foregoing analysis of the standing factors, the Court
10
GRANTS Defendants’ Rule 12(b)(1) motion to dismiss as to Plaintiff’s § 1798.82 CRA
11
claim and Plaintiff’s request for injunctive relief and DENIES Defendants’ 12(b)(1)
12
motion to dismiss as to Plaintiff’s § 1798.81.5, UCL, negligence, and invasion of privacy
13
causes of action.
14
II. FAILURE TO STATE A CLAIM
15
A. Legal Standard
16
A motion to dismiss under Rule 12(b)(6) tests the sufficiency of a complaint.
17
Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). Dismissal is warranted where the
18
complaint lacks a cognizable legal theory. Robertson v. Dean Witter Reynolds, Inc., 749
19
F.2d 530, 534 (9th Cir. 1984); see Neitzke v. Williams, 490 U.S. 319, 326 (1989) (“Rule
20
12(b)(6) authorizes a court to dismiss a claim on the basis of a dispositive issue of law.”).
21
Alternatively, a complaint may be dismissed where it presents a cognizable legal theory
22
yet fails to plead essential facts under that theory. Robertson, 749 F.2d at 534. While a
23
plaintiff need not give “detailed factual allegations,” a plaintiff must plead sufficient facts
24
that, if true, “raise a right to relief above the speculative level.” Bell Atlantic Corp. v.
25
Twombly, 550 U.S. 544, 545 (2007).
26
“To survive a motion to dismiss, a complaint must contain sufficient factual
27
matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft
28
v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 547). A claim is
16
3:16-cv-00014-GPC-BLM
1
facially plausible when the factual allegations permit “the court to draw the reasonable
2
inference that the defendant is liable for the misconduct alleged.” Id. In other words,
3
“the non-conclusory ‘factual content,’ and reasonable inferences from that content, must
4
be plausibly suggestive of a claim entitling the plaintiff to relief.” Moss v. U.S. Secret
5
Serv., 572 F.3d 962, 969 (9th Cir. 2009).
6
“Determining whether a complaint states a plausible claim for relief will . . . be a
7
context-specific task that requires the reviewing court to draw on its judicial experience
8
and common sense.” Iqbal, 556 U.S. at 679. In reviewing a motion to dismiss under
9
Rule 12(b)(6), a court must assume the truth of all factual allegations and must construe
10
all inferences from them in the light most favorable to the nonmoving party. Thompson
11
v. Davis, 295 F.3d 890, 895 (9th Cir. 2002); Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336,
12
337–38 (9th Cir. 1996). Legal conclusions, on the other hand, need not be taken as true
13
merely because they are cast in the form of factual allegations. Ileto v. Glock, Inc., 349
14
F.3d 1191, 1200 (9th Cir. 2003); Western Mining Council v. Watt, 643 F.2d 618, 624 (9th
15
Cir. 1981). When ruling on a motion to dismiss, a court may consider the facts alleged in
16
the complaint, documents attached to the complaint, documents relied upon but not
17
attached to the complaint when authenticity is not contested, and matters of which the
18
court takes judicial notice. Lee v. City of Los Angeles, 250 F.3d 668, 688–89 (9th Cir.
19
2001).
20
Where a motion to dismiss is granted, “leave to amend should be granted ‘unless
21
the court determines that the allegation of other facts consistent with the challenged
22
pleading could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc.,
23
957 F.2d 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture
24
Co., 806 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would
25
be futile, a court may deny leave to amend. See DeSoto, 957 F.2d at 658.
26
A holding that a plaintiff has pled an injury in fact for purposes of Article III
27
standing does not establish that he adequately pled his cause of action. See Doe v. Chao,
28
17
3:16-cv-00014-GPC-BLM
1
540 U.S. 614, 624–25 (2004) (explaining that an individual may suffer Article III injury
2
and yet fail to plead a proper cause of action.)
3
4
B. Analysis
1.
California Customer Records Act
5
CRA Section 1798.81.5(b) states:
6
A business that owns, licenses, or maintains personal information about a
California resident shall implement and maintain reasonable security procedures
and practices appropriate to the nature of the information, to protect the personal
information from unauthorized access, destruction, use, modification, or
disclosure.
7
8
9
10
11
12
13
14
15
16
17
Cal. Civ. Code § 1798.81.5(b). CRA Section 1798.82, in relevant part, states:
A person or business that conducts business in California, and that owns or
licenses computerized data that includes personal information, shall disclose a
breach of the security of the system following discovery or notification of the
breach in the security of the data to a resident of California whose unencrypted
personal information was, or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made in the most expedient time
possible and without unreasonable delay, consistent with the legitimate needs of
law enforcement . . . or any measures necessary to determine the scope of the
breach and restore the reasonable integrity of the data system.
18
Id. § 1798.82(a).
Plaintiff alleges that Defendants violated the California CRA in two ways: (1) by
19
failing to “implement and maintain reasonable security procedures,” see FACC ¶ 43, and
20
(2) by failing to notify affected customers in a timely manner, see id. ¶ 44.
21
As an initial matter, proof of damages is a threshold hurdle for both CRA causes of
22
action. See Cal. Civ. Code § 1798.84(b) (permitting suit by “[a]ny customer injured by a
23
violation of [the CRA]”) (emphasis added). As concluded above, Plaintiff has failed to
24
allege any injury proximately caused by any violation of § 1798.82(a). Accordingly,
25
Plaintiff has failed to state a cause of action under § 1798.82. Thus, only Plaintiff’s
26
§ 1798.81.5 claim remains. However, that Plaintiff has pled an injury in fact for purposes
27
of Article III standing as to the § 1798.81.5 claim does not establish that he has
28
adequately pled damages for the cause of action. See Doe v. Chao, 540 U.S. at 624–25.
18
3:16-cv-00014-GPC-BLM
1
Plaintiff, therefore, must have sufficiently alleged that he was injured by a violation of
2
the CRA in order for the cause of action to survive the motion to dismiss.8
3
Defendants argue that Plaintiff has failed to allege sufficient facts demonstrating
4
that Defendants failed to maintain reasonable cybersecurity practices as required by
5
§ 1798.81.5. ECF 22-1 at 23. More specifically, Defendants assert that the FACC,
6
primarily, only offers legal conclusions and hyperbole in support of the claim. See, e.g.,
7
FACC ¶ 6 (“Instead of installing proper safeguards, Starwood essentially invited the
8
information to be stolen, exposing highly valuable and private information of its
9
customers.”). While it is true that Plaintiff’s FACC is short on specifics, one allegation
10
that does gives some indication of how Defendants’ cybersecurity was supposedly
11
insufficient states that “Starwood, among other things, failed to ‘appropriately encrypt
12
customers’ data in its possession.” Id. ¶¶ 6, 28. Plaintiff separately suggests that
13
Defendants’ “security systems and protocols” should have been designed, implemented,
14
maintained, and tested “consistent with industry standards and requirements.” Id. ¶ 66.
15
The Court finds that Plaintiff has sufficiently alleged, at the pleading stage, a legal
16
duty and a corresponding breach as to inadequate security measures. See In re Sony
17
Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D.
18
Cal. 2014) (holding that plaintiffs had adequately alleged breach of duty to provide
19
reasonable security by pleading that they gave personal information to Sony as part of
20
commercial transaction, and that Sony failed to employ reasonable security measures to
21
protect the information, including failing to use industry-standard encryption); see also
22
Witriol v. LexisNexis Grp., 2006 WL 4725713, at *7–8 (N.D. Cal. Feb. 10, 2006)
23
(denying defendants’ motion to dismiss negligence claim based on failure to protect
24
security and confidentiality of consumer information because plaintiff had sufficiently
25
26
Neither party has addressed whether “injury” under § 1798.84(b) extends to non-monetary forms of
loss. Without further briefing on this question, the Court will not sua sponte address the issue or rely on
it in considering the motion to dismiss.
8
27
28
19
3:16-cv-00014-GPC-BLM
1
alleged a corresponding duty owed to plaintiffs). Because Plaintiff alleges that he
2
provided his PII to Defendants as part of a commercial transaction, and that Defendants
3
failed to employ reasonable security measures to protect such PII, such as the utilization
4
of industry-standard encryption, the Court finds that Plaintiff has sufficiently alleged a
5
legal duty and a corresponding breach at this stage.
6
For the foregoing reasons, the Court finds that Plaintiff has plausibly alleged a
7
cause of action based upon the lack of reasonable security procedures under § 1798.81.5,
8
and failed to allege a cause of action for failure to notify customers in a timely fashion
9
under § 1798.82(a). Thus, the Court GRANTS Defendants’ motion to dismiss the
10
§ 1798.82(a) claim without prejudice and DENIES Defendant’s motion to dismiss the
11
§ 1798.81.5 claim.
12
13
2.
California Unfair Competition Law
California's Unfair Competition Law (“UCL”) provides a cause of action for
14
business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof.
15
Code § 17200, et seq. Plaintiff alleges that Defendants’ acts and practices violating
16
§ 1798.90, et seq., of the CRA constitute unlawful and unfair business practices. See
17
generally FACC ¶¶ 48–55.
18
In order for Plaintiff to sue Defendants for unlawful and unfair business practices,
19
Plaintiff must also demonstrate that it has UCL-specific standing. In order to establish
20
standing under the UCL, a plaintiff’s claim must specifically involve lost money or
21
property. See Kwikset Corp. v. Superior Court, 246 P.3d 877, 886 (Cal. 2011); Troyk v.
22
Farmers Group, Inc., 171 Cal. App. 4th 1305, 1348 n.31 (Cal. Ct. App. 2009) (“[The]
23
UCL’s standing requirements appear to be more stringent than the federal standing
24
requirements. . . . Proposition 64 . . . added a requirement that a UCL plaintiff’s ‘injury in
25
fact’ specifically involve ‘lost money or property.’ (Cal. Bus. & Prof. Code, § 17204)”);
26
Ehret v. Uber Techs., Inc., 68 F. Supp. 3d 1121, 1132 (N.D. Cal. 2014) (“Whereas a
27
////
28
////
20
3:16-cv-00014-GPC-BLM
1
federal plaintiff's injury in fact may be intangible and need not involve lost money or
2
property, . . . a UCL plaintiff's injury in fact [must] specifically involve lost money or
3
property.”) (internal quotation marks omitted).
4
Here, Plaintiff has alleged that unauthorized charges were made on his credit card,
5
that he will incur damages to monitor identity theft, and that he has spent time responding
6
to the unauthorized charges on his credit card. As discussed above in the Standing
7
section, none of these allegations demonstrate that Plaintiff has suffered a loss of money
8
or property. In addition, as stated above, Plaintiff has, moreover, failed to establish that
9
the loss of his PII constitutes a form of property that could qualify as property under the
10
11
12
UCL.
Thus, the Court GRANTS Defendant’s motion to dismiss Plaintiff’s second cause
of action for violation of California’s UCL without prejudice.
13
3.
Invasion of Privacy
14
Under California law, to adequately state a claim for invasion of privacy, a plaintiff
15
must demonstrate three elements: (1) a legally protected privacy interest; (2) a reasonable
16
expectation of privacy under the circumstances; and (3) a serious invasion of the privacy
17
interest. See, e.g., Hill v. Nat’l Collegiate Athletic Ass’n, 865 P.2d 633, 654–55 (Cal.
18
1994).
19
Plaintiff’s FACC does not allege sufficient facts to plead an invasion of a legally
20
protected privacy interest, see generally FACC ¶¶ 58–64, and Plaintiff’s legal
21
conclusions that “Defendants are guilty of oppression, fraud, or malice by permitting
22
unauthorized disclosure of Plaintiff’s [] personal credit card information with a willful
23
and conscious disregard of Plaintiff’s [] right to privacy” do not sufficiently demonstrate
24
a “serious invasion of privacy,” see id. ¶ 63. Plaintiff fails, for example, to allege any
25
facts that would suggest that the data breach was an intentional violation of Plaintiff’s
26
and other class members’ privacy, as opposed to merely a negligent one. See In re
27
iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (citing Ruiz v.
28
Gap, Inc., 540 F. Supp. 2d 1121, 1127–28 (N.D. Cal. 2008), aff’d, 380 F. App’x 689 (9th
21
3:16-cv-00014-GPC-BLM
1
Cir. 2010) (stating that “[e]ven negligent conduct that leads to theft of highly personal
2
information, including social security numbers, does not ‘approach [the] standard’ of
3
actionable conduct under the California Constitution and thus does not constitute a
4
violation of Plaintiffs’ right to privacy”).
5
6
7
8
Thus, the Court GRANTS Defendant’s motion to dismiss Plaintiff’s third cause of
action for invasion of privacy without prejudice.
4.
Negligence
Plaintiff alleges that Defendants did not “take adequate security measures to
9
protect the information they obtained,” FACC ¶ 21; see also ECF No. 25 at 7, and that
10
Defendants owed a duty to Plaintiff and class members “to exercise reasonable care in
11
. . . securing, safeguarding, and protecting . . . personal information,” FACC ¶ 66, and to
12
“timely disclose any incidents of data breaches,” id. ¶ 68. As a result of Defendants’
13
alleged breach of these duties, Plaintiff alleges numerous injuries suffered by Plaintiff
14
and class members, including theft of their credit card information, costs associated with
15
prevention of identity theft, and costs associated with time spent and loss of productivity,
16
among other injuries. See id. ¶ 70.
17
Generally speaking, in actions for negligence, liability is limited to damages for
18
physical injuries and recovery of economic loss is not allowed. See Aas v. Superior
19
Court of San Diego Cty., 24 Cal. 4th 627, 636 (Cal. 2000) (citing Seely v. White Motor
20
Co., 63 Cal. 2d 9, 23 (Cal. 1965)); cf. Krottner v. Starbucks Corp., 406 F. App'x 129, 131
21
(9th Cir. 2010) (no cognizable injury on negligence claim where no loss related to an
22
attempt to open a bank account was alleged and plaintiff waived any argument that his
23
alleged anxiety constituted an actionable injury). In the absence of (1) personal injury,
24
(2) physical damage to property, (3) a special relationship existing between the parties, or
25
(4) some other common law exception to the rule, recovery of purely economic loss is
26
foreclosed. See Kalitta Air, LLC v. Cent Tex. Airborne Sys., Inc., 315 F. App’x 603, 605
27
(9th Cir. 2008) (quoting J'Aire Corp. v. Gregory, 598 P.2d 60, 63–65 (Cal. 1979)). Here,
28
Plaintiff alleges nothing more than pure economic loss. Plaintiff alleges no personal
22
3:16-cv-00014-GPC-BLM
1
injury or physical damage to his property, and puts forth no facts to demonstrate that a
2
special relationship existed between him and Defendants. See FACC ¶ 29.
3
4
5
6
Thus, the Court GRANTS Defendant’s motion to dismiss Plaintiff’s fourth cause
of action for negligence without prejudice.
5.
Negligence Per Se
In California, negligence per se is “a presumption of negligence [that] arises from
7
the violation of a statute which was enacted to protect a class of persons of which the
8
plaintiff is a member against the type of harm which the plaintiff suffered as a result of
9
the violation of the statute.” See, e.g., Hoff v. Vacaville Unified Sch. Dist., 19 Cal. 4th
10
925, 938 (Cal. 1998) (citations omitted). Accordingly, negligence per se is simply a
11
codified evidentiary doctrine and does not per se establish tort liability. Quiroz v.
12
Seventh Ave. Ctr., 140 Cal. App. 4th 1256, 1284–85 (Cal. Ct. App. 2006). Stated
13
differently, negligence per se does not state an independent cause of action because “[t]he
14
doctrine does not provide a private right of action for violation of a statute.” People of
15
California v. Kinder Morgan Energy Partners, L.P., 569 F. Supp. 2d 1073, 1087 (S.D.
16
Cal. 2008) (quoting Quiroz, 140 Cal. App. 4th at 1285.)
17
18
Thus, the Court GRANTS Defendant’s motion to dismiss Plaintiff’s fifth cause of
action for negligence per se with prejudice.
19
CONCLUSION
20
For the foregoing reasons, IT IS HEREBY ORDERED that:
21
1. Defendants’ Motion to Dismiss, (ECF. No. 22), be GRANTED in part and
22
23
DENIED in part.
2. Federal Rule of Civil Procedure 15 provides that courts should freely grant
24
leave to amend “when justice so requires.” Accordingly, the Court GRANTS
25
Plaintiff twenty (20) days from the issuance of this Order to file a Second
26
Amended Complaint that addresses the pleading deficiencies noted above.
27
Failure to meet the twenty-day deadline to file an amended complaint or failure
28
to cure the deficiencies identified in this Order will result in a dismissal with
23
3:16-cv-00014-GPC-BLM
1
prejudice. Plaintiffs may not add new causes of actions or parties without leave
2
of the Court or stipulation of the parties pursuant to Rule 15.
3
IT IS SO ORDERED.
4
5
Dated: November 3, 2016
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
24
3:16-cv-00014-GPC-BLM
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?