From Casetext: Smarter Legal Research

Flores-Mendez v. Zoosk, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
Jan 30, 2021
No. C 20-04929 WHA (N.D. Cal. Jan. 30, 2021)

Summary

finding causation allegations sufficient to survive a motion to dismiss when the complaint alleged a data breach occurred and additional information about security system was likely held by the defendant

Summary of this case from In re Am. Cal. Unemployment Benefits Litig.

Opinion

No. C 20-04929 WHA

01-30-2021

JUAN FLORES-MENDEZ and AMBER COLLINS Plaintiffs, v. ZOOSK, INC. and SPARK NETWORKS, SE, Defendants.


ORDER RE MOTIONS TO DISMISS AND REQUEST FOR DISCOVERY

INTRODUCTION

In this putative class action by data-breach victims, defendants move to dismiss for failure to state a claim on which relief can be granted. Additionally, a Germany-based defendant moves to dismiss for lack of personal jurisdiction. For the following reasons, the motions are GRANTED IN PART AND DENIED IN PART.

STATEMENT

According to the first amended complaint, defendant Zoosk, Inc., runs a free dating platform. Spark Networks, SE, is Zoosk's parent company; Spark acquired it in 2019. Upon sign-up for Zoosk's dating site, singles must enter personal information. The complaint defines personal information as a limited universe of financial, email, identity, address, birthdate, and similar information. Zoosk is allegedly free of charge to use, but users can opt to pay for additional features. Plaintiffs, California residents, used defendant Zoosk's online matchmaking platform during the relevant period. Plaintiff Juan Flores-Mendez joined the dating platform in "2015 or 2016" and his membership was active in early 2020 when the events giving rise to this suit occurred. Per the amended complaint, Flores-Mendez disclosed his personal information to Zoosk when he joined the platform. Amber Collins similarly joined "in or about 2016," shared personal information to set up a profile, and remained active through early 2020. No other facts differentiate plaintiffs' claims.

Parties agree that Zoosk maintains its headquarters in San Francisco. Spark maintains its principal business office in Berlin. The amended complaint alleges personal jurisdiction over both defendants because of their "continuous and systematic contacts with" California, because they "conduct substantial business in" California, and because the events arise out of "[d]efendants' connection with the District" (Amd. Compl. ¶¶ 2, 3, 18, 19, 23, 32, 33, 35).

In addition, the amended complaint states that Spark maintains an office in California. A declaration by Spark's general counsel, Gitte Bendzulla, declares that Spark does not operate offices in California; instead, Spark's contacts with the district are limited to secondary ones through its subsidiaries. The subsidiaries allegedly include other dating applications operating in the state. Spark declares that one of these (not Spark) runs an office in the state and that its own contact with California is limited to revenue collection and serving residents via subsidiary dating platforms. The subsidiaries serve residents of California at a rate roughly proportional by population to residents of other states. Spark denies targeting ads to California. The complaint alleges that Spark "owned and operated" Zoosk before, during, and after the period of the breach. It alleges that Spark's other dating-site subsidiaries share a "common database" with Zoosk under Spark's umbrella. Spark responds that it does not provide the centralized services. It states that another of its subsidiaries provides centralized marketing to all other subsidiary dating applications (Bendzulla Decl. ¶¶ 4-17, Amd. Compl ¶¶ 2, 3, 18, 19, 23, 32, 33, 35).

In early 2020, according to the amended complaint, hackers styling themselves "ShinyHunters," plundered data from 30 million Zoosk users. Defendant Zoosk allegedly learned of this in May 2020. It sent notices to its users allegedly 22 days after learning of the breach. Both plaintiffs purportedly received notices of the hack at the end of May or beginning of June 2020. The amended complaint explains that Zoosk, at present, claims to use multi-factor authentication and other security features thus rendering its systems safe, but the complaint in its request for a declaratory judgment calls this "unverified" (Amd. Compl. ¶¶ 7, 13, 14, 80, 95).

After defendants filed initial motions to dismiss, plaintiffs filed the first amended complaint in October 2020. The instant motions to dismiss, accompanied by declarations and extraneous documents supplementing the issue of personal jurisdiction, followed. This order follows full briefing and oral argument (telephonic due to COVID-19).

ANALYSIS

1. PERSONAL JURISDICTION.

Defendant Spark challenges personal jurisdiction under Rule 12(b)(2). Zoosk does not. The basic dispute relates to Spark's connections to personal jurisdiction and Spark's degree of control over Zoosk.

It seems undisputed that the headquarters for Spark lies in Germany. Parties present conflicting information (all either declared or supported by affidavit) about whether Spark had a physical presence in the district during the relevant period. The amended complaint contains allegations suggesting additional connections between Spark and California, through Spark's "operation" of Zoosk and targeting of the California market. Spark's sworn declaration articulates the substantial separation between the companies, rebutting the notion that Spark ran Zoosk.

Plaintiffs attempt to rebut Spark's representations through other extraneous documents. For example, in September 30, 2019, open letter to shareholders, Spark disclosed that it was "integrat[ing] efforts at Zoosk," "consolidate[ing] our marketing teams and technology efforts," and allowing [them] to reduce "shed more than two-thirds of the San Francisco headcount by year end" (Grombacher Decl. Exh. E at 2). In its investor presentation in fall 2020, Spark disclosed that the "Zoosk acquisition has provided strong marketing synergies resulting in numerous cost-saving initiatives" and that a goal for 2020 was the, "the timing of the integration of the Zoosk technology function" (Grombacher Decl. Exh. D at 2). Spark has contested this representation, declaring that the quoted San Francisco office belonged to a different subsidiary, not Spark itself, that that "Spark Network" refers to Spark's web of subsidiaries, not Spark the parent company, and that one of its subsidiaries runs all centralized services (See also Bendzulla Decl. ¶¶ 4-17, Amd. Compl. ¶¶ 2, 3, 18, 19, 23, 32, 33, 35).

Discovery is warranted to resolve these disputes. Defendants must cooperate with expedited discovery on pain of adverse inferences. Plaintiffs will be allowed discovery on the issue of jurisdiction (both specific and general), including with respect to their alter-ego theory. Plaintiffs may take up to three depositions of seven hours each and may have up to 12 narrowly-drawn and reasonable document requests. Plaintiffs will have until APRIL 1, 2021, AT NOON to complete this discovery and submit a supplemental brief. Defendants will have seven days from the date of the supplemental brief to respond.

2. RULE 12(b)(6).

To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). A claim is facially plausible when there are sufficient factual allegations to draw a reasonable inference that defendants are liable for the misconduct alleged. While a court must take all of the factual allegations in the complaint as true, it is "not bound to accept as true a legal conclusion couched as a factual allegation." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007).

A. NEGLIGENCE.

To state a claim for negligence in California, a plaintiff must establish a duty, a breach of duty, proximate cause, and damages. See Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009).

Both parties devote considerable time to the question of a "special relationship" between plaintiffs and Zoosk, which is necessary to overcome California's economic loss doctrine. The "special relationship" allows for recovery of purely economic losses despite the general rule that such pure losses are not recoverable in tort. Seely v. White Motor Co., 63 Cal. 2d 9, 16-17 (1965). Put simply, "the economic loss rule prevent[s] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004) (quotation marks omitted). The rule serves to "limit liability in commercial activities that negligently or inadvertently go awry." Id. at 991 n.7.

Defendants argue that the economic loss rule bars plaintiffs' negligence claim under the "duty" prong: "Because the [first amended complaint] does not adequately plead a special relationship between Zoosk and its users, Plaintiffs cannot establish that Zoosk owed them a duty to protect their information" (Mot. at 5). Defendants either misread or misrepresent the law on point. The "special relationship" question only emerges with respect to the economic loss doctrine, and all of defendants' cited cases say as much. See Kalitta Air, L.L.C. v. Cent. Texas Airborne Sys., Inc., 315 F. App'x 603, 605 (9th Cir. 2008), quoting J'Aire Corp. v. Gregory, 24 Cal.3d 799, 804 (1979) (discussing the exceptions to the general prohibition in tort on pure economic recovery); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014), order corrected, No. 11MD2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014) (Judge Anthony J. Battaglia) (finding a duty of care but no special relationship that overcame the economic loss doctrine).

Nevertheless, to the extent that Zoosk argues that the economic loss rule bars plaintiffs' negligence claim, this order considers it. Generally, purely economic losses are not recoverable in tort. See Seely v. White Motor Co., 63 Cal. 2d 9, 16-17 (1965). Put simply, "the economic loss rule prevent[s] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004) (internal quotation omitted). The rule serves to "limit liability in commercial activities that negligently or inadvertently go awry." Id. at 991 n.7. If plaintiffs' harms were purely economic, this order would be required to reach the question of whether any exception, such as a "special relationship," exists. J'Aire Corp., supra, 24 Cal.3d at 804 (six-factor test for special relationship that can overcome the economic loss doctrine). No need.

Plaintiffs allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and so do not allege pure economic loss. In Dugas v. Starwood Hotels & Resorts Worldwide, Inc., Case No.: 3:16-cv-00014-GPC-BLM, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016) (Judge Gonzalo P. Curiel), a district court did find that the economic loss doctrine barred a negligence claim. The victims of a data breach had alleged costs related to breached credit card information. A subsequent decision is more analogous to our facts. Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353 JM (LL), 2020 WL 6799437, at *7 (S.D. Cal. Nov. 19, 2020) (Judge Jeffrey T. Miller), held that data breach plaintiffs did not plead an economic injury because the loss was not based upon "the 'costs' of their lost time and lost productivity." See also In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-CV-2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (Judge Marilyn L. Huff). Plaintiffs allege they lost time responding to the breach and suffered from increased anxiety. They do not allege purely economic losses and the economic loss rule therefore does not apply.

This order returns now to the elements of a negligence claim.

First, plaintiffs Flores-Mendez and Collins have plausibly pled a duty of care. A dating app contains sensitive information about sexual preferences, which means that a hack and subsequent use of the private information could plausibly lead to blackmail and embarrassment. From an incentives standpoint, to hold that Zoosk has no duty of care would suggest that companies may profit off users' data while cutting corners on privacy. As such, the duty of care is adequately alleged.

Second, virtually all of the details that defendants insist on are in possession of the defendants, and not in possession of plaintiff. It is unreasonable for defendant to insist that the details be laid out in the initial complaint. The common law doctrine of res ipsa loquitur has some application here. The consuming public has come to believe that the internet companies, which take in their private information, have taken adequate security steps to protect the security of that information from any and all hackers or interventions. The ordinary consumer, however, has no clue what internet companies' security steps are. There would be no way for users to know what security steps were actually in place. Therefore, when a breach occurs, the thing speaks for itself. The breach would not have occurred but for inadequate security measures, or so it can be reasonably inferred at the pleadings stage.

Third, proximate cause is plain.

Fourth, plaintiffs adequately allege damages in the form of a heightened risk of future identity theft, loss of privacy with respect to highly sensitive information, loss of time, and risk of embarrassment. This is surely enough to justify our plaintiffs taking discovery from Zoosk to determine exactly what security measures were in place and how the breach occurred.

3. SECTION 17200.

To establish the right to sue under Section 17200, plaintiffs must show that they personally lost money or property "as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330 (2011).

So far, plaintiffs have alleged a loss of privacy, heightened risk of future identity theft, loss of time, and anxiety. They do not, for example, allege that they had to buy credit-monitoring services, nor do they adequately allege the value of their time in terms of opportunity cost.

Plaintiffs have not alleged a right to sue under Section 17200.

4. DECLARATORY JUDGMENT.

Plaintiffs seek a declaratory judgment that Zoos's existing security measures do not comply with its obligations to provide adequate security and duties of care to plaintiffs' personal identifiable information. A dispute exists as to what, if any, continued risk plaintiffs and similarly-situated Zoosk users face. Dismissal of the declaratory judgment relief would be premature here.

5. CALIFORNIA CONSUMER PRIVACY ACT.

Plaintiffs have agreed to dismiss their CCPA claim without prejudice. The Rule 12(b)(6) motion with respect to this claim is DENIED AS MOOT.

Plaintiffs may have leave to amend with respect to all claims above.

CONCLUSION

For the foregoing reasons, defendant Spark's Rule 12(b)(2) motion to dismiss the amended complaint is HELD IN ABEYANCE. Plaintiffs' request for discovery on personal jurisdiction as to defendant Spark is GRANTED. Defendant Zoosk's motion to dismiss is DENIED IN PART AND GRANTED IN PART. The motion for a declaratory judgment is DENIED.

IT IS SO ORDERED. Dated: January 30, 2021.

/s/_________

WILLIAM ALSUP

UNITED STATES DISTRICT JUDGE


Summaries of

Flores-Mendez v. Zoosk, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
Jan 30, 2021
No. C 20-04929 WHA (N.D. Cal. Jan. 30, 2021)

finding causation allegations sufficient to survive a motion to dismiss when the complaint alleged a data breach occurred and additional information about security system was likely held by the defendant

Summary of this case from In re Am. Cal. Unemployment Benefits Litig.
Case details for

Flores-Mendez v. Zoosk, Inc.

Case Details

Full title:JUAN FLORES-MENDEZ and AMBER COLLINS Plaintiffs, v. ZOOSK, INC. and SPARK…

Court:UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

Date published: Jan 30, 2021

Citations

No. C 20-04929 WHA (N.D. Cal. Jan. 30, 2021)

Citing Cases

Smallman v. MGM Resorts Int'l

In the data breach context, courts within the Ninth Circuit have found that an individual's loss of control…

Schmitt v. SN Servicing Corp.

The breach would not have occurred but for inadequate security measures, or so it can be reasonably inferred…