Summary
holding benefit-of-the-bargain losses "sufficient to confer ... statutory standing under the UCL."
Summary of this case from Smallman v. MGM Resorts Int'lOpinion
Case No.: 5:12-CV-03088-EJD
03-28-2014
ORDER GRANTING IN PART AND
DENYING IN PART DEFENDANT'S
MOTION TO DISMISS
[Re: Docket No. 81]
Plaintiff Khalilah Wright ("Wright" or "Plaintiff") brings this putative class action against Defendant LinkedIn Corporation ("Defendant" or "LinkedIn"). Presently before the Court is Linkedln's Motion to Dismiss Plaintiffs Second Amended Consolidated Complaint ("SAC"). The Court has fully reviewed the parties' submissions and heard oral arguments of counsel presented at the hearing on November 22, 2013. For the reasons explained below, the Court has determined that Linkedln's Motion will be GRANTED IN PART and DENIED IN PART.
I. BACKGROUND
The following facts are taken from Plaintiff's SAC. LinkedIn owns and operates the website www.LinkedIn.com, which provides an online community for professional networking.
Prospective members may sign up for a membership by providing a valid email address and registration password, which LinkedIn stores on its database. Once registered, a member may create a free online professional profile containing such information as employment and educational history.
When members register, they are required to confirm that they agree to LinkedIn's User Agreement ("User Agreement") and Privacy Policy ("Privacy Policy"). The Privacy Policy contains a statement that "[a]ll information that you provide will be protected with industry standard protocols and technology."
For a monthly fee, members can upgrade to a paid "premium" subscription which grants them increased networking tools and capabilities. Members who purchase a premium subscription agree to the same terms and services of the User Agreement and Privacy Policy as if they were non-paying members.
Plaintiff alleges that sometime in 2012 hackers infiltrated LinkedIn's computer systems and services. On June 6, 2012, the hackers posted approximately 6.5 million stolen LinkedIn users' passwords on the Internet. On or around June 9, 2012, LinkedIn released a statement on its blog stating that it had recently completed a switch of its password encryption method from a system that stored member passwords in a hashed format to one that used both salted and hashed passwords for increased security.
According to the SAC, "salting" is an encryption process that protects information by concatenating a plaintext password with a series of randomly generated characters prior to hashing.
According to the SAC, "hashing" is an encryption process that protects information by by applying a one-way function or algorithm to it. Hash functions are designed to reveal no information about the underlying input and are designed such that minor changes in inputs will result in major changes to outputs.
Plaintiff alleges that she paid for a premium subscription from March 2010 until approximately August 2010. She alleges that her LinkedIn password was retrieved by the hackers and posted on the Internet on June 6, 2012. She alleges that, prior to her purchase of the premium subscription, she read LinkedIn's User Agreement and Privacy Policy and that, had LinkedIn disclosed its lax security practices, she would have viewed the premium subscription as less valuable and would either have attempted to purchase a premium subscription at a lower price or not at all.
II. LEGAL STANDARDS
a. Motion to dismiss under Rule 12(b)(1)
A Rule 12(b)(1) motion to dismiss tests whether a complaint alleges grounds for federal subject matter jurisdiction. If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 101-02 (1998).
A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). Where the attack is facial, the court determines whether the allegations contained in the complaint are sufficient on their face to invoke federal jurisdiction, accepting all material allegations in the complaint as true and construing them in favor of the party asserting jurisdiction. See Warm v. Seldin, 422 U.S. 490, 501 (1975). Where the attack is factual, however, "the court need not presume the truthfulness of the plaintiff's allegations." Safe Air for Everyone, 373 F.3d at 1039. In resolving a factual dispute as to the existence of subject matter jurisdiction, a court may review extrinsic evidence beyond the complaint without converting a motion to dismiss into one for summary judgment. See id.; McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988) (holding that a court "may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction"). Once a party has moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party bears the burden of establishing the Court's jurisdiction. See Kokkonen v. Guardian Life Ins. Co., 511 U.S. 375, 377 (1994); Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir. 2010).
b. Motion to dismiss under Rule 12(b)(6) and Rule 9(b)
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a). A motion to dismiss pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure tests the legal sufficiency of the claims asserted in the complaint. Fed. R. Civ. P. 12(b)(6); Navarro v. Block, 250 F.3d 729, 731 (9th Cir. 2001). The court must accept all factual allegations pleaded in the complaint as true, and must construe them and draw all reasonable inferences from them in favor of the nonmoving party. Cahill v. Liberty Mutual Ins. Co., 80 F.3d 336, 337-38 (9th Cir. 1996). The Court is not bound, however, to accept "legal conclusions" as true. Ashcroft v. Iqbal, 556 U.S. 662 (2009).
To avoid a Rule 12(b)(6) dismissal, a complaint need not contain detailed factual allegations; rather, it must plead "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). However, "a plaintiff's obligation to provide the 'grounds' of his 'entitle[ment] to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Id. at 555 (citation omitted). "Factual allegations must be enough to raise a right to relief above the speculative level, on the assumption that all the allegations in the complaint are true (even if doubtful in fact)." Id. (citation omitted). In spite of the deference the court is bound to pay to the plaintiffs allegations, it is not proper for the court to assume that "the [plaintiff] can prove facts that [he or she] has not alleged or that defendants have violated the . . . laws in ways that have not been alleged." Associated Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 526 (1983).
But "[w]hen there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief." Iqbal, 556 U.S. at 679. A claim has "facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. at 677 (citing Twombly, 550 U.S. at 556). "The plausibility standard is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. "Where a complaint pleads facts that are 'merely consistent with' a defendant's liability, it 'stops short of the line between possibility and plausibility of entitlement to relief.'" Id. (quoting Twombly, 550 U.S. at 557).
Complaints alleging fraud must satisfy the heightened pleading requirements of Federal Rule of Civil Procedure 9(b). Rule 9(b) requires that in all averments of fraud or mistake, the circumstances constituting fraud or mistake shall be stated with particularity. Malice, intent, knowledge, and other conditions of a person's mind may be alleged generally. A pleading is sufficient under Rule 9(b) if it "state[s] the time, place and specific content of the false representations as well as the identities of the parties to the misrepresentation." Misc. Serv. Workers, Drivers & Helpers v. Philco-Ford Corp., 661 F.2d 776, 782 (9th Cir. 1981) (citations omitted); see also Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003) (quoting Cooper v. Pickett, 137 F.3d 616, 627 (9th Cir. 1997)) ("Averments of fraud must be accompanied by 'the who, what, when, where, and how' of the misconduct charged.") Additionally, "the plaintiff must plead facts explaining why the statement was false when it was made." Smith v. Allstate Ins. Co., 160 F.Supp.2d 1150, 1152 (S.D. Cal. 2001) (citation omitted); see In re GlenFed, Inc. Sec. Litig., 42 F.3d 1541, 1549 (9th Cir. 1994) (en banc) (superseded by statute on other grounds).
Regardless of the title given to a particular claim, allegations grounded in fraud are subject to Rule 9(b)'s pleading requirements. See Vess, 317 F.3d at 1103-04. Even where fraud is not an essential element of a consumer protection claim, Rule 9(b) applies where a complaint "rel[ies] entirely on [a fraudulent course of conduct] as the bases of that claim . . . the claim is said to be 'grounded in fraud' or to 'sound in fraud,' and the pleading . . . as a whole must satisfy the particularity requirement of Rule 9(b)." Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009) (quoting Vess, 317 F.3d at 1103-04); Bros. v. Hewlett-Packard Co., 2006 WL 3093685, at *7 (N.D. Cal. Oct. 31, 2006).
III.DISCUSSION
LinkedIn moves to dismiss all claims in the SAC for lack of standing pursuant to Rule 12(b)(1) and failure to state a claim pursuant to Rule 12(b)(6).
The SAC contains three claims for: 1) violation of the fraud prong of California's Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code, § 17200 et seq., 2) violation of the unfair prong of the UCL, and 3) breach of contract. Plaintiff concedes that her second and third claims should be dismissed and asks that the Court do so without prejudice. Docket No. 87, Pl.'s Opp. Brief at 3. LinkedIn asks that the Court dismiss all three claims with prejudice.
For the reasons explained below, the Court DISMISSES Plaintiff's second and third claims with prejudice. LinkedIn's motion is DENIED as to Plaintiff's first claim.
a. Standing under Article III and the UCL
i. Background
The Court dismissed Plaintiff's First Amended Complaint ("FAC") for lack of Article III standing. See Docket No. 72. Plaintiff had attempted to establish standing based on the theories that she had suffered an injury in fact because 1) she did not receive the benefit of her bargain with LinkedIn, and 2) she now faces an increased risk of future harm as a result of the 2012 hacking incident. The Court rejected both standing theories, finding, inter alia, that the promise of industry standard security had not been a part of Plaintiff's bargain for premium services.
The parties continue to dispute whether Plaintiff has standing under Article III or under the UCL. Plaintiff has abandoned the standing theories she previously advanced and now contends that she has standing because she purchased her premium subscription in reliance on LinkedIn's misrepresentation and would not have done so but for the misrepresentation. Importantly, the SAC (unlike the FAC) alleges that Plaintiff did, in fact, read and rely upon the statement in the Privacy Policy regarding industry standard security.
With these amendments, the SAC's allegations are sufficient to confer both standing under Article III and statutory standing under the UCL.
ii. The parties' positions
The parties essentially divide the UCL standing and Article III standing cases into two categories. Plaintiff relies primarily on a line of cases in which courts find standing under the UCL and under Article III for plaintiffs who purchase deceptively labeled or advertised products in reliance on the misinformation contained in the labels or advertisements.
As to UCL standing, in Kwikset Corp. v. Superior Court, the California Supreme Court held that "[a] consumer who relies on a product label and challenges a misrepresentation contained therein can satisfy the standing requirement of [the UCL] by alleging . . . that he or she would not have bought the product but for the misrepresentation." 51 Cal. 4th 310, 330 (2011). In Hinojos v. Kohl's Corp., 718 F.3d 1098 (9th Cir. 2013), the Ninth Circuit Court of Appeals applied Kwikset in "a straightforward manner" to hold that "when a consumer purchases merchandise on the basis of false price information, and when the consumer alleges that he would not have made the purchase but for the misrepresentation, he has standing to sue under the UCL and FAL because he has suffered an economic injury." 718 F.3d at 1107.
The Article III standing cases in the Ninth Circuit agree that plaintiffs who make allegations similar to those made in Kwikset and Hinojos would also satisfy Article III's standing requirements. For example, Article III standing has been found for class members who "paid more for [a product] than they otherwise would have paid, or bought it when they otherwise would not have done so, because [the defendant] made deceptive claims and failed to disclose the [product's] limitations." Mazza v. Am. Honda Motor Co., Inc., 666 F.3d 581, 595 (9th Cir. 2012) (citing Stearns v. Ticketmaster Corp., 655 F.3d 1013, 1021 (9th Cir. 2011)). Another Ninth Circuit case found Article III standing by applying the rule from Kwikset to the plaintiffs' allegation that they paid more for a product due to reliance on false advertising. See Degelmann v. Advanced Med. Optics, Inc., 659 F.3d 835, 840 (9th Cir. 2011) vacated, 699 F.3d 1103 (9th Cir. 2012).
LinkedIn, on the other hand, distinguishes the labeling/advertising cases on the basis that the representation in the Privacy Policy was not contained in a label or an advertisement. The Privacy Policy applies to all members, both paying and non-paying and, according to LinkedIn, was not included or incorporated into the premium services contract that Plaintiff entered into. Thus, LinkedIn argues, "[u]nder no plausible theory can this single sentence in the Privacy Policy that applies to all LinkedIn members be considered an 'inducement' to the purchase of a premium subscription, the 'advertisement' of premium services, or an 'effective marketing technique' for premium service." Docket No. 89, Def.'s Reply at 7.
LinkedIn instead points to a number of other consumer cases in which courts have rejected theories of injury in fact that, like Plaintiffs theory, were premised on payment or overpayment for a product. In LinkedIn's cases, courts have required plaintiffs to allege "something more" than "overpaying for a 'defective' product" in order to establish an Article III injury in fact. In re Toyota Motor Corp., 790 F. Supp. 2d 1152, 1165 n.11 (C.D. Cal 2011); see also Whitson v. Bumbo, 2009 WL 1515597 (N.D. Cal. Apr. 16, 2009); Boysen v. Walgreen Co., 2012 WL 2953069 (N.D. Cal. July 19, 2012); In re McNeil Consumer Healthcare, 877 F. Supp. 2d 254 (E.D. Pa. 2012); Williams v. Purdue Pharma Co., 297 F. Supp. 2d 171 (D.D.C. 2003). Based on these cases, LinkedIn contends that Plaintiff has not alleged sufficient facts to establish Article III standing.
LinkedIn argues that the rationale behind the labeling/advertising cases is that "the overpayment injury does not depend on how the product functions because 'labels' and 'brands' have independent economic value." In re Toyota, 790 F. Supp. 2d at 1165 n.11. Based on that rationale, LinkedIn argues, courts in such cases find economic harm when the consumer paid money for a defendant's product over a competitor's product due to the mislabeling. Plaintiff makes no such allegations here. She does not allege, for example, that she purchased LinkedIn's services over another networking website's services because of the promise regarding industry standard security.
iii. Application and conclusion
Having carefully considered the cases, the Court finds that Plaintiff has alleged facts sufficient to confer standing. The critical distinction between Plaintiffs theory of economic injury and the theories of economic injury rejected in LinkedIn's cited cases is that Plaintiff alleges her payment or overpayment was caused by LinkedIn's alleged misrepresentations, which she alleges she read and relied on in making her decision to purchase a premium subscription. The plaintiffs in LinkedIn's cases did not, or could not, attempt to establish standing under the same theory as Plaintiffs. In Williams and Whitson, although the plaintiffs alleged that the defendants had made misrepresentations about the products at issue, the plaintiffs failed to allege that they were deceived by or even that they were exposed to the misrepresentations. 297 F. Supp. 2d at 177; 2009 WL 1515597, at *4. Similarly, neither Boysen nor In re McNeil contained allegations that the plaintiffs purchased the product in reliance on the defendant's misrepresentations. In re Toyota is inapposite because, while the court did require some plaintiffs to allege "something more" than pure economic loss, it did so only for those plaintiffs who were seeking to establish an economic loss based on a "market effect" theory. 790 F. Supp. 2d at 1165-1166. Plaintiffs theory is not based on a loss in market value.
Some plaintiffs attempted to establish an injury in fact based on a drop in value of their cars. They did not allege experiencing any defects in their cars despite predicating their loss on the drop in value due to the defect. The court agreed that those plaintiffs should allege "something more" and found that they had met this requirement by 1) showing the reduction in trade-in value of their cars in sources such as Kelley Blue Book and 2) alleging that the drop in value followed public awareness of the defect. 790 F. Supp. 2d at 1166.
The Court recognizes that there are significant differences between the "single sentence" contained in LinkedIn's Privacy Policy and the labels and advertisements from Kwikset and Hinojos. Notwithstanding these differences, however, the Court finds that the representation in LinkedIn's Privacy Policy falls within the scope of the labeling/advertising cases.
First, it is not clear that the reach of the Kwikset line of cases is limited only to misrepresentations that are also labels or advertisements. As the California Supreme Court put it, to satisfy the UCL's standing requirements, "a party must now (1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim." Kwikset, 51 Cal. 4th at 322 (emphasis added). While it is true that the final holding in Kwikset specifically identified the type of "unfair business practice or false advertising" at issue, that holding was an application of the broader rule identified in the preceding sentence of this paragraph. The Kwikset court did not indicate that the requirements for establishing UCL standing would be any different if the challenged misrepresentation was contained in something other than a deceptive product label. And although Kwikset was a California case concerning standing under the UCL, not Article III, the Ninth Circuit cases indicate that plaintiffs whose allegations meet the Kwikset criteria will at least satisfy the Article III injury in fact requirement. See Hinojos, 718 F.3d at 1104, n.3 ("There is no difficulty in this case regarding Article III injury in fact, and neither party suggests otherwise. We have explained that when, as here, 'Plaintiffs contend that class members paid more for [a product] than they otherwise would have paid, or bought it when they otherwise would not have done so' they have suffered an Article III injury in fact.")
"A consumer who relies on a product label and challenges a misrepresentation contained therein can satisfy the standing requirement of section 17204 by alleging, as plaintiffs have here, that he or she would not have bought the product but for the misrepresentation." Id. at 330.
Second, even if the Kwikset line of cases was read to apply solely to advertisements and labels, the term "advertisement" is defined broadly under California law. The UCL expressly incorporates the Fair Advertising Law's ("FAL") prohibition on unfair advertising as one form of unfair competition. Hinojos, 718 F.3d at 1103 (citing Cal. Bus. & Prof. Code § 17200). The FAL is broadly written and broadly construed, and a wide range of statements can qualify as an advertisement. Cal. Bus. & Prof. Code § 17500; see Chern v. Bank of Am., 15 Cal. 3d 866, 875 (1976). For example, a statement made in a letter denying a borrower's request for a loan modification qualifies as "advertising." Gabali v. OneWest Bank, FSB, 2013 WL 1320770 (N.D. Cal. Mar. 29, 2013). Applying one set of standing requirements to labeling/advertising and another set of standing requirements to other types of misrepresentations, as LinkedIn advocates, would be untenable given the lack of distinction California law places between misleading advertising and other forms of misleading statements.
The opinions in Kwikset and Hinojos provided several examples of marketing practices, including meat labeled as kosher and a product advertised as "not available in stores." Like those examples, the statement in LinkedIn's Privacy Policy might be significant only to a small segment of consumers and many consumers may not even care to read it before making their purchase. Yet the California Supreme Court and the Ninth Circuit Court of Appeals have indicated that when those representations are false, a consumer who is induced by them to purchase a product that she otherwise would not have purchased has standing to bring an action under the UCL in federal court.
Applying the cases discussed above, the Court finds that Plaintiff's allegations are sufficient to establish standing under the UCL and Article III. She alleges that she purchased her premium subscription on the basis of LinkedIn's statement that its users' data will be secured with industry standards and technology, she alleges that the statement was false when she read and relied on it, and she alleges that she would not have made the purchase (or that she would have negotiated for a lower price) but for the misrepresentation. Her injury (the purchase induced by the misrepresentation) is fairly traceable to LinkedIn's conduct because LinkedIn made the misrepresentation. And finally, her injury is likely to be redressed by a favorable decision because restitution is an available remedy under the UCL. Cal. Bus. & Prof. Code § 17203.
b. Plaintiff's first claim: Fraudulent business practices
i. Stating a claim
To state a claim under either the fraudulent business practices prong of the UCL, it is necessary only to show that members of the public are likely to be deceived. In re Tobacco II Cases, 46 Cal. 4th 298, 312 (2009) (internal quotations and citations omitted).
Plaintiff alleges that the representation in the Privacy Policy is likely to deceive the public because consumers would believe that LinkedIn used a more effective method of securing its users' data than it actually did.
LinkedIn attacks the materiality of the alleged misrepresentation, arguing that Plaintiff's claim should fail as a matter of law because "it is implausible that a single contractual promise in a Privacy Policy applicable to all members—free, basic-account members and paying, premium- account members—would be seen as a material inducement leading a reasonable user to upgrade to a premium account."
A representation is material if a reasonable consumer would attach importance to it or if the maker of the representation knows or has reason to know that its recipient regards or is likely to regard the matter as important in determining his choice of action. Hinojos, 718 F.3d at 1107 (internal quotations and citations omitted). The materiality of a misrepresentation is typically an issue of fact, and therefore should not be decided at the motion to dismiss stage. See In re Steroid Hormone Product Cases, 181 Cal. App. 4th 145 (2010). In some circumstances, courts have found, as a matter of law, that no reasonable consumer could have been misled by the misrepresentation. See Rice v. Fox Broad. Co., 330 F.3d 1170, 1181 (9th Cir. 2003) (false statements on videotape cover were immaterial because videotape cover could not be observed by potential consumer and therefore could not influence the purchasing decision).
LinkedIn points out that Plaintiff fails to allege that, even if LinkedIn had disclosed the fact that it used unsalted, SHA-1 encryption, Plaintiff would have actually understood such a disclosure to mean that LinkedIn was not employing industry standard security. However, Plaintiff does allege that if LinkedIn had disclosed its security protocols, consumers would have learned that those protocols did not meet the "industry standard" through word of mouth or the media. She supports this reasoning by arguing, essentially, that even if the average consumer would not have understood that unsalted, SHA-1 encryption was below the industry standard, the popular media would have found that disclosure newsworthy and would have disseminated the information to consumers.
Given the above, the Court does not find Plaintiff's claim barred as a matter of law. The only case that LinkedIn has cited on this point is Rice, and in Rice, it was impossible for the representation to deceive a consumer when no consumer could have viewed the representation prior to making a purchase. Here, the representation was available for the public to read, and, as explained below, Plaintiff has alleged a plausible explanation for why it is likely to deceive the public.
ii. Rule 8
LinkedIn contends that the SAC does not satisfy Rule 8 of the Federal Rules of Civil Procedure. A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a). A court considering a motion to dismiss can choose to begin by identifying pleadings that, because they are no more than conclusions, are not entitled to the assumption of truth. Iqbal, 556 U.S. at 679. While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations. Id. When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief. Id.
1. Whether Plaintiff plausibly alleges that she read Linkedln's representation
In the SAC, Plaintiff alleges the following: "Before signing up for her LinkedIn Premium Subscription, Wright—as she always does when signing up for a service online—read and agreed to the [User Agreement] and Privacy Policy and the representations and obligations listed therein." Plaintiff also alleges that the User Agreement contained an integration clause, and that the User Agreement governing her premium subscription also "incorporated by reference" LinkedIn's Privacy Policy and advised her to review and comply with the Privacy Policy.
LinkedIn argues that because the User Agreement was not part of the terms of the contract Plaintiff entered into when she signed up for her premium subscription, the terms therefore did not include the "incorporation by reference" term or the advisement to review the Privacy Policy. Because those allegations are false, LinkedIn continues, there is no reason to accept as true the conclusion-that Plaintiff read and relied on the Privacy Policy in purchasing her premium subscription.
However, regardless of whether or not the User Agreement became a part of Plaintiff's contract for the premium subscription as a matter of contract law, Plaintiff alleges that she read and relied on the User Agreement and the Privacy Policy before purchasing her premium subscription. Her understanding of contract law has no bearing on her allegation that she read and relied on those documents.
2. Whether Plaintiff plausibly alleges that Linkedln's representation was false
LinkedIn argues that Plaintiff's allegation that LinkedIn failed to use industry standards to encrypt member passwords is conclusory and unsupported. Plaintiff supports this conclusion with the following factual allegations:
1) When Plaintiff purchased her premium subscription, LinkedIn protected its users' personal information using the SHA-1 hash function. LinkedIn did not salt the information.
2) Since at least 2006, industry standards have required that users' personal information, and login credentials in particular, be stored in salted and hashed format.
3) The National Institute of Standards and Technology ("NIST") recommended that all government agencies stop using SHA-1.
4) Salting has been standard encryption practice since the 1970s, and salting and hashing (with a stronger algorithm than SHA-1) together is the preferred industry practice.
5) Three days after the breach, LinkedIn stated that it would transition from a password database system that hashed passwords, i.e. provided one layer of encoding, to a system that both hashed and salted the passwords, i.e. provided an extra layer of protection that is a widely recognized best practice within the industry.
6) The bare minimum practice within LinkedIn's industry is to "salt" the input before hashing it, preferably with a multi-digit salt long enough to render rainbow tables (a method of encryption-breaking) entirely useless.
7) The more common industry practice is to (1) salt passwords and then hash them using a more recent and secure algorithm than SHA-1, (2) salt the resulting hash value, and (3) then again run the resulting value through a hashing function. Finally, that fully encrypted password should be stored on a separate and secure server apart from all other user information.
LinkedIn points out that "Plaintiff never explicitly alleges that SHA-1 was below industry standards during the class period. She instead alleges that the National Institute of Standards and Technology [NIST] recommended that all government agencies stop using SHA-1." Docket No. 81, Def.'s Memo ISO MTD at 19 (internal quotations omitted). LinkedIn then cites to an extrinsic document written by the NIST which purportedly states that the use of SHA-1 hashing is acceptable.
However, even assuming that the Court must disregard Plaintiff's allegations concerning the NIST's position on the use of SHA-1 hashing, the rest of Plaintiff's allegations are sufficient to support her conclusion that LinkedIn's representation was false. She alleges that LinkedIn used a particular security practice, is specific about what that security practice entailed, alleges that LinkedIn's practice fell below the "bare minimum" security practice in LinkedIn's industry, and she is specific about what that "bare minimum" security practice entails. Furthermore, LinkedIn does not contend that the phrase "industry standard" amounts to puffery or is otherwise impossible to define.
Accordingly, dismissal for this reason is unwarranted.
3. Whether Plaintiff plausibly alleges that she was denied the benefit of her bargain
Next, LinkedIn contends that Plaintiff "does not plausibly allege that she did not receive all of the benefits that she bargained for," arguing that the promise of industry standard security was not one of the benefits included in Plaintiff's bargain because industry standard security is available to all members whether or not they have upgraded to premium memberships. This was an argument that the Court found convincing and became one of the grounds for dismissal of the FAC.
This contention is less relevant now that Plaintiff no longer seeks to establish standing based on being deprived of the benefit of her bargain. Furthermore, when a plaintiff alleges economic injury based on being induced by misrepresentations to purchase products that she would not otherwise have purchased, the benefit of the bargain defense is permissible only if the misrepresentation that the consumer alleges was not "material." Hinojos, 718 F.3d at 1107. Thus, LinkedIn's contention that Plaintiff received all of the benefits she bargained for is not a sufficient basis for dismissal of the SAC.
iii. Rule 9
LinkedIn contends that the SAC's averments of fraud do not satisfy Rule 9(b) after disregarding the allegations discussed above on Rule 8 grounds. However, these allegations are sufficiently pleaded and must be regarded as true at this stage in the proceedings.
In alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Fed. R. Civ. P. 9(b).
Plaintiff's averments of fraud meet the requirements of Rule 9(b). She alleges that the representation was made in LinkedIn's Privacy Policy, which she read and relied on prior to purchasing a premium subscription, and she alleges facts that explain why the representation was false. Her allegations are specific enough to give LinkedIn "notice of the particular misconduct which is alleged to constitute the fraud charged so that [it] can defend against the charge and not just deny that [it has] done anything wrong." Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985).
c. Plaintiff's second and third claims
As to the SAC's second and third claims, the Court limits its decision to whether these claims should be dismissed with or without prejudice.
Dismissal with prejudice and without leave to amend is not appropriate unless it is clear on that the complaint could not be saved by amendment. Chang v. Chen, 80 F.3d 1293, 1296 (9th Cir. 1996). Dismissal with prejudice may be appropriate where a plaintiff presents no new facts but only "new theories" and "provided no satisfactory explanation for his failure to fully develop his contentions originally." Vincent v. Trend Western Technical Corp., 828 F.2d 563, 570-71 (9th Cir. 1987).
Here, although Plaintiff has added new, critical facts to her complaint (particularly, the allegation that she read LinkedIn's representation before purchasing her premium subscription), she fails to explain how the new facts affect her second and third claims. She concedes that both claims fall within the scope of the Court's previous order dismissing the FAC. She provides no explanation for why she should be given another chance to amend those claims, other than that she only became aware that her second and third claims fell within the scope of the previous dismissal order after certain evidence was produced by LinkedIn and that she might discover facts through discovery that would allow her to reassert the claims.
Accordingly, Plaintiff's second and third claims are DISMISSED with prejudice because allowing for further amendment would be futile.
IV. CONCLUSION
For the foregoing reasons, LinkedIn's Motion to Dismiss Plaintiff's Second Amended Consolidated Complaint is GRANTED IN PART and DENIED IN PART. Plaintiff's second and third claims are DISMISSED with prejudice. LinkedIn's Motion is DENIED as to Plaintiff's first claim.
The court schedules this action for a Case Management Conference at 10:00 a.m. on June 6, 2014. The parties shall file a Joint Case Management Statement on or before May 30, 2014.
IT IS SO ORDERED
__________
EDWARD J. DAVILA
United States District Judge