Opinion
24-cv-01363-SI
04-05-2024
JUSTICE SMITH, Plaintiff, v. SEQUOIA BENEFITS AND INSURANCE SERVICES LLC, et al., Defendants.
ORDER DENYING PLAINTIFF'S MOTION FOR RECONSIDERATION
RE: DKT. NO. 12
SUSAN ILLSTON, United States District Judge
Plaintiff Justice Smith has filed a motion for reconsideration of this Court's order dismissing the complaint with leave to amend. For the reasons set forth below, the Court DENIES the motion. Smith may still file an amended complaint by April 19, 2024 if she wishes to do so.
Smith contends that she can sue Sequoia and the private individual defendants under 42 U.S.C. § 1983 because “Defendants have obtained licenses to act through the state” and therefore defendants were acting under color of state law at the time the data breach occurred. Smith has attached to her motion documents showing that Sequoia and Golub are licensed by the California Department of Insurance to conduct insurance business in the state, and that Persson is admitted to the California Bar Association. Dkt. No. 12-1.
Simply being licensed by the State, without more, is insufficient to create state action. “The state-action element in § 1983 ‘excludes from its reach merely private conduct, no matter how discriminatory or wrongful.'” Caviness v. Horizon Cmty. Learning Ctr., Inc., 590 F.3d 806, 812 (9th Cir. 2010) (quoting Am. Mfrs. Mut. Ins. Co. v. Sullivan, 526 U.S. 40, 50 (1999)). “State action may be found if, though only if, there is such a close nexus between the State and the challenged action that seemingly private behavior may be fairly treated as that of the State itself.” Villegas v. Gilroy Garlic Festival Ass'n, 541 F.3d 950, 955 (9th Cir. 2008) (en banc). Courts look at the “specific conduct” of which the plaintiff complains to determine if the private entity or person is acting as a state actor. Id. Here, Smith claims that defendants violated her privacy rights when Sequoia was subject to a data breach, and she complains about how defendants handled that data breach as well as Persson's communications with her after the data breach. All of this conduct is purely private conduct - Sequoia was acting as a private company that had experienced a data breach, Golub is Sequoia's CEO, and Persson was acting as Sequoia's attorney. There is no authority whatsoever to hold defendants liable for alleged violations of Smith's constitutional rights or pursuant to 42 U.S.C. § 1983 under these circumstances.
Smith also contends that she may pursue a FCRA claim, citing In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017). In that case, the Third Circuit held that a district court had improperly dismissed a complaint for lack of standing (injury), and sent the case back to the court to determine whether the plaintiff could state a claim under the FCRA. Thus, the court was only analyzing whether the plaintiffs there had alleged enough injury to satisfy the legal doctrine of “standing.” After the case was sent back to the district court, that court held that Horizon Healthcare Services was not a “consumer reporting agency” under the FCRA because Horizon was a health insurance company:
The Third Circuit stated, “In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a ‘consumer reporting agency' and therefore is not subject to the requirements of FCRA. At oral argument, Horizon also argued that FCRA does not apply when data is stolen rather than voluntarily ‘furnish[ed],' 15 U.S.C. § 1681a(f). Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant's rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind.” Id. at 633 n.9.
A consumer reporting agency is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f). ...
[H]ere, Plaintiffs have failed to allege that Defendant assembles consumer information for the purpose of furnishing consumer reports, and their contentions actually substantiate Defendant's averment that it is a health insurance company that collects its consumers' information for the purpose of providing health insurance coverage and administering health benefits plans.In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 2:13-CV-07418, 2021 WL 6049549, at *3 (D.N.J. Dec. 21, 2021). The Horizon court noted that the “Plaintiffs have not cited any authority, from this district or elsewhere, wherein a court held otherwise and found that an insurance provider qualifies as a consumer reporting agency under FCRA.” Id. at *5 *(discussing cases). see also Dolmage v. Combined Ins. Co. of Am., No. 14 C 3809, 2015 WL 292947, at *3 (N.D. Ill. Jan. 21, 2015) (dismissing FCRA case against insurance provider because “Plaintiff does not allege, however, that Defendant collects personal information on consumers for the purpose of furnishing consumer reports to third parties. Rather, Plaintiff's allegations support Defendant's contention that it is an ‘insurance provider' that collects personal information on consumers for the purpose of providing them with insurance coverage.”). The Horizon court further found that even if Horizon was a “consumer reporting agency” there was no FCRA violation because information stolen from a defendant - as in a hack - is not information that is “disclosed” or “furnished” by the defendant under FCRA. Id. at *5-6 (citing cases).
Here, just as in Horizon Healthcare Services and Dolmage, Smith alleges that Sequoia provides insurance products and services and that Sequoia “disclosed” and “furnished” her private information when Sequoia's cloud was hacked. The Court agrees with the reasoning of Horizon and Dolmage and finds that the FCRA does not apply here. If Smith wishes to file an amended complaint, she must do so by April 19, 2024.
Smith states in her motion for reconsideration that “there is no other data protection law” that she could bring a claim under aside from the FCRA. Mtn. at 5. This does not appear to be correct. Smith alleges that Persson informed her that she appeared to be a class member in a pending class action against Sequoia related to the data breach. That case is In re: Sequoia Benefits and Insurance Data Breach Litig., Case No. 3:22-cv-08217-RFL (N.D. Cal.). Claims in that case are proceeding. See Order Granting in Part and Denying in Part Motion to Dismiss, Dkt. No. 98 in 228217.
IT IS SO ORDERED.