Opinion
21-cv-02470-EMC
07-16-2024
ORDER ON DEFENDANTS' MOTIONS TO DISMISS THE SECOND AMENDED COMPLAINT DOCKET NOS. 114, 117, 122
EDWARD M. CHEN United States District Judge
I. INTRODUCTION
Plaintiffs are customers who purchased a Ledger SAS hardware wallet to protect their cryptocurrency assets. Ledger's hardware wallets store customers' “private keys” for their crypto-assets. SAC ¶ 2. The private keys are similar to a bank-account password in that the private key can be used to allow an individual to transfer their crypto-assets. See id. In 2020, Ledger's customer database was hacked, and Plaintiffs' personal identifying information (“PII”) was accessed by hackers. Plaintiffs bring a putative class action seeking redress for harms they allegedly suffered stemming from the data breach. See Docket No. 110 (Second Amended Complaint or “SAC”). The data breach occurred when two of TaskUs's “rogue” employees conspired with a “California man” who accessed and distributed Ledger users' PII.
Plaintiffs bring this action against Ledger, Shopify, and TaskUs. Shopify is Ledger's subcontractor who helps Ledger with purchases over its website. TaskUs is Shopify's subcontractor who helps Shopify with Ledger's customer service operations.
Previously, the Court dismissed Plaintiffs' First Amended Complaint (“FAC”) for lack of personal jurisdiction. See Amended Motion to Dismiss Order, Docket No. 79 (“MTD Order”). Plaintiffs appealed and the Ninth Circuit affirmed in part and reversed and remanded in part. Baton v. Ledger SAS, 2022 WL 17352192, at *3 (9th Cir. 2022). Plaintiffs filed a SAC. Now pending before the Court are Defendants Ledger, Shopify, and TaskUs's respective motions to dismiss the complaint for lack of personal jurisdiction, lack of standing, and failure to state a claim. Docket Nos. 114, 117, 122.
For the following reasons, the Court finds that Plaintiffs have standing except with respect to Mr. Seirafi's injunctive relief claim against Ledger, the California Consumer Subclass is stricken with leave to amend, the Court has personal jurisdiction over Shopify and TaskUs, Ledger's forum selection clause does not apply to Plaintiffs' Unfair Competition Law (“UCL”) claim against Ledger, and Shopify may avail itself of Ledger's forum selection clause.
With respect to Ledger's Rule 12(b)(6) motion, Plaintiffs have plausibly pled a UCL claim under the “unfair” and “unlawful” prongs, but Plaintiffs' CLRA claim and “fraudulent” UCL claim are dismissed. See Cal. Bus. & Prof. Code § 17200. With respect to TaskUs's Rule 12(b)(6) motion, Plaintiffs have plausibly pled a negligence claim and a New York Deceptive Trade Practices Act claim, but Plaintiffs' negligence per se claim is dismissed. Thus, Ledger, Shopify, and TaskUs's Motions to Dismiss are GRANTED in part and DISMISSED in part.
II. BACKGROUND
A. Summary of Allegations in the SAC
Plaintiffs are customers of Defendant Ledger SAS (“Ledger”), a company based in Paris, France that sells hardware wallets to allow customers to manage cryptocurrency. SAC ¶ 27. Ledger's hardware wallets store Ledger customers' “private keys” for their crypto-assets. Id. ¶ 2. The private keys are similar to a bank-account password in that the private key can be used to allow an individual to transfer their crypto-assets. See id. Ledger sells its hardware wallets, the Ledger Nano X and Ledger Nano S, through its e-commerce website, which operates on Defendant Shopify, Inc.'s platform. Id. ¶ 2. Shopify, in turn, employed TaskUs “to provide customer support and data security consulting services for Ledger's sales website and the Ledger Live services, in which Ledger customers could obtain live support for their investments and effectuate transfers of their assets on Ledger's website.” Id. ¶ 8.
Plaintiffs allege they, and several putative classes, each bought a Ledger hardware wallet on Ledger's e-commerce website, through Shopify's platform, between July 2017 and June 2020. See SAC ¶¶ 22-26. When Plaintiffs made their purchases, they provided their names, email addresses, telephone numbers and postal addresses to Ledger. See id. Shopify's database was accessed by two “rogue” employees working at TaskUs who conspired with a “California man.” Id. ¶¶ 11-13. The hackers obtained the PII of merchants who employ Shopify, including Ledger. See id. The hackers published over 270,000 Ledger users' PII online. See id. ¶ 15. Plaintiffs lost money due to phishing attempts and faced threats of physical violence. See id.
1. Ledger and its hardware wallets
Ledger's primary product is a hardware wallet that stores the “private keys” of an individual's crypto-assets. SAC ¶ 2. The private keys are “akin to a bank-account password in that access to the private keys allows an individual to transfer one's crypto-assets.” Id. Crypto-asset transactions are publicly visible on the underlying blockchain, but the owner of a particular crypto-asset is not identifiable. Id. ¶ 4.
“Ledger offers solutions to consumers to keep their crypto-assets safe.” SAC ¶ 89. Ledger's hardware wallets “are physical consumer items that appear similar to a USB storage device”:
(IMAGE OMITTED)
Id. These “wallets” do not hold cryptocurrency. See id. ¶ 90. “Rather, consumers store their private keys on these physical devices, which are never connected to the internet.” Id. “The wallet itself can be accessed only by entering a PIN.” Id. ¶ 91. Because the private keys are stored on a hardware wallet with no internet connectivity, traditional hacking cannot reveal those private keys. See id. ¶ 96. “Instead, the main sources of risk are: (1) ‘phishing' attacks to trick a user into revealing the private PIN to their hardware wallet; or (2) physical intimidation that forces users into paying money or revealing that information to a hacker.” Id. Thus, “the single greatest point of vulnerability for owners of Ledger wallets is public disclosure of the information that a particular person owns the wallet. If hackers know the names and/or email addresses of people who own Ledger wallets, then hackers can target those people with sophisticated phishing schemes and tailored threats.” Id. ¶ 104.
When a consumer purchases Ledger's products, Ledger collects and processes the consumer's PII, including their first and last names, e-mail addresses, postal addresses, and telephone numbers. SAC ¶ 94; see also id. ¶ 95 (Ledger's privacy policy). “The anonymity of its customer list is a key and obvious element of the security that Ledger offers.” Id. ¶ 105. There is no doubt that there is already a significant amount of information available about Plaintiffs and Class Members on the dark web, Id. ¶ 107, but the issue here is that their PII was identified in connection with their owning a Ledger wallet.
Ledger advertises that “Ledger wallets offer the best possible protection for crypto-assets,” SAC ¶ 110, and that it “has the ‘highest security standards,' that it ‘continuously look[s] for vulnerabilities on Ledger products as well as our providers' products in an effort to analyze and improve the security,' and that its products provide ‘the highest level of security for crypto assets,'” Id. ¶ 6. Ledger's slogan is: “If you don't want to get hacked, get a Ledger wallet.” Id. Ledger “conveyed that it was tirelessly assessing its wallets and supporting services for vulnerabilities, while adapting to protect against threats. By buying a Ledger wallet, consumers purportedly were buying into a comprehensive security support system that maximized protections against threats to crypto-assets.” Id. ¶ 113; see also id. ¶¶ 110-14 (specific statements Ledger made).
2. The particular need to keep crypto-asset-related PII private
“Bitcoin is a ledger of addresses and transfer amounts that tracks the ownership and transfer of every bitcoin in existence. This ledger is called the blockchain. The blockchain is completely public.” SAC ¶ 77. Transfers of crypto-assets are untraceable. See id. ¶ 82. “Unlike traditional accounts housed at banks, there are no approvals or fraud monitoring warnings for moving crypto-assets out of an account.” Id. ¶ 86. An owner of cryptocurrency can control the movement of bitcoin currency in and/or out of their account via their “private key.” Id. ¶ 81. Without the “private key,” the crypto-asset can never be transferred. Id. ¶ 82. “In other words, anyone with the private key has total control over the funds. Thus, to safeguard crypto-assets, one must keep the private key private.” Id. Because “any transfer is effectively untraceable and irreversible,” “the recipient [is] immune from identification or claw back.” Id. ¶ 86.
Ledger's customer list is a “gold mine” for hackers. SAC ¶ 5. This is because the customer list represents people who have converted substantial wealth into anonymized cryptoassets. See id. One would not purchase a Ledger wallet unless they had amassed enough cryptoassets to warrant purchasing a product to protect their security. Therefore, a hacker would want to target anybody with a Ledger device. See id. (“without anonymity, owning a Ledger device simply creates a target for hackers”).
3. Data breaches and the market for PII
“PII is a valuable commodity for which a black market exists on the dark web, among other places.” SAC ¶ 61. “When companies entrusted with people's data fail to implement industry best practices, cyberattacks and other data exploitations can go undetected for a long period of time. This worsens the ramifications and can even render the damage irreparable.” Id. ¶ 60. The SAC lists several statutory and regulatory sources that have published information putting Defendants on-notice of the threat of hacking and the measures they needed to take to prevent hackers from infiltrating their databases. See id. ¶¶ 58, 67, 69-70, 73-74, 185-93. In particular, the SAC lists sources detailing that it is unlawful for businesses to fail to maintain appropriate data security measures, how businesses can maintain secure networks, and that businesses should have a communication plan in place to reach the affected audience in case of a data breach. See id.
4. Shopify
Shopify, Inc. is a Canadian corporation with offices in Ottawa, Ontario. SAC ¶ 28. Shopify, USA Inc. is a Delaware corporation registered to do business in California with its principal place of business in Ottawa, Canada. Id. ¶ 29. Shopify, USA Inc. is a wholly owned subsidiary of Shopify Inc. (collectively “Shopify”). Id. Shopify Inc.'s Data Protection Officer, Mr. Narayanadas, works remotely from California.
Between September 2019 and August 2020, Ledger employed Shopify to handle payments for Ledger wallets and allowed access to its customer data. See SAC ¶ 8. “Shopify provides ecommerce solutions for businesses to allow them to easily create digital storefronts,” Id. ¶ 117, and “[it] powers Ledger's shopping website,” Id. ¶ 116. “When users purchase directly from Ledger on its Shopping Website, they must provide certain personal information before placing an order, such as their physical address, phone number, and email address. Because Ledger uses Shopify's services, Shopify acts as an intermediary between Ledger and purchasers of Ledger's products.” Id. ¶ 118.
5. TaskUs
TaskUs is an outsourcing company incorporated in Delaware. TaskUs was headquartered in Santa Monica, California, but on December 1, 2020, it relocated to New Braunfels, Texas. Andreasen Decl. at ¶¶ 2-3. TaskUs' workforce primarily operates overseas in the Philippines.
TaskUs “is a third-party company that provided customer support services to Shopify.” SAC ¶ 120. In particular, Shopify employed TaskUs to provide “customer support and data security consulting services for Ledger's sales website and the Ledger Live services, in which Ledger customers could obtain live support for their investments and effectuate transfers of their assets on Ledger's website.” Id. ¶ 8. After Ledger employed Shopify, TaskUs was “entrusted with the information collected by the Ledger Live service and Shopify's collection of the data through their e-commerce services to Ledger. TaskUs therefore had access to, and was entrusted with, the sensitive user PII...” Id. ¶ 9. The breach occurred within TaskUs, as discussed below.
6. Security breach
In 2019, a California man began conspiring with “rogue” employees of TaskUs to obtain information regarding the customers of merchants, like Ledger, that used Shopify. SAC ¶ 121. “Between April and June 2020, certain “rogue” TaskUs employees took advantage of the Ledger customer information provided to the company through the Shopify Defendants' e-commerce services and acquired and exported Plaintiffs' and Class members' customer transactional records.” SAC ¶ 10. In 2020, the California man obtained access to Ledger's customers' PII. See id. “By May/June 2020, Ledger's customer list and their sensitive data had made its way onto the internet's black market, making Ledger wallet owners vulnerable.” SAC ¶ 14. “From June 2020 through December 2020, at least one of the hackers who had acquired the data published [] online, provid[ed] over 270,000 names, physical addresses, phone numbers, and order information, as well as email addresses that were used to purchase the ledger Wallets, to every hacker in the world.” SAC ¶ 15.
In May 2020, rumors about the breach arose on social media. See SAC ¶ 127. For example, in one article, it stated that a hacker is purportedly selling customer information on the dark web that stems from companies like Ledger. See Jamie Redman, Hacker Attempts to Sell Data Allegedly Tied to Ledger, Trezor, Bnktothefuture Customers, Bitcoin (May 24, 2020), https://news.bitcoin.com/hacker-attempts-to-sell-data-allegedly-tied-to-ledger-trezor-bnktothefuture-customers/ (last accessed Nov. 9, 2023). The article further stated that the hacker was offering email addresses, home addresses, and phone numbers from an alleged Shopify breach. See id.
Plaintiffs allege that Ledger should have gotten ahead of the problem, but instead it “den[ied] that there was a breach impacting Ledger's customers.” SAC ¶ 129. Plaintiffs allege that “a prompt and proper response from Ledger, including full disclosure to all customers, would have mitigated [many] risks and damages” that occurred herein. Id.
On July 29, 2020, “Ledger made partial admissions that exacerbated, rather than mitigated, the harm caused by the Data Breach.” SAC ¶ 131. Ledger announced that on July 14, 2020 it was made aware that there was a breach and that contact information and order details were involved. Id. ¶ 132. The announcement stated that approximately 1 million users' email addresses were involved in the breach. Id. Further, it stated that only a subset of 9,500 customers' information was exposed, including names, postal addresses, phone numbers or ordered products, and that Ledger was individually emailing those customers to inform them and share more details. See id.
Plaintiffs allege that Ledger admits it “failed to immediately warn its customers” of the breach, Id. ¶ 134, “did not disclose that this breach had anything to do with Shopify,” Id. ¶ 135, “was not clear as to the status and dissemination of the stolen data,” Id. ¶ 136, and “sent follow-up notifications only to the 9,500 customers who they determined had additional personal information exposed,” “fail[ing] to notify its one million other customers whose email information had been exposed,” Id. ¶ 137.
On September 22, 2020, Shopify announced to Ledger (and other affected merchants) that “two rogue members of our support team were engaged in a scheme to obtain customer transactional records of certain merchants,” involving “the data of less than 200 merchants.” SAC ¶ 123. This announcement notified every affected merchant that rogue employees had stolen their data, “but neither Shopify nor Ledger warned the hundreds of thousands of vulnerable Ledger customers harmed by the data breach.” Id. ¶ 126. On November 2, 2020, “Ledger refused to acknowledge the [Shopify/TaskUs] Data Breach was the source of the rising attacks on its customers.” Id. ¶ 154 (citing another Ledger announcement).
On December 21, 2020, after “the hacked customer list was posted publicly and became widely available . . . Ledger finally admitted to the scope of the attack, stating that the company ‘very deeply regret[s] this situation.'” Id. ¶ 17. Ledger failed to provide customer support for customers (there was no phone support option, and written responses came after weeks or sometimes not at all), leaving “customers without the help they needed.” See id. ¶¶ 19-20.
On February 19, 2021, a federal grand jury indicted the California man for wire fraud for his role in causing the data breach. SAC, ¶ 124. “The indictment alleges that starting in May 2019, he paid an employee of a Shopify vendor (TaskUs) to provide him with Shopify's merchant data. The unnamed vendor acted as Shopify's agent, providing customer support services to Shopify customers on its behalf.” Id. The two “rogue” TaskUs employees who conspired with the California man have since been fired. See TaskUs Mot. at 3.
7. Harm to Plaintiffs after the breach
As a result of Ledger customer's personal information being made public, “Plaintiffs and other Ledger consumers began receiving a high volume of phishing scams/emails that were designed to look like emails sent from Ledger.” SAC ¶ 141. Plaintiffs provide evidence of convincing-looking emails from Ledger's support team and evidence that Ledger users fell for the phishing attacks. See id. ¶¶ 142-43.
[A]ttacks on ledger's customers grew exponentially, with customers losing money, facing threats of physical violence, and even feeling vulnerable in their own homes. Ledger wallet owner[s] continue to be targete[ed] by scammers, receiving counterfeit hardware wallets at their home addresses feigning to be an updated, “safe” device from Ledger itself, but is actually designed for malware delivery. [H]ackers [have] threatened to enter the homes of and attack Ledger customers unless those customers made untraceable ransom payments with the crypto-assets Ledger was supposed to secure.
Id. ¶ 15. Hackers also used SIM-swap attacks against the class, which is “when the scammer tricks a telephone carrier to porting the victim's phone number to the scammer's SIM card. By doing so, the attacker is able to bypass two-factor authentication accounts, as are used to access cryptocurrency wallets and other important accounts.” Id. ¶ 151. However, there is no allegation that this resulted in money taken. Class members “have also received ransom demands for monetary payment to prevent physical attacks in their homes.” Id. ¶¶ 156-58. In addition, class members have received ransom demands in the form of death threats. Id. ¶¶ 169, 177. Plaintiffs report losing significant sums of crypto-assets as a result of these phishing attempts. Id. ¶¶ 173-74 (ranging from $72,000-224,000 per named Plaintiff).
California Plaintiff Mr. Seirafi bought a Ledger Nano X hardware wallet “reasonably rel[ying] upon the data security services advertised by Ledger, believing Ledger's corresponding services to be safer, better protected, and more secure as a result.” SAC ¶ 22. Mr. Seirafi represents that if he knew the PII he gave Ledger would be at risk, he “would not have purchased the Ledger Nano X.” Id. After the breach, Mr. Seirafi received phishing emails and text messages which appeared to be from Ledger. Id. ¶¶ 144-50. Mr. Seirafi received ransom demands for monetary payment to prevent physical attacks in his home. Id. ¶ 156. On February 13, 2021, the Glendale Police Department received a 911 call by an unknown male stating he had shot his friend. See id. ¶ 161. Police were dispatched to Plaintiff's home, setting up a containment zone around the area Plaintiff Seirafi's house is located. The police determined the call to be a false alarm, and one of the officers later confirmed that the caller had a European accent and that the address was traced to a European IP address. See id.
8. Class Plaintiffs
There are seven proposed classes in this case:
• California Subclass
• California Consumer Subclass
• California Phishing Subclass
• Nationwide, UK, and Israel Class
• Nationwide, UK, and Israel Phishing Subclass
• New York Subclass
• New York Phishing Subclass
SAC ¶ 208. The California Consumer Subclass claims are brought against Ledger. The SAC does not state any specific claims alleged by the California Phishing Subclass, so that subclass is dismissed. The latter four classes and the California Subclass assert claims against Shopify and TaskUs.
There are five named plaintiffs who each bought a Ledger product and had their information leaked in the breach:
• Plaintiff Seirafi who is a resident of Los Angeles, California.
• Plaintiff Baton who is a resident of Georgia.
• Plaintiff Comilla who is a resident of Albany, New York.
• Plaintiff Deeney who is a resident of London in the United Kingdom (“UK”).
• Plaintiff Vilinger who is a resident of Tel Aviv, Israel.
SAC ¶¶ 22-26.
B. Procedural Background
The FAC named Ledger and Shopify as the Defendants and did not include TaskUs. After Ledger and Shopify moved to dismiss the FAC, this Court granted Defendants' motions with prejudice for lack of personal jurisdiction. Plaintiffs appealed. With respect to Ledger, the Ninth Circuit found that this Court has specific personal jurisdiction over Ledger. However, the Ninth Circuit found that Ledger's forum selection clause obtained, and that Plaintiffs' claims against Ledger should be sent to France, “except with respect to Plaintiffs who are ‘California resident plaintiffs bringing class action claims under California consumer law.'” Baton v. Ledger SAS, No. 21-17036, 2022 WL 17352192, at *2 (9th Cir. Dec. 1, 2022) (quoting Doe 1 v. AOL LLC, 552 F.3d 1077, 1084 (9th Cir. 2009)).
With respect to Shopify, the Ninth Circuit stated that “the district court correctly ruled that the present record does not support jurisdiction but abused its discretion by disallowing any jurisdictional discovery and an opportunity to amend the complaint following jurisdictional discovery.” Id. at *3. Thus, the Ninth Circuit permitted Plaintiffs to engage Shopify's Data Protection Officer, Mr. Narayanadas, for jurisdictional discovery. Id.
Since the Ninth Circuit's ruling, Plaintiffs have taken Mr. Narayanadas' deposition and filed the SAC, adding TaskUs as a Defendant. See SAC. Ledger, Shopify, and TaskUs move to dismiss the SAC. Docket Nos. 114, 117, 122.
III. LEGAL STANDARD
A. Article III Standing
Under Rule 12(b)(1), a party may move to dismiss for lack of subject matter jurisdiction. “[L]ack of Article III standing requires dismissal for lack of subject matter jurisdiction under [Rule] 12(b)(1).” Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011). The “irreducible constitutional minimum” of standing requires that a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins (“Spokeo II”), 136 S.Ct. 1540, 1547 (2016). These three elements are referred to as, respectively, injury-in-fact, causation, and redressability. Planned Parenthood of Greater Wash. & N. Idaho v. U.S. Dep't of Health & Human Servs., 946 F.3d 1100, 1108 (9th Cir. 2020). “The plaintiff, as the party invoking federal jurisdiction, bears the burden of establishing these elements,” which at the pleadings stage means “clearly . . . alleg[ing] facts demonstrating each element.” Spokeo II, 136 S.Ct. at 1547 (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)).
B. Motions to Strike
Before responding to a pleading, a party may move to strike from a pleading any “redundant, immaterial, impertinent, or scandalous matter.” Fed.R.Civ.P. 12(f). The essential function of a Rule 12(f) motion is to “avoid the expenditure of time and money that must arise from litigating spurious issues by dispensing with those issues prior to the trial.” Wang v. OCZ Tech. Grp., Inc., 276 F.R.D. 618, 624 (N.D. Cal. Oct. 14, 2011) (quoting Whittlestone, Inc. v. Handi-Craft Co., 618 F.3d 970, 973 (9th Cir. 2010)). Motions to strike are generally disfavored. See Shaterian v. Wells Fargo Bank, N.A., 829 F.Supp.2d 873, 879 (N.D. Cal. 2011); Platte Anchor Bolt, Inc. v. IHI, Inc., 352 F.Supp.2d 1048, 1057 (N.D. Cal. 2004). A motion to strike should only be granted if the matter sought to be stricken clearly has no possible bearing on the subject matter of the litigation. See Colaprico v. Sun Microsystems, Inc., 758 F.Supp. 1335, 1339 (N.D. Cal. 1991); Fantasy, Inc. v. Fogerty, 984 F.2d 1524, 1527 (9th Cir. 1993), rev'd on other grounds, Fogerty v. Fantasy, Inc., 510 U.S. 517 (1994) (“Immaterial matter is that which has no essential or important relationship to the claim for relief or the defenses being pleaded”). Statements that do not pertain to, and are not necessary to resolve, the issues in question are impertinent. Id. If there is any doubt whether the portion to be stricken might bear on an issue in the litigation, the Court should deny the motion to strike. Platte Anchor Bolt, 352 F.Supp.2d at 1057. Just as with a motion to dismiss, the Court should view the pleading sought to be struck in the light most favorable to the nonmoving party. Id.
C. Personal Jurisdiction
Under Rule 12(b)(2), a court must dismiss an action where it does not have personal jurisdiction over a defendant. Fed.R.Civ.P. 12(b)(2). “[T]he plaintiff bears the burden of establishing that jurisdiction is proper.” Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011). However, “[w]here, as here, the defendant's motion is based on written materials rather than an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts to withstand the motion to dismiss.” Id. In addition, “[u]ncontroverted allegations in the complaint must be taken as true, and factual disputes are construed in the plaintiff's favor.” Freestream Aircraft (Berm.) Ltd. v. Aero Law Grp., 905 F.3d 597, 602 (9th Cir. 2018).
D. 12(b)(6)
Federal Rule of Civil Procedure 8(a)(2) requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). A complaint that fails to meet this standard may be dismissed pursuant to Rule 12(b)(6). See Fed.R.Civ.P. 12(b)(6). To overcome a Rule 12(b)(6) motion to dismiss after the Supreme Court's decisions in Ashcroft v. Iqbal, 556 U.S. 662 (2009) and Bell Atlantic Corporation v. Twombly, 550 U.S. 544 (2007), a plaintiff's “factual allegations [in the complaint] ‘must . . . suggest that the claim has at least a plausible chance of success.'” Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014). The Court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). But “allegations in a complaint . . . may not simply recite the elements of a cause of action [and] must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Levitt, 765 F.3d at 1135 (quoting Eclectic Props. E., LLC v. Marcus & Millichap Co., 751 F.3d 990, 996 (9th Cir. 2014)). “A claim has facial plausibility when the Plaintiff pleads factual content that allows the court to draw the reasonable inference that the Defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. “The plausibility standard is not akin to a ‘probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (quoting Twombly, 550 U.S. at 556).
IV. DISCUSSION
A. Article III Standing
1. Ledger
The “irreducible constitutional minimum” of standing requires that a “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 136 S.Ct. at 1547. Injury in fact requires “an invasion of a legally protected interest which is (a) concrete and particularized and (b) ‘actual or imminent, not “conjectural” or “hypothetical.”'” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (citations omitted). Named plaintiffs “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” Spokeo, 136 S.Ct. at n.6.
Here, the claims against Ledger are lodged by Plaintiff Mr. Seirafi and the California Consumer Subclass. SAC ¶ 69. Mr. Seirafi alleged that he lived in California and purchased the Ledger Nano X for use as a digital wallet to control his cryptocurrency assets. SAC ¶ 22. “In doing so, Seirafi was required to provide Ledger with his first and last name, email address, telephone number, and postal address.” Id. Mr. Seirafi “received spam emails, phone calls, and texts which, inter alia, attempted to phish for additional personal information and sell prurient content.” Id. ¶ 179. He has received phishing emails which appear to be from Ledger, Id. ¶ 144, and has received ransom demands for monetary payment to prevent physical attacks in his home, Id. ¶ 156 (example of hacker's text to Mr. Seirafi).
Mr. Seirafi claims that he has suffered several injuries including the lost value of his PII (property that Ledger obtained from him), out-of-pocket expenses associated with remediating identity theft, opportunity costs associated with mitigating the consequences of the data breach including lost time, the continued risk that unauthorized persons will access his PII, the continued risk that the PII that remains in Defendants' possession is subject to further unauthorized disclosure, the invasion of their privacy and the risk to their personal safety, the risk of theft of their PII and the resulting privacy loss of that information, and the price premium associated with the purchase of Ledger wallets which exceeds the value of the wallet had the inadequate security provided by Ledger been disclosed. SAC ¶¶ 194-95. Although he does not allege that he was successfully phished, Mr. Seirafi alleges that hackers' high-volume of phishing scams/emails significantly increases the risk of future monetary and identity theft. Id. ¶ 141. As to overpayment, Mr. Seirafi alleges that he would not have purchased Ledger products or would have paid significantly less for them if he had known of Ledger's inadequate security practices, its unwillingness to promptly disclose data breaches, and its failure to provide adequate customer service in the event of a breach. Id. ¶ 201.
Ledger argues that Mr. Seirafi lacks injury-in-fact, challenging several of these asserted injuries. See Ledger Mot. at 4-11.
a. Disclosure of contact information
Ledger argues that Mr. Seirafi has failed to allege an injury because “[t]he disclosure of names, addresses, and other contact information (like email) that Seirafi alleges here does not establish harm.” Ledger Mot. at 7. In addition, Ledger argues that Mr. Seirafi fails to “allege that cyber criminals used his contact information to commit identity theft or that he has lost a single cent because of the data breach.” Id.
In TransUnion LLC v. Ramirez, class plaintiffs' credit files misleadingly stated that they were on a terrorist-watch list, and they sued the credit reporting agency. 594 U.S. 413, 425 (2021). The Supreme Court held that the plaintiffs whose reports were disseminated to third-party businesses had suffered an injury sufficient to establish Article III standing, whereas plaintiffs whose reports were not disseminated had not suffered an injury because the “mere presence of an inaccuracy in an internal credit file . . . causes no concrete harm.” Id. at 434. However, the Court explained that “various intangible harms” can confer standing such as “injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts” including “disclosure of private information, and intrusion upon seclusion.” Id. at 425 (citations omitted). The harms alleged for standing purposes need not “exact[ly] duplicate” the common law harm. Id. at 433.
Following TransUnion, lower courts have evaluated whether the disclosure of plaintiffs' information after a data breach “b[ore] a close relationship to harms caused by the common law private torts of disclosure of private facts and intrusion upon seclusion.” I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1048 (N.D. Cal. 2022). For the public disclosure of private facts, a defendant may be liable “if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not a legitimate concern to the public.” Id. (quoting Restatement (Second) of Torts § 652D). In Zynga, the plaintiffs failed to allege an injury because the data breach only leaked plaintiffs' basic contact information (email addresses, phone numbers, account usernames, but not full names). Id. at 1049. This information is a “matter[] of public record” and does not constitute “private information.” Id. The court concluded that “in data breach cases, courts must examine the nature of the specific information at issue to determine whether privacy interests were implicated at all.” Id. at 1050; see also Bohnak v. Marsh & McLennan Co., Inc., 79 F.4th 276, 279, 285-87 (2d Cir. 2023) (plaintiff alleged standing when her name and social security number were procured in a data breach even though nobody had attempted to steal her identity “given the close relationship between [plaintiff's] data exposure injury and the common law analog of private facts”); Medoff v. Minka Lighting, LLC, No. 22-cv-08885, 2023 WL 4291973, at *3 (C.D. Cal. May 8, 2023) (same); cf. Saeedy v. Microsoft Corp., No. 23-cv-1104, 2023 WL 8828852, at *4 (W.D. Wash. Dec. 21, 2023) (plaintiffs did not have standing because they had no “reasonable expectation of privacy in their browsing data”).
Thus, to allege injury-in-fact in this way, plaintiffs must allege that the intercepted information is “private ‘personal information, personally identifiable information, or information over which a party has a reasonable expectation of privacy.'” Saeedy, 2023 WL 8828852, at *4 (quoting Cook v. GameStop, Inc., No. 22-cv-1292, 2023 WL 5529772, at *4 (W.D. Pa. Aug. 28, 2023)).
The post-TransUnion district courts have used a different framework of analysis than the Ninth Circuit previously did in In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018) and in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010); see Zynga, 600 F.Supp.3d at n.15 (“in light of TransUnion's rejection of risk of harm as a basis for standing for damages claims, the Court questions the viability of Krottner and Zappos's holdings”).
Here, Mr. Seirafi's name, phone number, email address, and home address were posted on the dark web, in conjunction with the fact that he owns a Ledger wallet. Mr. Seirafi alleges that Ledger's customer list is a “gold mine” for hackers, SAC ¶ 5, because the fact that one owns a Ledger wallet indicates that they have significant crypto-assets. Applying TransUnion's reasoning, the Court must evaluate whether Mr. Seirafi's injuries bear “a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts” including “disclosure of private information, and intrusion upon seclusion.” 594 U.S. 413, 425 (2021) (citations omitted). For the public disclosure of private facts tort, a defendant may be liable “if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not a legitimate concern to the public.” Zynga, 600 F.Supp.3d at 1048 (quoting Restatement (Second) of Torts § 652D). First, it would be highly offensive to a reasonable person to have one's PII in conjunction with one's confidential financial information (as indicated by Mr. Seirafi's ownership of the wallet and thus his ownership in crypto wealth) disclosed to the public at large. Second, there is no reason why one's confidential financial information would be of concern to the public. This information is not of public record, it is otherwise confidential, and it was released in conjunction with Mr. Seirafi's full name, so his anonymity is not preserved. See id. at 1049.
The public knowledge of the type of information accessed here would be offensive to a reasonable person in part because it would make a victim a “ready target[] for targeted phishing and extortion attacks.” Opp'n re Ledger at 6. Indeed, cyber criminals allegedly used Mr. Seirafi's contact information to send him phishing messages and ransom demands for monetary payment to prevent physical attack. SAC ¶¶ 144-50, 156. Mr. Seirafi alleges that he received text messages from an unknown number with an article link titled “Ledger User Claims Receiving Death Threat, Ransom Attempts” and that one text message read:
Moreover, you also happen to keep quite a lot of crypto. I'm going to share all that information (and more) with local area bad guys in your area.
Do not worry not yet! But, if I occur to do so, can you imagine all the possible consequences that can happen to your and your loved ones?
Frightening right? But it does not needs to be that way. I am going to provide you with a way out of this.
Send me either 0.3 BTC to [the text cuts off]
Id. ¶ 156. This text message indicates that Mr. Seirafi was targeted specifically because his PII, in conjunction with the fact that he owns significant crypto-assets, was leaked online. Though Mr. Seirafi does not allege that this data breach has caused him to lose money thus far, he alleges that the release of his information constituted an invasion of privacy, as the disclosure included highly sensitive information, and that the dissemination of his information resulted in harassment and significantly increases the risk of future monetary and identity theft. SAC ¶¶ 141, 194-95. For the reasons stated above, he has plausibly alleged that he incurred an injury by virtue of the public disclosure of his sensitive private information.
Ledger also argues that “[Mr.] Seirafi also cannot establish standing based on the alleged fake 911 call by an unknown person that resulted in police being dispatched to his home-he does not plausibly allege it is ‘fairly traceable' to either the Ledger cyber-attack or the TaskUs employees' activities.” Id. Mr. Seirafi has not alleged any facts that would tie the 911 call to the breach of his contact information. There are no allegations that the hackers used this 911 call as a means for extortion. Without an allegation tying this event to the hackers' modus operandi, it is merely conjecture that hackers used this 911 call to harass Mr. Seirafi. Thus, Mr. Seirafi cannot base standing on this 911 call.
b. Benefit-of-the-bargain injury
Mr. Seirafi alleges injuries in the form of benefit-of-the-bargain injuries “as [the members of the class] would not have paid Ledger for goods and services or would have paid less for such goods and services but for Ledger's misconduct.” SAC ¶ 284. “Under California law, the economic injury of paying a premium for a falsely advertised product is sufficient harm to maintain a cause of action.” Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 965 (9th Cir. 2018), reh'g en banc denied. District courts have held that a plaintiff's allegations “that he expected to receive secure [] services and that he would not have signed up for the services in the absence of such assurances” confer an injury upon the plaintiff given that “he lost the benefit of the bargain.” In re: Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113, 1130 (N.D. Cal. 2018); see also In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (“The [c]ourt finds plausible [p]laintiffs' allegations that they relied on Adobe's representations regarding security to their detriment.”).
Ledger argues that Mr. Seirafi “received exactly what he paid for: a secure hardware wallet,” which is still secure, whereas the above cases discuss instances in which the product itself received was less valuable than the product promised. Ledger Reply at 5. Thus, Ledger argues, Mr. Seirafi's argument is unpersuasive because he does not allege that Ledger's product failed in its security. This argument is unavailing. Mr. Seirafi trusted Ledger to securely store his PII; he expected “secure [] services.” In re: Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d at 1130. Mr. Seirafi purchased the product with the expectation that the PII he provided in connection with the purchase would be secure. His expectation from the purchase was not limited to the performance of the hardware. He did not get the benefit of the bargain.
c. Lost value of PII
In the SAC, it is alleged that “Plaintiffs Seirafi … and the Class have suffered damages as a result of the Data Breach [which] include, but are not limited to: (i) lost value of PII…” SAC ¶ 194. Ledger argues that “Seirafi's conclusory allegation that he lost the value of his personal information is unsupported. Seirafi does not allege that disclosure of his contact information deprived him of any value.” Ledger Mot. at 8.
Several courts have held there is no standing due to lost value of PII if plaintiffs failed to “identify a single individual who was foreclosed from entering into a ‘value-for-value exchange'” as a result of defendant's practices, or if plaintiffs fail to “explain how they were ‘deprived' of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.” LaCourt v. Specific Media, Inc., No. 10-1256-GW, 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011); see also Yunker v. Pandora Media, Inc., No. 11-cv-31131-JSW, 2013 WL 1282980, at *4 (N.D. Cal. Mar. 26, 2013) (“[plaintiff] does not allege that [he] attempted to sell his PII, that he would do so in the future, or that he was foreclosed from entering into a value for value transaction relating to his PII, as a result of [defendant's] conduct”); Low v. LinkedIn Corp., No. 11-cv-01468-LHK, 2011 WL 5509848, at *5 (N.D. Cal. Nov. 11, 2011) (“[plaintiff] relies upon allegations that the data collection industry generally considers consumer information valuable, and that he relinquished his valuable personal information without the compensation to which he was due. But [Plaintiff] has failed to allege how he was foreclosed from capitalizing on the value of his personal data”); In re Facebook Internet Tracking Litigation, 140 F.Supp.3d 922, 931-32 (N.D. Cal. 2015) (Davila, J.) (“what Plaintiffs have failed to do is adequately connect this value to a realistic economic harm or loss that is attributable to Facebook's alleged conduct. In other words, Plaintiffs have not shown, for the purposes of Article III standing, that they personally lost the opportunity to sell their information or that the value of their information was somehow diminished after it was collected by Facebook.”).
Several other courts have dismissed similar claims of lost value of PII, particularly when plaintiffs failed to “allege that someone else would have bought [their PII] as a stand-alone product.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 784 (N.D. Cal. 2019) (Chhabria, J.); Burns v. Mammoth Media, Inc., 2023 WL 5608389, at *4 (C.D. Cal. 2023) (dismissing claim for lost value of PII in part because there was “no allegation of a legitimate market for the information”).
Here, however, Mr. Seirafi has alleged that there is a market for his PII: hackers seek the PII of persons who have significant crypto-assets. See SAC ¶¶ 61, 189. Specifically, Mr. Seirafi alleged that the “going rate” for Ledger customer data was approximately $100,000. Id. ¶ 174. As alleged, Mr. Seirafi's PII combined with the fact that he owns a Ledger wallet presents a “gold mine” for hackers. Id. ¶ 5. The database of PII was not limited to the usual private information but conferred the knowledge that those whose PII was hacked presumptively had significant wealth. This adds plausibility to the allegation that this information had market value. These allegations establish a sufficient injury-in-fact.
d. Nonresponse and Waiver
In the SAC, Mr. Seirafi alleges that he suffered “severe emotional distress,” which “unfortunately[] came to fruition with the raid to his home that took place after his PII information was leaked during the breach.” SAC ¶¶ 163-64. Ledger argues that “[Mr.] Seirafi's conclusory allegations that he suffered unspecified emotional distress do not establish injury-in-fact.” Ledger Mot. at 9. Mr. Seirafi did not respond to this argument in his opposition.
In addition, Mr. Seirafi alleged that on information and belief, the dates of birth and amount and type of crypto-assets were accessed. SAC ¶ 15. Ledger challenges this contention, stating that it is implausible. Ledger Mot. at 5. Ledger's Chief Technology Officer stated in a declaration that it “does not and has never requested or collected customers' dates of birth or the amount or type of their crypto-assets in connection with the purchase or ownership of a Ledger hardware wallet.” Decl. Guillemet, ¶¶ 1, 3, Docket No. 116. Mr. Seirafi did not respond to this argument in his opposition.
As Ledger states, “Seirafi does not contest these points and therefore concedes them.” Reply at 2; see Yee v. Select Portfolio, Inc., No. 18-cv-02704-LHK, 2018 WL 6173886, at *6 (N.D. Cal. Nov. 26, 2018) (finding that plaintiff abandoned claim by failing to oppose arguments in motion to dismiss). Thus, these purported injuries for emotional distress and for the alleged disclosure of dates of birth and amount and type of crypto-assets are DISMISSED with prejudice.
2. TaskUs
Plaintiffs' allegations against TaskUs are lodged on behalf of the nationwide, United Kingdom, and Israel class, the nationwide, United Kingdom, and Israel phishing subclass, and alternatively, on behalf of the remaining non-consumer subclasses. SAC ¶ 64. TaskUs argues that Plaintiffs' injuries are not “fairly traceable” to TaskUs because “the injuries alleged by Plaintiffs are based on Plaintiffs' own superseding cause in providing their own private keys to the criminals (falling prey to phishers) despite Ledger's express warnings to never provide that information-a warning Plaintiffs admit they must abide by to protect their assets.” TaskUs Reply at 4 (emphasis in original).
“[P]laintiffs must establish a ‘line of causation' between defendants' action and their alleged harm that is more than ‘attenuated.'” Maya, 658 F.3d at 1070 (quoting Allen v. Wright, 468 U.S. 737, 757 (1984)). Although “a causation chain does not fail simply because it has several ‘links,' provided those links are ‘not hypothetical or tenuous' and remain ‘plausib[le],'” id. (quoting Nat'l Audubon Soc'y, Inc. v. Davis, 307 F.3d 835, 849 (9th Cir. 2002)), “[w]here a chain of causation ‘involves numerous third parties' whose ‘independent decisions' collectively have a ‘significant effect' on plaintiffs' injuries, the Supreme Court and [the Ninth Circuit] have found the causal chain too weak to support standing at the pleading stage.” Maya, 658 F.3d at 1070 (citing Allen, 468 U.S. at 759). The “fairly traceable” requirement “ensures that there is a genuine nexus between a plaintiff's injury and a defendant's alleged illegal conduct.” Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000). “[W]hat matters is not the ‘length of the chain of causation,' but rather the ‘plausibility of the links that comprise the chain.'” Mendia v. Garcia, 768 F.3d 1009, 1012-13 (9th Cir. 2014) (quoting Nat'l Audubon Soc'y, Inc. v. Davis, 307 F.3d 835, 849 (9th Cir. 2002)).
A plaintiff's injury is “fairly traceable” when there is a “substantial likelihood” that the defendant's conduct caused the harm. NRDC v. Texaco Ref. & Mktg., Inc., 2 F.3d 493, 505 (3d Cir. 1993) (citing Public Interest Research Group of New Jersey, Inc. v. Powell Duffryn Terminals Inc., 913 F.2d 64, 72 (3d Cir. 1990)). “The ‘fairly traceable' standard is ‘not equivalent to a requirement of tort causation,' (sic) a plaintiff ‘must merely show that a defendant discharges a pollutant that causes or contributes to the kinds of injuries alleged' in the area of concern.” Maine People's All. v. Holtrachem Mfg. Co., LLC., 211 F.Supp.2d 237, 253 (D. Me. 2002) (quoting Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 161 (4th Cir. 2000)). As stated above, causation for Article III standing is less strict than that under tort law. See id. In a case discussing tort causation in a data breach case, Ross v. AT&T Mobility, LLC, 2020 WL 9848766 (N.D. Cal. 2020), the plaintiff made several allegations including that AT&T failed to supervise its employees, which resulted in an AT&T employee conducting an unauthorized SIM swap on his phone. The court there explained:
“[T]he defense of ‘superseding cause[ ]' ... absolves [the original] tortfeasor, even though his conduct was a substantial contributing factor, when an independent event [subsequently] intervenes in the chain of causation, producing harm of a kind and degree so far beyond the risk the original tortfeasor should have foreseen that the law deems it unfair to hold him responsible.” Chanda v. Fed. Home Loans Corp., 215 Cal.App.4th 746, 755 (2013) (citation omitted) (alterations in the original). “To qualify as a superseding cause so as to relieve the defendant from liability for the plaintiff's injuries, both the intervening act and the results of that act must not be foreseeable. Significantly, what is required to be foreseeable is the general character of the event or harm not its precise nature or manner of occurrence.” Id. (internal citations and quotation marks omitted) (alteration in original).
Id. (emphasis added). The court concluded that AT&T's failure to supervise its employees, which resulted in an employee hacking a customer's phone, was a type of risk which defendants could have foreseen. Foreseeability is key.
Here, even under the stricter tort law causation analysis, Plaintiffs allege foreseeability. They allege that “[p]rior to the Data Breach, Defendants knew or should have known that there was a foreseeable risk that Plaintiffs' and Class Members' PII could be accessed, exfiltrated and published as the result of a cyberattack.” SAC ¶ 191. Indeed, several of the TaskUs named Plaintiffs did fall victim to phishing attempts:
Plaintiff Baton lost about 150,000 Stellar Lumens, worth approximately $72,000 at today's market prices. Plaintiff Comilla lost all his crypto assets due to a successful phishing attack, 2.6 bitcoin and 8 ether, worth about $115,000 at today's market prices. Plaintiff Vilinger also lost all his crypto assets after the breach, 6.4 bitcoin worth about $225,000 at today's market prices.... Plaintiff Deeney lost $145,000 when account manipulation caused by the data breach caused one of his trading accounts to be temporarily frozen, preventing him from closing out a short position on XRP.
SAC ¶ 173. The SAC alleges that Class members “were the foreseeable and probable victims of any inadequate security practices” and that TaskUs's “failure to protect Class members' personal information would likely harm Class members, because they knew that hackers routinely attempt to steal such information and use it for nefarious purposes.” Id. ¶ 234. In addition, Plaintiffs allege that TaskUs failed to “timely and comprehensively notify[] Class members of any potential or actual unauthorized access of their personal information.” Id. ¶ 233. This deprives consumers of the opportunity to exercise heightened vigilance against, e.g., phishing attempts. “The natural and foreseeable result was that many customers fell victim to hackers' phishing emails disguised as emails from Ledger.” Id. ¶ 18.
TaskUs cites several cases which found no standing due to lack of traceability, but those cases explain that the complaints failed to allege that the provider had an inadequate security system. Without such allegations of an inadequate security system, a plaintiff's injuries would solely be due to the third-party hackers, not the provider. See Anderson v. Kimpton Hotel & Rest. Grp., LLC, 2019 WL 3753308 (N.D. Cal. Aug. 8, 2019) (“the complaint is ‘devoid of facts' to support [its] conclusory allegation[s]” wherein “the complaint does not allege the nature of any assertedly reasonable, appropriate, obligatory, sufficient and/or adequate action Kimpton failed to take”); Springmeyer v. Marriott International, Inc., 2021 WL 809894, at *1 (D. Md. Mar. 3, 2021) (plaintiff's claims were “conclusory” wherein they failed to “allege[] any facts about what measures Marriott did or did not take to protect PII, what alleged inadequacies in its systems it should have disclosed, what ‘standard and reasonably available steps' existed that Marriott did not take, how Marriott failed to detect the data breach, or why it did not provide timely and accurate notice of the breach.”).
There is a plausible causal chain linking TaskUs's conduct with Plaintiffs' injury wherein TaskUs's conduct in failing to implement adequate security measures and in failing to notify Plaintiffs of the data breach “contributed” to Plaintiffs' injury. Nat. Res. Def. Council, 710 F.3d at 85. The foreseeable result of TaskUs's inadequate security measures is that TaskUs would be hacked, subjecting Plaintiffs to phishing attacks. Plaintiffs may have been able to avoid the phishing attacks if TaskUs had notified Plaintiffs earlier of the breach, because they would have been on notice. But TaskUs failed to do so. As a result, the named Plaintiffs lost significant crypto-assets. Since there is a “substantial likelihood” that TaskUs's conduct caused Plaintiffs' injuries, Plaintiffs have met the “fairly traceable” standard. Texaco Ref. & Mktg., Inc., 2 F.3d at 505.
3. Ledger and TaskUs - Injunctive Relief
Plaintiffs must demonstrate standing for each form of relief they seek. See Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 185 (2000). “Because injunctions regulate future conduct, a party has standing to seek injunctive relief only if the party shows ‘a real and immediate-as opposed to a merely conjectural or hypothetical-threat of future injury.'” Houston v. Marod Supermarkets, Inc., 733 F.3d 1323, 1329 (11th Cir. 2013). When plaintiffs seek injunctive relief, “they must demonstrate that they are ‘realistically threatened by a repetition of the violation.'” Gest v. Bradbury, 443 F.3d 1177, 1181 (9th Cir. 2006) (citing Armstrong v. Davis, 275 F.3d 849, 860-61 (9th Cir. 2001)) (emphasis in original). “Although ‘past wrongs are evidence bearing on whether there is real and immediate threat of repeated injury,' O'Shea, 414 U.S. at 496, ‘past wrongs do not in themselves amount [to a] real and immediate threat of injury necessary to make out a case or controversy,' City of Los Angeles v. Lyons, 461 U.S. 95, 103 (1983).” Updike v. Multnomah Cnty., 870 F.3d 939, 948 (9th Cir. 2017).
Mr. Seirafi seeks injunctive relief in his claim against Ledger, alleging that “[i]njunctive relief is appropriate because Ledger continues to misrepresent that their security features should be trusted.” SAC ¶ 286; see also id. ¶¶ 300-01. Indeed, “a previously deceived consumer may have standing to seek an injunction against false advertising or labeling, even though the consumer now knows or suspects that the advertising was false at the time of the original purchase, because the consumer may suffer an ‘actual and imminent, not conjectural or hypothetical' threat of future harms.” Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 969 (9th Cir. 2018) (quoting Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009)). In Davidson, the plaintiff had standing for injunctive relief because she alleged that she would be unable to rely on the product's label in the future when deciding whether to purchase the product and that the company's false advertising threatened to invade her statutory right, created by the UCL, CLRA, and FAL, to receive truthful information about the product at issue. Id. at 966-67. In addition, a consumer may have standing if they might purchase the product in the future on the incorrect assumption that the product is as represented. See id. at 969 (“Knowledge that the advertisement or label was false in the past does not equate to knowledge that it will remain false in the future.”). Here, Mr. Seirafi does not allege that he seeks to purchase Ledger's products in the future or otherwise rely on Ledger's advertisements or labels. Thus, Mr. Seirafi does not have standing to seek prospective injunctive relief against further misrepresentations.
In addition, Plaintiffs seek injunctive relief in their claim against TaskUs requiring TaskUs “to employ adequate security protocols consistent with law and industry standards to protect consumers' personal information.” SAC ¶ 252. Plaintiffs further allege that they “remain at imminent risk that further compromises of their personal information will occur in the future,” and that “the risk of another [data breach] is real, immediate, and substantial.” SAC ¶¶ 250, 253. Though these allegations border on conclusory, other district courts have found these types of statements to be sufficient in the data breach context. In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1141 (C.D. Cal. 2021) (there was standing for injunctive relief when defendants “announced few if any changes to their data security infrastructure which permitted the breach to occur” and plaintiffs alleged “now that Defendants' insufficient data security is known to hackers, [plaintiff's information] is even more vulnerable to cyberattack.”); Stallone v. Farmers Group, Inc., 2022 WL 10091489, at *9 (D. Nev. Oct. 15, 2022) (plaintiffs had standing for injunctive relief when they alleged “that without injunctive relief requiring Defendants to remedy the deficiencies in their security measures, Plaintiff's PII could be ‘obtained again in the same unauthorized manner'”); but see Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *8 (S.D. Cal. Nov. 3, 2016) (after a data breach, a district court found that the plaintiff did not have standing for his injunctive relief claim based on “his ‘fear of on-going data breaches' and ‘intent[t] to continue as a customer if his data can be adequately protected.'” An injunctive relief order “w[ould] not provide any relief for past injuries or injuries incurred in the future because of a data breach that has already occurred,” and “the relief afforded would be mostly ‘psychic satisfaction.'”).
Thus, Plaintiffs have plausibly alleged that they have Article III standing for a claim for injunctive relief against TaskUs, because they remain at risk due to Defendants' continuing inadequate security system.
Therefore, Mr. Seirafi does not have standing to seek injunctive relief against Ledger with respect to further misrepresentations, but Plaintiffs do have standing to seek injunctive relief against TaskUs as to its inadequate security.
B. Motion to Strike
Ledger asks the Court to strike Mr. Seirafi's California Consumer Subclass. Mr. Seirafi seeks to assert his claims against Ledger on behalf of a California Consumer Subclass comprising “all persons residing in California who purchased a [Ledger wallet] from Ledger or an authorized reseller within the limitations period, as may be extended or tolled by any applicable rule of law or equitable doctrine.” SAC ¶ 208. Ledger argues that this purported consumer class does not have a nexus to Mr. Seirafi's claims, which derive from the security incidents. Ledger Mot. at 21. Ledger argues the class definition is overly broad, because it includes “every person in California who purchased a Ledger wallet: [(1)] from a reseller, and thus did not provide their contact information to Ledger; [(2)] from Ledger before the security incidents, but whose contact information the criminals did not access; and [(3)] from Ledger after the security incidents.” Id. Thus, Ledger asserts that the Court should strike these class allegations as they are unrelated to Plaintiff's claims.
To meet the requirements of Rule 23, “the claims or defenses of the representative parties [must be] typical of the claims or defenses of the class.” Fed. R. Civ. P. 23(a)(3). Here, the California Consumer Subclass' definition is overly broad and does not meet the Rule 23 standard for typicality. Mr. Seirafi argues that there is a nexus between the asserted California Consumer Subclass' claims and Seirafi's claims, because Mr. Seirafi's claims are not limited to the harm he incurred from the data breach; rather, he also alleges that he would not have purchased a Ledger wallet at all had he known of Ledger's inadequate security and customer service practices. Opp'n at 21. This argument is unpersuasive. As the proposed California Consumer Subclass currently stands, it “includes individuals who purchased a Ledger wallet after the security incidents occurred and were thus [presumably] aware of the allegedly ‘inadequate' security practices at the time of their purchase.” Ledger Reply at 15.
The question here is whether it is appropriate for the Court to strike class allegations at the motion to dismiss stage, rather than at the class certification stage. In Ortiz v. Fibreboard Corp., the Supreme Court stated:
While an Article III court ordinarily must be sure of its own jurisdiction before getting to the merits, a Rule 23 question should be treated first because class certification issues are “logically antecedent” to Article III concerns and pertain to statutory standing, which may properly be treated before Article III standing.
527 U.S. 815, 816 (1999) (citations omitted). Several district courts in this district have found that it was appropriate to strike an overly broad proposed class at the motion to dismiss stage. See Hovsepian v. Apple, Inc., No. 08-5788 JF, 2009 WL 5069144, at *1 (N.D. Cal. 2009) (plaintiffs' proposed class included “all persons and entities in the United States who made original purchases on an iMac computer” which was too broad because it included members who have not experienced any problems with their iMac display screens); see also Sandoval v. Ali, 34 F.Supp.3d 1031, 1044 (N.D. Cal. 2014) (plaintiffs' proposed class was “all non-exempt bodyshop employees” which was overbroad because it “include[d] as class members employees who are not paid based on the ‘piece rate system' that is the focus of Plaintiffs' allegations”); Sanders v. Apple Inc., 672 F.Supp.2d 978, 989-90 (N.D. Cal. 2009) (same); but see Velasquez v. HSBC Fin. Corp., 2009 WL 112919, at *4 (N.D. Cal. Jan. 16, 2009) (“Motions to strike class allegations are disfavored because a motion for class certification is a more appropriate vehicle for the arguments.”).
Although the Court could defer the issue until class certification, where the problem is facially evident, it makes sense to address the issue early on. As such, the Court GRANTS Ledger's Motion to strike Mr. Seirafi's proposed California Consumer Subclass with leave to amend.
C. Personal Jurisdiction
1. Shopify
a. Procedural background
This Court previously held there was no personal jurisdiction over Shopify and denied Plaintiffs' request for jurisdictional discovery. See MTD Order. Plaintiffs appealed. The Ninth Circuit affirmed this Court's holding that it does not have personal jurisdiction over Shopify as alleged in Plaintiffs' FAC, but reversed the determination that jurisdictional discovery was not warranted. Baton, 2022 WL 17352192, at *2 (“the district court correctly ruled that the present record does not support personal jurisdiction but abused its discretion by disallowing any jurisdictional discovery.”).
Here, the Court must focus on new facts alleged in the SAC following discovery. See Askins v. U.S. Dept. of Homeland Security, 899 F.3d 1035, 1042 (9th Cir. 2018) (quoting United States v. Houser, 804 F.2d 565, 567 (9th Cir. 1986)) (“A trial court may not [] reconsider a question decided by an appellate court.”). The SAC's only new alleged contact between Shopify and California is with respect to Mr. Narayanadas, Shopify's Data Protection Officer (“DPO”).
In the prior MTD Order, the Court stated: “a finding [of] purposeful direction cannot ‘be based on the mere fact that [a company] provides services to customers nationwide, including but not limited to California.'” MTD Order at *6 (quoting Caces-Tiamson v. Equifax, 20-CV-00387-EMC, 2020 WL 1322889, at *3 (N.D. Cal. Mar. 20, 2020)). The Plaintiffs “fail[ed] to support their assertion that Shopify, Inc. engaged in activity in California leading up to and during the breach.” Id. (emphasis in original).
In the FAC, Plaintiffs had alleged that Mr. Narayanadas worked remotely from California, which, among other things, conferred the Court with personal jurisdiction over Shopify. The Court dismissed this theory and denied Plaintiffs request for jurisdictional discovery regarding Mr. Narayanadas' contacts with California. See MTD Order at *13. The Ninth Circuit reversed this Court on its jurisdictional discovery decision. Baton, 2022 WL 17352192, at *2 (“we reverse the district court's denial of jurisdictional discovery with respect to the DPO's role and responsibilities and his relationship to Shopify, Inc.”). Specifically, the Ninth Circuit stated that, with respect to Mr. Narayanadas:
It is reasonable to infer that this employee may have played a role related to the data breach because he appears to have overseen the relevant privacy policies and Shopify's response. The DPO's LinkedIn profile displays his title as “Vice President, Legal; Data Protection Officer.” His job duties include “[s]trategically advis[ing the] executive team, senior leaders, and Board of Directors,” as well as “[s]erv[ing] as [the] company's Data Protection Officer, advising senior management, Board of Directors, and key teams within the company on issues relating to privacy, data protection, data usage, and cybersecurity.” These responsibilities plausibly relate to how Shopify would prevent and respond to a data breach.
Id. Since the Ninth Circuit's opinion, Plaintiffs have taken Mr. Narayanadas' deposition, and alleged facts relating specifically to his relationship with Shopify.
Mr. Narayanadas was the Associate General Counsel of privacy at Shopify and then became the Directing Associate General Counsel. Mishra Decl., Ex. 1, Narayanadas Dep., Docket No. 118 (“Narayanadas Dep.”) 22:7-11. This was not a promotion; it was a change in his title. Id. At all times he was a director since he was hired. Id. at 22:11-21. In his role, he testified that he was “expected” “to build out a global privacy program for Shopify.” Id. at 18:10-12. In so doing, he “built and overs[aw] the privacy functions” of the company. Id. 38:23-24. Part of his role was to figure out what he thought was needed within his subject areas, “including privacy.” Id. at 21:22-22:2. When asked if he would be responsible for a potential security incident, he stated that “[he] or someone from [his] privacy team [would] be[] available to the security team to provide legal advice,” Id. at 49:3-6, and that it “could be” part of his role to respond to and assess security incidences “depending on the nature of the incidents,” Id. at 49:9-14. In his role, Mr. Narayanadas had twenty people who reported to him, including direct and indirect reports. Id. at 22:22-23:8. The direct reports “deal[t] with privacy[,] litigation and IP.” Id. at 23:18-21.
Mr. Narayanadas testified that he was hired because “the European Union's General Data Protection Regulation [(“GDPR”)] was coming into effect in May the following year, and [the boss] wanted [him] to really focus on building a legal privacy program that would meet the [GDPR's] requirements.” Id. at 18:12-18. The GDPR is the EU's “set of privacy standards and requirements that apply across the Union.” Id. at 176:15-19. Mr. Narayanadas stated, “we largely designed [the company's systems] to meet the GDPR standard globally just because we expected other jurisdictions to follow the GDPR's pathway, especially when it came to things like data subject rights.” Id. at 38:9-21. He stated that his role “was focused on Shopify's operations in the EU,” Id. at 176:20-23, and that the role was “meant to be global,” Id. at 172:19-23.
The SAC alleges that Mr. Narayanadas “oversaw the operational and legal responses to security incidents and data breaches.” SAC ¶ 45. Mr. Narayanadas “had roles in both (1) Shopify's failure to oversee its vendor who was hacked and (2) Shopify's failure to timely communicate the hack to affected customers.” Id. ¶ 39. Plaintiffs allege: “not only do his general duties as global head of privacy implicate his responsibility to oversee vendor data, but had he been fulfilling his formal duties as Data Protection Officer under the GDPR, there would have been sufficient controls to catch the years-long data breach earlier.” SAC ¶ 203; see also id. ¶¶ 204-07. In addition, he “admitted he was responsible for at least some controls that would apply to TaskUs.” Id. ¶ 46.
When Shopify originally hired Mr. Narayanadas, it wanted to fill the role in Canada where its offices are. SAC ¶ 50. However, Shopify provided Mr. Narayanadas an “accommodation” to work remotely due to his wife's employment at Georgetown University in Washington, DC. Narayanadas Dep., 170:6-172:12. In June 2018, Mr. Narayanadas' wife received a tenure track position at a law school in San Diego, and Shopify did not object to Mr. Narayanadas moving to California with her. Id. 173:22-174:7. Shopify “did not want him to” work in California, and Shopify “repeatedly” told him “they would have preferred that [he] move to Ottawa or somewhere else in Canada where Shopify's headquarters are.” Id. at 175:18-176:4. He performed his work from California from July 2018 to December 2021, when he resigned. SAC ¶ 50.
Plaintiffs allege that Mr. Narayanadas “was paid by the Shopify entity located in California.” Id. ¶ 49. However, the SAC does not provide more information on the “Shopify entity located in California.”
b. Elements for personal jurisdiction
“There are two forms of personal jurisdiction that a forum state may exercise over a nonresident defendant-general jurisdiction and specific jurisdiction.” Boschetto v. Hansing, 539 F.3d 1011, 1016 (9th Cir. 2008). Plaintiffs do not contend that there is general jurisdiction over Shopify Defendants, only specific jurisdiction. See Shopify Mot. at 7.
There is a three-prong test for analyzing claims of specific personal jurisdiction:
(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;
(2) the claim must be one which arises out of or relates to the defendant's forum-related activities; and
(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.
Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004) (quoting Lake v. Lake, 817 F.2d 1416, 1421 (9th Cir. 1987)). “The plaintiff bears the burden of satisfying the first two prongs of the test. ... If the plaintiff succeeds in satisfying both of the first two prongs, the burden then shifts to the defendant to ‘present a compelling case' that the exercise of jurisdiction would not be reasonable.” Id. (quoting Burger King Corp. v. Rudzewicz, 471 U.S. 462, 476-78 (1985)). Plaintiffs must only make a “prima facie showing of jurisdictional facts” to avoid dismissal. Shields v. Federation Internationale de Natation, 419 F.Supp.3d 1188, 1202 (N.D. Cal. 2019) (quoting Data Disc, Inc. v. Sys. Tech. Ass'n, Inc., 557 F.2d 1280, 1285 (9th Cir. 1977)).
i. 1st element: purposeful availment
Purposeful availment and purposeful direction are “two distinct concepts.” Schwarzenegger, 374 F.3d at 802. “A purposeful availment analysis is most often used in suits sounding in contract. A purposeful direction analysis, on the other hand, is most often used in suits sounding in tort.” Id. (citations omitted). This Court previously applied the purposeful direction test given that the claims herein are primarily tort or statutory claims. See MTD Order at *5. Nonetheless, courts often look to both tests for all types of claims. See Impossible Foods Inc. v. Impossible X LLC, 80 F.4th 1079, 1088 (9th Cir. 2023); Global Commodities Trading Group, Inc. v. Beneficio de Arroz Choloma, 972 F.3d 1101, 1107 (9th Cir. 2020) (“our cases do not impose a rigid dividing line between these two types of claims. When both contract and tort claims are at issue, both tests are relevant.”). “Both purposeful availment and purposeful direction ask whether defendants have voluntarily derived some benefit from their interstate activities such that they ‘will not be haled into a jurisdiction solely as a result of ‘random', ‘fortuitous', or ‘attenuated' contacts.'” Id. (quoting Burger King, 471 U.S. at 474-75, 105 S.Ct. 2174 (quoting Keeton v. Hustler Magazine, Inc., 465 U.S. 770, 773-74, 104 S.Ct. 1473, 79 L.Ed.2d 790 (1984))).
A defendant “purposefully direct[s] [its] activities at the forum if [it]: (1) committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows is likely to be suffered in the forum state.” Picot v. Weston, 780 F.3d 1206, 1214 (9th Cir. 2015) (internal quotations and citation omitted). “Failing to sufficiently plead any one of these three elements ... is fatal to Plaintiff[s'] attempt to show personal jurisdiction.” Alexandria Real Estate Equities, Inc. v. Runlabs Ltd., No. 18-CV-07517-LHK, 2019 WL 4221590, at *7 (N.D. Cal. 2019) (internal quotations omitted).
For purposeful availment, courts “ask whether a defendant has ‘purposefully avail[ed] [himself] of the privilege of conducting activities within the forum State, thus invoking the benefits and protections of its laws.'” Picot v. Weston, 780 F.3d 1206, 1212 (9th Cir. 2015) (quoting Schwarzenegger, 374 F.3d at 802). “A showing that a defendant purposefully availed himself of the privilege of doing business in a forum state typically consists of evidence of the defendant's actions in the forum, such as executing or performing a contract there.” Schwarzenegger, 374 F.3d at 802. In addition, it may consist of the defendant “engag[ing] in some form of affirmative conduct allowing or promoting the transaction of business within the forum state.” Gray & Co. v. Firstenberg Mach. Co., 913 F.2d 758, 760 (9th Cir. 1990).
To establish “minimum contacts” under the “purposeful availment” test:
A defendant must have “performed some type of affirmative conduct which allows or promotes the transaction of business within the forum state.” Sher, 911 F.2d at 1362 (quoting Sinatra v. Nat'l Enquirer, Inc., 854 F.2d 1191, 1195 (9th Cir.1988)). In determining whether such contacts exist, we consider “prior negotiations and contemplated future consequences, along with the terms of the contract and the parties' actual course of dealing.” Burger King, 471 U.S. at 479, 105 S.Ct. 2174.
Picot v. Weston, 780 F.3d 1206, 1212 (9th Cir. 2015). Courts ask whether the defendant would have a “reasonable foreseeability of possible litigation there.” Burger King, 471 U.S. at 482.
For both tests, “[d]ue process requires that a defendant be haled into court in a forum State based on his own affiliation with the State, not based on the ‘random, fortuitous, or attenuated' contacts he makes by interacting with other persons affiliated with the State.” Walden v. Fiore, 571 U.S. 277, 286 (2014). “Rather than looking to the place of performance, the Court look[s] to the business reality behind the particular contract at issue. ... [For example,] ‘prior negotiations and contemplated future consequences, along with the terms of the contract and the parties' actual course of dealing-that must be evaluated in determining whether the defendant purposefully established minimum contacts within the forum.'” Global Commodities Trading Group, Inc. v. Beneficio de Arroz Choloma, 972 F.3d 1101, 1108 (9th Cir. 2020) (quoting Burger King, 471 U.S. at 479).
Two principles animate the “defendant-focused” inquiry. Walden, 134 S.Ct. at 1122. First, the relationship between the nonresident defendant, the forum, and the litigation “must arise out of contacts that the ‘defendant himself' creates with the forum State.” Id. (quoting Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475, 105 S.Ct. 2174, 85 L.Ed.2d 528 (1985)). Second, the minimum contacts analysis examines “the defendant's contacts with the forum State itself, not the defendant's contacts with persons who reside there.” Id. It follows that “a defendant's relationship with a plaintiff or third party, standing alone, is an insufficient basis for jurisdiction.” Id. at 1123.
These principles apply to cases involving intentional torts. Id. “A forum State's exercise of jurisdiction over an out-of-state intentional tortfeasor must be based on intentional conduct by the defendant that creates the necessary contacts with the forum.” Id.
Axiom Foods, Inc. v. Acerchem Int'l, Inc., 874 F.3d 1064, 1068 (9th Cir. 2017). Importantly, “the defendant's suit-related conduct must create a substantial connection with the forum State.” Walden, 571 U.S. at 284 (emphasis added); see also Bristol-Myers Squibb Co. v. Superior Court of California, San Francisco County, 582 U.S. 255, 265 (2017) (there was no specific jurisdiction when plaintiffs did not claim to have suffered harm in the forum state; rather, the defendant merely had extensive forum contacts unrelated to plaintiffs' claims). Thus, whether a remote employee's presence in a state is sufficient to confer jurisdiction depends on “the parties' actual course of dealing” in the forum, Global Commodities Trading Group, 972 F.3d at 1108, and whether the “defendant's suit-related conduct [] create[d] a substantial connection with the forum state,” Walden, 571 U.S. at 284.
“[P]hysical entry into the State-either by the defendant in person or through an agent, goods, mail, or some other means-is certainly a relevant contact. But ... it is the defendant's conduct that must form the necessary connection with the forum State that is the basis for its jurisdiction over him.” Walden, 571 U.S. at 287 (citations omitted). Several courts have found personal jurisdiction when an employer supports or facilitates its employees' remote work in a forum state, and the employee meets with distributors or vendors in the forum state. There was personal jurisdiction in Cossart v. United Excel Corp., when an out-of-state employer reached into a forum state to hire and support a remotely-working employee by registering a sales office in the state to facilitate his work for the company. 804 F.3d 13, 18 (1st Cir. 2015). In Perry v. National Association of Home Builders of United States, No. TDC-20-0454, 2020 WL 5759766, at *4 (D. Md. 2020), the court cited two similar cases:
Winner v. Tryko Partners, LLC, 333 F.Supp.3d 250, 256, 264 (W.D.N.Y. 2018) (finding personal jurisdiction where a New Jersey defendant company employed the plaintiff to “provide marketing services” from her home in New York, expressly agreed to her continuing to live and work in New York, and enlisted the plaintiff to attend multiple meetings with vendors in New York); Stuart v. Churn LLC, No. 1:19-CV-369, 2019 WL 2342354, at *5 (M.D. N.C. June 3, 2019) (finding purposeful availment where the New York defendant employer hired the plaintiff with the understanding that he would work out of his home in North Carolina, provided him an allowance to support office expenses there, and knew that he was working to expand the company's business in North Carolina and was meeting with potential distributors there).
Id.; see also Wallens v. Milliman Financial Risk Management LLC, 509 F.Supp.3d 1204, 1216 (C.D. Cal. 2020) (wherein a remote employee was harassed by their employer in the forum state, which conferred personal jurisdiction over the employer-defendant in that state); Rice v. Nova Biomedical Corp., 763 F.Supp. 961, 966 (N.D. Ill. 1991) (same); Wright v. Xerox Corp., 882 F.Supp. 399, 407 (D. N.J. 1995) (same).
Conversely, sporadic or un-endorsed remote work is insufficient to confer jurisdiction. “In remote-work cases, [] a defendant's mere knowledge that an employee happens to reside in the forum state and conduct some work from home does not constitute purposeful availment.” Perry v. Nat'l Assoc. of Home Builders of U.S., 2020 WL 5759766, at *5 (D. Md. Sept. 28, 2020); see also Callahan v. Wisdom, No. 3:19-CV-00350, 2020 WL 2061882, at *12 (D. Conn. Apr. 29, 2020) (no purposeful availment when plaintiff's work in a state was “purely incidental” to the work of the defendant company); Bertolini-Mier v. Upper Valley Neurology Neurosurgery, P.C., No. 5:16-CV35, 2017 WL 4081901 (D. Vt. Sept. 13, 2017) (no purposeful availment when an employee's work in a state was an “accommodation” and “not a purposeful effort” to have work conducted in the forum state); Phillips v. Persons Services Corp., 2021 WL 5277481, at *4 (W.D. Tenn. March 31, 2021) (citing Burger King Corp. v. Rudzewicz, 471 U.S. 461, 478 (1985)) (there was no personal jurisdiction over a company in Tennessee when the company was not located in Tennessee and one of its employees worked at various jobsites in Mississippi, Alabama, and Florida, as well as living in and working remotely on occasion from Tennessee).
Here, Plaintiffs argue that this Court has personal jurisdiction over Shopify because Mr. Narayanadas “had roles in both (1) Shopify's failure to oversee its vendor who was hacked and (2) Shopify's failure to timely communicate the hack to affected consumers,” SAC ¶ 41, and that he implemented these responsibilities “directly on behalf of Shopify” from California, Opp'n re Shopify at 12. As previously discussed, whether a remote employee's presence in a state is sufficient to confer jurisdiction depends on “the parties' actual course of dealing” in the forum, Global Commodities Trading Group, 972 F.3d at 1108, and whether the “defendant's suit-related conduct [] create[d] a substantial connection with the forum state,” Walden, 571 U.S. at 284. With respect to the parties' actual course of dealing, the SAC alleges that Mr. Narayanadas “oversaw the operational and legal responses to security incidents and data breaches.” SAC ¶ 45. Mr. Narayanadas “had roles in both (1) Shopify's failure to oversee its vendor who was hacked and (2) Shopify's failure to timely communicate the hack to affected customers.” Id. ¶ 39. Plaintiffs allege: “not only do his general duties as global head of privacy implicate his responsibility to oversee vendor data, but had he been fulfilling his formal duties as Data Protection Officer under the GDPR, there would have been sufficient controls to catch the years-long data breach earlier.” SAC ¶ 203; see also id. ¶¶ 204-07. In addition, he “admitted he was responsible for at least some controls that would apply to TaskUs.” Id. ¶ 46.
With respect to the “connection between the forum and the specific claims at issue,” Mr. Narayanadas worked at Shopify in California from July 2018 to December 2021 as the head of data security. Mr. Narayanadas testified that he was hired because “the European Union's General Data Protection Regulation [(“GDPR”)] was coming into effect in May the following year, and [the boss] wanted [him] to really focus on building a legal privacy program that would meet the [GDPR's] requirements.” Id. at 18:12-18. When asked if he would be responsible for a potential security incident, he stated that “[he] or someone from [his] privacy team [would] be[] available to the security team to provide legal advice,” Id. at 49:3-6, and that it “could be” part of his role to respond to and assess security incidences “depending on the nature of the incidents,” Id. at 49:9-14. In his role, Mr. Narayanadas had twenty people who reported to him, including direct and indirect reports. Id. at 22:22-23:8. The direct reports “deal[t] with privacy[,] litigation and IP.” Id. at 23:18-21. Thus, there is a significant connection between Mr. Narayanadas' work in California and the claims at issue.
To be sure, it can be argued that Mr. Narayanadas' presence in California was not based on Shopify's will - in fact Shopify preferred that he work from Canada, not California. Thus, in some sense, his residency in California was fortuitous. Yet, the thrust of the Ninth Circuit's order remanding the case appears to focus on the nature of Mr. Narayanadas' role and responsibility in this event. As noted above, the Ninth Circuit stated:
It is reasonable to infer that this employee may have played a role related to the data breach because he appears to have overseen the relevant privacy policies and Shopify's response. The DPO's LinkedIn profile displays his title as “Vice President, Legal; Data Protection Officer.” His job duties include “[s]trategically advis[ing the] executive team, senior leaders, and Board of Directors,” as well as “[s]erv[ing] as [the] company's Data Protection Officer, advising senior management, Board of Directors, and key teams within the company on issues relating to privacy, data protection, data usage, and cybersecurity.” These responsibilities plausibly relate to how Shopify would prevent and respond to a data breach. Because more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court's denial of jurisdictional discovery with respect to the DPO's role and responsibilities and his relationship to Shopify, Inc., which processed and stored the data.
Id. at *2. It appears that in the Ninth Circuit's view, if Mr. Narayanadas “played a role” as to “how Shopify would prevent and respond to a data breach,” that is sufficient to confer jurisdiction, at least if that role was significant. The facts now before the Court, especially when viewed in Plaintiffs' favor, establish that Mr. Narayanadas did play a significant role in the management and supervision of privacy and security which lies at the heart of this case.
The panel's decision in Briskin v. Shopify, Inc., 87 F.4th 404 (9th Cir. 2023), rehearing granted en banc, 101 F.4th 706 (9th Cir. 2024), does not affect the specific jurisdiction analysis herein. Briskin employed purposeful direction analysis, whereas here the focus is on purposeful availment, the analysis implicit in the Circuit's remand herein.
ii. 2nd element: “arising out of or related to”
With respect to the second element of the specific jurisdiction test, courts ask whether the claim is one which arises out of or relates to the defendant's forum-related activities. See Schwarzenegger, 374 F.3d at 802. For plaintiff's claim to “relate to” defendant's forum-related conduct, “the plaintiff must show ‘that the instant litigation “relate[s] to”' the contacts in question” but a causal connection is not required. Id. at 414 (quoting LNS Enters., LLC v. Continental Motors, Inc., 22 F.4th 852, 864 (9th Cir. 2022)). “Relatedness requires a close connection between contacts and injury.” Yamashita v. LG Chem, Ltd., 62 F.4th 496, 506 (9th Cir. 2023). In Ford Motor Co. v. Montana Eight Judicial District Court, specific jurisdiction attached “when a company like Ford serve[d] a market for a product in the forum State and the product malfunction[ed] there.” 592 U.S. 351, 363 (2021).
Here, Plaintiffs contend that Shopify “performed sufficient acts in California related to (1) data security policies that led to the breach and (2) the Shopify Defendants' handling of the breach.” Opp'n re Shopify at 6-7. Plaintiffs argue that Mr. Narayanadas was a “senior employee” who “ma[de] significant decisions in California” and was a “key decision maker for the alleged negligence at issue in the case.” Opp'n at 11, 13. Thus, Plaintiffs' claims “relate to” defendant's forum-related conduct of handling the breach.
iii. 3rd element: reasonableness of exercising jurisdiction
Shopify argues that the exercise of personal jurisdiction over Shopify would be unreasonable. Shopify Mot. at 13. The Ninth Circuit lists seven factors for courts to consider in this context:
[T]he extent of purposeful interjection, the burden on the defendant to defend the suit in the chosen forum, the extent of conflict with the sovereignty of the defendant's state, the forum state's interest in the dispute; the most efficient forum for judicial resolution of the dispute; the importance of the chosen forum to the plaintiff's interest in convenient and effective relief; and the existence of an alternative forum.
Amoco Egypt Oil Co. v. Leonis Nav. Co., Inc., 1 F.3d 848, 851-52 (9th Cir. 1993). The Ninth Circuit has also stated:
We presume that an otherwise valid exercise of specific jurisdiction is reasonable. See Sher v. Johnson, 911 F.2d 1357, 1364 (9th Cir.1990) (once court finds purposeful availment, it must presume that jurisdiction would be reasonable). The burden of convincing us otherwise is on Royal. To avoid jurisdiction, Royal must “present a compelling case that the presence of some other considerations would render jurisdiction unreasonable.” Burger King, 471 U.S. at 477, 105 S.Ct. at 2185 (emphasis added); Haisten, 784 F.2d at 1397, 1400. In our view, Royal has not carried its heavy burden of rebutting the strong presumption in favor of jurisdiction.
Ballard v. Savage, 65 F.3d 1495, 1500 (9th Cir. 1995).
Shopify argues that because its only contact with California is via Mr. Narayanadas, a single remote employee, it would be burdensome to litigate in California given that it is a Canadian company, the sovereignty barrier is high given that Shopify is located in Canada, a foreign nation, and that it would be more convenient to litigate these claims in France. But Shopify's arguments do not suggest that it would be unreasonable to hale it into court in California. First, Shopify does business with several merchants in California, and Shopify, USA was headquartered in California at least into 2020. Second, Shopify's argument that litigation in California would be inconvenient is unavailing as it argues instead that the claims should be heard in France, which would likely be an even more inconvenient forum. Third, California has an interest in this dispute because it has an interest in ensuring that companies that perform substantial work in California remain accountable to California courts. Finally, Mr. Narayanadas was a high ranking official within Shopify and had responsibilities that touch on the subject matter of this case. Thus, this Court's exercise of jurisdiction over Shopify is reasonable.
Plaintiffs request that the Court take judicial notice of the United States Securities and Exchange Commission's Form 40-F filed by Shopify, Inc., for the fiscal year ending on December 31, 2020, which is Exhibit B to the Declaration of Richard Cipolla filed in support of Plaintiffs' Opposition to Defendant Shopify's Motion to Dismiss. See Docket Nos. 127, 128. Plaintiffs' request is granted. See Fed. R. Civ. Proc. 201; Wells v. Global Tech Industries, 658 F.Supp.3d 912, n.2 (D. Nev. 2023) (“it is ... ‘well-established that courts may take judicial notice of SEC filings'”).
2. TaskUs
Until December 1, 2020, TaskUs' principal place of business was in Santa Monica, California. Andreasen Decl. at ¶¶ 2-3. The breach herein occurred sometime in 2020, and Shopify announced the incident on September 22, 2020. SAC ¶ 123. Thus, TaskUs's principal place of business was California up until and during the breach. After December 1, 2020, TaskUs moved to Texas.
Plaintiffs request that the Court take judicial notice of the State of California Secretary of State's website which indicates that TaskUs was registered in California in 2015. See Docket Nos. 129, 130. Plaintiffs' request is granted. See Fed. R. Civ. Proc. 201; Reyn's Pasta Bella, LLC v. Visa USA, Inc., 442 F.3d 741, 764 n.6 (9th Cir. 2006) (courts may “take judicial notice of courts filings and other matters of public record [as they] are readily verifiable”).
a. General jurisdiction
Defendant TaskUs argues that the Court does not have general jurisdiction over it. TaskUs Mot. at 5-6. In Plaintiffs' opposition, they only address specific jurisdiction. Opp'n at 5-8. However, for the reasons discussed below, this Court has general jurisdiction over TaskUs.
Where there is general jurisdiction over a defendant, the plaintiff can bring any claim against the defendant in the forum state. See Daimler AG v. Bauman, 571 U.S. 117, 118 (2014) (exercise of general jurisdiction is reasonable when “a foreign corporation's ‘continuous corporate operations within a state [are] so substantial and of such a nature as to justify suit against it on causes of action arising from dealings entirely distinct from those activities.'”). In order for general jurisdiction to obtain, the defendant's contacts with the forum state must be so continuous and systematic as to render the defendant essentially at home in the forum State. See id. at 122, 128; see also Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 807 (9th Cir. 2004) (asking whether the defendant has continuous and systematic contacts that approximate physical presence in the forum state). “With respect to a corporation, the place of incorporation and principal place of business are ‘paradig[m] ... bases for general jurisdiction.'” Daimler, 571 U.S. at 137. Here, TaskUs's principal place of business was in Santa Monica, California during the time of the breach. After the breach, TaskUs moved to Texas.
If a Defendant has moved its principal place of business (and thus its “home”) from the forum state:
[M]ost courts look back from that date a “reasonable time,” typically between three and seven years, to assess whether there are continuous and systematic contacts sufficient for general personal jurisdiction. 4 Wright et al., Federal Practice & Procedure § 1067.5 & n. 11.75 (3d ed. 2002 & Supp.2014); see Metro. Life Ins. Co. v. Robertson-Ceco Corp., 84 F.3d 560, 569-70 (2d Cir.1996) (“[O]ur review of general jurisdiction cases reveals that contacts are commonly assessed over a period of years prior to the plaintiffs filing of the complaint.”). For example, as these sources observe, the Supreme Court looked back over a seven-year period to determine whether there was general personal jurisdiction in Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 409-11, 104 S.Ct. 1868, 80 L.Ed.2d 404 (1984), and the Ninth Circuit examined contacts over a three-year period in Gates Learjet Corp. v. Jensen, 743 F.2d 1325, 1329-31 (9th Cir.1984).
Kormylo v. Forever Resorts, LLC, No. 13-CV-511 JM WVG, 2015 WL 106379, at *10-11 (S.D. Cal. Jan. 6, 2015). As the Second Circuit noted, other circuit courts similarly look back to the defendant's prior residence in the forum state:
Likewise, other circuits have examined minimum contacts over a reasonable period of years in general jurisdiction cases, see Wilson v. Belin, 20 F.3d 644, 650-51 (5th Cir.) (examining defendant's contacts with forum state over five-year period in assessing minimum contacts for general jurisdiction purposes), cert. denied, 513 U.S. 930, 115 S.Ct. 322, 130 L.Ed.2d 282 (1994); Bearry, 818 F.2d at 372, 376 (analyzing defendant's contacts with forum state over five-year period in general jurisdiction case); Gates Learjet Corp. v. Jensen, 743 F.2d 1325, 1329, 1330-31 (9th Cir.1984) (examining defendant's contacts over three-year period in connection with general jurisdiction inquiry). Finally, our own circuit has suggested in dictum that examining a defendant's contacts over a period of several years is appropriate when applying the “continuous and systematic” standard, Braman v. Mary Hitchcock Memorial Hosp., 631 F.2d 6, 9 (2d Cir.1980) (implying that defendant's contacts with the forum state over five-year period relevant to minimum contacts inquiry).
Metro. Life Ins. Co. v. Robertson-Ceco Corp., 84 F.3d 560, 569 (2d Cir. 1996), cert. denied, 519 U.S. 1006 (1996). The Ninth Circuit has not articulated a contrary view.
Here, TaskUs was headquartered in California until December 2020. At all relevant times herein, it was registered to do business in California. TaskUs was added to this case on November 22, 2023. Because TaskUs was headquartered in California less than three years before this suit commenced, see Gates Learjet Corp., 743 F.2d at 1329, 1330-31, it is subject to general jurisdiction for purposes of this suit.
In the alternative, Plaintiffs request jurisdictional discovery. See Opp'n at 8. Because this Court has personal jurisdiction over TaskUs, jurisdictional discovery is not necessary.
D. Forum Selection Clause
1. Ledger
In the FAC, Plaintiffs stated several bases for liability, including that Ledger was liable under California's Unfair Competition Law (UCL) and California's Consumer Legal Remedies Act (CLRA). FAC, ¶¶ 193-238. The Court dismissed Plaintiffs' claims with prejudice, stating that the Court lacked specific jurisdiction over Ledger. MTD Order at *12. On appeal, the Ninth Circuit found that “[t]he district court had specific personal jurisdiction over Ledger.” Baton, 2022 WL 17352192, at *1. In addition, it found that Ledger's forum selection clause obtained:
These forum-selection clauses are enforceable except with respect to Plaintiffs who are “California resident plaintiffs bringing class action claims under California consumer law.” Doe 1 v. AOL LLC, 552 F.3d 1077, 1084 (9th Cir. 2009) (per curiam) (holding that a forum-selection clause was unenforceable because it violated California public policy against waiver of consumer rights under California's Consumer Legal Remedies Act). Accordingly, we reverse the dismissal of Plaintiffs' California consumer law claims but otherwise affirm the dismissal of Plaintiffs' claims against Ledger.
Id. at *2 (emphasis added). Thus, Plaintiffs' claims against Ledger will be heard in France pursuant to Ledger's forum selection clause except for “Plaintiffs' California consumer law claims.” Id. In the SAC, Mr. Seirafi realleged the same California UCL and CLRA claims against Ledger. SAC ¶¶ 256-301.
Now, Ledger argues that the Ninth Circuit's reference to Doe 1 implicates that the Ninth Circuit only preserved the CLRA claim for this Court and that the UCL claim, in contrast, should proceed in France. Ledger argues:
Doe involved a CLRA claim, not a UCL claim, and in Doe the Ninth Circuit held that the forum selection clause could not be enforced because it violated the anti-waiver provision of the CLRA. Doe 1 v. AOL LLC, 552 F.3d 1077, 1084 (9th Cir. 2009). The UCL does not have an anti-waiver provision. The Ninth Circuit's reversal, therefore, did not include Seirafi's UCL claim.
Ledger Mot. at 12. Ledger relies on the fact that the Baton panel's parenthetical discussing Doe 1 specifically refers to the CLRA, but not the UCL (see italicized text above).
As Plaintiffs argue, Doe 1 involved UCL and CLRA claims, like in the case at bar. Doe 1, 552 F.3d at 1080. There, Does brought a class action against AOL, LLC for making publicly available the internet search records of more than 650,000 of its members. Id. at 1078. Plaintiffs alleged violations of federal electronic privacy law, and a subclass of California-resident AOL members also alleged violations of California law, including the CLRA, the California Customer Records Act, California False Advertising laws, and the California UCL. Id. at 1080. Under the AOL Member Agreement, all plaintiffs agreed to a forum selection clause that designates the “courts of Virginia” as the fora for disputes. Id. at 1078. Virginia state court does not permit consumer class actions. Id. at 1079.
The Ninth Circuit provided two independent grounds for its holding that the forum selection clause at issue was unenforceable. First, the forum selection clause was unenforceable with respect to the CLRA because it “violate[d] the anti-waiver provision of the [CLRA], which states ‘[a]ny waiver by a consumer of the provisions of this title is contrary to public policy and shall be unenforceable and void.'” Id. at 1084. Second, the forum selection clause was unenforceable because “it violated California public policy that strongly favors consumer class actions because consumer class actions are not available in Virginia state courts.” Id. at 1083. A forum selection clause is enforceable when “enforcement would contravene a strong public policy of the forum in which suit is brought, whether declared by statute or by judicial decision.” Id. (quoting M/S Bremen v. Zapata Off-Shore Co., 407 U.S. 1, 17 (1972) (emphasis in original).
The Ninth Circuit relied on America Online, Inc. v. Superior Court of Alameda County (Mendoza), 90 Cal.App.4th 1 (2001), where a California state court declared by “judicial decision” that the same AOL forum selection clause “contravenes a strong public policy of California.” Doe 1, 552 F.3d at 1083. In Mendoza, the California court of appeal decided that the CLRA should be litigated in Virginia as opposed to California. The court analyzed the CLRA's Virginia counterpart: the Virginia Consumer Protection Act (VCPA). Id. at 16. Class action relief was not available in Virginia actions at law, and the VCPA did not explicitly allow class suits under the Act. Id. at 17. In addition, under the VCPA, individuals were not entitled to recover as much in damages, attorney's fees and costs were permissively awarded (whereas under the CLRA they are mandatory if plaintiffs prevail), the statute-of-limitations period was shorter, and injunctive relief was not available for the class. Id. at 16. In Doe 1, the Ninth Circuit stated:
We agree with plaintiffs that Mendoza is the kind of declaration “by judicial decision” contemplated by Bremen. Mendoza found a California public policy against consumer class action waivers and waivers of consumer rights under the CLRA that California public policy applies to California residents bringing class action claims under California consumer law. As to such California resident plaintiffs, Mendoza holds California public policy is violated by forcing such plaintiffs to waive their rights to a class action and remedies under California consumer law.
Accordingly, the forum selection clause in the instant member agreement is unenforceable as to California resident plaintiffs bringing class action claims under California consumer law.
Id. at 1083-84 (citations omitted). Because of California's public policy encouraging consumer class actions and the CLRA's express anti-waiver provision, the forum selection clause was deemed unenforceable as to all of plaintiffs' California consumer law claims (including the UCL).
The UCL does not have the same anti-waiver clause as the CLRA. Thus, one basis for finding the forum selection clause unenforceable does not apply. However, there is a second basis. Enforcement of Ledger's forum selection clause would “contravene[] a strong public policy of California”-the “California public policy that strongly favors consumer class actions,” Doe 1, 552 F.3d at 1083. See Holland Am. Line Inc. v. Wartsila N. Am., Inc., 485 F.3d 450, 457 (9th Cir. 2007) (quoting Murphy v. Schneider Nat'l, Inc., 362 F.3d 1133, 1140 (9th Cir. 2004)) (forum selection clause not enforceable “if it would contravene a strong public policy of the forum in which suit is brought”).
Here, “California public policy [] strongly favors consumer class actions.” Doe 1, 552 F.3d at 1083. “The burden is on the [defendants] to show that enforcement of [the] forum selection clause will not subvert substantive rights afforded California citizens.” Wimsatt v. Beverly Hills Weight etc. Internal, Inc., 32 Cal.App. 4th 1511, 1514 (Ct. App. 1995). For example, in Muto v. Fenix Int'l Ltd., a district court considered whether the plaintiffs' UCL claims could be sent to England pursuant to a forum selection clause. 2024 U.S. Dist. Lexis 83275, at *7-8 (C.D. Cal. May 2, 2024). There, plaintiffs' individual payout would be relatively small: the allegedly improperly charged monthly fees were only $5.00 to $50.00 per consumer. Id. at *8. However, plaintiffs provided facts to suggest that defendants may have generated almost half a billion dollars in net revenue from this alleged scheme. Id. The court found:
[N]one of the procedures in the English and Welsh courts that Defendants have identified would offer Plaintiffs the essential benefits of the class action format. Under a “group litigation order,” per CPR 19.11, each claimant would be required to affirmatively opt into the proceedings and enter into a retainer agreement with the solicitor (attorney) responsible for managing the group's claims. As British courts acknowledge, the up-front costs of the retainer agreement render this process “not economic” for “claims which individually are only worth a few hundred pounds.” For similar reasons, the Court finds that the other procedural alternatives Defendants point to would also fail to protect the important objectives of California's strong consumer class action policy.
Id. at *9 (citations omitted). Here, at the May 9, 2024, hearing, the Court asked the parties for supplemental briefing to discuss whether Mr. Seirafi's UCL claim could be vindicated in France. See Docket Nos. 145, 146. France does permit class actions, but the parties dispute whether France would provide the same rights as permitted under the UCL.
The parties agree that consumer class actions in France can only be brought by associations approved or accredited by the Government. See Pl. Suppl. Br. at 1; Def. Suppl. Br. at 1. The French law states: “A nationally representative consumer defense association . . . may act before a civil court in order to obtain compensation for individual harm suffered by consumers.” Art. L. 423-1. Plaintiffs claim that “only approved ‘qualified entities' (i.e., representative bodies) [may] bring representative actions” and that “French law requires the qualified entity to seek out class members for whom they could seek redress.” Pl. Suppl. Br. at 1. Thus, individual consumers do not have standing. Id. Ledger claims that “not-for-profit consumer associations accredited by the government, as well as certain other associations whose purpose includes protecting privacy and personal data and trade unions, may bring actions in cases where a data breach affects individuals.” Def. Suppl. Br. at 2. Presently:
Associations must be representative at a national level, have at least one year of existence, show evidence of effective and public activity with a view to the protections of consumer interests, and have a threshold of individually paid-up members. To this date, 15 associations may start class actions proceedings. Lawyers are not entitled to start class actions from their own motion. However, in practice, representation by lawyer remains mandatory since class actions are necessarily filed in high courts of first instance (‘tribunal de grande instance').
High courts of first instance have exclusive jurisdiction over class action procedures. In accordance to French civil procedural rules, the competent court is the one where the defendant is established. However, the Paris High Court of First Instance (‘tribunal de grande instance de Paris') has exclusive jurisdiction when the defendant is located outside France.
Alexandre Biard, Class Action Developments in France, STANFORD LAW SCHOOL (Aug. 2016), https://globalclassactions.law.stanford.edu/wp-content/uploads/2020/10/FRANCE0.pdf. It is otherwise unclear what it means to be an approved or accredited association or if Plaintiffs can get their counsel approved or else how they would solicit an approved association to represent them in this matter.
Plaintiffs' support for this contention is a secondary source: Chris Warren-Smith, Paul Mesquitta, and Keir Baker, Class and Group Actions 2024, at 120, International Comparative Legal Guides, https://iclg.com/practice-areas/class-and-group-actions-laws-and-regulations/france.
Defendants' only support for this contention is a declaration by a French attorney. See Delabarre Decl.
In addition, law.com states that France's “regime for group actions is so complicated and limited that only a few dozen cases have been filed and only has resulted in a final judgment of liability against a defendant.” Rick Mitchell, Class-Action Reform in France Awaits Parliament's Pleasure-and Waits, and Waits..., LAW.COM INTERNATIONAL (Mar. 18, 2024 at 6:58p.m.), https://www.law.com/international-edition/2024/03/18/class-action-reform-in-france-awaits-parliaments-pleasure-and-waits-and-waits/. For now, French law “limits filings to low-value, opt-in consumer suits that can seek only material damages and that can only be filed by government-certified consumer associations and labor unions. Punitive damage awards and advertising to gather plaintiffs are prohibited.” Id. “[T]he existing regime has confused filers with complex, very long procedures that can differ depending on the complaint's economic sector. Filers' misunderstandings of procedural requirements have led to cases getting thrown out.” Id.
In addition, Plaintiffs claim that injunctive relief is not available to individual consumers, punitive damages and contingency attorney fee structures are banned, there is no discovery and no jury trials in civil cases, there's no opt-out mechanism, and the qualified entities who bring a class action must cover all costs of litigation, including attorneys' fees, so if the recovery for consumers is relatively small, it would not be economically feasible to bring a claim. See Pl. Suppl. Br. at 1-2 (citing Chris Warren-Smith, Paul Mesquitta, and Keir Baker, Class and Group Actions 2024, INTERNATIONAL COMPARATIVE LEGAL GUIDES, at 122, 124-25, 126, 128 https://iclg.com/practice-areas/class-and-group-actions-laws-and-regulations/france). Ledger states that injunctive relief is available, but it does not specify whether injunctive relief is available publicly or privately. Def. Suppl. Br. at 3 (citing Delabarre Decl. ¶ 4). In addition, Ledger states that consumers can get restitution and relief for mental and emotional distress, a judge can order a defendant to compensate plaintiffs for attorneys' fees, and the statute of limitations is longer in France (five years in France as opposed to one year for the UCL). Id.
On the record before the Court, Ledger has not carried its burden to demonstrate that the consumer class action format in France is a viable means to vindicate Plaintiffs' rights under the UCL. First, consumer class actions in France can only be brought by associations approved or accredited by the government. The parties did not brief what it means to be an approved association and what plaintiffs would have to do to either get their counsel approved or obtain representation by an approved association, but it seems that Plaintiffs would face significant barriers in obtaining representation in France. Second, there is no right to discovery, no right to a jury, and no opt-out policy. Third, Plaintiffs claim that there is no public injunctive relief available for consumer class actions in France; Ledger asserts that injunctive relief is available, but does not specify whether that is public or private injunctive relief. See Blair v. Rent-A-Center, Inc., 928 F.3d 819, 824 (9th Cir. 2019) (“waiver ‘of the right to seek public injunctive relief under these statutes [, including the UCL,] would seriously compromise the public purposes the statutes were intended to serve.' Therefore, such waivers are ‘invalid and unenforceable under California law.'”). Plaintiffs have provided evidence that their rights cannot be vindicated in France, and Ledger only provided the Court with a declaration from a French attorney which did not specify how Plaintiffs may fairly proceed with their UCL claim. See Wimsatt v. Beverly Hills Weight etc. Internal, Inc., 32 Cal.App. 4th 1511, 1514 (Ct. App. 1995) (“The burden is on the [defendants] to show that enforcement of [the] forum selection clause will not subvert substantive rights afforded California citizens”). Ledger has not provided convincing evidence to the contrary.
Thus, Plaintiffs' UCL claim is not subject to Ledger's forum selection clause and may proceed in this Court along with the CLRA claim.
2. Shopify
Shopify argues that this Court should dismiss Plaintiffs' claims against Shopify pursuant to the forum selection clause in Plaintiffs' contracts with Ledger. Shopify Mot. at 16. “The Court must first address whether the forum selection clause is mandatory or permissive and whether the action falls within the scope of the forum selection clause.” McNally v. Kingdom Trust Co., 2020 WL 7786539, at *1 (C.D. Cal. 2020). “In order to determine the scope of the forum selection clause, the Court must examine its construction.” Cedars-Sinai Medical Center v. Global Excel Management, Inc., 2010 WL 5572079, at *5 (C.D. Cal. 2010). Here, the Ninth Circuit already confirmed that Ledger's three agreements with its consumers “contain extremely broad forum selection clauses providing that covered disputes will be subject to the exclusive jurisdiction of the French courts” which covered the claims in this case with respect to Ledger. Baton, 2022 WL 17352192, at *2. In particular, the Ninth Circuit quoted Ledger's Live Terms of Use which covers “[a]ny dispute, controversy, difference or claim arising out of or relating to” the agreement. Id.
“Once venue is challenged by the defendant, the plaintiff bears the burden of establishing that venue is proper.” Bartholomew v. Virginia Chiropractors Ass'n, 612 F.2d 812, 816 (4th Cir. 1979).
While the scope of the clause is broad and substantively covers the instant dispute, the question is whether Shopify can benefit from the clause. The Ninth Circuit has stated that “[a] range of transaction participants, parties and non-parties, should benefit from and be subject to forum selection clauses.” Manetti-Farrow, Inc. v. Gucci America, Inc., 858 F.2d 509, n.5 (9th Cir. 1988) (quoting Clinton v. Janger, 583 F.Supp. 284, 290 (N.D. Ill. 1984)). A forum selection clause is enforceable against a non-party to the agreement “when the non-party is a third-party beneficiary of the contract and the non-party and the conduct at issue are ‘closely related' to the parties to the contract with the forum selection clause.” McNally, 2020 WL 7786539, at *2. A non-signatory may avail himself of a forum selection clause if he is “closely related” to the agreement such that “the non-signatory's enforcement of the forum selection clause is ‘foreseeable.'” Magi XXI, Inc. v. Stato della Citta del Vaticano, 714 F.3d 714, 722 (2d Cir. 2013). “The vast majority of cases that have found a non-signatory bound by a forum selection clause under the theory that they are ‘closely related' to the signatory or the dispute have done so where the non-signatory had an active role in the transaction between the signatories or where the non-signatory had an active role in the company that was the signatory.” Prospect Funding Holdings, LLC v. Vinson, 256 F.Supp.3d 318, 325 (S.D.N.Y. 2017). District courts have emphasized that the non-signatory's relationship is analyzed via “their relation to the contract, not by their relation to the party.” W. Boxed Meats Distributors, Inc. v. Parker, No. 17-CV-5156-BHS, 2017 WL 3034517, at *6 (W.D. Wash July 18, 2017); see also JH Portfolio Debt Equities, LLC v. Garnet Capital Advisors, LLC, 2018 WL 6112695, at *5 (C.D. Cal. 2018). It is often important that “the non-signatory played an active role in the transaction.” Bent v. Zounds Hearing Franchising, LLC, 2016 WL 153092, at *4 (S.D.N.Y. Jan. 12, 2016).
Whether the role of the non-party is closely related to the transaction which involves the forum selection clause has been addressed in various contexts. In Holland America Line Inc. v. Wartsila North America, Inc., 485 F.3d 450 (9th Cir. 2007), after Holland America and Bureau Veritas entered into a contract, and Holland America sought to enforce the contract's forum selection clause against non-signatory-party BVNA, the Ninth Circuit stated that “[t]he forum selection clauses appl[ied] equally to BVNA and BV Canada because any transactions between those entities and Holland America took place as part of the larger contractual relationship between Holland America and Bureau Veritas.” Id. at 456; see also Manetti-Farrow, Inc. v. Gucci America, Inc., 858 F.2d 509, 514 (9th Cir. 1988) (applying Gucci Parfums' forum selection clause to non-signatory-party Gucci America wherein Gucci Parfums and Gucci America were affiliated entities); TAAG Linhas Aereas de Angola v. Transamerica Airlines, Inc., 915 F.2d 1351 (9th Cir. 1990) (wherein an express third-party beneficiary of the contract was bound by the forum selection clause).
At least two district courts in this circuit have found that an “agent” of a signatory party was able to benefit from the signatory party's forum selection clause. Robeson v. Twin Rivers Unified Sch. Dist., 2014 WL 1392922 (E.D. Cal. 2014). In Robeson, plaintiff Siegrid Robeson was employed by Twin Rivers Unified School District (“Twin Rivers”), and their employer-employee contract had a forum selection clause. Id. at *3. The defendants consisted of “Twin Rivers' current and former employees, members of the governing board of the school district, lawyers retained by Twin Rivers, individuals who provided consulting services to Twin Rivers, the City of Sacramento, and several police officers employed by the City of Sacramento.” Id. “[P]laintiff explicitly allege[d] that defendants ‘conspired with each other' and with Twin Rivers to force her out of her position as deputy superintendent.” Id. She also “alleges that those defendants were agents or employees of Twin Rivers and that her termination resulted from acts taken within the scope of that employment or agency relationship.” Id. The court held that “all defendants are bound by [the forum selection clause] provision because their conduct is closely related to plaintiff's contractual relationship with Twin Rivers.” The court did not address whether the fact that the defendants conspired with each other was a significant element in its finding that the agents were subject to the forum selection clause.
Other district court cases discuss subsidiaries and third-party beneficiaries as being subject to a forum selection clause. See Morgan Tire of Sacramento, 60 F.Supp.3d at 1109 (a company's non-signatory subsidiary who was involved in the transaction was subject to the forum selection clause); McNally, 2020 WL 7786539, at *1 (plaintiff's investment adviser opened a trust account with the defendant signing a contract on plaintiff's behalf. Plaintiff was subject to the forum selection clause in the agreement as a third-party beneficiary to the contract.); Yacht LLC v. Certain Lloyds at Lloyd's London, 407 F.Supp.3d 931 (S.D. Cal. 2019) (the non-signatory defendant was named in the contract as the insurance broker and was thus subject to the forum selection clause).
In Pat Pellegrini Flooring Corp. v. ITEX Corp., ITEX is a company that provides its members with a forum for cashless business transactions. 2010 WL 1005318, at *1 (D. Or. 2010). Defendant NYTO Trade Incorporated holds itself out as an agent of ITEX. Id. Defendant John Castoro is the General Manager and a broker of NYTO, and was responsible for the training of defendant Izzy Garcia, who is the Trade Manager and a broker for NYTO. Id. Plaintiff Pat Pellegrini Flooring Corporation (“PPF”) signed an application for membership with ITEX. Id.
Here, PPF alleges that Castoro and Garcia are managers and brokers of NYTO and that NYTO holds itself out as an agent of ITEX. (Mot. to Am. Ex. A ¶¶ 4, 5.) In his declaration, Pellegrini represents that the NYTO Defendants were instrumental in PPF's decision to join ITEX, provided all of the ITEX membership documents for PPF, answered all of PPF's questions about ITEX, and brokered all of PPF's trades in the ITEX marketplace. (Pellegrini Decl. ¶¶ 3-6.) In other words, the NYTO Defendants were involved in every aspect of PPF's contractual relationship with ITEX. Based on these allegations, the court finds that the conduct of the NYTO Defendants was so closely related and so integral to PPF's relationship with ITEX that the NYTO Defendants should be bound by the forum selection clause contained in the 1993 Rules.
Id. at *10.
Here, between September 2019 and August 2020, Ledger employed Shopify to handle payments for Ledger wallets and allowed access to its customer data. SAC ¶ 8. Shopify provides e-commerce solutions for businesses and allows them to easily create digital storefronts, as it did for Ledger. Id. ¶¶ 116-17. As such, Shopify “powers Ledger's shopping website.” Id. ¶ 116. Thus, any transactions that Ledger's customers made on Ledger's website “took place as part of the larger contractual relationship between” Ledger and Shopify, Ledger's e-commerce vendor. See Holland America, 485 F.3d at 456. Plaintiffs in this case would have inputted their PII on Ledger's website - a website created and maintained by Shopify. Further, Shopify was entrusted with Plaintiffs' PII. Shopify essentially performed a function for Ledger that was part of Ledger's responsibility to the plaintiffs.
Whether Shopify breached any duty owed to Plaintiffs could well be informed by the terms of the Ledger agreement (and any expressed or implied promise of privacy and security) with the Plaintiffs. Parker, 2017 WL 3034517, at *6 (a non-signatory may be bound by a forum selection clause via “their relation to the contract, not by their relation to the party”). The duties that both Ledger and Shopify owed to Plaintiffs are intertwined. Plaintiffs' claims against Shopify arose out of their contract with Ledger and Plaintiffs would have had every reason to expect that the privacy rights ensured in their contract with Ledger would obtain to Ledger's subcontractors. Thus, Shopify's connection to the conduct at issue is “closely related” to the signatories of the contract with the forum selection clause, and to the contract's terms and enforcement. See McNally, 2020 WL 7786539, at *2.
Since Plaintiffs believed they were entrusting Ledger with their PII, and therefore any of Ledger's vendors who had access to their PII, it is “foreseeable” that said vendors would be able to enforce the forum selection clause in Plaintiffs' agreement with Ledger. See Magi XXI, 714 F.3d at 722. As in Robeson, 2014 WL 1392922, and Pat Pellegrini, 2010 WL 1005318, Shopify may avail itself of Ledger's forum selection clause as an agent or third-party vendor to the Ledger contract, which is closely related to the signatories and the contract at issue. Thus, Shopify is dismissed from this suit in favor of the forum in France, which presently does not include any California-specific consumer claims, such as the CLRA and UCL claims, which would be exempt from the forum selection clause.
E. Failure to State a Claim
Ledger, Shopify, and TaskUs contest the claims brought against them under Rule 12(b)(6). Each shall be addressed in turn, except those that are being transferred to France, i.e., all claims against Shopify.
Plaintiffs' SAC is subject to Rule 9(b)'s heightened pleading standard. Courts in this district have held that misrepresentation claims under the UCL and CLRA must be pled with particularity. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp.2d 942, 967 (S.D. Cal. 2012) (“Sony”). Rule 9(b) requires that: “[i]n all averments of fraud or mistake, the circumstances constituting fraud or mistake shall be stated with particularity.” Fed. R. Civ. Proc. 9(b). “The pleader must state the time, place, and specific content of the false misrepresentations as well as the identities of the parties to the misrepresentation.” Odom v. Microsoft Corp., 486 F.3d 541, 553 (9th Cir. 2007). In addition, the plaintiff must “set forth an explanation as to why the statement or omission complained of was false and misleading.” In re Glenfed, Inc. Sec. Litig., 42 F.3d 1541, 1548 (9th Cir. 1994) (en banc), superseded by statute on other grounds. Plaintiffs do not dispute that Rule 9(b) applies. Opp'n at 12, 15. Thus, Plaintiffs' claims must meet the Rule 9(b) threshold for particularity.
1. Ledger
The Plaintiffs charge Ledger with violations of the UCL and the CLRA. The UCL defines “unfair competition” to include “any unlawful, unfair or fraudulent business act or practice” and “unfair, deceptive, untrue or misleading advertising.” Cal. Bus. & Prof. Code § 17200. The law's scope is “broad.” Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co., 20 Cal.4th 163, 180-81 (1999). The UCL's prongs on “unlawful,” “unfair” or “fraudulent” practices give rise to separate and distinct theories of liability. See id. at 180. “Whether a practice is deceptive, fraudulent, or unfair is generally a question of fact which requires ‘consideration and weighing of evidence from both sides' and which usually cannot be made on demurrer.” Linear Tech. Corp. v. Applied Materials, Inc., 61 Cal.Rptr.3d 221, 236 (Cal.App. Ct. 2007) (quoting McKell v. Washington Mutual, Inc., 142 Cal.App.4th 1472, 1473 (Cal.App. Ct. 2006)).
“The ‘unfair' prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law.” Korea Supply Co. v. Lockheed Martin Corp., 29 Cal.4th 1134, 1143 (2003). Mr. Seirafi alleges that Ledger violated the unfair prong by marketing and advertising its faulty products and failing to implement and maintain reasonable security measures. SAC ¶¶ 269-72. Under the “unlawful” prong of the UCL, violations of state or federal law are “unlawful practices that the unfair competition law makes independently actionable.” Velazquez v. GMAC Mortg. Corp., 605 F.Supp.2d 1049, 1068 (C.D. Cal. 2008) (citations omitted). Under the “fraudulent” prong of the UCL, claims for misrepresentation may be “affirmative untrue statements[,]” “false” representations, and “a broader category of representations that have ‘a capacity, likelihood[,] or tendency to deceive or confuse the public.'” Rothman v. Equinox Holdings, Inc., 2021 WL 1627490, at *10 (C.D. Cal. Apr. 27, 2021) (quoting Colgan v. Leatherman Tool Grp., Inc., 135 Cal.App.4th 663, 683 (2003); Williams, 552 F.3d at 938).
Plaintiffs allege that Ledger's conduct violates the CLRA, the California Consumer Records Act, the Federal Trade Commission Act (FTCA), and California common law. SAC ¶ 280. Under the CLRA, “any consumer who suffers any damage as a result of the use or employment by any person of a method, act, or practice declared to be unlawful by Section 1770 may bring an action against that person.” Cal. Civ. Code § 1780. The SAC alleges that Ledger engaged in the following unlawful conduct: “representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities ... that [it] does not have,” SAC ¶ 291; § 1770(a)(5), and “representing that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another,” SAC ¶ 292; § 1770(a)(7).
a. Misrepresentations
Ledger argues that Mr. Seirafi's UCL and CLRA claims should be dismissed because Mr. Seirafi fails to specifically identify a representation that Ledger made that was likely to deceive the public. Ledger Mot. at 13. Ledger does not address the fact that Mr. Seirafi's UCL claim includes three prongs (fraudulent, unfair, and unlawful). Mr. Seirafi's CLRA claim and “fraudulent” UCL claim rely upon Ledger's various representations and omissions. SAC ¶¶ 281, 295-96. Mr. Seirafi's two other “unfair” and “unlawful” UCL claims rely on Ledger's misrepresentations and also allege that Ledger is liable for “fail[ing] to implement and maintain reasonable security measures,” which is not based on misrepresentation. Id. ¶¶ 270, 278. Thus, when Ledger argues that Mr. Seirafi's CLRA and UCL claims should be dismissed due to failure to identify a misrepresentation that would deceive the public, this argument encompasses Mr. Seirafi's CLRA claim, “fraudulent” UCL claim, and the portions of his “unfair” and “unlawful” UCL claims that rely on Ledger's misrepresentations. However, the portions of Mr. Seirafi's “unfair” and “unlawful” UCL claims that allege that Ledger failed to implement reasonable security measures are not addressed by Ledger's arguments about its alleged misrepresentations and are not subject to the pending motion to dismiss.
Ledger's arguments therefore address only the misrepresentation-related claims. “Misrepresentation claims brought pursuant to the UCL ... and CLRA are each judged against the same ‘reasonable consumer' test, which asks whether ‘members of the public are likely to be deceived' by the alleged misrepresentation.” Rothman v. Equinox Holdings, Inc., 2021 WL 1627490, at *9 (C.D. Cal. Apr. 27, 2021) (quoting Williams v. Gerber Prod. Co., 52 F.3d 934, 938 (9th Cir. 2008)). Claims for misrepresentation may be “affirmative untrue statements[,]” “false” representations, and “a broader category of representations that have ‘a capacity, likelihood[,] or tendency to deceive or confuse the public.'” Id. at *10 (quoting Colgan v. Leatherman Tool Grp., Inc., 135 Cal.App.4th 663, 683 (2003); Williams, 552 F.3d at 938). “Under ... the UCL or the CLRA, when a defendant truthfully and clearly discloses an alleged misrepresentation or omission, a plaintiff cannot plausibly state a claim for relief.” Hammerling v. Google, LLC, 615 F.Supp.3d 1069, 1082 (N.D. Cal. 2022) (citing Dinan v. Sandisk LLC, 2019 WL 2327923, at *2 (N.D. Cal. May 31, 2019)); see also Fabozzi v. StubHub, Inc., 2021 WL 506330, at *6 (N.D. Cal. Feb. 15, 2012) (Chen, J.) (a ticket reseller did not fraudulently omit that it sold its tickets at a “premium” compared to the ticket's face value because the ticket reseller disclosed on its website that its tickets “may be ... above face value.”).
First, Plaintiffs claim that Ledger made misrepresentations about its safety, which Ledger denies. Ledger Mot. at 13. Plaintiff quotes Ledger's advertisements in the SAC as indicative of Ledger's misrepresentations. For example, one advertisement stated, “Ledger hardware wallets are designed with the highest security standard to keep your crypto secure at all times.” SAC ¶ 6. However, Ledger's privacy policy states: “While we endeavor to provide best-in-class protection for your personal data when you use our Services, please keep in mind that the transmission of information on the Internet is not fully secure.” Id. This language suggests that Ledger was not misrepresenting that it had impenetrable security, especially for information transmitted on the Internet, such as Plaintiffs' PII. Similarly, in Sony, 903 F.Supp.2d at 967-68, plaintiffs alleged that Sony violated the UCL and CLRA by misrepresenting the quality of its security and the “reasonable measures” it would take to protect consumers' information. Id. at 967. However, before registering for the PlayStation Network (PSN), plaintiffs had to agree to Sony's privacy policy, which stated: “there is no such thing as perfect security ... we cannot ensure or warrant the security of any information transmitted to us through the PSN ...” Id. at 968. The court stated, “in the presence of clear admonitory language that Sony's security was not ‘perfect,' no reasonable consumer could have been deceived” and dismissed plaintiffs' UCL and CLRA claims with leave to amend. Id. Likewise, here, Ledger disclosed that any information inputted on the Internet is “not fully secure.” Thus, consumers could not have been misled into thinking that providing Ledger with their PII online would be fully secure.
Additionally, Ledger argues that the representations regarding the hardware wallets were not misleading because, as Ledger states, “Seirafi cannot rely on Ledger's representations about the security of the hardware wallets to support his claims, because the statements clearly describe the hardware wallets, not the e-commerce database that was hacked.” Ledger Mot. at 14. For example, the SAC cites Ledger's “tagline”: “If you don't want to get hacked, get a Ledger wallet.” SAC ¶ 6. It is true that Mr. Seirafi does not allege that his hardware wallet was hacked; he argues that the PII that he gave to Ledger when buying a Ledger hardware wallet was hacked. Thus, Ledger's representations regarding the security of its hardware wallets do not pertain to the security of Mr. Seirafi's PII, which was not on the hardware wallet at all.
Ledger also argues that these statements regarding Ledger's security do not rise above the level of “mere puffery.” For example, Ledger claims that it has the “highest security standards.”
Though some of Ledger's representations may be puffery, some of their statements are not. Ledger advertises that it “continuously look[s] for vulnerabilities on Ledger products as well as [its] providers' products in an effort to analyze and improve the security.” SAC ¶ 6. This statement is not “vague, generalized, and subjective”; it is a “factual representation” that is “specific” and “measurable,” and thus it is not puffery. Brown v. Madison Reed, Inc., 622 F.Supp.3d 786, 803 (N.D. Cal. 2022).
Finally, Ledger argues that its statements about the data breach cannot support Mr. Seirafi's claims because those statements were not false or misleading. Ledger Mot. at 15. In May 2020, rumors about the breach arose on social media. See SAC ¶ 127. For example, one article stated that a hacker is purportedly selling customer information on the dark web that stems from companies like Ledger. See Jamie Redman, Hacker Attempts to Sell Data Allegedly Tied to Ledger, Trezor, Bnktothefuture Customers, Bitcoin (May 24, 2020), https://news.bitcoin.com/hacker-attempts-to-sell-data-allegedly-tied-to-ledger-trezor-bnktothefuture-customers/ (last accessed Nov. 9, 2023). The article further stated that the hacker was offering email addresses, home addresses, and phone numbers from an alleged Shopify breach. See id. The SAC represents that on May 24, 2020, Ledger Tweeted: “Rumors pretend our Shopify database has been hacked through a Shopify exploit. Our e-commerce team is currently checking these allegations by analyzing the so-called hacked [database], and so far, it doesn't match our real [database]. We continue investigations and are taking the matter seriously.” SAC ¶ 129. On July 29, 2020, Ledger announced:
On the 14th of July 2020, a researcher participating in our bounty program made us aware of a potential data breach on the Ledger website. We immediately fixed this breach after receiving the researcher's report and underwent an internal investigation. A week after patching the breach, we discovered it had been further exploited on the 25th of June 2020, by an unauthorized third party who accessed our e-commerce and marketing database - used to send order confirmations and promotional emails - consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number. Your payment information and crypto funds are safe.
To be as transparent as possible, we want to explain what happened. An unauthorized third party had access to a portion of our ecommerce and marketing database through an API Key. The API key has been deactivated and is no longer accessible.
What personal information was involved?
Contact and order details were involved. This is mostly the email address of our customers, approximately 1M addresses. Further to investigating the situation we have also been able to establish that, for a subset of 9500 customers were also exposed, such as first and last name, postal address, phone number or ordered products. Due to the scope of this breach and our commitment to our customers, we have decided to inform all of our customers about this situation.
Those 9500 customers whose detailed personal information are exposed will receive a dedicated email today to share more details.
Regarding your ecommerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers' contact details.
This data breach has no link and no impact whatsoever with our hardware wallets nor Ledger Live security and your crypto assets, which are safe and have never been in peril. You are the only one in control and able to access this information.
SAC ¶ 132 (emphasis in original). Mr. Seirafi contends that Ledger's July 29 announcement “did not disclose that this breach had anything to do with the Shopify breaches.” SAC ¶ 135. However, the SAC alleges that Shopify announced the incident in September 2020, id. ¶ 123, and Shopify did not notify Ledger regarding the incident until December 2020, id. ¶ 126 n.32. The SAC cites a website URL to Ledger's Frequently Asked Questions (“FAQ”) page regarding the data breach. On the FAQ page, Ledger states: “on December 23rd, 2020, we were notified by Shopify ... regarding an incident involving merchant data.” E-commerce and Marketing data breach - FAQ, LEDGER, https://support.ledger.com/hc/en-us/articles/360015559320-E-commerce-and-Marketing-data-breach-FAQ (last accessed Nov. 9, 2023). Since Shopify did not announce this incident to Ledger until December, Ledger could not have notified its customers of Shopify's involvement in the incident in May and July.
Thus, Ledger's motion to dismiss is GRANTED with respect to the UCL “fraudulent” prong and the CLRA with leave to amend.
Ledger additionally argues that Mr. Seirafi failed to allege actual reliance sufficient to support his UCL and CLRA claims. Because the CLRA claim and the UCL claims (with respect to Ledger's misrepresentations) have been dismissed, the Court need not analyze actual reliance with respect to those claims. This is because Mr. Seirafi only needs to prove actual reliance for his allegations which are “grounded in misrepresentation or deception.” In re Actimmune Marketing Litig., No. 08-02376 MHP, 2010 WL 3463491, at *8 (N.D. Cal. Sept. 1, 2010). Mr. Seirafi does not need to allege actual reliance with respect to his allegation that Ledger failed to implement reasonable security measures under the “unlawful” and “unfair” prongs of the UCL.
b. UCL statutory standing
Ledger challenges whether Mr. Seirafi has statutory standing under the UCL, for all UCL claims alleged herein. Under the UCL, standing is limited to those who have “lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. Mr. Seirafi argues that benefit of the bargain damages is sufficient to allege lost money or property and thus standing under the UCL. See Opp'n at 19. Courts have so held. See Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (2011) (Plaintiffs established UCL standing by alleging they paid more than they actually valued the product); In re Adobe, 66 F.Supp.3d at 1224 (plaintiffs who alleged “they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing” had standing to bring a UCL claim). Thus, Mr. Seirafi has UCL statutory standing.
Ledger also argues that Mr. Seirafi lacks statutory standing because he does not allege that he lost money or his cryptocurrency assets as a result of the security incidents. Ledger Mot. at 18. Additionally, Ledger argues that Mr. Seirafi cannot predicate his UCL claims on the money he paid to purchase his Ledger Nano X. Id. at 19. As discussed, Mr. Seirafi has standing under a benefit-of-the-bargain theory, so Ledger's further contentions need not be addressed.
c. Adequate remedy at law
Ledger argues that because the UCL claim exclusively provides equitable relief, it must be dismissed because Mr. Seirafi cannot establish that he lacks an adequate remedy at law, pursuant to Sonner v. Premier Nutrition Corp., 971 F.3d 834, 841 (9th Cir. 2020). See Ledger Mot. at 19.
In Sonner, the plaintiff sought injunctive relief and restitution under the UCL and CLRA and damages under the CLRA. Id. at 838. Plaintiff sought leave to file an amended complaint to dismiss the CLRA damages claim. Id. Plaintiff did this in order “to request that the district court judge award the class $32,000,000 as restitution, rather than having to persuade a jury to award this amount as damages.” Id. The district court granted leave to amend, and the defendant brought a motion to dismiss, which the district court granted, holding that the class “could not proceed on [its] equitable claims for restitution in lieu of a claim for damages” wherein the class “failed to establish that [it] lacked an adequate legal remedy for the same past harm for which [it] sought equitable restitution” pursuant to the “inadequate-remedy-at-law doctrine.” Id. The Ninth Circuit affirmed the district court, “hold[ing] that a federal court must apply traditional equitable principles before awarding restitution under the UCL and CLRA. It has been a fundamental principle for well over a century that state law cannot expand or limit a federal court's equitable authority.” Id. at 841 (citing Payne v. Hook, 74 U.S. (7 Wall.) 425, 430 (1868)). This outcome also “implicates the well-established federal policy of safeguarding the constitutional right to a trial by jury in federal court.” Id. at 842 (citing Byrd v. Blue Ridge Rural Elec. Coop., Inc., 356 U.S. 525, 537-39 (1958)).
The Ninth Circuit noted that, in this case, “[i]njunctive relief [wa]s not an issue.” Sonner, 971 F.3d at 838.
The Ninth Circuit revisited its Sonner holding in Guzman v. Polaris Industries Inc., 49 F.4th 1308 (9th Cir. 2022). There, a consumer alleged violations of the CLRA, UCL, and the California False Advertising Law (“FAL”). Id. at 1310. The district court dismissed the consumer's CLRA and FAL claims as time-barred. Id. at 1311. The Ninth Circuit held that the consumer “could not bring his equitable UCL claim in federal court because he had an adequate legal remedy in his time-barred CLRA claim.” Id. “Sonner's holding applies to equitable UCL claims when there is a viable CLRA damages claim” pursuant to the “generally applicable rule that equitable relief is not available in federal court in a diversity action unless ‘a plain, adequate and complete remedy at law [is] wanting.'” Id. at 1313 (quoting Guaranty Trust Co. of New York v. York, 326 U.S. 99, 105 (1945)).
This Court discussed this issue pre-Guzman in Warren v. Whole Foods Market California, Inc., 2022 WL 2644103 (N.D. Cal. 2022) and in Nacarino v. Chobani, LLC, 668 F.Supp.3d 881 (N.D. Cal. 2022). In both cases, the Court “decline[d] to trim out Plaintiff's equitable restitution claim at [the motion to dismiss] stage” but stated that “Plaintiff's entitlement to seek the equitable remedy of restitution may be revisited at a later stage.” Nacarino, 668 F.Supp.3d at 897. The Court's reasoning is consistent with what other courts in this district have held post-Guzman. See In re Natera Prenatal Testing Litig., 664 F.Supp.3d 995, 1012-13 (N.D. Cal. 2023).
Here, Ledger argues that Mr. Seirafi has an adequate remedy at law because he seeks damages for his CLRA claim. See Ledger Mot. at 20. However, the Court has dismissed Mr. Seirafi's CLRA claim with leave to amend. Even if Mr. Seirafi's CLRA claim was dismissed with prejudice, there would be a question of whether the CLRA claim can be deemed an “adequate” remedy at law. This instance may be contrasted with Guzman wherein the plaintiff had a viable CLRA claim except that it was time-barred. See Guzman, 49 F.4th at 1311. At this stage of the proceedings, the Court will reserve judgment on whether Mr. Seirafi's CLRA claim is an adequate remedy until the pleadings are settled.
Therefore, Ledger's motion to dismiss with respect to Plaintiffs' “unfair” and “unlawful” UCL claims is DENIED, and Ledger's motion with respect to Plaintiff's CLRA and “fraudulent” UCL claim is GRANTED with leave to amend.
2. TaskUs
Plaintiffs' remaining claims are lodged against TaskUs under theories of negligence, negligence per se, declaratory relief, and violations of the New York Deceptive Trade Practices Act.
a. Negligence
Plaintiffs claim that TaskUs breached its duty of care and therefore was negligent by failing to:
(a) [E]xercise reasonable care and implement adequate security systems, protocols, and practices sufficient to protect the personal information of the Class members; (b) detect the breaches while they were ongoing; (c) maintain security systems consistent with industry standards; and (d) disclose that the Class members' personal information in Ledger's and/or Shopify's possession had been or was reasonably believed to have been stolen or compromised.
SAC ¶ 238. In addition, Plaintiffs contend that “TaskUs was responsible for the negligent hiring and oversight of the agents who abused their access to merchant and customer data of Shopify's customers, including Ledger.” SAC ¶ 36.
“To state a cause of action for negligence, a plaintiff must allege (1) the defendant owed the plaintiff a duty of care, (2) the defendant breached that duty, and (3) the breach proximately caused the plaintiff's damages or injuries. Whether a duty of care exists is a question of law to be determined on a case-by-case basis.” Alvarez v. BAC Home Loans Servicing, L.P., 228 Cal.App.4th 941, 944, 176 Cal.Rptr.3d 304, 306 (Ct. App. 2014), disapproved of on other grounds by Sheen v. Wells Fargo Bank, N.A., 12 Cal. 5th 905, 505 P.3d 625 (Ct. App. 2022).
i. “Special relationship”
TaskUs argues that it did not owe a duty to Plaintiffs to exercise reasonable care in protecting Plaintiffs' PII, detecting the existence of a breach, overseeing its employees, and timely notifying Plaintiffs of the breach, because Plaintiffs failed to allege a “special relationship” with TaskUs which would establish a duty of care. In general, “‘Everyone is responsible for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person.' Civil Code section 1714. This statute establishes the default rule that each person has a duty ‘to exercise, in his or her activities, reasonable care for the safety of others.'” Brown v. USA Taekwondo, 11 Cal. 5th 204, 213 (2021).
In a case involving harm caused by a third party, the “special relationship” test applies to determine whether a duty to protect the plaintiff against the third party obtains. Id. at 215. A special relationship may obtain when “‘one party relies to some degree on the other for protection,' one party has ‘superior control over the means of protection,' the relationship has ‘defined boundaries,' that create ‘a duty of care owed to a limited community, not the public at large,' and the relationship ‘especially benefit[s] the party charged with a duty of care.'” Matyas, 2023 WL 7108818, at *5 (quoting Regents, 4 Cal. 5th at 620-21). “It typically applies only where it is the defendant who created the risk of harm to the plaintiffs; ‘[t]he law does not impose the same duty on a defendant who did not contribute to the risk that the plaintiff would suffer the harm alleged.'” Hassaine v. Club Demonstration Services, Inc., 77 Cal.App. 5th 843, 851 (Ct. App. 2022) (quoting Brown, 11 Cal. 5th at 276).
TaskUs argues that Plaintiffs fail to establish a special relationship given that TaskUs is a sub-sub-contractor of Ledger, the company with whom Plaintiffs had a direct relationship. TaskUs Mot. 13-14. In the SAC, Plaintiffs allege that Shopify employed TaskUs to provide “customer support and data security consulting services for Ledger's sales website and the Ledger Live services, in which Ledger customers could obtain live support for their investments and effectuate transfers of their assets on Ledger's website.” Id. ¶ 8. As alleged, TaskUs was involved in “data security consulting services for Ledger.” Id. As noted above, a special relationship exists when “‘one party relies to some degree on the other for protection,' one party has ‘superior control over the means of protection,' the relationship has ‘defined boundaries,' that create ‘a duty of care owed to a limited community, not the public at large,' and the relationship ‘especially benefit[s] the party charged with a duty of care.'” Matyas, 2023 WL 7108818, at *5 (quoting Regents, 4 Cal. 5th at 620-21). Here, Plaintiffs “relie[d]” on Ledger and its subcontractors to safeguard their PII. TaskUs had “superior control over the means of protect[ing]” Plaintiffs' PII, because TaskUs was in control of Plaintiffs' PII and was therefore responsible for implementing security measures. The “duty of care [was] owed to a limited community,” Ledger customers, and “not the public at large.” And, finally, the relationship benefited TaskUs, “the party charged with a duty of care,” because TaskUs profited from its contractual relationship with Shopify. Thus, TaskUs had a “special relationship” with Plaintiffs sufficient to establish a duty of care, especially in view of the sensitive nature of the information at issue. See In re Marriott International Inc. Customer Data Security Breach Litig., 2020 WL 6290670, at *7 (D. Md. Oct. 27, 2020) (a third-party service provider owed a duty to plaintiffs when “as alleged, [the third-party service provider] specifically contracted with [the signatory party] to protect the personal information of this class of potential claimants-[the signatory party's] customers-who entered their information on [the signatory party's] on-line reservation system.”); see also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F.Supp.2d at 966 (a vendor has a “duty to safeguard a customers' confidential information”).
Where there is a special relationship, courts evaluate whether the policy considerations articulated in Rowland v. Christian, 69 Cal.2d 108 (1968) mandate that the court create an exception to the “affirmative dut[y] to protect or warn.” See Brown, 11 Cal. 5th at 218.
The Rowland factors fall into two categories. “Three factors - foreseeability, certainty, and the connection between the plaintiff and the defendant - address the foreseeability of the relevant injury, while the other four - moral blame, preventing future harm, burden [to the defendant], and availability of insurance - take into account public policy concerns that might support excluding certain kinds of plaintiffs or injuries from relief.” Kesner v. Superior Court (2016) 1 Cal.5th 1132, 1145, 210 Cal.Rptr.3d 283, 384 P.3d 283. Hassaine, 77 Cal.App.5th at 857. The most important factor is whether the duty to exercise ordinary care was foreseeable. Id. The “task is not to decide whether a particular injury was reasonably foreseeable but rather whether the category of negligent conduct at issue is sufficiently likely to result in the kind of harm the plaintiff experienced to warrant imposing liability.” Id.
Here, Plaintiffs have alleged that companies dealing with PII are on notice that “hackers routinely attempt to steal such information and use it for nefarious purposes.” SAC ¶ 234. As such, it is foreseeable that companies dealing with PII must implement adequate security practices and must exercise reasonable care in ascertaining which subcontractors/vendors and employees they choose to work with, especially when sharing customers' PII with said vendors. Id. Thus, the foreseeability of harm supports the Court's conclusion that TaskUs and Shopify had a special relationship with the Plaintiffs. In addition, none of the other policy factors offer a reason to refrain from placing a duty of care on third-party vendors operating on behalf of Ledger. See Hassaine, 77 Cal.App. 5th at 857-58.
ii. Breach
When alleging breach, “plaintiffs must be clear on the relevant standard of care applicable here, the source of that standard, and what factual allegations show that the duty was breached.” Jasso v. Citizens Telecommunications Co. of CA, Inc., 2007 WL 97036, at *5 (E.D. Cal. 2007). TaskUs argues that “Plaintiffs' vague allegations cannot satisfy the pleading standard for breach because they fail to identify facts demonstrating unreasonable conduct by TaskUs.” TaskUs Mot. at 14. In response, Plaintiffs argue that TaskUs breached its duty to safeguard Plaintiffs' PII which was in their possession by failing to exercise reasonable care in implementing adequate security systems, detect ongoing breaches, oversee the agents who abused their access to customer data, and disclose the existence of a breach to Plaintiffs. Opp'n re TaskUs at 16; see also SAC ¶¶ 36, 238. In Flores-Mendez v. Zoosk, Inc., 2021 WL 308543 (N.D. Cal. 2021), a data breach case, the district court found that plaintiffs sufficiently alleged that the defendants breached the standard of care owed to plaintiffs:
The consuming public has come to believe that the internet companies, which take in their private information, have taken adequate security steps to protect the security of that information from any and all hackers or interventions. The ordinary consumer, however, has no clue what internet companies' security steps are.
There would be no way for users to know what security steps were actually in place. Therefore, when a breach occurs, the thing speaks for itself. The breach would not have occurred but for inadequate security measures, or so it can be reasonably inferred at the pleadings stage.
Id. at *4; see also Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F.Supp.3d 1183, 1222 (S.D. Fla. 2022) (“Federal courts in Florida have well established that entities which collect sensitive, private data from consumers and store such data on their networks have a duty to protect the information.”). Here, Plaintiffs have alleged that “TaskUs was responsible for the negligent hiring and oversight of the agents who abused their access to merchant and customer data of Shopify's customers, including Ledger.” SAC ¶ 36. In addition, TaskUs breached its duty to “exercise reasonable care and implement adequate security systems, protocols, and practices sufficient to protect the personal information of the Class members,” “detect the breaches while they were ongoing,” “maintain security systems consistent with industry standards,” and “disclose that the Class members' personal information in Ledger's and/or Shopify's possession had been or was reasonably believed to have been stolen or compromised.” SAC ¶ 238. Plaintiffs have adequately alleged that TaskUs breached the standard of care owed to Plaintiffs. TaskUs also argues that it was not TaskUs's responsibility to disclose to class members that their PII had been or was reasonably believed to have been stolen or compromised, because Ledger was the only entity who had such a duty. TaskUs Mot. at 14. TaskUs cites to several state statutes which state:
A person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Cal. Civ. Code § 1798.82(b); GA Code § 10-1-912(b) (same); N.Y. Gen. Bus. Law § 899-aa(3) (same). Neither party cites, and the Court's research did not reveal, any authority suggesting that this statute would not apply to a business's subcontractor who is a “business that maintains computerized data that includes personal information that the [] business does not own.” Id. Even though TaskUs is Ledger's subcontractor and never had a direct relationship with Plaintiffs, there is no evidence to suggest that TaskUs would not be obligated to ensure that Plaintiffs were notified of the breach that occurred at TaskUs (perhaps through TaskUs's notification to Shopify and Ledger) pursuant to section 1798.82(b). The Plaintiffs have plausibly alleged that TaskUs had a duty to notify Plaintiffs of the breach.
iii. Proximate causation
TaskUs argues that Plaintiffs fail to allege proximate causation because the hackers, third-party criminals, were a superseding cause to TaskUs's liability. Plaintiffs argue in response that there was proximate causation because it was foreseeable that hackers could infiltrate a vulnerable security system. For proximate causation, there must be a causal or logical relationship between events; a purely temporal connection will not suffice. See Stollenwerk v. Tri-W. Health Care All., 254 Fed.Appx. 664, 668 (9th Cir. 2007). “Ordinarily, proximate cause is a question of fact which cannot be decided as a matter of law from the allegations of a complaint.... Nevertheless, where the facts are such that the only reasonable conclusion is an absence of causation, the question is one of law, not of fact.” State Dep't of State Hosps. v. Superior Ct., 61 Cal.4th 339, 353, 349 P.3d 1013, 1022 (2015) (citations omitted).
“An actor may be liable if the actor's negligence is a substantial factor in causing an injury, and the actor is not relieved of liability because of the intervening act of a third person if [the] act was reasonably foreseeable at the time of the original negligent conduct. ‘The foreseeability required is of the risk of harm, not of the particular intervening act.'” Rosencrans v. Dover Images, Ltd., 192 Cal.App.4th 1072, 1087 (Ct. App. 2011) (citations omitted). However, an actor may not be liable for a third party's actions if the actor “lack[s] the legal or practical ability to control such criminal actions of third parties.” Martinez v. Pacific Bell, 225 Cal.App.3d 1557, 1569 (1990).
In data breach cases, where users' data was stolen by hackers, courts often find that causation exists where protections are inadequate. In In re Ambry Genetics Data Breach Litig., after hackers accessed customer information, the district court held that plaintiffs had demonstrated causation because the defendants failed to take steps to prevent the data breach which caused plaintiffs' injuries. 567 F.Supp.3d 1130, 1141 (C.D. Cal. 2021); In re Yahoo! Inc. Customer Data Security Breach Litig., 313 F.Supp.3d 1113, 1133 (N.D. Cal. 2018) (“it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII”); Huynh v. Quora, Inc., 508 F.Supp.3d 633, 657 (N.D. Cal. 2020) (“[i]t was foreseeable that Plaintiff would incur time and money working to secure that information when Defendant did not adequately protect it”); but see Citizens Bank of PA v. Reimbursement Technologies, Inc., 2014 WL 2738220, at *5 (E.D. Pa. June 17, 2014) (plaintiffs' injuries were too attenuated when plaintiffs' data was sold to a third party “fraud ring”).
Here, Plaintiffs have alleged that the market for PII has grown substantially and that there is therefore a risk of data breaches, especially for bitcoin and crypto-asset companies. See SAC ¶¶ 56-94, 236. Many regulatory and federal agencies warned of increasing threats. See id. ¶¶ 184-93. Plaintiffs allege that TaskUs did not heed these warnings and negligently hired employees who conspired with the California man to enact this data breach. SAC ¶¶ 36, 238. Plaintiffs allege that TaskUs “knew that their failure to protect Class members' personal information would likely harm Class members because they knew that hackers routinely attempt to steal such information and use it for nefarious purposes,” id. ¶ 234, TaskUs “had duties to safeguard the personal information of the Class members,” id. ¶ 237, TaskUs breached its duties by failing to “exercise reasonable care and implement adequate security systems, protocols, and practices sufficient to protect the personal information of the Class members,” id. ¶ 238, and that “TaskUs's negligence was, at least, a substantial factor in causing the Class members' personal information to be improperly accessed, disclosed, and otherwise compromised,” id. ¶ 239. In addition, Plaintiffs allege “TaskUs negligently hired their agents and failed to oversee them, resulting in this security breach.” SAC ¶ 13. Defendants' argument that the third-party criminal superseded causation is unavailing. At this stage in the litigation, Plaintiffs have plausibly alleged that Shopify and TaskUs's failure to implement stronger security measures and to monitor their employees proximately caused the data breach that occurred.
TaskUs cites two cases which discuss respondeat superior: Castro v. JPMorgan Chase Bank, N.A., 2021 WL 3468108 (C.D. Cal. 2021); Ins. Co. of N. Am. v. Federal Express Corp., 189 F.3d 914, 922 (9th Cir. 1999). However, respondeat superior applies to intentional torts, not negligence.
iv. Economic loss doctrine
Under the “economic loss doctrine” “purely economic losses are not recoverable in tort.” NuCal Foods, Inc. v. Quality Egg LLC, 918 F.Supp.2d 1023, 1028 (E.D. Cal. 2013) (quoting S.M. Wilson Co. v. Smith Int'l, Inc., 587 F.2d 1363, 1376 (9th Cir. 1978)). A “purely economic loss” is shorthand for “pecuniary or commercial loss that does not arise from actionable physical, emotional or reputational injury to persons or physical injury to property.” So. Cal. Gas Leak Cases, 7 Cal. 5th 391, 398 (2019) (citation omitted).
Put simply, “the economic loss rule ‘prevent[s] the law of contract and the law of tort from dissolving one into the other.'” However, a plaintiff can recover in tort after a contract breach in three situations. First, when a “product defect causes damage to ‘other property,' that is, property other than the product itself.” Second, when a defendant breaches a legal duty independent of the contract, irrespective of whether damages are economic. Third, if a “special relationship” existed between the parties, a party can still recover when the economic loss rule would otherwise apply. Id. (citations omitted).
District courts have found that in data breach cases the economic loss rule does not apply where “[p]laintiffs allege[d] their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms.” Flores-Mendez v. Zoosk, Inc., 2021 WL 308543, at *4 (N.D. Cal. Jan. 30, 2021); see also Stasi v. Inmediata Health Grp. Corp., No. 19-CV-2353 JM (LL), 2020 WL 6799437, at *7 (S.D. Cal. Nov. 19, 2020) (plaintiffs “allege they noticed an increase in spam/phishing e-mails and/or calls, which is harm that is also not necessarily ‘economic' in nature”); Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1039 (N.D. Cal. 2019) (the economic loss rule did not apply because “loss of time” was alleged as a harm); but see Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-CV-00014-GPC-BLM, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016) (the economic loss rule barred plaintiffs' claims where plaintiffs alleged “theft of their credit card information, costs associated with prevention of identity theft, and costs associated with time spent and loss of productivity, among other injuries”). Here, Plaintiffs have alleged:
[S]evere emotional distress following threats and physical home disturbance, loss of time spent on credit monitoring, reviewing credit reports and fraud reports, implementing, and removing credit freezes, and contacting third parties to determine whether or not they had suffered fraud. SAC ¶¶ 163-171, 194-195. Opp'n re TaskUs at 19.
Accordingly, the economic loss doctrine does not bar Plaintiffs' negligence claim.
b. Negligence per se
Plaintiffs allege that TaskUs is liable under a negligence per se theory pursuant to Section 5 of the Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45, which prohibits “unfair practices in or affecting commerce,” including the failure to use reasonable means to protect customer PII. SAC ¶¶ 242-44. In addition, Plaintiffs allege that TaskUs violated “similar state statutes” to the FTCA. Id. ¶ 243.
TaskUs argues that “Plaintiffs' negligence [per se] claim must be dismissed because the only identified source of a duty is the FTCA which does not provide for a private right of action and an alleged violation of that statute cannot serve as the predicate duty of care.” TaskUs Mot. at 18. California courts routinely dismiss claims brought pursuant to a statute that does not confer a private right of action where the sole enforcement mechanism is through a government agency. TaskUs Mot. at 18. To properly allege a negligence per se claim, “Plaintiffs must demonstrate that the statute allegedly violated allows for a private cause of action.” J.R. v. Walgreens Boots Alliance, Inc., 2021 WL 4859603, at *7 (4th Cir. Oct. 19, 2021) (citing Doe v. Marion, 645 S.E.2d 245, 248 (S.C. 2007)).
The FTCA does not permit a private cause of action, and district courts do not permit negligence per se claims to hinge on the FTCA. In Pica v. Delta Air Lines, Inc., the court stated: “Plaintiffs' negligence per se claim is barred because the FTC Act creates no private right of action.” 2018 WL 5861362, at *9 (C.D. Cal. Sept. 18, 2018); see also Walgreens Boots Alliance, 2021 WL 4859603, at *8 (“Plaintiffs' FTCA-based negligence per se claim fares no better ... the FTCA does not explicitly provide for a private right of action.”); Johnson v. Bank of Am., N.A., 2015 U.S. Dist. LEXIS 161800, at *9-10 (C.D. Cal. Nov. 30, 2015) (“the FTC Act does not recognize a private right of action”) (collecting cases). Thus, the negligence per se claim must be dismissed because the FTC Act does not provide for a private right of action. To the extent Plaintiffs seek to rest their negligence per se claim on unspecified “similar state statutes,” this is insufficient to state a claim.
The FTCA only permits a cause of action “[w]henever the Commission shall have reason to believe that any such person ... has been or is using any unfair method of competition ... it shall issue and serve upon such person ... a complaint ....” 15 U.S.C. § 45.
Thus, TaskUs's motion to dismiss Plaintiffs' negligence per se claim is GRANTED.
c. Declaratory Judgment and Injunctive Relief
Plaintiffs' third cause of action is for declaratory judgment and injunctive relief. SAC ¶¶ 247-55. In particular, Plaintiffs allege that TaskUs's data-security measures remain inadequate and Plaintiffs continue to “remain at imminent risk that further compromises of their personal information will occur in the future.” Id. ¶ 250. Plaintiffs ask the Court, pursuant to its authority under the Declaratory Judgment Act (“DJA”) to enter a judgment declaring:
• TaskUs owes a duty to secure consumers' personal information and to timely notify consumers of a data breach under the common law, Section 5 of the FTC Act, and various state statutes; and
• TaskUs is in breach of these legal duties by failing to employ reasonable measures to secure consumers' personal information. SAC ¶ 251.
TaskUs argues that declaratory and injunctive relief are both remedies, not independent causes of action, so they should be dismissed. TaskUs Mot. at 19. Pursuant to the DJA, “[i]n a case of actual controversy within its jurisdiction ... any court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). Declaratory relief is a remedy, not an independent cause of action. See Wishnev v. Nw. Mut. Life Ins. Co., 162 F.Supp.3d 930, 952-53 (N.D. Cal. 2016) (J. Chen), vacated and remanded on other grounds, 786 Fed.Appx. 691 (9th Cir. 2019). Declaratory relief must be predicated upon an “actual controversy,” which is “definite and concrete ... real and substantial.” Id. (quoting Aetna Life Ins. Co. of Hartford, Conn. v. Haworth, 300 U.S. 227, 240-41, 57 S.Ct. 461, 81 L.Ed. 617 (1937)); cf. Owen v. Wells Fargo Bank, N.A., 2009 U.S. Dist. LEXIS 96533, at *12-14 (plaintiff's claim for declaratory relief failed because its other claims failed). Because Plaintiffs may proceed on their negligence claim, and their claims for declaratory judgment and injunctive relief are predicated on that negligence claim, there is a real controversy and these claims will not be dismissed.
TaskUs also argues that Plaintiffs cannot predicate their claim for declaratory judgment on the FTCA. See TaskUs Mot. at 19. However, Plaintiffs may predicate their declaratory judgment claim on their negligence claim, as discussed.
Further, TaskUs argues that “Plaintiffs' request for injunctive relief is improper because monetary damages can address Plaintiffs' alleged harms.” TaskUs Mot. at 19. “[A] monetary injury-even if severe-is an insufficient ground for injunctive relief. That is because monetary loss may be compensated and is a reparable harm.” Caetano v. Kings County Sheriff, 2022 WL 1138075, at *1 (E.D. Cal. Apr. 18, 2022). TaskUs also argues that the “rogue” employees who stole Plaintiffs' data have been fired, so injunctive relief cannot redress Plaintiffs' harm.
However, Plaintiffs' request is not simply to redress the injury due to the “rogue” employees' actions. “Plaintiffs allege that Shopify's and TaskUs's data-security measures remain inadequate.” SAC ¶ 250. Additionally, Plaintiffs “remain at imminent risk that further compromises of their personal information will occur in the future.” Id. In In re Yahoo! Inc. Customer Data Security Breach Litig., 313 F.Supp.3d 1113, 1139 (N.D. Cal. 2018), the district court found that the plaintiffs' contract and declaratory relief claims could both proceed because the contract claim sought past damages for the defendant's conduct whereas the declaratory relief claim sought a forward-looking declaration that certain provisions of the defendants' terms of service were unconscionable, so the declaratory relief claim was not duplicative of the contract claim. See also In re Adobe Sys. Privacy Litig., 66 F.Supp.3d 1197, 1222 (N.D. Cal. Sept. 4, 2014) (finding that plaintiffs had plausibly alleged the requirements for obtaining declaratory relief when they alleged in their complaint that “Plaintiffs ... seek a declaration [] that Adobe's existing security measures do not comply with its contractual obligations ...”); cf. In re Zappos.com, Inc., CV-00325-RCJ, 2013 WL 4830497, at *5 (D. Nev. Sept. 9, 2013) (plaintiffs asked the court to declare that the defendant had violated the same state and federal laws already pled in the complaint, which was “on its face duplicative” and was disallowed). Here, Plaintiffs' allegations of continuing inadequate security measures are sufficient to maintain their claim for declaratory relief.
d. New York Deceptive Trade Practices Act, Gen. Bus. Law § 349 (“NYGBL § 349”)
The New York Deceptive Trade Practices Act regulates:
Deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful. Gen. Bus. Law § 349. The New York subclass and New York phishing subclass argue that TaskUs violated this provision by “failing to implement and maintain reasonable security and privacy measures”, “failing to identify foreseeable security and privacy risks, remediate identified security and privacy risks, and adequately improve security and privacy measures following previous cybersecurity incidents”, and “omitting, suppressing, and concealing the material fact that it did not reasonably or adequately secure the New York Subclass members' PII”, through which it failed to comply with “common law and statutory duties pertaining to the security and privacy of the New York Subclass members' PII, including duties imposed by the FTCA.” SAC ¶¶ 304-06.
“To state a claim under Section 349, a plaintiff, who transacted in New York, ‘must allege that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice.'” Wright v. Publishers Clearing House, Inc., 439 F.Supp.3d 102 (E.D.N.Y. 2020) (quoting Koch v. Acker, Merrall & Condit Co., 18 N.Y.3d 940, 941, 944 N.Y.S.2d 452, 967 N.E.2d 675 (2012)). “Whether a representation or an omission, the deceptive practice must be ‘likely to mislead a reasonable consumer acting reasonably under the circumstances.'” Dixon v. Ford Motor Co., No. 14-CV-6135 JMA ARL, 2015 WL 6437612, at *7 (E.D.N.Y. Sept. 30, 2015) (citing Stutman v. Chem. Bank, 95 N.Y.2d 24, 29 (2000)).
i. Consumer-oriented conduct
To state a section 349 claim, a plaintiff must allege that the defendants engaged in consumer-oriented conduct.
This requirement, however, has been construed liberally. A defendant engages in “consumer-oriented” activity if his actions cause any “consumer injury or harm to the public interest.” Securitron Magnalock Corp. v. Schnabolk, 65 F.3d 256, 264 (2d Cir. 1995). The “critical question”, then, “is whether the matter affects the public interest in New York, not whether the suit is brought by a consumer....” Id. New York v. Feldman, 210 F.Supp.2d 294, 301 (S.D.N.Y. 2002).
Courts have interpreted “consumer-oriented activity” as that which “affects the public interest in New York.” Securitron Magnalock Corp. v. Schnabolk, 65 F.3d 256 (2d Cir. 1995), cert. denied, 116 S.Ct. 916 (1996). Securitron is a manufacturer of electromagnetic locks, called Magnalock, which is mostly sold to security equipment wholesalers who in turn sell Magnalock to installing companies. Id. The New York City Bureau of Standards and Appeals had jurisdiction to approve materials, including electromagnetic locks, for use in city construction projects. Id. This bureau approved the Magnalock's use. Charles Schnabolk, the owner and President of a different security equipment company, wrote to the bureau and made false representations about the Magnalock, inducing the bureau to use a different security system. Id. This conduct was actionable under NYGBL section 349 because the matter “affect[ed] the public interest in New York.” Id. at 264. Though this was a private commercial dispute, harm to the public was manifest because the regulatory agency in question deals with matters of public safety and was forced to undertake unnecessary investigations, interfering with its decision-making processes and diverting its attention from its normal activities. Id. Courts have also applied section 349 to third-party vendors and subcontractors, holding that even where a vendor only contributes or supplies an aspect of a consumer-facing company's product, the vendor's activity is still “consumer-oriented” activity under section 349. See Woodard v. Labrada, No. CV1600189JGBSPX, 2017 WL 3309765, at *1 (C.D. Cal. July 31, 2017) (two suppliers who sold active ingredients contained in a bodybuilding nutrition product had sufficiently engaged in consumer-oriented conduct “even if [their] involvement went no further than providing ingredients to [the company who sold the bodybuilding nutrition product]”). There, it was “plausible to infer” that the suppliers sold the bodybuilding nutrition company their ingredients “so these products could ultimately be sold to consumers.” Id. at *15.
TaskUs argues that it “did not have a consumer-facing relationship with the New York Plaintiffs” because, as Plaintiffs state, TaskUs “is a third-party company that provided customer support services to Shopify.” Id. ¶ 120. However, Plaintiffs have adequately alleged that TaskUs engaged in consumer-oriented conduct: Ledger employed Shopify as a vendor to manage Ledger's website, and Shopify, in turn, “hired TaskUs to provide customer support and data security consulting services for Ledger's sales website and the Ledger Live services, in which Ledger customers could obtain live support for their investments and effectuate transfers of their assets on Ledger's website.” SAC ¶ 8. As in Securitron, TaskUs's work as a third-party company, providing customer support and data security consulting services, affected Ledger customers, i.e., members of the public. Securitron, 65 F.3d at 264. TaskUs engaged in consumer-oriented conduct when it supplied a necessary component of Ledger's overall product. See Woodard, 2017 WL 3309765, at *15. Moreover, the breach alleged here concerned a matter of public importance touching on the privacy and safety of a large number of consumers. Thus, Plaintiffs have alleged that TaskUs engaged in consumer-oriented conduct given that its subcontractor relationship with Ledger affects the public interest.
ii. Materially misleading representation or omission
With respect to the second prong, whether the conduct at issue was “materially misleading,” “[b]oth affirmative representations and omissions may qualify as deceptive or misleading acts or practices.” In re Sling Media Slingbox Advert. Litig., 202 F.Supp.3d 352, 359 (S.D.N.Y. 2016). Plaintiffs' claim is with respect to omissions, not representations. Opp'n re Shopify at 25.
“[W]here a defendant fails to supply a consumer information that it alone possesses, and where that information would be material or important to a reasonable consumer and where the consumer could not have reasonably obtained the information other than through the defendant, [Section 349] provide[s] a basis for relief.” Fishon v. Peloton Interactive, Inc., 620 F.Supp.3d 80, 104 (S.D.N.Y. 2022) (while customers were making subscription payments, Peloton failed to disclose that half of its library was being removed because of Peloton's knowing violation of copyright laws). “[P]laintiffs pursuing an omission-based claim must ‘plausibly allege[] that the . . . [d]efendants had knowledge of the [material information] and failed to disclose or actively concealed such information . . .' In other words, a defendant's failure to reveal facts about which even it was unaware at the time will not lead to liability under § 349.” In re Sling Media Slingbox Advert. Litig., 202 F.Supp.3d at 359 (citation omitted) (emphasis in original). “A ‘material' claim is one that involves information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding, a product.” Id. at 360 (quoting Bildstein v. MasterCard Int'l Inc., 329 F.Supp.2d 410, 414 (S.D.N.Y. 2004)).
“Whether a representation or omission is a ‘deceptive act or practice' depends on the likelihood that it will ‘mislead a reasonable consumer acting reasonably under the circumstances.'” Gomez-Jimenez v. New York Law School, 103 A.D.3d 13, 16, 956 N.Y.S.2d 54, 58 (2012) (citation omitted).
In data breach cases, plaintiffs must allege that the defendant's security procedures were inadequate to deal with security threats and that the defendant knew that its security procedures were inadequate. See Yuille v. Uphold HQ Inc., 686 F.Supp.3d 323, 348 (S.D.N.Y. 2023) (plaintiff's omission-based section 349 claim failed where plaintiff failed to “allege that [d]efendant's security procedures were inadequate to deal with common threats or that Defendant knew there would be”). For example, in Fero v. Excellus Health Plan, Inc., plaintiffs sufficiently alleged that the defendant had reason to know that its data security was inadequate before the data breach. 236 F.Supp.3d 735, 776 (W.D.N.Y. 2017). Plaintiffs alleged that a company had audited the defendants to review their compliance with the privacy, security, and breach rules in the healthcare context and revealed that the defendants' policies and procedures failed to identify the risks and vulnerabilities of their customers' PII. Id. at 744. In addition, plaintiffs alleged that government agencies had released information about how the health care industry is not resilient to cyber intrusions, making increased cyber intrusions likely, and that other data breaches in the health care industry put the defendants on notice that healthcare companies were a target of cyberattack and that these companies had an obligation to implement reasonable safeguards. Id. The court found that the defendants' omissions were actionable under section 349, stating “it is also at least plausible that the Excellus Defendants' failure to disclose the purportedly inadequate data security measures would mislead a reasonable consumer.” Id. at 776.
Here, Plaintiffs state that “TaskUs knew of the poor security measures and insufficient employee oversight that led to the breach and yet actively withheld this information from consumers who were subjecting their confidential data to TaskUs services.” Opp'n re TaskUs at 25. In particular, TaskUs “omit[ed], suppress[ed], and conceal[ed] the material fact that it did not reasonably or adequately secure the New York Subclass members' PII” and “the material fact that it did not comply with common law and statutory duties pertaining to the security and privacy of the New York Subclass members' PII.” SAC ¶¶ 304-05. Plaintiffs allege that TaskUs knew or should have known that “the PII of individuals is highly valuable to criminals,” Id. ¶ 189, and that:
The FBI, FTC, GAO, U.S. Secret Service, United States Cybersecurity and Infrastructure Security Agency, State Attorney General Offices and many other government and law enforcement agencies, and hundreds of private cybersecurity and threat intelligence firms, have issued warnings that put Defendants on notice, long before the Data Breach, that (1) cybercriminals were targeting large, public companies such as Defendants Ledger and Shopify; (2) cybercriminals were ferociously aggressive in their pursuit of large collections of PII like that in possession of Defendants; (3) cybercriminals were selling large volumes of PII and corporate information on Dark Web portals; and (4) the threats were increasing. Id. ¶ 187. In particular, Plaintiffs allege that the FTC guidelines recommend that businesses should protect customer information by “encrypt[ing] information stored on computer networks,” id. ¶ 69, and that TaskUs “knew or should have known that it should encrypt the sensitive data elements within the PII it collected so that it would be protected against publication and misuse in the event of a data breach,” id. ¶ 192.
Plaintiffs have therefore plausibly alleged that TaskUs knew or should have known that its data security practices were inadequate and that its “failure to disclose the purportedly inadequate data security measures would mislead a reasonable consumer.” Fero, 236 F.Supp.3d at 776.
iii. Plaintiff suffered injury as a result of the allegedly deceptive act or practice
The third element for a claim under section 349 is that the “plaintiff suffered injury as a result of the allegedly deceptive act or practice.” Wright, 439 F.Supp.3d at 102. TaskUs argues that the SAC fails to allege an injury caused by TaskUs's purportedly deceptive misstatements. See TaskUs Mot. at 21. Here, Plaintiffs have alleged that TaskUs knew or had reason to know that its security practices were deficient and failed to inform Plaintiffs. As a result, Plaintiffs' PII was hacked. The New York Plaintiff, Comilla, “lost all his crypto assets due to a successful phishing attack, 2.6 bitcoin and 8 ether, worth about $115,000 at today's market prices.” SAC ¶ 173. Thus, TaskUs's materially deceptive omission “cause[d] actual ... harm” to Mr. Comilla. Oswego, 85 N.Y.2d at 26.
TaskUs argues that a NYGBL § 349 claim cannot be predicated upon violations of the FTC Act because that statute does not provide for a private right of action. TaskUs Mot. at 22; SAC ¶ 305. Indeed, without an allegation of deception, an act that violates “another statute which does not allow for private enforcement” is insufficient to state a claim under section 349. Nick's Garage, Inc. v. Progressive Cas. Ins. Co., 875 F.3d 107, 127 (2d Cir. 2017). Here, the SAC does not improperly rely on the FTC Act, as it separately alleges deception under section 349.
V. CONCLUSION
In sum, Ledger, Shopify, and TaskUs's Motions to Dismiss are GRANTED in part and DENIED in part:
• Mr. Seirafi has established Article III standing in his claim against Ledger except with respect to his claim for injunctive relief
• The TaskUs Plaintiffs have established Article III standing in their claims against TaskUs
• The California Consumer Subclass is stricken with leave to amend
• The Court has personal jurisdiction over Shopify and TaskUs
• Ledger's forum selection clause does not apply to Plaintiffs' UCL claim against Ledger
• Shopify may avail itself of Ledger's forum selection clause
• Mr. Seirafi has plausibly pled a UCL claim under the “unfair” and “unlawful” prongs against Ledger
• Mr. Seirafi's CLRA and “fraudulent” UCL claims are dismissed against Ledger
• Plaintiffs have plausibly pled a negligence claim and a New York Deceptive Trade Practices Act claim against TaskUs
• Plaintiffs' negligence per se claim against TaskUs is dismissed
Plaintiffs shall have 30 days from the date of this Order to file an amended complaint.
IT IS SO ORDERED.