Opinion
No. C16-1006RSL
01-17-2017
MARK HOFFMAN, individually and on behalf of other similarly situated persons, Plaintiff, v. ONE TECHNOLOGIES, LLC, Defendant.
ORDER DENYING DEFENDANT'S PARTIAL MOTION TO DISMISS
This matter comes before the Court on "Defendant's Partial Motion to Dismiss." Dkt. # 13. Plaintiff Mark Hoffman sued defendant One Technologies, LLC for violations of Washington's Commercial Electronic Mail Act, RCW 19.190.010 et seq. ("CEMA"), and Consumer Protection Act, RCW 19.86.010 et seq. ("CPA"). Dkt. # 1-3. Defendant moves to dismiss or stay plaintiff's claims. Dkt. # 13. Having reviewed the parties' briefing and the remainder of the record, the Court finds as follows.
BACKGROUND
Plaintiff claims that defendant violated CEMA and the CPA by sending him emails that deceptively solicited him to provide personally identifying information. Specifically, plaintiff alleges that these emails suggested that the sender was affiliated with the credit bureaus Equifax, Experian, and TransUnion, and urged plaintiff to follow web links in order to check his credit score. The linked web sites, which belonged to defendant, asked plaintiff to input personally identifying information. Plaintiff received multiple such emails between 2012 and 2016. Dkt. # 1-3, ¶¶ 9-20. He brings his CEMA and CPA claims individually and on behalf of other persons who received similar emails from defendant.
For example, the emails contained subject lines such as "Data Breach: Check Your Equifax Score for Errors, Free*Today" and "Your Monthly Notification Experian Score is Now Viewable"; identified their sender by addresses such as "TransUnion DataLeak Warning <TransUnion-DataLeak-Warning@value10.cozyrecordscore.us>" and "Equifax Cyber Warning <equifax.cyber.warning @blw222.interiorscore.ninja>"; and contained text such as "Experian CyberCrime Warning - Complimentary Score Check ends 04.23.15 Go Here to View Your Score," with an embedded hyperlink leading to a website run by defendant. Dkt. # 1-3, ¶¶ 11-14.
DISCUSSION
A. Pleading Standard
Federal pleading rules require a complaint to include "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). This requirement serves to "give the defendant fair notice of what the claim is and the grounds upon which it rests." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007) (internal marks and citation omitted). Although the complaint's factual allegations need not be detailed, they must sufficiently state a "plausible" ground for relief. Id. at 544. "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). The plausibility standard is met when a complaint alleges "more than a sheer possibility that a defendant has acted unlawfully." Id. "Dismissal is proper only where there is no cognizable legal theory or an absence of sufficient facts alleged to support a cognizable legal theory." Taylor v. Yee, 780 F.3d 928, 935 (9th Cir. 2015). Dismissal without leave to amend is proper "only if it is absolutely clear that the deficiencies of the complaint could not be cured by amendment." Grogan v. Health Officer of Cty. of Riverside, 221 F.3d 1348 (9th Cir. 2000) (quotation marks and citation omitted). All well-pleaded allegations of material fact are accepted as true and are construed in the light most favorable to the non-moving party. Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).
B. Washington Commercial Electronic Mail Act
Under CEMA, it is illegal to "solicit, request, or take any action to induce a person to provide personally identifying information by means of a web page, electronic mail message, or otherwise using the internet by representing oneself, either directly or by implication, to be another person, without the authority or approval of such other person." RCW 19.190.080. "Personally identifying information" is defined as an individual's social security number, driver's license number, bank account number, credit or debit card number, personal identification number, automated or electronic signature, unique biometric data, account passwords, or "any other piece of information that can be used to access an individual's financial accounts or to obtain goods or services." RCW 19.190.010(12). Electronic solicitation of personally identifying information by deceptive means is informally known as "phishing." Gragg v. Orange Cab Co., Inc., 145 F. Supp. 3d 1046, 1051 n.2 (W.D. Wash. 2015).
Defendant moves to dismiss plaintiff's phishing claim on the grounds that plaintiff has neither alleged with specificity what personally identifying information defendant's emails sought, nor alleged that he actually provided any information in response to the offending emails. It is true that the complaint alleges only the solicitation of "personally identifying information," rather than specific categories of information. But read together with the other factual allegations in the complaint, including the allegation that the emails urged plaintiff to check his credit score and suggested an affiliation with the three credit bureaus, the allegation rises above "a formulaic recitation of the elements of a cause of action." See Twombly, 550 U.S. at 555. Plaintiff has alleged the specific actions that defendant took to induce him to provide certain information, and has alleged facts from which the Court can draw a plausible inference that the information sought falls under CEMA's definition of "personally identifying information."
Moreover, defendant appears to concede that its "flagship website," www.freescore360.com, solicits "personally identifying information," though defendant argues that it does so only after the viewer provides his name, email address, and zip code. Dkt. # 13 at 5. Defendant claims that it has attached a print-out of this website as an exhibit to its motion to dismiss, Dkt. # 13-1, but because plaintiff contests the exhibit's authenticity, the Court does not rely on it in ruling on this motion. See Knieval v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005).
The Court also rejects defendant's argument that plaintiff must allege that he actually provided his personal information in order to plead a cognizable injury giving rise to a CEMA claim. As previously noted, see Dkt. # 23 at 2, plaintiff's allegations of personal harm - including, inter alia, usurpation of his electronic storage space and invasions of his privacy, Dkt. # 1-3, ¶ 23 - are sufficiently concrete and particularized to establish Article III standing. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549-50 (2016). And plaintiff need only allege that he received emails violating CEMA to state a claim under that statute. In amending CEMA to add the phishing provision, the Washington legislature empowered individual email recipients to enforce the law; it did not limit the private right of action to individuals whose information had been divulged and misappropriated. See RCW 19.190.090(1); Wash. H.R. B. Rep., 2005 Reg. Sess. H.B. 1888 ("A recipient . . . may bring a civil action against a sender who violates the laws relating to commercial electronic mail messages."). Plaintiff correctly distinguishes this requirement under CEMA from the injury to "business or property" that is required to state a claim under the CPA, see RCW 19.86.090. By alleging that he received emails that deceptively solicited him to provide personally identifying information, plaintiff has pled facts sufficient to state a CEMA claim.
Defendant's motion to dismiss plaintiff's CEMA claim is denied.
Defendant separately moves to dismiss certain of plaintiff's allegations because they fail to state a claim under CEMA. Dkt. # 13 at 13-15. A party may not move to "dismiss" factual allegations merely because they do not support a viable claim for relief.
C. Washington Consumer Protection Act
The CPA forbids "unfair or deceptive acts or practices in the conduct of any trade or commerce." RCW 19.86.020. Generally, a plaintiff may prevail in a private CPA action if he shows: (1) an unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) an impact on the public interest; (4) an injury to the plaintiff in his business or property; and (5) causation. Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn.2d 778, 780 (1986).
Plaintiff's successful phishing claim, described above, gets him partway there. A CPA claim can be predicated upon a per se violation of another statute. Klem v. Wash. Mut. Bank, 176 Wn.2d 771, 787 (2013). CEMA specifically provides that "practices covered by [CEMA] are matters vitally affecting the public interest for the purpose of applying the [CPA]," and that a violation of CEMA "is an unfair or deceptive act in trade or commerce . . . for the purpose of applying the [CPA]." RCW 19.190.030(3); -.100. Accordingly, by successfully stating a phishing claim under CEMA, plaintiff also successfully states the first three elements of a CPA claim. Cf. Gragg v. Orange Cab Co., Inc., No. C12-576RSL, 2013 WL 195466, at *5 (W.D. Wash. Jan 17, 2013).
To satisfy the fourth and fifth elements of his CPA claim, plaintiff alleges that defendant's emails injured plaintiff "in [his] trade and property." Unlike plaintiff's allegation that defendant solicited his personally identifying information, this allegation is almost entirely unsupported by any other factual allegations that save it from being a legal conclusion cast in the form of a factual allegation, which cannot alone defeat a motion to dismiss. See W. Min. Council v. Watt, 643 F.2d 618, 624 (9th Cir. 1981). At most, plaintiff alleges that the emails "usurped some of the limited storage space on the computer he uses for trade" and "caused him to lose time from his trade and compensable work," Dkt. # 1-3, ¶¶ 23.e-j - injuries which suffice for standing, see Spokeo, 136 S. Ct. at 1549-50, but which may not suffice to state the "injury to business or property" required for a claim under the CPA. See Hangman Ridge, 105 Wn.2d at 780.
Defendant notes that this Court recently certified to the Washington Supreme Court the question whether CEMA's liquidated damages provision, RCW 19.190.040(1), establishes the causation and/or injury elements of a CPA claim as a matter of law. Dkt. # 13 at 15-16; Gragg v. Orange Cab Co., Inc., No. C12-576RSL, ECF No. 186 (W.D. Wash. April 22, 2016). Defendant asks the Court to stay resolution of this matter until the state supreme court answers that question. As the Court finds that plaintiff has successfully stated a CPA claim on other grounds, see infra, the certified question is not dispositive and a stay would not advance judicial economy. See Colorado River Water Conservation Dist. v. United States, 424 U.S. 800, 817 (1976).
The Court need not decide whether these allegations of injury suffice, however, because plaintiff manages to state a CPA claim via a different provision of CEMA. RCW 19.190.030 provides that "[i]t is a violation of the [CPA] . . . to initiate the transmission of a commercial electronic mail message that . . . misrepresents or obscures any information in identifying the point of origin or the transmission path of a commercial electronic mail message; or . . . [c]ontains false or misleading information in the subject line." RCW 19.190.030(1)(a), (b). Plaintiff alleges that defendant initiated the transmission of commercial electronic mail messages that contained false or misleading information in the subject line - specifically, subject lines suggesting that the sender was affiliated with the three credit bureaus. Dkt. # 1-3, ¶¶ 11, 19-20. Plaintiff also alleges that defendant deliberately obscured the point of origin of its emails by keeping the linked websites active for "only a brief period after transmitting the email." Dkt. # 1-3, ¶ 17. Defendant argues that its website is not actually false or misleading, but fails to address plaintiff's allegations that defendant's emails were misleading and had obscured points of origin. Dkt. # 13 at 9-10. Accordingly, plaintiff's allegations state a CPA claim under RCW 19.190.030(1).
Defendant's motion to dismiss plaintiff's CPA claim is denied.
CONCLUSION
For all of the foregoing reasons, defendant's partial motion to dismiss (Dkt. # 13) is DENIED.
DATED this 17th day of January, 2017.
/s/_________
Robert S. Lasnik
United States District Judge