Summary
finding fourth factor satisfied by allegations injury stemmed from the defendant's failure to protect personal information
Summary of this case from In re Am. Cal. Unemployment Benefits Litig.
Opinion
Case No. 5:18-cv-07597-BLF
12-21-2020
Franklin David Azar, Pro Hac Vice, Paul R. Wood, Margeaux Rachelle Azar, Pro Hac Vice, Franklin D. Azar & Associates, P.C., Aurora, CO, Blair E. Reed, Brittany Skye Scott, L. Timothy Fisher, Bursor and Fisher, P.A., Walnut Creek, CA, Cody Robert Padgett, Trisha Kathleen Monesi, Steven R. Weinmann, Tarek H. Zohdy, Capstone Law, APC Capstone Law, APC, Los Angeles, CA, Ivy T. Ngo, Roche Cyrulnik Freedman LLP, Miami, FL, Joshua Moyer, Shamis & Gentile, P.A., San Diego, CA, for Plaintiffs. Ian Ballon, Greenberg Traurig LLP, East Palo Alto, CA, Rebekah Susanne Strawn Guyon, Greenberg Traurig LLP, Los Angeles, CA, Vishesh Narayen, Pro Hac Vice, Greenberg Traurig, Tampa, FL, for Defendant.
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION FOR SUMMARY JUDGMENT
[Re: ECF 140]
BETH LABSON FREEMAN, United States District Judge
In this putative class action, Plaintiff Jeri Connor ("Plaintiff") alleges that Defendant Quora, Inc. ("Defendant") failed to safeguard its users’ personal identifying information ("PII") from a data breach of their platform. Before the Court is Defendant's Motion for Summary Judgment on the remaining claims for (1) negligence and (2) California's Unfair Competition Law (the "UCL"). Mot. for Summary J. ("Mot."), ECF 140. Having considered the parties’ briefing, oral arguments on October 29, 2020, and the applicable law, the Court GRANTS IN PART and DENIES IN PART Defendant's Motion.
I. BACKGROUND
A. The Undisputed Facts of the Data Breach
The facts set forth in this section are undisputed unless otherwise noted. For the purposes of this Motion only, Defendant concedes that all the data Plaintiff claims was stolen was, in fact, stolen.
Defendant Quora is a question-and-answer social media platform. Decl. of Paula Griffin ("Griffin Decl.") ¶ 3, ECF 140-1; Decl. of Zhe Fu ("Fu Decl.") ¶ 3, ECF 140-2. To become one of its users, a person must create an account and provide Defendant certain PII, which the company collects and maintains under its Privacy Policy. See Griffin Decl. ¶ 4; Decl. of Steven R. Weinmann ("Weinmann Decl.") Ex. C ("Terms of Service"), ECF 151-1, and Ex. F ("Privacy Policy"), ECF 151-4. Defendant also provides users the ability to link their accounts with other social media accounts such as Facebook and LinkedIn. See Weinmann Decl. Ex. B, at 20:6-9, ECF 152-1, and Decl. of Rebekah S. Guyon ("Guyon Decl.") Ex. 13, ECF 140-4 (collectively "Connor Tr."); see also Guyon Decl. Ex. 11 ("Disclosure Email"), ECF 140-4.
On November 30, 2018, Defendant learned that a third-party had breached its platform approximately six months earlier (the "Data Breach"). Fu Decl. ¶ 4; Weinmann Decl. Ex. D ("Griffin Tr."), at 41:13-19, ECF 151-2; Decl. of Paul R. Wood ("Wood Decl.") Ex. 2 ("Quora Blog Post"), ECF 150-4. Days later on December 3, 2018, Defendant disclosed the Data Breach via email to its affected users, including Plaintiff Jeri Connor. See Disclosure Email. One month later in January 2019, Plaintiff purchased premium credit monitoring from ClickFreeScore for five months, costing $39.90 per month. See Guyon Decl. Ex. 12 ("Purchase Receipt") and Ex. 17 ("Cancellation Receipt"), ECF 140-4; Connor Tr. 197:1-198:11. Since she received notice of the Data Breach, Plaintiff says she has spent approximately one hour per day monitoring her accounts. Connor Tr. 242:16-24. While Plaintiff has been the victim of numerous other data breaches and feels she has been put at risk for identity theft, she does not allege that she has yet suffered actual identity theft or fraud since the Data Breach. Connor Tr. 10:5-11:13, 16:18-23, 17:5-15, 39:6-10, 44:4-9.
Plaintiff states that she spent $39.95 per month on ClickFreeScore while Defendant states that she spent $19.95 per month. Opp'n 6; Mot. 7. The transcript evidence cited by either party does not provide a sum certain amount. See Connor Tr. 33, 197-198. It appears, based on the submitted receipt reflecting the purchase, that Plaintiff was to be charged $39.90 per month after being charged a $1 refundable processing fee to create her account. See Purchase Receipt.
B. Procedural History
Plaintiff Alexander Huynh commenced this action on December 18, 2018. Compl., ECF 1. After several other cases were consolidated into this one, Plaintiffs filed the Second Amended Complaint on April 25, 2019. See Order, ECF 17; Order, ECF 19; Order, ECF 45; Second Am. Compl. ("SAC"), ECF 55. On December 19, 2019, the Court granted in part and denied in part Defendant's motion to dismiss the Second Amended Complaint. Order ("Prior Order I"), ECF 72.
On February 25, 2020, Plaintiffs filed the Third Amended Complaint, alleging four causes of action: (1) violation of California's Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code § 17200 et seq.; (2) negligence; (3) breach of confidence; and (4) breach of contract. See Consol. Third Am. Class Action Compl. ("TAC") ¶¶ 68-115, ECF 85. On February 28, 2020, Defendant moved to dismiss the Third Amended Complaint. Mot., ECF 88. On June 1, 2020, the Court granted in part and denied in part Defendant's motion to dismiss, allowing Plaintiffs’ negligence and UCL claims to proceed. Order ("Prior Order II"), ECF 116.
After the filing of the Third Amended Complaint, this Court granted the voluntary dismissal of Plaintiffs Alexander Huynh, Rick Musgrave, and Erica Cooper. See Order, ECF 96; Order, ECF 138; Order, ECF 139.
Defendant filed this Motion for Summary Judgment on September 4, 2020. See generally Mot. Plaintiff timely filed the Opposition on October 5, 2020. See generally Opp'n, ECF 154. Defendant filed the Reply on October 15, 2020. See generally Reply, ECF 161.
II. RULE 56 SUMMARY JUDGMENT LEGAL STANDARD
"A party is entitled to summary judgment if the ‘movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.’ " City of Pomona v. SQM N. Am. Corp. , 750 F.3d 1036, 1049 (9th Cir. 2014) (quoting Fed. R. Civ. P. 56(a) ). A fact is "material" if it "might affect the outcome of the suit under the governing law." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A dispute as to a material fact is "genuine" if there is sufficient evidence for a reasonable trier of fact to decide in favor of the nonmoving party. Id.
The party moving for summary judgment bears the initial burden of informing the Court of the basis for the motion and identifying portions of the pleadings, depositions, answers to interrogatories, admissions, or affidavits that demonstrate the absence of a triable issue of material fact. Celotex Corp. v. Catrett , 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). To meet its burden, "the moving party must either produce evidence negating an essential element of the nonmoving party's claim or defense or show that the nonmoving party does not have enough evidence of an essential element to carry its ultimate burden of persuasion at trial." Nissan Fire & Marine Ins. Co. v. Fritz Cos., Inc. , 210 F.3d 1099, 1102 (9th Cir. 2000). In judging evidence at the summary judgment stage, the Court "does not assess credibility or weigh the evidence, but simply determines whether there is a genuine factual issue for trial." House v. Bell, 547 U.S. 518, 559-60, 126 S.Ct. 2064, 165 L.Ed.2d 1 (2006). Where the moving party will have the burden of proof on an issue at trial, it must affirmatively demonstrate that no reasonable trier of fact could find other than for the moving party. Celotex , 477 U.S. at 325, 106 S.Ct. 2548 ; Soremekun v. Thrifty Payless, Inc., 509 F.3d 978, 984 (9th Cir. 2007).
If the moving party meets its initial burden, the burden shifts to the nonmoving party to produce evidence supporting its claims or defenses. Nissan Fire , 210 F.3d at 1103. If the nonmoving party does not produce evidence to show a genuine issue of material fact, the moving party is entitled to summary judgment. Celotex , 477 U.S. at 323, 106 S.Ct. 2548. "The court must view the evidence in the light most favorable to the nonmovant and draw all reasonable inferences in the nonmovant's favor." City of Pomona , 750 F.3d at 1049. "[T]he ‘mere existence of a scintilla of evidence in support of the [nonmovant's] position’ " is insufficient to defeat a motion for summary judgment. First Pac. Networks, Inc. v. Atl. Mut. Ins. Co. , 891 F. Supp. 510, 513-14 (N.D. Cal. 1995) (quoting Anderson , 477 U.S. at 252, 106 S.Ct. 2505 ). " ‘Where the record taken as a whole could not lead a rational trier of fact to find for the nonmoving party, there is no genuine issue for trial.’ " First Pac. Networks , 891 F. Supp. at 514 (quoting Matsushita Elec. Indus. Co. v. Zenith Radio Corp. , 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986) ).
III. RULE 56(D) MOTION TO DELAY OR DENY SUMMARY JUDGMENT
Plaintiff alleges that Defendant has obfuscated the nature and details of the Data Breach, undermining her ability to determine whether any compromised information can be used to perpetrate fraud or identity theft. Opp'n 4. Plaintiff therefore moves to delay or deny Defendant's Motion for Summary Judgment pursuant to Rule 56(d) so that she can develop facts regarding the scope of the Data Breach. Opp'n 4, 6-7. Plaintiff's request is DENIED.
Federal Rule of Civil Procedure 56(d) is "a device for litigants to avoid summary judgment when they have not had sufficient time to develop affirmative evidence." U.S. v. Kitsap Physicians Serv. , 314 F.3d 995, 1000 (9th Cir. 2002). Rule 56(d) states:
If a nonmovant shows by affidavit or declaration that, for specified reasons, it cannot present facts essential to justify its opposition, the court may:
(1) defer considering the motion or deny it;
(2) allow time to obtain affidavits or declarations or to take discovery; or
(3) issue any other appropriate order.
To prevail on a Rule 56(d) request, the party seeking relief must show that "(1) it has set forth in affidavit form the specific facts it hopes to elicit from further discovery; (2) the facts sought exist; and (3) the sought-after facts are essential to oppose summary judgment." Family Home & Fin. Ctr., Inc. v. Fed. Home Loan Mortg. Corp. , 525 F.3d 822, 827 (9th Cir. 2008). The party must also show that he or she has pursued discovery diligently in the past and that additional discovery would prevent summary judgment. Iglesia Ni Cristo v. Cayabyab , Case No. 18-cv-00561-BLF, 2020 WL 1531349, at *6 (N.D. Cal. Mar. 31, 2020) (citing Chance v. Pac-Tel Teletrac Inc. , 242 F.3d 1151, 1161 n.6 (9th Cir. 2001) ).
Here, Plaintiff sets forth the discovery sought in the Declaration of Paul R. Wood and in the Opposition. Plaintiff seeks further discovery to determine "whether Quora's conclusory ‘facts’ regarding the breach and the extent of the data compromised are supported or accurate." Opp'n 7; see also Wood Decl. ¶¶ 3-8. With the discovery of these facts, she aims to rebut the facts in Defendant's declarations "regarding (1) when the breach occurred; (2) the Quora databases that were compromised; (3) the storage and characteristics of the Quora access tokens; and (4) whether the searches run by Griffin in the backup data base captured all data related to Plaintiff." Opp'n 7. Plaintiff also requests more time to depose Defendant's witnesses. Opp'n 7; Wood Decl. ¶¶ 5-7. In response, Defendant argues that "(1) the discovery [Plaintiff] seeks ... is not essential; (2) she has identified no facts that actually exist that would refute summary judgment (which is premised on her own lack of causation or harm); and (3) she delayed discovery without excuse." Reply 3.
This Court agrees that Plaintiff does not explain how the information that she seeks to discover is "essential" to justifying her Opposition. See Fed. R. Civ. P. 56(d). Neither the Opposition nor the Declaration of Paul R. Wood explains how a continuance or denial would allow Plaintiff to develop the factual issues surrounding actionable causation or damages, the bases for Defendant's Motion as to Plaintiff's negligence claim. See Mot. 9-20; see also Tatum v. City & Cnty. of San Francisco , 441 F.3d 1090, 1100-01 (9th Cir. 2006) (finding no abuse of discretion in denying a continuance where the plaintiff's declaration did not explain how a continuance would allow the plaintiff to produce evidence creating a factual issue regarding probable cause); Amgen Inc. v. Sandoz Inc. , 295 F. Supp. 3d 1062, 1071 (N.D.Cal. 2017) (denying a continuance where factual issues sought to be developed were not material to the finding of noninfringement). Developing facts as to the nature and scope of the Data Breach will not answer whether the nature of the alleged harm—that Plaintiff spent time and money dealing with the Data Breach—is actionable. See Connor Tr. 10:5-13, 242:15-18; Sun Decl. ¶ 18(e). And learning more about the scope of the Data Breach does not resolve whether Plaintiff's purchased credit monitoring service was the "same" as the other free credit monitoring services available to her at the time. Mot. 4, 11-12; see also Connor Tr. 34:9-23. Finally, as to the UCL claim, the scope of the Data Breach is irrelevant to the issue of whether injunctive relief is available where there is an adequate remedy at law. See Mot. 23-25; Opp'n 25; Reply 15.
In sum, there "is a proper ground for denying discovery and proceeding to summary judgment." Brae Transp., Inc. v. Coopers & Lybrand , 790 F.2d 1439, 1443 (9th Cir. 1986). Thus, Plaintiff's request for a continuance or denial pursuant to Rule 56(d) is DENIED.
IV. RULE 56(C) EVIDENTIARY OBJECTIONS
Under Federal Rule of Civil Procedure 56(c)(2), a party can object to an opposing party's declarations and evidentiary material if it "cannot be presented in a form that would be admissible in evidence." Fed. R. Civ. P. 56(c). Defendant objects to one statement in the Connor Transcript and several assertions in the Declaration of David Sun, including the declaration in its entirety based on Sun's alleged lack of expertise. See Connor Tr. 242:15-18; Decl. of David Sun ("Sun Decl."), ECF 150-1. The Court discusses and OVERRULES each objection.
A. Connor Tr. 242:15-18: Response to Allegedly Leading Question on Redirect
Plaintiff testified to the following at her deposition:
Q. And in addition to purchasing credit monitoring through ClickFreeScore.com from January to June, did you also ... monitor your credit during that period?
A. Yes.
Q. And did you monitor it more than you did prior to the Quora Breach?
MR. BALLON: Objection to form; more than? Vague and ambiguous.
Q. Excuse me. Let me rephrase it. Did the level of your monitoring increase after the Quora breach?
A. Yes.
Q. And ... how frequently would you monitor your credit after the Quora breach?
A. Daily.
Q. And approximately how much time would you spend monitoring your credit after the Quora breach?
A. Depending on the day, but typically an hour.
Connor Tr. 242:2-24. Defendant objects to the assertion that Connor spent more time monitoring her credit after learning of the Data Breach because it was given in response to a leading question on re-direct. Reply 6; Connor Tr. 242:15-18.
Ruling: OVERRULED. "A leading question is a question that suggests the answer to the person being interrogated." Ochave v. I.N.S. , 254 F.3d 859, 871 n.4 (9th Cir. 2001) (Pregerson, J., dissenting) (internal quotation marks and modifications omitted). Under Federal Rule of Evidence 611(c), "[l]eading questions should not be used on direct examination except as necessary to develop the witness's testimony. Ordinarily, the court should allow leading questions: (1) on cross-examination; and (2) when a party calls a hostile witness, an adverse party, or a witness identified with an adverse party." Fed. R. Evid. 611(c).
But there is no absolute prohibition on leading questions. The language of Rule 611(c) is permissive, vesting "broad discretion in trial courts." Miller v. Fairchild Industries, Inc., 885 F.2d 498, 514 (9th Cir. 1989); see also Morgan v. Bill Vann Co., Inc., 969 F. Supp. 2d 1358, 1361 n.6 (S.D. Ala. 2013) (citing cases). Indeed, a trial court will be reversed for allowing testimony elicited by an improper leading question only if "the judge's action ... amounted to, or contributed to, the denial of a fair trial." Miller, 885 F.2d at 514 (internal quotation marks and footnote omitted); see also U.S. v. DeFiore, 720 F.2d 757, 764 (2d Cir. 1983) (explaining that the Advisory Committee's Note to Rule 611(c) indicates that appellate courts have manifested "[a]n almost total unwillingness to reverse for infractions").
Here, "[t]he facts elicited by the leading question are evidence that would be admissible at trial, and the Court shall consider those facts." Anderson v. SeaWorld Parks and Entm't, Inc. , No. 15-cv-02172-JSW, 2018 WL 1981396, at *4 n.3 (N.D. Cal. Feb. 20, 2018) (admitting testimony elicited by a leading question on a motion for summary judgment); see also Celotex Corp. , 477 U.S. at 324, 106 S.Ct. 2548 (explaining that on summary judgment, the nonmoving party need not "produce evidence in a form that would be admissible at trial in order to avoid summary judgment"); but see Wilson v. Frito-Lay N. Am., Inc. , 260 F. Supp. 3d 1202, 1210 (N.D. Cal. 2017) (excluding answers to "improper leading questions of a non-hostile witness" from consideration on a motion for summary judgment). Exercising its discretion, this Court will consider Plaintiff's deposition testimony for the purpose of this early Motion. Thus, Defendant's objection is OVERRULED.
B. Rule 702 Objections
Defendant moves to exclude both Sun as an expert and statements from his declaration under Federal Rule of Evidence 702 and Daubert v. Merrell Dow Pharm., Inc. , 509 U.S. 579, 589, 113 S.Ct. 2786, 125 L.Ed.2d 469 (1993). Plaintiff relies on Sun's opinions in opposing this Motion.
1. Legal Standard
Federal Rule of Evidence 702 provides that an expert must be qualified to testify by "knowledge, skill, experience, training, or education." Fed. R. Evid. 702. As such, a qualified expert may testify if
(a) the expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.
Id. The district court acts as the gatekeeper to "ensure that any and all scientific testimony or evidence admitted is not only relevant, but reliable." Daubert , 509 U.S. at 589, 113 S.Ct. 2786 ; Primiano v. Cook , 598 F.3d 558, 567-68 (9th Cir. 2010). These standards apply for a challenge brought during summary judgment. See In re Ford Tailgate Litig. , No. 11-cv-02953-RS, 2015 WL 7571772, at *5 n.3 (N.D. Cal. Nov. 25, 2015) (" Daubert dictates the analysis necessary for a motion to exclude expert testimony in the context of a motion for summary judgment."); but see Daniel v. Ford Motor Co. , No. CIV. 2:11-02890 WBS EFB, 2013 WL 2474934, at *2 (E.D. Cal. June 7, 2013) (explaining that a full Daubert analysis is less pressing at summary judgment, where "the court sits as both a modified fact finder seeking to determine whether a genuine issue of material exists and as the Daubert gatekeeper"), reversed on other grounds , 806 F.3d 1217 (9th Cir. 2015) ; Darensburg v. Metro Transp. Comm'n , No. C-05-01597 EDL, 2008 WL 4277656, at *1 (N.D. Cal. Sept. 15, 2008) ("There is less need for the gatekeeper to keep the gate when the gatekeeper is keeping the gate only for himself."). The Court has broad discretion concerning the admissibility or exclusion of expert testimony. Wood v. Stihl, Inc. , 705 F.2d 1101, 1104 (9th Cir. 1983).
Daubert explains that evidence is relevant if it will "assist the trier of fact to understand the evidence or to determine a fact in issue." 509 U.S. at 591, 113 S.Ct. 2786 (quoting Fed. R. Evid. 702) (internal quotation marks omitted). "Expert testimony which does not relate to any issue in the case is not relevant and, ergo, non-helpful." Id. (internal quotation marks and citation omitted). This consideration is described as one of "fit," i.e., "whether expert testimony proffered in the case is sufficiently tied to the facts of the case that it will aid the jury in resolving a factual dispute." Id.
The reliability of expert testimony turns on four factors: "(1) whether a theory or technique can be tested; (2) whether it has been subjected to peer review and publication; (3) the known or potential error rate of the theory or technique; and (4) whether the theory or technique enjoys general acceptance within the relevant scientific community." Estate of Barabin v. AstenJohnson, Inc. , 740 F.3d 457, 463 (9th Cir. 2014) (citing Daubert , 509 U.S. at 592-94, 113 S.Ct. 2786 ), overruled on other grounds by U.S. v. Bacon , 979 F.3d 766 (9th Cir. 2020). And in the Ninth Circuit, another significant factor is "whether the experts are proposing to testify about matters growing naturally and directly out of research they have conducted independent of the litigation, or whether they have developed their opinions expressly for purposes of testifying." Daubert v. Merrell Dow Pharm., Inc. , 43 F.3d 1311, 1317 (9th Cir. 1995).
The "basic gatekeeping obligation" articulated in Daubert applies not only to scientific testimony but to all expert testimony. Kumho Tire Co., Ltd. v. Carmichael , 526 U.S. 137, 147, 119 S.Ct. 1167, 143 L.Ed.2d 238 (1999). Furthermore, the factors of reliability "do not constitute a definitive checklist or test." Id. at 150, 119 S.Ct. 1167 (emphasis in original). The reliability inquiry is flexible, and "whether Daubert ’s specific factors are, or are not, reasonable measures of reliability in a particular case is a matter that the law grants the trial judge broad latitude to determine." Kumho Tire , 526 U.S. at 153, 119 S.Ct. 1167.
Keeping this framework in mind, the Court turns to Defendant's evidentiary objections regarding Plaintiff's main expert witness, David Sun.
2. Sun Decl. ¶¶ 3-6: Sun's Qualifications
Plaintiff submits the Declaration of David Sun in support of her Opposition to offer testimony regarding the nature and scope of the Data Breach and the distinction among the various credit monitoring services at issue. See generally Sun Decl. Defendant objects to the admission of the entire declaration because Sun does not claim expertise in identity theft or fraud. Reply 8.
Ruling: OVERRULED. Here, Sun bases his qualifications on his experience dealing with cyber security and computer forensics. Sun Decl. ¶¶ 3-6. He is a partner in charge of the cyber security and forensics practice at his firm and previously owned a consulting firm specializing in these areas. Id. ¶ 3. Sun is also a Certified Information Systems Security Professional, a Certified Computer Examiner, and an EnCase Certified Examiner with a master's degree in electrical engineering. Id. ¶ 5. Finally, he has prior experience testifying in litigation matters regarding "cyber security incidents, computer forensic examinations and cyber-intrusion and breach investigations." Id. ¶ 6. While he does not premise his expertise in knowledge of identity theft or financial fraud, his background qualifies him to opine on the nature, scope, and impact of the Data Breach. Thus, Defendant's objection is overruled without prejudice for the purpose of this Motion. However, because this ruling is without prejudice, it does not preclude Defendant from seeking to exclude Sun's testimony later on these same grounds.
3. Sun Decl. ¶¶ 14-16: Sun's Review of Plaintiff's Compromised Data
Plaintiff submits Sun's expert testimony that combining certain compromised information such as IP addresses, browser information, and the type of device associated with Plaintiff's account enables a third party to "piece together a pattern of the Plaintiff's location and cell phone ownership history." Sun Decl. ¶ 14. He states that such information is unavailable to the public and could allow a hacker to pose as Plaintiff. Id. ¶ 14. Additionally, Sun proposes, based on his prior experience with other telecommunication carriers, that combining general nonpublic information about a person with past cell phone ownership on their account "could satisfy the criteria for some level of account authorization." Id. ¶ 16. Defendant objects to this testimony on the grounds that it is highly speculative and is based on an assessment of Sprint, whereas Plaintiff's mobile carrier was Boost Mobile. Reply 8; see also Connor Tr. 172:17-20. As such, Defendant argues that Sun's opinion is unreliable and irrelevant, making it unhelpful. Reply 8.
Ruling: OVERRULED. Here, Sun bases his conclusions on an assessment of the Declaration of Paula Griffin, which describes the data elements included in the compromise. Sun Decl. ¶ 14; see also Griffin Decl. ¶¶ 15-18. Relying on his prior experience, he was able to uncover the personal information regarding Connor's location and cell phone ownership history. Sun Decl. ¶ 14. The times of the phone records acquired by Sun in his review range from October 2016 to June 2018. Id. His review identifies the mobile carrier as "Boost Mobile/Virgin (Sprint)." Id. On the dates in question, Boost Mobile was Sprint's for-pay service. Mot. Hr'g Tr. 36:5-12, ECF 200. Thus, such information is both (1) reliable in that Sun explains how he can uncover nonpublic information from the compromised data that could be used for some level of account authorization, and (2) relevant in that it could help the factfinder determine whether the compromised information puts Plaintiff at risk for identity theft and financial fraud. See Daubert , 509 U.S. at 591, 113 S.Ct. 2786 ; Fed. R. Evid. 702.
4. Sun Decl. ¶¶ 19-20: Sun's Review of Plaintiff's Credit Monitoring Services
Plaintiff submits Sun's review of the various credit monitoring services in which she was enrolled to explain why it was reasonable to purchase ClickFreeScore when she had other free services available to her. Sun Decl. ¶¶ 19-20. He examined each provider's prices and coverage of the three main credit reporting bureaus, concluding that "[o]nly the ClickFreeScore.com Platinum service provides coverage of all three bureaus, providing access to the actual credit reports and scores from all of them." Id. ¶ 20. Defendant objects to this testimony on the grounds that Sun claims no credit monitoring expertise and that he does not "bring any special expertise in analyzing [Plaintiff's] many credit monitoring services." Reply 11. Defendant argues that "[b]ecause Sun's entire knowledge on this subject comes from ‘little more than a quick internet search,’ it does not qualify him as an expert under Rule 702 and is inadmissible." Reply 11-12 (quoting Samuels v. Holland Am. Line-USA, Inc. , 656 F.3d 948, 953 (9th Cir. 2011) ). Relying on Stollenwerk v. Tri-West Health Care Alliance , 254 Fed. Appx. 664, 667 (9th Cir. 2007), Defendant contends that Sun does not address why it is necessary to access all the services and a raw credit score in the same place when Plaintiff could place fraud alerts with the major credit agencies and receive copies of her credit reports free of charge. Reply 12.
Ruling: OVERRULED. Here, Sun does not explicitly claim qualifications in credit monitoring, but he does claim an extensive background in technology consulting and has authored technical publications covering telecommunications. Sun Decl. ¶¶ 4-5. He has also testified in numerous litigations regarding computer breach investigations. Id. ¶ 6. Therefore, he is qualified to help the jury understand how victims may use commonly offered tools like credit monitoring services to deal with compromised data. See Fed. R. Evid. 702(a). Furthermore, his testimony can help explain the rationale behind purchasing a premium credit monitoring service when other free services are available. See Mot. 9-15; Opp'n 8-17; Reply 6-10. And the facts in Stollenwerk are not analogous to the facts here. In Stollenwerk, the expert evidence at issue "did not mention or account for the availability of free services," causing the court to conclude that the report was "entirely too conclusory to establish that a reasonable person faced with Stollenwerk's level of risk of identity theft would incur significant monitoring costs rather than take advantage of these services." Stollenwerk, 254 Fed. Appx. at 667. But Sun goes beyond mere conclusory statements to explain why ClickFreeScore's single premium service is preferable to multiple free services—that the premium service provides greater coverage of the credit reporting bureaus and access to full credit reports. Sun Decl. ¶ 20. Thus, this Court will consider Sun's analysis of the various credit monitoring services on this Motion.
5. Sun Decl. ¶¶ 8-11: Sun's Assessment of the Declaration of Zhe Fu
Sun analyzes the Declaration of Zhe Fu, who provides testimony regarding Defendant's platform infrastructure and the scope of the Data Breach. See Sun Decl. ¶¶ 8-11; Fu Decl. ¶¶ 5-7. Sun posits that because Fu bases his findings of significant data transfers on billing records, Fu's analysis is insufficiently thorough to determine the scope of the Data Breach. See Sun Decl. ¶¶ 8-9. He explains that Fu references "significant data transfers" in his analysis but "does not provide any details beyond the graph to determine if [Fu] examined smaller, protracted transfers that would not be noticeable in the graph." Id. ¶ 8. Furthermore, Sun declares that "assurances by Fu of what data was stored in AWS S3 and subject to the security incident is not corroborated by any information available." Id. ¶ 10. Defendant contends that Sun's assertions are speculative and "based on a misreading of ‘significant’ in the Fu Declaration and lifting words out of context, not a material dispute." Reply 9.
Ruling: OVERRULED. Here, it is unclear how Sun misreads the Declaration of Zhe Fu or lifts words out of context. See Reply 9. Sun explains that more information is required to determine if "a small, imperceptible increase in transfer volume over a 6-month period" occurred, which he asserts could result in a significant amount of data. Sun Decl. ¶ 8. Sun does not speculate to draw conclusions about the Data Breach itself; rather, he uses his background to posit that more information is required to assess the scope of the Data Breach. See id. ¶¶ 8-10. Such information is helpful to determine the risk to Plaintiff. See Daubert, 509 U.S. at 591, 113 S.Ct. 2786; Fed. R. Evid. 702(a). Thus, the Court will consider this evidence.
C. Opp'n 4-5: Statements About Quora's Business Model
Plaintiff submits that Defendant is in the "business of selling data" and that as a result there is a "cost" to Defendant's users. Opp'n 4-5. Defendant objects to such assertions as inadmissible on the grounds that (1) Plaintiff provides no evidence and (2) they are irrelevant since Plaintiff cannot claim Defendant's profits. Reply 15.
Ruling: OVERRULED. Here, Plaintiff submits Defendant's Terms of Service and Privacy Policy as evidence to support her assertions in the Opposition. See Terms of Service; Privacy Policy; see also Opp'n 5. And while Plaintiff cannot claim Defendant's profits, such background information is relevant to establishing context regarding the nature of the relationship between Defendant and Plaintiff. Thus, this Court will not strike the material.
Defendant requests judicial notice of two documents. Mot. 6 n.2. Courts may take judicial notice of matters either that are "generally known within the trial court's territorial jurisdiction" or that "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). "Specifically, a court may take judicial notice: (1) of matters of public record, (2) that the market was aware of information contained in news articles, and (3) publicly accessible websites whose accuracy and authenticity is not subject to dispute." In re Facebook, Inc. Sec. Litig. , 405 F. Supp. 3d 809, 827 (N.D. Cal. 2019) (internal citations and quotation marks omitted). Here, the Court grants Defendant's request and takes judicial notice of (1) Verizon Communication, Inc. Current Report (Form 8-K) at Guyon Decl. Ex. 15, ECF 140-4, and (2) Yahoo 2013 Account Security Update FAQs at Guyon Decl. Ex. 16, ECF 140-4. See McManus v. McManus Fin. Consultants, Inc. , 552 Fed. Appx. 713, 714 (9th Cir. 2014) (taking judicial notice of Form 8-K, a public filing); Loomis v. Slendertone Distrib., Inc. , 420 F. Supp. 3d 1046, 1063 (S.D. Cal. 2019) (taking judicial notice of printouts from the defendant's publicly available website).
Defendant brings this Motion seeking summary adjudication of Plaintiff's remaining claims for (1) negligence and (2) violation of the UCL. See generally Mot. Defendant's arguments generally focus on the nature of Plaintiff's asserted harms and remedies as well as an alleged lack of causation. See Mot. 9, 20-22. Plaintiff maintains that there are genuine disputes of material fact sufficient to withstand granting this Motion. See Opp'n 3-4. Viewing all evidence in the light most favorable to Plaintiff, the Court DENIES summary judgment as to the negligence claim and GRANTS summary judgment as to the UCL claim.
A. Negligence
Plaintiff's negligence cause of action is based on Defendant's alleged failure to adequately protect her PII, causing her to spend time and money monitoring her credit after the Data Breach. See TAC ¶¶ 82-89. To prevail on a negligence claim in California, a plaintiff must allege facts to satisfy these elements: "(1) the existence of a duty to exercise due care; (2) breach of that duty; (3) causation; and (4) damages." In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (Sony Gaming I ), 903 F. Supp. 2d 942, 959-60 (S.D. Cal. 2012) (citing Paz v. State of Cal. , 22 Cal. 4th 550, 558-59, 93 Cal.Rptr.2d 703, 994 P.2d 975 (2000) ). Defendant argues that Plaintiff's negligence claim fails for three reasons: (1) Plaintiff cannot prove cognizable injury; (2) Plaintiff cannot prove causation; and (3) the economic loss rule bars Plaintiff's claim. Mot. 9. Each is discussed in turn.
1. Cognizable Injury
"Under California law, appreciable, nonspeculative, present harm is an essential element of a negligence cause of action." Sony Gaming I , 903 F. Supp. 2d at 959-60 (citing Aas v. Super. Ct. , 24 Cal. 4th 627, 646, 101 Cal.Rptr.2d 718, 12 P.3d 1125 (2000), superseded by statute on other grounds , Cal. Civ. Code § 895 et seq. , as recognized in S. Cal. Gas Leak Cases , 7 Cal. 5th 391, 412, 247 Cal.Rptr.3d 632, 441 P.3d 881 (2019) ). Defendant argues that Aas is instructive on Plaintiff's asserted harm. Mot. 10. In Aas , the California Supreme Court held that homeowners could not recover damages in negligence from their home builders for construction defects that have not caused property damage. 24 Cal. 4th at 632, 101 Cal.Rptr.2d 718, 12 P.3d 1125. The court explained that "[c]onstruction defects that have not ripened into property damage, or at least into involuntary out-of-pocket losses, do not comfortably fit the definition of ‘appreciable harm’—an essential element of a negligence claim." Id. at 646, 101 Cal.Rptr.2d 718, 12 P.3d 1125 (citing Davies v. Krasna , 14 Cal. 3d 502, 513, 121 Cal.Rptr. 705, 535 P.2d 1161 (1975) ).
Relying on Aas , Defendant moves for summary judgment based on Plaintiff's failure to show "appreciable, nonspeculative, present harm." Mot. 9. Defendant bases its Motion on the fact that Plaintiff has not suffered identity theft and asserts that she has voluntarily attempted to repair any hypothetical threat of future harm by temporarily purchasing credit monitoring services and monitoring her accounts. Mot. 10-11. Plaintiff contends that Aas is factually distinct "from a data breach where the harm is from the theft of PII, some of which is just now being revealed to Plaintiff." Opp'n 9.
It appears that California courts have not considered whether time and money lost to credit monitoring from the future threat posed by compromised PII are damages to support a negligence claim. Ruiz v. Gap, Inc. , 380 Fed. Appx. 689, 691 (9th Cir. 2010) ; see also Adkins v. Facebook, Inc. , 424 F. Supp. 3d 686, 695 (N.D. Cal. 2019) ("No binding decision has ever decided whether or not future harms from a data breach can anchor a claim for negligence."). Early federal cases answering this question in the negative confronted situations in which physical hardware was stolen from an office, making it difficult to prove the severity of the risk. See, e.g. , Ruiz v. Gap, Inc. , 622 F. Supp. 2d 908, 910-11, 14-15 (N.D. Cal. 2009) (granting summary judgment for lack of cognizable harm where thieves stole laptops with PII from the defendant's office), aff'd , 380 Fed. Appx. 689, 691 (9th Cir. 2010) ; Gardner v. Health Net, Inc. (Gardner II ), No. CV 10-2140 PA (CWx), 2010 WL 11571242, at *2-3 (C.D. Cal. Nov. 29, 2010) (dismissing where the plaintiff failed to allege actual exposure of his information caused by the theft of a disk drive from the defendant's offices). Courts dealing with data breach cases involving hacking have since recognized that such situations are distinct because the thieves are more electronically sophisticated and engage in hacking to target users’ PII directly. See Anderson v. Hannaford Bros. Co. , 659 F.3d 151, 165-66 (1st Cir. 2011). Furthermore, California does carve out an exception to the present harm requirement for medical monitoring cases in which victims were exposed to toxic chemicals. See Potter v. Firestone Tire & Rubber Co. , 6 Cal. 4th 965, 1009, 25 Cal.Rptr.2d 550, 863 P.2d 795 (1993) (holding that "the cost of medical monitoring is a compensable item of damage" pursuant to a five-factor test of whether such a cost is reasonable and necessary). 
And courts confronting the issue in this Circuit have extended the toxic tort exception to data breach cases in which PII is compromised. See, e.g. , Corona v. Sony Pictures Entm't, Inc. , No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015) (adapting the Potter medical monitoring test to determine the need for future credit monitoring); Castillo v. Seagate Tech., LLC , No. 16-cv-01958-RS, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) (following Corona ). Furthermore, courts have found that "injury by way of costs relating to credit monitoring, identity theft protection, and penalties" can "sufficiently support a negligence claim." Corona , 2015 WL 3916744, at *4-5 ; see also Stasi v. Inmediata Health Grp. Corp. , No. 19cv2353 JM (LL), 2020 WL 6799437, at *9-11 (S.D. Cal. Nov. 19, 2020) (finding cognizable harm where the plaintiffs alleged lost time and money to deal with a data breach); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig. , No. 3:19-cv-2284-H-KSC, ––– F.Supp.3d ––––, ––––, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (finding that allegations of "[i]ncreased time spent monitoring one's credit and other tasks associated with responding to a data breach" were sufficiently "specific, concrete, and non-speculative"); Castillo , 2016 WL 9280242, at *4 (holding that those who incurred out-of-pocket expenses on additional identity protection and restoration services had pleaded cognizable injuries, whereas those who were merely considering the purchase of such services had not).
Here, this Court agrees with Plaintiff that the time and money she spent on credit monitoring in response to the Data Breach is cognizable harm to support her negligence claim. See Opp'n 9. Like several victims in Castillo , Plaintiff spent money purchasing a premium version of an identity-protection service. See Connor Tr. 32:4-34:23, 94:2-17; Purchase Receipt; Cancellation Receipt; Sun Decl. ¶¶ 19-20; see also Castillo , 2016 WL 9280242, at *4 (finding cognizable injury where some plaintiffs bought a subscription to an identity protection service "because they wanted greater protection than that offered" by the defendant). And Plaintiff has testified that she spent more time monitoring her credit as a result of the Data Breach. Connor Tr. 242:16-24. Her testimony that she spent "typically an hour" per day after the Data Breach is sufficiently specific to constitute cognizable injury. Connor Tr. 242:19-24; compare Corona , 2015 WL 3916744, at *4 (finding that "general allegations of lost time are too speculative to constitute cognizable injuries" (emphasis added)), with Solara , ––– F.Supp.3d at ––––, ––––, 2020 WL 2214152, at *1, *4 (finding that more specific allegations of the amount of time spent responding to the threat were sufficient to allege cognizable harm).
Accordingly, this Court DENIES Defendant's Motion for Summary Judgment based on the claim that Plaintiff cannot produce sufficient evidence supporting cognizable harm in negligence.
2. Causation
"Causation is generally a question of fact for the jury unless ‘the proof is insufficient to raise a reasonable inference that the act complained of was the proximate cause of the injury.’ " Lies v. Farrell Lines, Inc. , 641 F.2d 765, 770 (9th Cir. 1981) (quoting Leaf v. U.S. , 588 F.2d 733, 736 (9th Cir. 1978) ). In California, "[t]o demonstrate actual or legal causation, the plaintiff must show that the defendant's act or omission was a ‘substantial factor’ in bringing about the injury." Gardner v. Health Net, Inc. (Gardner I ), No. CV 10-2140 PA (CWx), 2010 WL 11597979, at *4 (C.D. Cal. Aug. 12, 2010) (quoting Saelzler v. Advanced Grp. 400 , 25 Cal. 4th 763, 778, 107 Cal.Rptr.2d 617, 23 P.3d 1143 (2001) ) (internal quotation marks omitted); see also Viner v. Sweet , 30 Cal. 4th 1232, 1239, 135 Cal.Rptr.2d 629, 70 P.3d 1046 (2003) (explaining that the substantial factor test, which California has definitively adopted for cause-in-fact determinations, subsumes the but-for test). As such, "the plaintiff must show ‘some substantial link or nexus’ between the act and the injury." Gardner I , 2010 WL 11597979, at *4 (quoting Saelzler , 25 Cal. 4th at 778, 107 Cal.Rptr.2d 617, 23 P.3d 1143 ). "[T]he actor's negligent conduct is not a substantial factor in bringing about harm to another if the harm would have been sustained even if the actor had not been negligent." Viner , 30 Cal. 4th at 1240, 135 Cal.Rptr.2d 629, 70 P.3d 1046 (emphasis in original deleted) (quoting Restatement (Second) of Torts § 432(1) (Am. L. Inst. 1965) ). But if "two forces are actively operating ... and each of itself is sufficient to bring about harm to another, the actor's negligence may be found to be a substantial factor in bringing it about." Viner , 30 Cal. 4th at 1240, 135 Cal.Rptr.2d 629, 70 P.3d 1046 (quoting Restatement (Second) of Torts § 432(2) ).
Here, Defendant first argues that Plaintiff cannot prove causation because she has been the victim of numerous other data breaches in which her compromised information could have been used to commit fraud. Mot. 11-13; see also Decl. of Anthony J. Ferrante ("Ferrante Decl.") ¶¶ 21-31, ECF 140-5. But the mere fact that Plaintiff has been a victim of other more serious breaches in the past does not mean a substantial connection between this breach and her decision to monitor her credit more closely is lacking. See Gardner I, 2010 WL 11597979, at *4 (quoting Saelzler, 25 Cal. 4th at 778, 107 Cal.Rptr.2d 617, 23 P.3d 1143). Defendant does not get a free pass on this basis. Defendant relies on cases outside this Circuit that have granted summary judgment for failing to present sufficient evidence of causation where the victims’ PII had been compromised in prior breaches. Mot. 12-13. In those cases, however, the plaintiffs presented insufficient evidence linking the compromised PII to identity theft, not to lost time and money spent dealing with the breach. See Jianjun Fu v. Wells Fargo Home Mortg., No. 2:13-cv-01271-AKK, 2014 WL 4681543, at *4-5 (N.D. Ala. Sept. 12, 2014) (granting summary judgment where the plaintiffs did not provide evidence indicating that the unsecured email at issue was the cause of their claims of actual identity theft); Jones v. Commerce Bank, N.A., No. 06 Civ. 835(HB), 2007 WL 672091, at *3-4 (S.D.N.Y. Mar. 6, 2007) (granting summary judgment where the plaintiff essentially relied on a theory of res ipsa loquitur to prove causation of identity theft).
In this case, Defendant informed Plaintiff in December 2018 that her PII was compromised as a result of the Data Breach. See Disclosure Email. Plaintiff claims and provides testimony that, in response, she spent more time and money monitoring her credit, not that her identity was stolen. TAC ¶ 19; Connor Tr. 242:6-24; see also Stasi, 2020 WL 6799437, at *9 (finding that causation for negligence can be sustained by allegations that lost time and an increase in spam/phishing were the result of defendant's duty to protect the plaintiff's PII). She also testifies that the Data Breach was the last straw in a string of breaches and that she could not be sure whether more sensitive financial information was disclosed previously. See Connor Tr. 251:17-252:15. Indeed, in January 2019—only a month after the disclosure—Plaintiff purchased enhanced credit monitoring. See Purchase Receipt; Cancellation Receipt; Opp'n 6, 15; cf. In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (Sony Gaming II), 996 F. Supp. 2d 942, 970 (S.D. Cal. 2014) (explaining that a plaintiff must "plead both a logical and temporal connection between the decision to purchase credit monitoring services and the defendant's alleged breach" and finding the "high burden" was not met where the plaintiff failed to allege when or why he closed his accounts). This evidence is sufficient to raise a reasonable inference that the Data Breach was a substantial factor in causing Plaintiff to purchase enhanced credit monitoring and to increase the time she spent monitoring her credit. See Lies, 641 F.2d at 770 (explaining that causation is generally a fact for the jury where the evidence creates a reasonable inference that the tortious act proximately caused the injury). While Defendant may challenge the authenticity of Plaintiff's claimed reasons for more carefully monitoring her credit, such a dispute is not for this Court to decide summarily. See Mot. 7-8; see also Abarca v. Franklin County Water Dist., 761 F. Supp. 2d 1007, 1064 (E.D. Cal. 2011) ("Assessing the credibility of a witness is properly left to the jury."); Erhart v. BofI Holding, Inc., No. 15-cv-02287-BAS-NLS, ––– F.Supp.3d ––––, ––––, 2020 WL 1550207, at *39 (S.D. Cal. Mar. 31, 2020) (denying summary judgment where a jury could find that money spent investigating an internal auditor's mishandling of employees’ nonpublic personal information was sufficient to cause damage).
Additionally, Defendant argues that Plaintiff cannot prove causation because there is no evidence that the information compromised in the Data Breach could be used to commit identity theft and therefore put her identity at risk. Mot. 12; Ferrante Decl. ¶ 16. But Plaintiff counters that, while a malicious third party may be unable to use the compromised information to perpetrate fraud directly, it could be combined with other data to uncover private information that may be used against her, such as learning her location at various times. Opp'n 13; Sun Decl. ¶¶ 13-17. This conflicting testimony creates another genuine dispute of material fact.
Defendant next argues that Plaintiff's decision to purchase ClickFreeScore and mitigate any risk of harm was neither reasonable nor necessary. Mot. 13. In support of this argument, Defendant cites several cases that predate more recent data breach litigation cases, most of which are factually distinct because they involve the theft of actual hardware, as opposed to a hack into a company's systems. Compare Ruiz , 622 F. Supp. 2d at 910-11 (theft of laptops), Gardner I , 2010 WL 11597979, at *4 (theft of a disk drive), and Stollenwerk , 254 Fed. Appx. at 665 (theft of computer servers with hard drives), with Anderson , 659 F.3d at 165-66 (theft based on "a sophisticated breach of electronic data"); but see Sony Gaming II , 996 F. Supp. 2d at 970 (relying on Stollenwerk and other cases outside this Circuit to conclude that the plaintiff had not met the high burden of showing that credit monitoring services were reasonably necessary in an electronic data breach). More recent cases have found that such prophylactic actions were reasonable and necessary. See, e.g., Stasi , 2020 WL 6799437, at *9-11 (finding that credit monitoring was warranted where the information involved was not the type courts have recognized as enabling identity theft, such as financial information or Social Security numbers); Solara , ––– F.Supp.3d at ––––, 2020 WL 2214152, at *4 (finding that credit monitoring was reasonable where PII was stolen); Castillo , 2016 WL 9280242, at *4 (finding that purchase of a subscription to a premium credit monitoring service was warranted); Corona , 2015 WL 3916744, at *4-5 (applying California's medical monitoring test in Potter to conclude that the theft of employees’ PII warranted credit monitoring).
Here, in December 2018, Defendant informed Plaintiff that her PII may have been compromised, including account and user information such as "email, IP, user ID, encrypted password, user account settings, [and] personalization data." Disclosure Email. The email notification explained that Defendant, exercising an abundance of caution, was logging out all users who may have been affected by the hack and was invalidating any passwords used for authentication. Disclosure Email. Defendant also stated that the company "believe[d]" it had identified the root cause of the breach but that the investigation was "ongoing" and that the company was continuing to work "to gain a full understanding of what happened." Disclosure Email. Finally, it recommended that users change passwords if they were using the same ones across multiple websites. Disclosure Email. From these statements, a Quora user like Plaintiff could reasonably conclude that the severity of the Data Breach, and therefore the threat of identity theft or fraud, was still unknown. See Corona , 2015 WL 3916744, at *4 ("It is commonly known that the consequences resulting from identity theft can be both serious and long-lasting."). As such, a jury could find it reasonable for Plaintiff to believe "that credit monitoring was needed in the wake of the Quora breach." Opp'n 13. Furthermore, Plaintiff provides that the compromised information could be used in combination with other pieces of information to commit fraud. Sun Decl. ¶¶ 13-17. Hence, this Court cannot find as a matter of law that it was not reasonable and necessary for Plaintiff to take prophylactic steps to prevent misuse of her information.
Finally, the parties dispute whether it was reasonable and necessary for Plaintiff to purchase a premium version of ClickFreeScore. Mot. 14-15; Opp'n 14-16. It is undisputed that Plaintiff had other free credit monitoring services available to her to mitigate prior data breaches. See Mot. 14-15; Opp'n 15; Sun Decl. 19-20. Defendant offers Plaintiff's deposition testimony that ClickFreeScore's paid service provided "pretty much the same services" as Credit Karma's free services, causing her to downgrade to the "basic package." Connor Tr. 33:9-34:23. Defendant argues that these statements show Plaintiff knew she had the same services for free that ClickFreeScore offered for a fee. See Mot. 14; Reply 11; Connor Tr. 76-79, 99. Plaintiff, however, presents evidence elaborating on her initial statements, explaining that she downgraded to the basic package, not because she did not feel the need for additional services, but because the subscription cost money that she would rather spend on her four children, as opposed to "something that should have already been protected in the first place." Connor Tr. 34:25-35:10. She further testified that ClickFreeScore's premium service offered additional protections such as $1 million in fraud protection against which ClickFreeScore would insure. Connor Tr. 35:12-24. And Plaintiff presents evidence that "only the ClickFreeScore.com Platinum service provides coverage of all three [credit reporting] bureaus, providing access to the actual credit reports and scores from all of them." Sun Decl. ¶ 20. Hence, this Court finds that there remains a genuine dispute of material fact over whether ClickFreeScore's premium services offered the "same" services that Plaintiff could already use for free.
In sum, the evidence demonstrates genuine disputes of material fact regarding whether the Data Breach caused Plaintiff to spend time and money monitoring her credit and whether Plaintiff's decision to purchase enhanced credit monitoring was reasonable and necessary. Accordingly, this Court DENIES Defendant's Motion for Summary Judgment based on the claim that Plaintiff cannot produce sufficient evidence supporting causation in negligence.
3. The Economic Loss Rule
Defendant argues that the economic loss rule bars recovery for Plaintiff's asserted harms. Mot. 15. Specifically, Defendant contends that all Plaintiff's asserted harms are purely economic and that no exception to the economic loss rule applies because the parties do not have a special relationship. Mot. 16-17. The Court disagrees for the reasons discussed below.
"[T]he economic loss rule prevents the law of contract and the law of tort from dissolving into one another" and "requires a [plaintiff] to recover in contract for purely economic loss due to disappointed expectations, unless he can demonstrate harm above and beyond a broken contractual promise." Robinson Helicopter Co. v. Dana Corp. , 34 Cal. 4th 979, 988, 22 Cal.Rptr.3d 352, 102 P.3d 268 (2004) (brackets and internal quotation marks omitted). Hence, to recover for purely economic loss, a plaintiff must demonstrate that one of these exceptions to the economic loss rule applies: "(1) personal injury, (2) physical damage to property, (3) a special relationship existing between the parties, or (4) some other common law exception to the rule." Kalitta Air, L.L.C. v. Cent. Texas Airborne Sys., Inc. , 315 Fed. Appx. 603, 605 (9th Cir. 2008) (internal quotation marks omitted).
This Court previously held that the economic loss rule did not bar Plaintiff's negligence claim because she alleged loss of time as a harm, meaning she had not alleged pure economic loss. See Prior Order I 13. And this Court later found that, regardless of whether loss of time is a pure economic loss, there is a special relationship between the parties. See Prior Order II 12-16. Defendant urges this Court to revisit these rulings on the grounds that (1) the recovery Plaintiff seeks is a pure economic harm, and (2) the undisputed facts show there is no special relationship between the parties. Mot. 15-16.
This Court does not disturb its prior ruling that Plaintiff alleged sufficient facts to show that the parties have a special relationship, which is an exception to the economic loss doctrine. And Plaintiff has now offered sufficient evidence to defeat summary judgment on that claim. Whether there is a special relationship under J'Aire presents a question of law for the court. Greystone Homes, Inc. v. Midtec, Inc. , 168 Cal. App. 4th 1194, 1228, 86 Cal.Rptr.3d 196 (Cal. App. Ct. 2008) ; see also Lichtman v. Siemens Industry Inc. , 16 Cal. App. 5th 914, 924, 224 Cal.Rptr.3d 725 (Cal. Ct. App. 2017) (examining Biakanja / J'Aire factors "to determine whether defendant established as a matter of law that it owed no duty to plaintiffs"). To determine the existence of a special relationship, the Court examines six factors:
(1) the extent to which the transaction was intended to affect the plaintiff,
(2) the foreseeability of harm to the plaintiff,
(3) the degree of certainty that the plaintiff suffered injury,
(4) the closeness of the connection between the defendant's conduct and the injury suffered,
(5) the moral blame attached to the defendant's conduct and
(6) the policy of preventing future harm.
J'Aire Corp. v. Gregory , 24 Cal. 3d 799, 804, 157 Cal.Rptr. 407, 598 P.2d 60 (1979). "All six factors must be considered by the court and the presence or absence of one factor is not decisive." Sony Gaming II , 996 F. Supp. 2d at 968 (citing Kalitta Air, L.L.C. v. Cent. Tex. Airborne Sys., Inc. , 315 Fed. Appx. 603, 605-06 (9th Cir. 2008) ). "[T]he inquiry hinges not on mere rote application of these ... factors, but instead on a comprehensive look at the ... sum total of the policy considerations at play in the context before us." S. Cal. Gas Leak , 7 Cal. 5th at 399, 247 Cal.Rptr.3d 632, 441 P.3d 881 (internal quotation marks omitted).
The first factor is "the extent to which the transaction was intended to affect the plaintiff." J'Aire, 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. At the pleading stage, this Court, relying on Sony Gaming II, previously found that as pled this factor favored Defendant. Prior Order II 12-13. Defendant, arguing that no California court has found a special relationship in the absence of the first factor, now asserts that the first factor is a requirement that, if found lacking, precludes a special relationship. Mot. 17; see S. Cal. Gas Leak, 7 Cal. 5th at 401-02, 247 Cal.Rptr.3d 632, 441 P.3d 881 ("What we mean by special relationship is that the plaintiff was an intended beneficiary of a particular transaction but was harmed by the defendant's negligence in carrying it out."); see also Andrews v. Plains All Am. Pipeline, L.P., No. CV-154113 PSG (JEMx), 2019 WL 6647930, at *4 (C.D. Cal. Nov. 20, 2019) (finding that the most natural reading of the California Supreme Court's opinion in S. Cal. Gas Leak, 7 Cal. 5th at 401-402, 247 Cal.Rptr.3d 632, 441 P.3d 881, "is that a transaction involving defendant intending to affect the plaintiff is necessary to establish a special relationship, but may not be sufficient on its own, without a subtler inquiry"). Plaintiff responds that cases postdating Sony Gaming II have found that the first factor favors the plaintiffs in similar data sharing situations. Opp'n 21-22. Although the Ninth Circuit has held that the presence or absence of any one factor is not decisive, Sony Gaming II, 996 F. Supp. 2d at 968, this Court, applying California law, revisits its prior conclusion based on the evidence submitted.
With Defendant's new arguments, the Court has reassessed this first factor. Cases decided after Sony Gaming II have found that the first factor is met when plaintiffs share personal data with a company with the understanding that the company will protect that data. See, e.g., Terpin v. AT&T Mobility, LLC, No. 2:18-CV-06975-ODW (KSx), 2020 WL 883221 (C.D. Cal. Feb. 24, 2020); In re Yahoo! Inc. Customer Data Sec. Litig., 313 F. Supp. 3d 1113 (N.D. Cal. 2018); Corona, 2015 WL 3916744. In Terpin, the plaintiff entered into a basic contract for mobile telephone services with AT&T. 2020 WL 883221 at *4. Because of AT&T's inadequate security policies, hackers were able to use his telephone number to commit identity theft and financial fraud. Id. at *1, *4. The Court found that the first factor was met where the plaintiff "was required to share his personal information with AT&T with the understanding that AT&T would adequately protect it." Id. at *4. In Yahoo!, which involved free email accounts, the Court found the first factor met because "Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform Plaintiffs of breaches." 313 F. Supp. 3d at 1132. Finally, in Corona, the plaintiffs were required to provide their PII as a condition of their employment, and the PII was later exposed because of a data breach. 2015 WL 3916744, at *5. The court found that, "[b]ased on these allegations, there is no doubt that this ‘transaction’ was intended to affect Plaintiffs." Id.
Here, it is undisputed that as part of Defendant's Terms of Service, Plaintiff was required to provide certain information upon creating an account. See Terms of Service 1. Contained within the Terms of Service was a privacy promise, described in Defendant's Privacy Policy. Terms of Service 7. The Privacy Policy explained Defendant's "policies and procedures on the collection, use, disclosure, and sharing of [users’] personal information or personal data when [users] use the Quora Platform." Privacy Policy 1. Emphasizing the importance of users’ privacy and the security of their information, the Privacy Policy assured users that Defendant implemented safeguards to protect their information. Privacy Policy 1, 6. And the Privacy Policy clarified to the user: "You may, of course, decline to submit information through the Quora Platform, in which case we [Defendant] may not be able to provide certain services to you." Privacy Policy 6. Such a transaction mirrors that of Terpin , Yahoo! , and Corona ; Plaintiff was required to provide her personal information as a condition of using Defendant's services, with the expectation that Defendant would take reasonable steps to safeguard against misuse of that information.
After reviewing the applicable law, the Court is no longer persuaded by Defendant's argument that Plaintiff cannot establish the first factor because she provides no evidence that she herself intended to use the platform in a manner that varied from that of Defendant's other millions of users. Mot. 17-18; Reply 13; see also Prior Order II 13. This Court now concludes that Plaintiff need only demonstrate she is a member of a class of people intended to be affected, not that she alone was in that position. See Centinela Freeman Emergency Med. Assoc. v. Health Net of Cal., Inc. , 1 Cal. 5th 994, 1014 n.10, 209 Cal.Rptr.3d 280, 382 P.3d 1116 (2016) (explaining that "liability for negligent conduct may be imposed ‘where there is a duty of care owed by the defendant to the plaintiff or to a class of which the plaintiff is a member ’ " and disapproving cases analyzing the first factor as too restrictive for reasoning that alleged negligent conduct must be "intended to affect that particular plaintiff, rather than just a class of persons to whom the plaintiff happens to belong" (emphasis in original) (quoting J'Aire , 24 Cal. 3d at 803, 157 Cal.Rptr. 407, 598 P.2d 60 )). Plaintiff has shown that she is a member of a distinct class of people—Defendant's account users—who specifically provided Defendant certain personal information with the expectation that Defendant would take reasonable steps to secure it. See Terms of Service 1; Privacy Policy 1, 6; see, e.g. , Potter v. Chevron Prod. Co. , No. 17-cv-06689-PJH, 2018 WL 4053448, at *8 (N.D. Cal. Aug. 24, 2018) (finding that the first factor favored the plaintiff, who was a member of a class of third-party oil-change consumers that the agreements at issue were intended to affect). Such a transaction was intended to affect Plaintiff and others in the class by assuring them that they could use the platform while knowing their personal information would be reasonably protected. 
Any dispute regarding the precise nature of the hacked information will be resolved by the jury, but Plaintiff submits sufficient evidence to support this J'Aire factor for purposes of summary judgment.
Privacy law is a rapidly evolving area, and the Court finds from Corona, as well as Terpin and Yahoo!, that entrusting PII to a company establishes a "transaction intended to affect the plaintiff." J'Aire, 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. Consequently, the Court concludes now, on a more developed record, that there is evidence to support a transaction intended to affect Plaintiff.
The second factor is the "foreseeability of harm to the plaintiff." Id. Courts "determine foreseeability not by reference to specific parties but instead based on the general sort of conduct at issue." S. Cal. Gas Leak , 7 Cal. 5th at 401 n.5, 247 Cal.Rptr.3d 632, 441 P.3d 881. Here, Plaintiff has offered evidence that when she became a Quora user, she provided personal information that was later compromised, such as her account and user information (e.g., name, email, user ID, and encrypted password) as well as data imported from other linked networks (e.g., contacts, demographic information, interests, and access tokens). See Disclosure Email. Plaintiff further shows that she spent time and money responding to the Data Breach after learning about it in December 2018. See Disclosure Email; Purchase Receipt; Connor Tr. 242:6-24. This Court has already determined that such alleged harms are cognizable and that there is a genuine dispute of material fact whether such action was reasonable and necessary. See supra § V.A.1.-2. It was foreseeable that Plaintiff would incur time and money working to secure that information when Defendant did not adequately protect it. See Yahoo! , 313 F. Supp. 3d at 1132 ("[I]t was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII," which "includes the user's name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests"); Terpin v. AT&T Mobility, LLC , 399 F. Supp. 3d 1035, 1120, 1049 (C.D. Cal. 2019) (finding it foreseeable that the plaintiff would suffer injury if the defendant failed to adequately protect the plaintiff's PII). Thus, Plaintiff provides evidence sufficient to withstand summary judgment as to the second factor.
The third factor is "the degree of certainty that the plaintiff suffered injury." J'Aire, 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. Here, Plaintiff provides evidence that she spent money on credit monitoring amounting to $39.90 per month for five months and an average of one hour per day in time lost responding to the Data Breach. See Purchase Receipt. Such evidence shows that Plaintiff has suffered harm. See, e.g., Stasi, 2020 WL 6799437, at *9-11 (finding harm in the form of lost time and money dealing with the data breach); Solara, ––– F.Supp.3d at ––––, 2020 WL 2214152, at *4 (same); Castillo, 2016 WL 9280242, at *4 (finding harm in the form of purchasing a premium credit monitoring service); Corona, 2015 WL 3916744, at *5 (finding harm in the form of "costs relating to credit monitoring, identity theft protection, and penalties"). This Court already found that such harm is cognizable and that there is a triable issue whether Plaintiff's actions were reasonable and necessary. See supra § V.A.1.-2. Thus, contrary to Defendant's assertions, Plaintiff can present evidence showing the third factor favors her position.
The fourth factor is "the closeness of the connection between the defendant's conduct and the injury suffered." J'Aire, 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. Here, Plaintiff shows that she purchased ClickFreeScore approximately one month after Defendant sent her an email notification that her PII may have been compromised as a result of the Data Breach. See Disclosure Email; Purchase Receipt. She also testified that it was the last straw in a string of data breaches, prompting her to purchase enhanced credit monitoring. Connor Tr. 251:20. These facts sufficiently demonstrate a close connection between Defendant's failure to safeguard her PII adequately and Plaintiff's decision to spend more time and money monitoring her credit. See Corona, 2015 WL 3916744, at *4-5 (finding a sufficient connection where the defendant failed to maintain adequate security, causing the plaintiffs to incur expenses related to credit monitoring to deal with the data breach). Thus, Plaintiff provides enough evidence to withstand summary judgment as to the fourth factor.
The fifth factor is "the moral blame attached to the defendant's conduct." J'Aire , 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. In its Privacy Policy, Defendant assured its users that their privacy is "very important" and that Defendant takes users’ privacy "very seriously." Privacy Policy 1. In response to the Data Breach, Defendant acknowledged its responsibility to safeguard against this type of invasion and its failure to meet this responsibility. See Disclosure Email. While Defendant did issue an apology within days of learning about the Data Breach, evidence suggests the breach went undetected for months before Defendant became aware of it. See Griffin Tr. 41:13-19, 48:5-8. In other words, Plaintiff can demonstrate that Defendant became morally blameworthy by the standards set forth in J'Aire when it failed to adequately protect her PII despite acknowledging that it had a responsibility to do so. See, e.g. , Terpin , 2020 WL 883221, at *4 (finding the defendant was morally culpable for being aware that allowing SIM swapping made its customers’ PII more vulnerable yet doing nothing to prevent the practice); Corona , 2015 WL 3916744, at *4-5 (finding a special relationship where the defendant knew it had inadequate security but opted to accept the risk of a breach); Sony Gaming II , 996 F. Supp. 2d at 973 (finding moral blame where the defendant knew about its security vulnerabilities); Gardner II , 2010 WL 11571242, at *3 ("[T]he moral blame attached to Defendant's conduct is high, given Plaintiffs’ allegations that Defendant failed to take the appropriate measures to protect Plaintiffs’ information."). Thus, Plaintiff offers evidence sufficient to rebut Defendant's claim that its conduct was not morally blameworthy.
The sixth factor is "the policy of preventing future harm." J'Aire , 24 Cal. 3d at 804, 157 Cal.Rptr. 407, 598 P.2d 60. This Court agrees with Plaintiff that imposing "liability for negligence—which is not contested in the [Motion]—would encourage companies such as [Defendant] to take better care to safeguard their users’ PII." Opp'n 23; see also Prior Order II 15. Furthermore, failing to adequately safeguard users’ PII "implicates consumer protection concerns expressed in California and federal statutes." Prior Order II 15; see, e.g. , Terpin , 2020 WL 883221, at *4 ("AT&T's failure to adequately protect [plaintiff's] personal information implicates the consumer data protection concerns expressed in federal statutes, such as Section 222 of the Federal Communications Act."); Yahoo! , 313 F. Supp. 3d at 1131-32 (explaining that the defendant's negligent protection of the plaintiffs’ PII "implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA"); Sony Gaming II , 996 F. Supp. 2d at 973 (finding that "imposing liability might influence other businesses to take the necessary precautions"); Gardner II , 2010 WL 11571242, at *3 (finding that "the policy of preventing future harm" supported the availability of damages, "given the prevalence of identity theft and the need to protect consumers’ confidential information"). Thus, Plaintiff can show that the sixth factor favors her position.
In sum, Plaintiff has offered evidence sufficient to show that all six J'Aire factors weigh in her favor. Therefore, summary judgment based on Defendant's contention that the facts do not support the special relationship exception to the economic loss rule is not appropriate. Accordingly, this Court DENIES Defendant's Motion for Summary Judgment based on the argument that the economic loss rule bars Plaintiff's negligence claim.
4. Conclusion
Plaintiff has presented evidence sufficient to demonstrate that (1) the harm alleged is cognizable, (2) there is a genuine dispute of material fact as to causation, and (3) the special relationship exception to the economic loss rule applies. Thus, Defendants’ Motion for Summary Judgment is DENIED as to the negligence claim.
B. California's Unfair Competition Law ("UCL")
Plaintiff's UCL cause of action is based on Defendant's alleged representations and omissions surrounding its failure to adequately protect Plaintiff's PII and disclose the details of the Data Breach. See TAC ¶¶ 68-81. Plaintiff seeks an injunction requiring Defendant (1) to provide updated information about exactly what was exposed and (2) to institute industry-standard practices to protect its users’ data. Opp'n 25. Defendant moves for summary judgment on the UCL claim based on two grounds. Mot. 20-25. First, Defendant argues that because the Data Breach did not cause Plaintiff to lose money, she lacks statutory standing to bring a UCL claim. Mot. 20-22. Second, Defendant argues that because Plaintiff has an adequate remedy at law, she cannot claim injunctive relief under the UCL. Mot. 23-25. Each ground is discussed in turn.
Plaintiff originally requested restitution under the UCL claim. TAC ¶ 81. Now conceding that she cannot obtain restitution, she requests only injunctive relief. Opp'n 25.
1. Statutory Standing
The UCL provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code § 17200. But whether a UCL claim is actionable turns first on a plaintiff's standing to bring it. In re Anthem, Inc. Data Breach Litig. , 162 F. Supp. 3d 953, 985 (2016). To establish standing for a UCL claim, a plaintiff must demonstrate that the alleged unfair competition caused him or her to personally lose money or property, i.e., suffer economic injury-in-fact. Yahoo! , 313 F. Supp. 3d at 1129 ; Cal. Bus. & Prof. Code § 17204 ; Kwikset Corp. v. Super. Ct. , 51 Cal. 4th 310, 322-27, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011). Causation requires showing either a causal connection to or reliance on the alleged unfair business practice. Kwikset , 51 Cal. 4th at 326, 120 Cal.Rptr.3d 741, 246 P.3d 877. Economic injury-in-fact can occur where a defendant's wrongful conduct requires the plaintiff to "enter into a transaction, costing money or property, that would otherwise have been unnecessary." Id. at 323, 120 Cal.Rptr.3d 741, 246 P.3d 877. To have standing, such costs need not be restitution, which is the only monetary remedy available under the UCL. See Sony Gaming II , 996 F. Supp. 2d at 986 (citing Kwikset , 51 Cal. 4th at 335-37, 120 Cal.Rptr.3d 741, 246 P.3d 877 ).
Here, Plaintiff presents evidence that Defendant's unfair business practices compelled her to spend money on enhanced credit monitoring protection in January 2019. Opp'n 24-25; Disclosure Email; Purchase Receipt. Defendant argues that its alleged unfair competition did not cause Plaintiff to purchase the enhanced credit monitoring, since she already had other free services available and bought the services after filing this action. Mot. 21; Reply 14-15.
To support its argument, Defendant first asserts that the Data Breach did not cause Plaintiff to lose money because she purchased ClickFreeScore "after seeing a pop-up ad for the service in January 2019, not in response to learning of the [Data Breach] in December 2018." Mot. 21; see also Reply 14-15; Connor Tr. 94:2-13. The Court finds that this argument lacks merit. It is reasonable to infer that Plaintiff, after learning of the Data Breach only one month earlier, responded to the ClickFreeScore advertisement because she saw benefit in greater protection against her increased risk of identity theft and fraud. It is likewise reasonable to infer that, had the Data Breach not recently occurred, Plaintiff would have ignored the advertisement. The pop-up ad informed Plaintiff of an available service to help her deal with an already existing problem; it did not destroy the required "causal connection." Kwikset, 51 Cal. 4th at 326, 120 Cal.Rptr.3d 741, 246 P.3d 877.
Defendant next attacks Plaintiff's deposition testimony explaining why she spent more time monitoring her credit after this Data Breach as opposed to other breaches involving her PII:
Q. Okay. Can you explain what it is about the Quora credit breach that caused you to spend more time than you were spending before, given that your information was also exposed—given that more sensitive information was exposed in the Experian and TaskRabbit credit breaches?
MR. WOOD: Objection; form.
A. I have no idea.
Q. (By Mr. Ballon) What was it that's different about the Quora credit breach except that you have sued over this one?
A. Maybe the straw that kind of broke the camel's back.
Q. But you do agree that you had more sensitive information exposed previously in the TaskRabbit security breach, correct?
A. I don't know that for sure.
Q. Well, based on the notices you got, at least you were told that you had more sensitive information disclosed, correct?
A. Probably, yes.
Q. And you had more sensitive financial information disclosed in the [Equifax] breach, correct? [ ]
A. I'm not—I don't know for sure.
Q. But at least you were told that more sensitive financial information was exposed in the Equifax breach than in the Quora breach?
A. Possibly.
Q. But your testimony is the reason you spent more time as a result of the Quora breach is that it was the straw that broke the camel's back; is that correct?
A. Pretty much, yes, sir.
Connor Tr. 251:10-252:15. Defendant urges this Court to focus on Plaintiff's answer that she had "no idea" why she spent more time monitoring her credit after this Data Breach as opposed to the other data breaches. Mot. 21. But such a reading takes Plaintiff's deposition testimony out of context. Read as a whole, Plaintiff's deposition testimony suggests that she may have been confused by the wording of the original question and that her motivations in purchasing enhanced credit monitoring stem not from the seriousness of the compromised data, but from the Data Breach itself as the last straw in a history of data breaches. See Connor Tr. 251:20. At a minimum, the evidence creates a genuine dispute of material fact as to whether this Data Breach caused her to purchase ClickFreeScore. See Troyk v. Farmers Grp. Inc. , 171 Cal. App. 4th 1305, 1350-51, 90 Cal.Rptr.3d 589 (Cal. Ct. App. 2009) (denying summary judgment where the movant failed to show no triable issue of fact as to causation for UCL standing); Chowning v. Kohl's Dep't Stores, Inc. , No. CV 15-08673 RGK (SPx), 2016 WL 1072129, at *2-4 (C.D. Cal. Mar. 15, 2016) (denying summary judgment as to causation for UCL standing because there was a triable issue of fact as to reliance on the alleged misrepresentations).
Defendant further posits that Plaintiff has not suffered a cognizable loss as a result of the Data Breach because she could use other free services to monitor her credit. Mot. 21. To support its argument, Defendant relies on Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 250481, at *3 (N.D. Cal. Feb. 3, 2009), where the court found that the plaintiff failed to allege a "loss of money" because victims of the data breach could obtain reimbursement for payment made toward enhanced credit monitoring. Mot. 21-22. But payments toward enhanced credit monitoring that arise from a data breach and that are not reimbursed do "constitute economic injury, sufficient to confer UCL standing." In re Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA), 488 F.Supp.3d 374, 418–19 (E.D. Va. Sept. 18, 2020); see also In re Yahoo! Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, *21-22 (N.D. Cal. Aug. 30, 2017) (finding that plaintiffs were "required to enter into a transaction, costing money or property, that would otherwise have been unnecessary" after incurring out-of-pocket expenses on credit monitoring to deal with the data breach); Anthem, 162 F. Supp. 3d at 986-87 (noting that the language in Kwikset favors the argument that money spent on credit monitoring to prevent fraud is sufficient to assert statutory standing under the UCL); Corona, 2015 WL 3916744, at *5, *8 (finding standing based on prior finding of cognizable injury in negligence "by way of costs relating to credit monitoring, identity theft protection, and penalties"); Witriol v. LexisNexis Grp., No. C05-02392 MJJ, 2006 WL 4725713, *6 (N.D. Cal. Feb. 10, 2006) (finding that "costs associated with monitoring and repairing credit impaired by the unauthorized release of private information" constituted "monetary loss as a result of Defendants’ actions").
Here, no evidence suggests that Plaintiff could seek reimbursement for her purchase of ClickFreeScore. See Opp'n 25. And there is a genuine dispute of material fact over whether ClickFreeScore's premium services offered the same services that Plaintiff could already use for free, since "only the ClickFreeScore.com Platinum service provides coverage of all three [credit reporting] bureaus, providing access to the actual credit reports and scores from all of them." Sun Decl. ¶ 20; see also Mot. 21-22; Opp'n 3.
Thus, this Court finds that Plaintiff has provided evidence sufficient to raise a genuine dispute of material fact as to statutory standing under the UCL.
2. Injunctive Relief
"The UCL's coverage is sweeping, and its standard for wrongful business conduct intentionally broad." Moore v. Apple, Inc. , 73 F. Supp. 3d 1191, 1204 (N.D. Cal. 2014) (internal quotation marks omitted). But because a UCL action is equitable in nature, its remedies for private individuals "are limited to restitution and injunctive relief." Pom Wonderful LLC v. Welch Foods, Inc. , No. CV 09-567 AHM (AGRx), 2009 WL 5184422, *2 (C.D. Cal. Dec. 21, 2009). In Sonner v. Premier Nutrition Corp. , 971 F.3d 834, 844 (9th Cir. 2020), the Ninth Circuit held that "the traditional principles governing equitable remedies in federal courts, including the requisite inadequacy of legal remedies, apply when a party requests restitution under the UCL and CLRA in a diversity action." Cases in this Circuit have held that Sonner extends to claims for injunctive relief. See, e.g. , Zaback v. Kellogg Sales Co. , No. 3:20-cv-00268-BEN-MSB, 2020 WL 6381987, *4 (S.D. Cal. Oct. 29, 2020) (dismissing a UCL claim for injunctive relief because the plaintiff failed to allege that there was no adequate remedy at law); In re Macbook Keyboard Litig. , No. 5:18-cv-02813-EJD, 2020 WL 6047253, at *2-3 (N.D. Cal. Oct. 13, 2020) (finding that Sonner extends to preclude claims for injunctive relief); Gibson v. Jaguar Land Rover N. Am., LLC , No. CV 20-00769 CJC (GJSx), 2020 WL 5492990, at *3-4 (C.D. Cal. Sept. 9, 2020) (dismissing UCL claims for injunction and restitution based on Sonner ); Teresa Adams v. Cole Haan, LLC , No. Sacv 20-913 JVS (DFMx), 2020 WL 5648605, at *2 (C.D. Cal. Sept. 3, 2020) (finding, under the reasoning of Sonner , that there is no "exception for injunctions as opposed to other forms of equitable relief"); Schertz v. Ford Motor Co. , No. CV 20-03221 TJH (PVCx), 2020 WL 5919731, at *2 (C.D. Cal. July 27, 2020) (dismissing UCL claims for injunction and restitution where the plaintiff failed to allege that there was no adequate remedy at law).
Here, Plaintiff concedes she has no claim for restitution under the UCL and instead seeks only injunctive relief. Opp'n 25. Most importantly, she fails to allege or demonstrate that any remedy at law is inadequate, and in fact she even seeks a remedy at law through her negligence claim, which is based on the same alleged conduct as her equitable claim. See TAC ¶¶ 10, 33, 84, 86; Opp'n 24-25. Plaintiff requests an injunction mandating that Defendant both (1) provide updated information about exactly what was exposed and (2) institute industry-standard practices for protection of its users’ data. Opp'n 25. But the potential harm caused by both actions may be remedied by money damages, and "[w]here the claims pleaded by a plaintiff may entitle her to an adequate remedy at law, equitable relief is unavailable." Rhynes v. Stryker Corp. , No. 10-5619 SC, 2011 WL 2149095, at *4 (N.D. Cal. May 31, 2011) ; see, e.g. , Mullins v. Premier Nutrition Corp. , No. 13-cv-01271-RS, 2018 WL 510139, at *2, *4 (N.D. Cal. Jan. 23, 2018) (dismissing the claims for equitable restitution under the UCL because the plaintiff failed to demonstrate that she lacked an adequate legal remedy, especially given that she had an available legal remedy under her CLRA claim), aff'd , Sonner , 971 F.3d at 845 ; Munning v. Gap, Inc. , 238 F. Supp. 3d 1195, 1203-04 (N.D. Cal. 2017) (dismissing the UCL claim with prejudice because there was an adequate remedy at law under the plaintiff's breach of contract and breach of express warranty claims); Zapata Fonseca v. Goya Foods Inc. , No. 16-cv-02559-LHK, 2016 WL 4698942, at *7 (N.D. Cal. Sept. 8, 2016) (dismissing claims for equitable relief under the UCL because the plaintiff pled other claims, including negligent misrepresentation, providing for an adequate remedy at law).
Furthermore, Defendant has met its burden of showing that Plaintiff has an adequate remedy at law. See Mot. 23-25; Reply 15. But Plaintiff does not produce evidence rebutting Defendant's assertions. See Opp'n 25. The Declaration of David Sun, which Plaintiff cites in the Opposition but does not explain, offers expert testimony that Defendant should have relied on more sophisticated information and tools to assess the Data Breach. Opp'n 25; Sun Decl. ¶ 9. It does not, however, provide evidence demonstrating that Defendant's failure to change its practices or provide timely updates could produce harm for which legal relief is inadequate. See id. As such, even if it were possible for Plaintiff to demonstrate she has no adequate remedy at law, she has failed to meet her burden of production to offer contradictory evidence that one exists. See Nissan Fire, 210 F.3d at 1103 (explaining that "if ... a moving party carries its burden of production, the nonmoving party must produce evidence to support its claim or defense" to withstand summary judgment).
Accordingly, summary judgment as to the UCL claim is warranted.
3. Conclusion
Defendant has demonstrated that there is an adequate remedy at law for the conduct described in the injunction Plaintiff seeks. But Plaintiff does not produce, and this Court cannot find, any evidence that meaningfully rebuts the evidence offered by Defendant. Thus, the Court GRANTS summary judgment on the UCL claim.
VI. ORDER
For the foregoing reasons, IT IS HEREBY ORDERED that Defendants’ Motion for Summary Judgment is DENIED as to the negligence claim and GRANTED as to the UCL claim.