In re Accellion, Inc. Data Breach Litig.

United States District Court, Northern District of California
Oct 28, 2024
21-cv-01155-EJD (N.D. Cal. Oct. 28, 2024)

Opinion

IN RE ACCELLION, INC. DATA BREACH LITIGATION


ORDER DENYING MOTIONS TO DISMISS AND FOR RECONSIDERATION RE: ECF NOS. 244, 271

EDWARD J. DAVILA United States District Judge

In December 2020 and January 2021, hackers breached a secure file transfer application offered by Defendant Accellion, Inc. and widely used by entities who handled sensitive personal information. This breach exposed millions of individuals' private data. In response, Plaintiffs filed this putative class action against Accellion. Now before the Court are two motions. First is Accellion's motion to dismiss Plaintiffs' negligence claim. Second is Plaintiffs' motion for reconsideration of an earlier order dismissing their Confidentiality of Medical Information Act (“CMIA”) claim. After reviewing the parties' written submissions, the Court finds oral argument to be unnecessary under Local Rule 7-1(b). The Court DENIES both motions.

I. BACKGROUND

A. Factual Allegations

Accellion is a “cloud solutions company” that develops and offers products for “prevent[ing] data breaches and compliance violations from third party cyber risk.” Am. Consol. Class Action Compl. (“Amended Complaint” or “Am. Compl.”) ¶ 25, ECF No. 248. Among Accellion's offerings is a product called the File Transfer Appliance (“FTA”). Id. ¶ 26. Accellion designed the FTA to securely transfer files as an alternative to email, particularly in those situations where file sizes exceed the limits for email attachments. Id. To use the FTA, a person uploads the files to be transferred. Then, that person sends a link to the intended recipient from which the recipient can view or download those files. Id. FTA file transfers often involved sensitive personally identifiable information such as Social Security numbers, demographic information, and medical records. Id. ¶ 32.

Plaintiffs initially filed a redacted version of the Amended Complaint at ECF No. 230. The Court cites to the unredacted version throughout this Order.

Accellion began offering the FTA in the early 2000s. Id. ¶ 26. By December 2020, the FTA was nearly 20 years old and approaching its end of life. Id. ¶ 34. Accellion allegedly recognized that the FTA had become outdated and encouraged its clients to upgrade to a newer, more secure file transfer product called Kiteworks. Id. Still, Accellion continued to make the FTA available, albeit with fewer resources devoted to maintaining that older product. Id. ¶ 35.

On December 16, 2020, the FTA's built-in anomaly detector notified an Accellion client that unauthorized third parties had breached the system. Id. ¶ 39. The client alerted Accellion, and when Accellion investigated the issue, it confirmed that the FTA contained security vulnerabilities. Id. Over the following week, Accellion released patches to address those vulnerabilities. Id. ¶ 40. Despite Accellion's efforts, a second breach occurred on January 20, 2021. Id. ¶ 43. Accellion learned about this breach two days later and identified two more security vulnerabilities. Id. ¶ 44. According to Plaintiffs, Accellion struggled to fix those vulnerabilities. Id. ¶¶ 47-51.

Plaintiffs allege that these breaches exposed their personally identifiable information, subjecting them to injuries such as identity theft and fraudulent credit charges. Id. ¶ 4.

B. Procedural History

In their original Consolidated Class Action Complaint (“Original Complaint” or “Original Compl.”), ECF No. 170, Plaintiffs raised eleven claims. Accellion moved to dismiss all eleven claims, Mot. to Dismiss Original Compl., ECF No. 174, and the Court mostly granted Accellion's motion. Order Granting in Part & Den. in Part Mot. to Dismiss (“Prior Order”), ECF No. 217. As relevant here, the Court allowed Plaintiffs' negligence claim to proceed and dismissed Plaintiffs' CMIA claim with leave to amend. Id. at 15, 24. When Plaintiffs filed their Amended Complaint, they did not renew their CMIA claim or otherwise attempt to correct the deficiencies in their CMIA claim. Instead, Plaintiffs only brought the two claims for which the Court had denied the motion to dismiss: negligence and one other claim not pertinent here. Am. Compl. ¶¶ 122-56.

Although the Court previously found that the Original Complaint stated a claim for negligence, Accellion moved again to dismiss that same claim from the Amended Complaint. Mot. to Dismiss Am. Compl. (“MTD Mot.”), ECF No. 244. In its motion, Accellion challenges only one element of Plaintiffs' renewed negligence claim, arguing that the amended allegations do not establish a special relationship between Accellion and Plaintiffs such that Accellion owed a duty of care to Plaintiffs. After the parties finished briefing this second motion to dismiss, Plaintiffs requested permission to file a motion for reconsideration of the Court's Prior Order dismissing their CMIA claim. Mot. for Leave to File, ECF No. 266. The Court granted leave to file, ECF No. 269, and Plaintiffs subsequently filed their motion. Mot. for Reconsideration (“Recon. Mot.”), ECF No. 271.

Accellion also raises choice of law issues. However, choice of law in this case is a fact-intensive exercise better suited for later stages of litigation when the parties may present evidence on the issue. In re Apple Inc. Device Performance Litig., 386 F.Supp.3d 1155, 1170 (N.D. Cal. 2019). Deferring choice of law issues is all the more appropriate here because the parties should have completed most of their discovery on choice of law already, and class certification briefing is due in less than two months, providing an opportunity for Accellion to brief choice of law with the aid of evidence in the near future. Therefore, the Court declines to address choice of law in this Order.

II. MOTION TO DISMISS

A. Legal Standard

To survive a Rule 12(b)(6) motion for failure to state a claim, a complaint must contain sufficient factual allegations to make out a plausible legal claim. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). In determining whether the complaint states a plausible claim, courts “accept as true all factual allegations in the complaint and draw all reasonable inferences in favor of the nonmoving party.” Retail Prop. Tr. v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). But courts “are not bound to accept as true a legal conclusion couched as a factual allegation.” Iqbal, 556 U.S. at 678 (citation omitted).

B. Discussion

1. Law of the Case

The Court begins by addressing Plaintiffs' threshold argument that law of the case bars the Court from granting Accellion's motion to dismiss. Plaintiffs assert that law of the case applies because the Court had previously rejected the sole argument that Accellion advances in its instant motion. Opp'n to MTD Mot. (“MTD Opp'n”) 6, ECF No. 250. If Plaintiffs are correct that law of the case applies, Accellion faces a higher burden to dismiss Plaintiffs' negligence claim from the Amended Complaint than it would typically face on a Rule 12(b)(6) motion. Namely, Accellion would need to show that the Court's prior special relationship finding was wrong due to “clear error, changed law, new evidence, changed circumstances, or manifest injustice.” Askins v. U.S. Dep't of Homeland Sec., 899 F.3d 1035, 1043 (9th Cir. 2018). However, Plaintiffs are incorrect about law of the case. Motion practice regarding an amended complaint “does not ask the court to reconsider its analysis of the initial complaint” because an “amended complaint is a new complaint.” This means that the parties are “entitl[ed] [] to judgment on the [new] complaint's own merits” rather than on the initial complaint's merits. Id. As such, the Court “is not . . . bound by any law of the case.” Id.

Although the Court is not bound in any way by its Prior Order, the Court's earlier decision is still relevant. So long as the Court does not hold Accellion to the higher standard for overcoming law of the case, if the Court “determines the [A]mended [C]omplaint is substantially the same as the initial complaint, the [Court] is free to follow the same reasoning” and to “decide the second motion to dismiss in the same way it decided the first.” Id. Accellion asserts that the Court should not even do that because there is a key difference between the Original and Amended Complaints. The Original Complaint alleges that Accellion itself stored, transferred, and maintained Plaintiffs' personal information. Original Compl. ¶¶ 30, 62, 63, 114, 116. But the Amended Complaint alleges that Accellion's product (the FTA) stored, transferred, and maintained that personal information. Am. Compl. ¶¶ 32, 72, 73, 123, 125. Contrary to Accellion's suggestion, though, this is not a substantial difference that renders the Court's prior reasoning inapt. As the Court explains further below, it makes no material difference whether Accellion or its product is alleged to have transferred Plaintiffs' personal information since Accellion is responsible for its product. Thus, the differences between the Original and Amended Complaints are no basis for the Court to abandon its prior reasoning.

2. Special Relationship

As the Court previously explained, California courts consider whether four factors are present when determining if a special relationship exists: (1) dependence, (2) control, (3) limits to the scope of the community to which a duty of care is owed, and (4) benefits to the duty-holder. Prior Order 6-7 (quoting Regents of Univ. of Cal. v. Superior Ct., 4 Cal. 5th 607, 620-21 (2018)). While the Amended Complaint's new allegations do not alter the Court's earlier conclusions regarding these four factors, Accellion has further developed its arguments since its first motion to dismiss. Therefore, the Court discusses those newly developed arguments factor-by-factor.

Dependence. Special relationships typically involve “an aspect of dependency,” meaning that “one party relies to some degree on the other for protection.” Regents, 4 Cal. 5th at 620. The degree of reliance that justifies a special relationship is high; historically, courts have recognized special relationships only where “the plaintiff is particularly vulnerable.” Id. at 621 (citations omitted). The Original Complaint cleared this bar because its allegations showed “there [was] no reason to believe that Plaintiffs could have secured their [personal information] themselves when it was sent using Accellion's FTA software.” Prior Order 7. Put differently, because there was nothing Plaintiffs could have personally done to secure their information, they needed to rely on the FTA's security features to protect their information. By extension, Plaintiffs' reliance on Accellion's FTA software meant that Plaintiffs depended on Accellion, the entity responsible for developing and updating the FTA, for protection. This logic still applies with equal force now that Plaintiffs allege Accellion's FTA software, rather than Accellion itself, transferred and maintained their personal information. If anything, Plaintiffs' amendments reinforce the first link in that logical chain: that Plaintiffs relied on the FTA.

The remainder of Accellion's arguments on dependence are unconvincing. First, Accellion argues there were no allegations that it created the risk of data breach, that it induced detrimental reliance, or that it induced a false sense of security. MTD Mot. 13. Accellion confuses different sources of tort duty. Creation of risk is a separate source of duty from a special relationship, Brown v. USA Taekwondo, 11 Cal. 5th 204, 214-15 (2021), so whether Accellion was responsible for the risk faced by Plaintiffs is not germane to the dependence analysis. Second, Accellion claims that this case is analogous to Tristan v. Bank of America, No. 22-cv-1183, 2023 WL 4417271 (C.D. Cal. June 28, 2023), and to Moriarty v. Bayside Insurance Associates, Inc., No. 2056139, 2021 WL 4061105 (9th Cir. Sept. 7, 2021), two cases where courts found that no special relationship existed. But Tristan and Moriarty are distinguishable from this case because the plaintiffs there had the ability to protect themselves, unlike Plaintiffs here. In Tristan, the plaintiffs were victims of scams that solicited money through the payment platform Zelle. 2023 WL 4417271, at *1-2. The Tristan plaintiffs were not particularly vulnerable, though, because the scammers were in direct contact with them. Id. Thus, the Tristan plaintiffs could have protected themselves through their own vigilance. Similarly, in Moriarty, which involved an alleged failure to warn about unpaid insurance premiums, the plaintiffs could have protected themselves by keeping closer track of their own insurance payments. 2021 WL 4061105, at *1.

Control. “The corollary of dependence in a special relationship is control.” Regents, 4 Cal. 5th at 621. That is, plaintiffs depend on the defendant in a special relationship because the defendant “has superior control over the means of protection.” Id. Like the Original Complaint, the Amended Complaint establishes that Accellion had control over the FTA because Accellion had the power to issue patches for security vulnerabilities in the FTA. Am. Compl. ¶¶ 40, 43. Accellion suggests that this is not enough control because Accellion's customers (such as the government agencies and banks that collected Plaintiffs' personal information) had the ultimate responsibility for ensuring security, and because those customers could have rejected Accellion's security patches. MTD Mot. 13-14. The latter defies common sense. See Iqbal, 556 U.S. at 663-64 (“[D]etermining whether a complaint states a plausible claim is context specific, requiring the reviewing court to draw on its experience and common sense.”). As a practical matter, it is highly unlikely that entities like banks, which deal with sensitive information and require high levels of security, would refuse to implement critical security patches offered by Accellion. More fundamentally, control requires a defendant to be in a “unique position to protect the plaintiff from injury.” Brown, 11 Cal. 5th at 216. It does not require the defendant to be the only one capable of offering protection. Accellion's customers may have been able to offer additional protection to Plaintiffs, but it is Accellion who was uniquely positioned to patch security vulnerabilities in the FTA. There is no indication that any other party could have provided the necessary patches.

Scope. Special relationships must also be “limited to specific individuals.” Regents, 4 Cal. 5th at 621. As the Court previously held, the relationship proposed by Plaintiffs here satisfies that requirement because it “exists only between Accellion and those specific individuals whose information the FTA software ferries.” Prior Order 8. Accellion resists this conclusion, arguing that under this definition, the identities of those individuals benefiting from the proposed special relationship are unknown. MTD Mot. 15. “Unknown,” however, does not have the same meaning as “unlimited” or “unknowable.” If the beneficiaries of Plaintiffs' proposed relationship were truly unlimited or unknowable, the proposed relationship would be problematic. But that is not the case here. The special relationship's scope is not unlimited because the FTA did not transfer everyone's data. And the special relationship's scope is not unknowable because discovery from Accellion's clients could reveal the specific beneficiaries of this relationship. The fact that the exact identities of the beneficiaries are unknown at this very moment, or that it might be difficult to ascertain those identities, does not improperly broaden the scope of the proposed special relationship.

Benefit. As Accellion concedes, it “benefitted from its commercial activity of providing the FTA to customers.” MTD Mot. 15. So this last factor also supports finding that a special relationship exists.

* * *

Based on the Amended Complaint, all four factors support finding a special relationship, just as all four factors supported finding a special relationship under the Original Complaint. Therefore, Accellion's argument fails, and the Court DENIES its motion to dismiss.

Accellion also briefly argues that no duty exists because Plaintiffs' amendments show that Accellion had no “threshold level of interaction[]” with Plaintiffs. MTD Mot. 16. Accellion misreads the Court's Prior Order. There, the Court held that a duty of care can extend beyond “those with whom [a defendant] shares privity” and can also extend beyond relationships with “some threshold level of interactions.” Prior Order 9. Thus, the Court did not hold that special relationships require some minimum interaction.

III. MOTION FOR RECONSIDERATION

A. Legal Standard

A motion for reconsideration is an “extraordinary remedy” that “should not be granted[] absent highly unusual circumstances.” Dairy v. Bonham, 25 F.Supp.3d 1284, 1286 (N.D. Cal. 2014) (citations omitted). It is usually only appropriate to grant reconsideration in one of three circumstances: (1) there is newly discovered evidence; (2) the court previously committed clear error or made a manifestly unjust decision; or (3) there is an intervening change in controlling law. Hiramanek v. Clark, No. 5:13-cv-00228-RMW, 2016 WL 11033962, at *1 (N.D. Cal. Mar. 29, 2016). Plaintiffs move for reconsideration under only the third ground. Recon. Mot. 4.

B. Discussion

Plaintiffs ask for reconsideration of the Court's earlier decision to dismiss their CMIA claim. In its Prior Order, the Court found that Plaintiffs failed to state a CMIA claim because they did not allege facts showing that Accellion was a “provider of health care” covered by the CMIA. Prior Order 22-24. Specifically, the Court held that Accellion did not meet the definitions for a provider of health care under either of California Civil Code §§ 56.06(a) or (b). Plaintiffs now claim that the California Court of Appeal's recent decision in J.M. v. Illuminate Education, Inc., 103 Cal.App. 5th 1125 (2024), changes the landscape for § 56.06. But even if Illuminate changed the law, it did not do so in a way that affects the Court's previous CMIA ruling.

Accompanying Plaintiffs' reconsideration motion is a motion for leave to amend. The request to amend the complaint to add a CMIA claim is an extension of the reconsideration motion, so the Court does not address it separately; the Court's ruling on the reconsideration motion applies equally to the motion for leave to amend.

To begin, § 56.06(a) defines a “provider of health care” in relevant part as a “business organized for the purpose of maintaining medical information.” The Court held that, in the Original Complaint, Plaintiffs failed to show that Accellion fell under the § 56.06(a) definition because Plaintiffs' allegations were insufficient. Prior Order 22-23. Plaintiffs made only two allegations about Accellion's purpose. The first allegation was conclusory and therefore insufficient under Iqbal. Id. at 22 (quoting allegation in Original Compl. ¶ 167 that “Accellion is organized in part for the purpose of maintaining medical information”). The second allegation was not conclusory, but it was insufficient to plead purpose by itself. Plaintiffs alleged that Accellion sold its file-sharing services to hospitals and other medical professionals. Id. at 23 (quoting Original Compl. ¶ 167). But this showed only that hospitals and medical professionals had discovered that Accellion's products could be useful, not that Accellion had purposefully designed its products to appeal to medical professionals. So, the Court accepted Accellion's argument that there was a “lack of pleaded facts suggesting that Accellion is organized at all for [the] purpose” required by § 56.06(a). Reply in Support of Mot. to Dismiss Original Compl. 9, ECF No. 187.

Accellion's motion for reconsideration does not address this pleading defect. Instead, Accellion focuses on a statutory interpretation dispute that the parties had raised in their briefs on the first motion to dismiss but that the Court did not address in the Prior Order: Whether § 56.06(a) requires Plaintiffs to plead that maintaining medical information was Accellion's sole purpose or if it is enough that maintaining such information was one of Accellion's purposes. Recon. Mot. 5-6. According to Plaintiffs, Illuminate establishes that the latter interpretation is correct. However, because the Court did not dismiss Plaintiffs' CMIA claim on the basis that § 56.06(a) covers only companies whose sole purpose is to maintain medical information, even assuming that Illuminate changed the law as Plaintiffs suggest, Illuminate is not relevant to the Court's prior ruling on § 56.06(a). Thus, Illuminate cannot be a basis for reconsidering the Court's § 56.06(a) ruling. Illuminate does not change the Court's § 56.06(b) analysis either. In its Prior Order, the Court found that Accellion was not a provider of health care under § 56.06(b) because it did not offer its software directly to individual consumers. Prior Order 23. Section 56.06(b) applies to businesses that offer software to “consumers,” Cal. Civ. Code § 56.06(b), which the Court construed to mean “individual consumers.” Prior Order 23. Illuminate did not construe the word “consumer” in § 56.06(b), so it is not relevant to the Court's prior § 56.06(b) ruling, either.

Accordingly, the Court DENIES Plaintiffs' motion for reconsideration.

IV. CONCLUSION

The Court DENIES Accellion's motion to dismiss and Plaintiffs' motion for reconsideration.

IT IS SO ORDERED.
