In re S.F. 49ers Data Breach Litig.

United States District Court, Northern District of California
Aug 15, 2024
3:22-cv-05138-JD (N.D. Cal. Aug. 15, 2024)

Opinion

IN RE SAN FRANCISCO 49ERS DATA BREACH LITIGATION.


ORDER RE DISMISSAL

JAMES DONATO UNITED STATES DISTRICT JUDGE

Plaintiffs in this consolidated action say that their personally identifiable information (PII) was hacked in a data breach of defendant San Francisco 49ers' computer systems in February 2022. Dkt. No. 28 (consolidated amended complaint). They allege claims for negligence, breach of implied contract, and violations of the California Consumer Records Act, Cal. Civ. Code § 1798.80 et seq. (CRA), Unfair Competition Law, Cal. Bus. Code § 17200 et seq. (UCL), California Consumer Privacy Act, Cal. Civ. Code § 1798.150 (CCPA), and the Georgia Uniform Deceptive Trade Practices Act, Ga. Code Ann. § 10-1-370 et seq. (Georgia UDTPA). The 49ers ask to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Dkt. No. 42.

The parties' familiarity with the record is assumed. Overall, most of the claims are just plausible enough to warrant a fully developed record for determination on summary judgment. Negligence per se is dismissed with prejudice as a freestanding claim, and the Georgia UDTPA claim is dismissed with leave to amend.

LEGAL STANDARDS

Under Rule 12(b)(1), dismissal is appropriate if the Court lacks subject matter jurisdiction. Fed.R.Civ.P. 12(b)(1). Federal courts are courts of limited jurisdiction, and the “case or controversy” requirement of Article III of the U.S. Constitution “limits federal courts' subject matter jurisdiction by requiring, inter alia, that plaintiffs have standing.” Chandler v. State Farm Mut. Auto. Ins., 598 F.3d 1115, 1121 (9th Cir. 2010); see also Maystrenko v. Wells Fargo, N.A., No. 21-CV-00133-JD, 2021 WL 5232221, at *2 (N.D. Cal. Nov. 10, 2021). “[A] plaintiff must demonstrate standing to sue by alleging the ‘irreducible constitutional minimum’ of (1) an ‘injury in fact’ (2) that is ‘fairly traceable to the challenged conduct of the defendants’ and (3) ‘likely to be redressed by a favorable judicial decision.’” Patel v. Facebook Inc., 290 F.Supp.3d 948, 952 (N.D. Cal. 2018) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). The “specific element of injury in fact is satisfied when the plaintiff has suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. (internal quotations and citations omitted).

“A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (citations omitted); see also Patel, 290 F.Supp.3d at 951-52. The 49ers' attack on plaintiffs' standing is facial, and the truth of the allegations in the complaint will be assumed.

For a Rule 12(b)(6) motion to dismiss, a plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). This calls for enough “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). The plausibility analysis is “context-specific” and not only invites, but “requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679.

DISCUSSION

I. STANDING

Plaintiffs have alleged a concrete and individualized injury sufficient to confer standing to sue under Article III. Plaintiffs say that hackers obtained their Social Security numbers and similar personal information, and that they have incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII.” Dkt. No. 28 ¶ 11; see also ¶¶ 40, 51. This is enough to establish standing. See TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021); Jones v. Ford Motor Co., 85 F.4th 570, 574 (9th Cir. 2023) (per curiam); In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018).

Plaintiffs have also adequately alleged that their injuries are fairly traceable to the actions of the 49ers. The theory of the complaint is that the 49ers did not encrypt or otherwise protect plaintiffs' PII with reasonable security protocols. See Dkt. No. 28 ¶¶ 9, 22. This is a sufficiently clear causal chain to allege traceability. See Brill v. Chevron Corp., No. 15-CV-04916-JD, 2017 WL 76894, at *3 (N.D. Cal. Jan. 9, 2017).

II. NEGLIGENCE

For negligence, a plaintiff must plausibly allege: (1) the defendant had a duty, or an “obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks,” (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009) (quoting McGarry v. Sax, 158 Cal.App.4th 983 (2008)).

For present purposes, plaintiffs have alleged enough to state a negligence claim. “The general rule in California is that everyone is responsible for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person. In other words, each person has a duty to use ordinary care and is liable for injuries caused by his failure to exercise reasonable care in the circumstances.” Cabral v. Ralphs Grocery Co., 51 Cal.4th 764, 771 (2011) (simplified); see also Cal. Civ. Code § 1714 (“Everyone is responsible, not only for the result of his or her willful acts, but also for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person.”). As noted, plaintiffs say that the 49ers obtained and stored their PII without implementing reasonable safeguards against hacking and unauthorized access, and that they have incurred actual costs in following up on the hacking. Plaintiffs also say they have already incurred, and will continue to incur, monitoring costs. That is enough for pleading purposes to go forward, without prejudice to a determination of duty, damages, and causation on a fully developed record at summary judgment.

The Court defers the question of whether the economic loss rule might apply to foreclose the negligence claim. The 49ers contend that the amended complaint alleges purely economic losses untethered to personal injury or a special relationship, and so recovery in tort is unavailable. Dkt. No. 42 at 10-11; see Robinson Helicopter Co. v. Dana Corp., 34 Cal.4th 979, 988 (2004). The rule serves to “limit liability in commercial activities that negligently or inadvertently go awry.” Robinson Helicopter, 34 Cal.4th at 991 n.7. It is true that plaintiffs feature their out-of-pocket losses in the amended complaint, but they also mention noneconomic injuries, albeit not with crystal clarity. See, e.g., Dkt. No. 28 ¶¶ 63-70. Consequently, this question is better resolved on a fully developed record later in the litigation.

With plaintiffs' agreement, Dkt. No. 49 at 12, the negligence per se claim is dismissed as a freestanding claim.

III. UCL

The UCL claim was not handled well by either side. The 49ers made a two-paragraph argument for dismissal, and plaintiffs responded in kind with a series of cursory and rather disjointed comments. The 49ers also raised for the first time in a reply brief the contention that plaintiff Donelson cannot bring a UCL claim because the relevant conduct occurred outside of California. That was not an appropriate tactic.

The Court declines to take up the UCL claim on this anemic record. The 49ers may challenge it on summary judgment.

IV. BREACH OF IMPLIED CONTRACT

“An implied contract is one, the existence and terms of which are manifested by conduct.” Cal. Civ. Code § 1621. For this claim, plaintiffs must allege: “(1) the contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) the resulting damages to plaintiff.” Reichert v. Gen. Ins. Co. of Am., 68 Cal. 2d 822, 830 (1968) (citations omitted).

Plaintiffs have plausibly alleged these elements. The amended complaint states that plaintiffs were required to disclose their PII to the 49ers, to the 49ers' benefit, with the understanding that the 49ers would reasonably protect their information. That is enough for the implied contract claim to go forward.

V. CCRA

The CCRA requires California businesses that own or license computerized data that include personal information to disclose a data breach after discovering one “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82. The amended complaint alleges that the 49ers knew of the breach in February 2022, Dkt. No. 28 ¶ 25, but waited approximately six months before disclosing it. Id. ¶¶ 3, 4. Specifically, plaintiffs say that the 49ers had realized that the breach included “personal, unencrypted information of Plaintiffs and the class, but waited approximately three months to notify them,” and that the delay of three months is unreasonable under the circumstances as it “prevented Plaintiffs and the Class from taking appropriate measure from [sic] protecting themselves against harm.” Id. ¶¶ 134-35. The CCRA claim will go forward.

VI. CCPA

The 49ers say that plaintiffs' allegation that the 49ers failed to “implement and maintain reasonable security procedures and practices” is conclusory. Dkt. No. 42 at 12. But the amended complaint includes specific allegations regarding the 49ers' security procedures and practices, including their failure “to even encrypt or redact” their highly sensitive PII. Dkt. No. 28 ¶ 9. That is enough for present purposes.

Whether plaintiffs may recover statutory damages under the CCPA remains in question. The CCPA requires a 30-day notice-and-cure procedure prior to initiating an action. Cal. Civ. Code § 1798.150(b). Materials outside of the amended complaint indicate plaintiffs mailed the required notice after initiating litigation. Plaintiffs did not address this issue. The Court will not make a final determination of these external facts at the pleadings stage, but the parties are directed to confer on an agreement with respect to the date of mailing and whether that forecloses statutory damages.

The 49ers attached pre-suit letters to its motion to dismiss. Dkt. Nos. 42-1, 42-2, 42-3.

VII. GEORGIA UDTPA

The Georgia Uniform Deceptive Trade Practices Act provides that “a person likely to be damaged by a deceptive trade practice of another may be granted” injunctive relief. O.C.G.A. § 10-1-373(a). Deceptive trade practices include representations that “goods or services have . . . characteristics, ingredients, uses, [or] benefits . . . that they do not have.” O.C.G.A. § 10-1-372(a)(5). The complaint does not identify which, if any, of the 49ers' representations were deceptive. The Georgia UDTPA claim is dismissed with leave to amend.

CONCLUSION

Plaintiffs may file a second amended complaint with respect to the Georgia UDTPA claim by August 30, 2024. No new claims or parties may be added without the Court's prior consent. A failure to comply with this order or filing deadline will result in dismissal of the Georgia UDTPA claim with prejudice pursuant to Federal Rule of Civil Procedure 41(b).

IT IS SO ORDERED.

