Opinion
21cv1144-LL-MSB
04-01-2022
GERALD S. LEE, individually and on behalf of all others similarly situated and on behalf of the general public, Plaintiff, v. NETGAIN TECHNOLOGY, LLC, Defendant.
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS FOR LACK OF PERSONAL JURISDICTION [ECF No. 12]
Honorable Linda Lopez United States District Judge
Defendant Netgain Technology, LLC (“Netgain”) moves to dismiss this putative class action for lack of personal jurisdiction under Federal Rule of Civil Procedure 12(b)(2). ECF No. 12. Plaintiff filed a response in opposition, [ECF No. 14], and Netgain filed a reply, [ECF No. 16]. The motion has been fully briefed and is suitable for submission without the need for oral argument. For the below reasons, the motion is GRANTED.
A different plaintiff and putative class representative filed a nearly identical complaint in Clark v. Netgain Technology, LLC, No. 21-cv-1432-LL-MSB (S.D. Cal. Aug. 10, 2021) in which Netgain also has a pending motion to dismiss for lack of personal jurisdiction. Both parties agree the Court's ruling in this case will also resolve the motion in Clark.
I. BACKGROUND
Plaintiff alleges that Netgain is a cloud hosting and information technology services company that provides services to several organizations in the healthcare and accounting industries nationwide. Complaint (“Compl.”) ¶ 3. CareSouth Carolina, Inc. (“CareSouth”) is one of Netgain's clients and is a community health center providing a comprehensive set of services to its patients, from pediatrics to pharmacy to community outreach. Id. ¶ 6. Plaintiff is a citizen and resident of South Carolina. Id. ¶ 14. As a patient of CareSouth, he was required to provide Netgain and CareSouth with his personal medical information (“PMI”) with the assurance that such information would be kept safe from unauthorized access. Id. at 7.
CareSouth was voluntarily dismissed as a defendant just prior to the filing of Negtain's motion to dismiss. ECF No. 11.
On or around December 3, 2020, cyber criminals infiltrated network servers belonging to Netgain and CareSouth where sensitive personal and medical information was being kept unprotected (the “data breach”). Id. ¶ 1. The cybercriminals gained access to certain network servers, and Netgain paid a significant amount of money in exchange for a promise from the attackers that they would delete the copies of the data that was in their possession and would not publish, sell or otherwise share the data. Id. ¶ 2. On May 17, 2021, Plaintiff received a letter from CareSouth informing him of “an incident that involved personal information maintained by our vendor Netgain” in which “some of [the] servers that it maintained for CareSouth Carolina were affected as part of a ransomware attack.” ECF No. 1-2.
Plaintiff brings a putative nationwide class action on behalf of all persons residing in the United States whose PMI was compromised as a result of the data breach. Id. ¶ 119. Plaintiff also brings a putative subclass action on behalf of all patients of CareSouth. Id. Plaintiff's claims include: (1) negligence; (2) invasion of privacy; (3) breach of third-party beneficiary contract; (4) breach of implied contract; (5) breach of confidence; (6) breach of implied covenant of good faith and fair dealing; (7) violations of South Carolina Code of Laws, SC Stat. Tit. 389, Ch. 5 §§ 10, et seq.; (8) violations of South Carolina Code of Laws, SC Stat. Tit. 39, Ch. 1 § 90; and (9) for declaratory relief.
II. LEGAL STANDARDS
Under Federal Rule of Civil Procedure 12(b)(2), a district court may dismiss an action for lack of personal jurisdiction. Any judgment rendered by a court that lacks personal jurisdiction over a defendant is void. Ruiz v. Snohomish Cnty. Pub. Util. Dist. No. 1, 824 F.3d 1161, 1164 (9th Cir. 2016). A federal court has personal jurisdiction over an out of state defendant if the defendant had certain minimum contacts with the state such that the maintenance of the suit does not offend traditional notions of fair play and substantial justice. Goodyear Dunlop Tires Ops., S.A. v. Brown, 564 U.S. 915, 923 (2011) (citing Int'l Shoe Co. v. Washington, 326 U.S. 310, 316 (1945)). This minimum contact jurisdiction may be either “general or all-purpose jurisdiction, ” or “specific or case-linked jurisdiction.” Id. at 919 (citing Helicopteros Nacionales de Colom. a S.A. v. Hall, 466 U.S. 408, 414 (1984)).
“Where defendants move to dismiss a complaint for lack of personal jurisdiction, plaintiffs bear the burden of demonstrating that jurisdiction is appropriate.” Dole Food Co. Inc. v Watts, 303 F.3d 1104, 1108 (9th Cir. 2002). Factual disputes are resolved in the plaintiff's favor. Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1154 (9th Cir. 2006) (citation omitted). Where the court decides a motion to dismiss for lack of personal jurisdiction without an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts to withstand the motion to dismiss. Ballard v. Savage, 65 F.3d 1495, 1498 (9th Cir. 1995).
The plaintiff cannot, however, simply rest on the bare allegations of his or her complaint. Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011) (citation omitted). Only uncontroverted allegations in the complaint must be taken as true. Id. The court may consider evidence presented in affidavits and declarations in determining personal jurisdiction. Doe v. Unocal Corp., 248 F.3d 915, 922 (9th Cir. 2011); see also In re Cathode Ray Tube (CRT) Antitr. Litig., 27 F.Supp.3d 1002, 1008 (N.D. Cal. 2014) (“The Court may not assume the truth of allegations that are contradicted by affidavit.”).
III. DISCUSSION
The parties dispute whether the Court has specific jurisdiction over Netgain. Specific jurisdiction exists where “the defendant's suit-related conduct . . . . create[s] a substantial connection with the forum State.” Walden v. Fiore, 571 U.S. 277, 284 (2014). In order for a federal court to exercise specific jurisdiction over a non-resident defendant:
The parties do not dispute (1) that Netgain does not reside in California, and (2) the Court lacks general jurisdiction over Netgain.
(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (2) the claim must be one which arises out of or relates to the defendant's forum-related activities; and (3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.See Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 801-02 (9th Cir. 2004). (citing Lake v. Lake, 817 F.2d 1416, 1421 (9th Cir. 1987)). “If any of the three requirements is not satisfied, jurisdiction in the forum would deprive the defendant of due process of law.” Caddy, 453 F.3d at 1155. The plaintiff bears the burden of satisfying the first two prongs of the test. Id. (citing Sher v. Johnson, 911 F.2d 1357, 1361 (9th Cir. 1990)). If the plaintiff satisfies the first two prongs, the burden shifts to the defendant to present a “compelling case” that the exercise of jurisdiction would not be reasonable. Burger King Corp. v. Rudzewicz, 471 U.S. 462, 476-78 (1985).
A. Purposeful Availment and Direction
A purposeful availment analysis is most often used in suits sounding in contract while a purposeful direction analysis is most often used in suits sounding in tort. Schwarzenegger, 374 F.3d at 802 (citations omitted). “[B]oth purposeful availment and purposeful direction ask whether defendants have voluntarily derived some benefit from their interstate activities such that they will not be haled into a jurisdiction solely as a result of ‘random,' ‘fortuitous,' or ‘attenuated' contacts.” Global Commodities Trading Grp., Inc. v. Beneficio de Arroz Choloma, 972 F.3d 1101, 1107 (9th Cir. 2020) (quoting Burger King, 471 U.S. at 474-75).
1. Purposeful Direction
Purposeful direction requires that that the defendant: “‘(1) committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows is likely to be suffered in the forum state.'” Axiom Foods, Inc. v. Acerchem Int'l, Inc., 874 F.3d 1064, 1069 (9th Cir. 2017) (quoting Wash. Shoe Co. v. A-Z Sporting Goods Inc., 704 F.3d 668, 673 (9th Cir. 2012)). A defendant acts intentionally when he acts with “an intent to perform an actual, physical act in the real world, rather than an intent to accomplish a result or consequence of that act.” AMA Multimedia, LLC v. Wanat, 970 F.3d 1201, 1209 (9th Cir. 2020) (quoting Schwarzenegger, 374 F.3d at 806). Showing the defendant “engaged in wrongful conduct targeted at a plaintiff whom the defendant knows to be a resident of the forum state” is relevant to the “expressly aimed” inquiry. Axiom Foods, 874 F.3d at 1069-70.
In his Complaint, Plaintiff claims “[t]his Court has personal jurisdiction over Defendants because Defendant Netgain conducts much of its business in and has sufficient minimum contacts with California.” Compl. ¶ 28. Plaintiff further claims that “[v]enue is likewise proper . . . . in this District . . . . because Defendant Netgain conducts business through this District (including promoting, selling, marketing, and distributing the Netgain brand and services at issue).” Id. ¶ 29. Plaintiff argues he has made a prima facie showing of both purposeful availment and direction because “the uncontroverted allegations are that Netgain (1) advertises serving the San Diego market via its website; (2) has a physical office in California; (3) employs personnel working in California; and (4) has California employees providing IT services to its customers, which includes California residents, contracting with California residents, and maintaining business relationships with California residents.” ECF No. 14 at 5. In support of this argument, Plaintiff cites a link to a page on Netgain's website noting that “[t]he company has grown to include offices and data centers in Chicago, Minneapolis, San Diego and Phoenix.” Id. at n.1.
Plaintiff states “[t]he legal standard governing a motion to dismiss for lack of personal jurisdiction permits the Court to consider relevant materials outside the pleadings without taking judicial notice of those materials.” ECF No. 14 at 5 n.1 (citing Diaimler AG v. Bauman, 134 S.Ct. 746, 752 (2014). Although Netgain does not dispute the information on its website, to the extent Plaintiff requests the Court take judicial notice of Netgain's website, the request is GRANTED. See Allphin v. Peter K. Fitness, LLC, No. 13-cv-01338-BLF, 2014 WL 6997653, at *3 (N.D. Cal. Dec. 11, 2014) (“Courts have taken judicial notice of the websites of parties to the litigation when determining personal jurisdiction.”).
In opposition, Netgain argues that Plaintiff has not shown purposeful directionbecause “Netgain only has one satellite office in California that is staffed by only a few employees, none of whom provided services to CareSouth” and “Netgain does not store any data at its California office, including any data associated with Mr. Lee or CareSouth.” ECF No. 12 at 10. In support of this argument, Netgain attaches a declaration by its Vice President of Finance stating: (1) “Netgain has a satellite office in San Diego;” (2) “Netgain does not store any customers' personal information data at its California office, including any data associated with Plaintiff . . . . or . . . . CareSouth;” and (3) “Netgain's California office is staffed by only a few employees who are responsible for IT services for customers not including CareSouth.” ECF No. 12-1 at 4-6.
Netgain argues the correct test is purposeful direction “because [Plaintiff's] claims sound in tort, not contract.” ECF No. 15 at 3. As noted above, however, in addition to claims for negligence, invasion of privacy, and South Carolina state statutory claims, Plaintiff brings claims for breach of contract under a third party beneficiary theory, breach of implied contract, and bad faith. Netgain does not explain, nor is it apparent, why these claims sound in tort but not contract. See Baton v. Ledger SAS, No. 21-cv-02470-EMC, 2021 WL 5226315, at *5 (N.D. Cal. Nov. 9, 2021) (applying purposeful direction test data breach case where plaintiff “primarily” asserted tort or statutory claims).
By opening an office and data center in San Diego, Netgain performed an actual, physical act in the real world that was aimed at California. In operating the San Diego office day-to-day, Netgain also presumably performs acts aimed at California. However, Plaintiff does not identify an actual, physical act in the real world that Netgain did that caused the data breach. The gravamen of Plaintiff's claims is that Netgain failed, by taking no action or insufficient action, to secure CareSouth patients' PMI. The act of opening and operating a San Diego office does not, without more, constitute wrongful conduct, or conduct targeted at a plaintiff whom Netgain knew was a California resident. See Calder v. Jones, 465 U.S. 789 (1984) (“mere untargeted negligence” does not support personal jurisdiction).
Even if Plaintiff was a resident of California and suffered harm in California, that fact alone would not be enough for specific jurisdiction. See Patao v. Equifax, Inc., No. CV 19-00677 JMS-WRP, 2020 WL 5033561, at *4 (D. Haw. Aug. 25, 2020) (alleging that data breach caused plaintiff to suffer harm in forum state is “insufficient to establish specific jurisdiction under either a purposeful direction or purposeful availment analysis”).
Plaintiff also does not allege or show, that by operating the San Diego office, Netgain caused the data breach, or that Netgain knew that by operating the San Diego office the data breach would likely occur. While Plaintiff alleges that after the data breach CareSouth “began filing” sample data security incident letters with various state Attorneys General, including California's, that mirrored the language of the notice sent to Plaintiff, see Compl. ¶ 31, Plaintiff does not allege, or provide any evidence supporting, that any such notices were actually sent to a person in California. In data breach cases, courts have found that decisions by out-of-state companies regarding data breach notifications in California presumably occur at the company's headquarters. In Baton, for example, the court found “[t]here are no facts alleged that [defendant] made its decision regarding notification in California or that it specifically targeted California in its decision not to provide communications about the breach, nor do any facts presented by Plaintiffs suggest that California-residents were uniquely harmed or entitled to a warning about the breach more than anyone else affected by the breach residing in any other jurisdiction.” 2021 WL 5226315, at *7; see also Caces-Tiamson v. Equifax, No. 20-cv-00387-EMC, 2020 WL 1322889, at *3 (N.D. Cal. Mar. 20, 2020) (declining to find specific jurisdiction because actions defendant did or did not take with respect to its data security systems would presumably have occurred where it had its principal place of business, even where the plaintiff resided in California); Tiamson v. Equifax, Inc., No. 19-CV-08430-LHK, 2020 WL 3972582, at *6 (N.D. Cal. July 14, 2020) (applying Caces-Tiamson's reasoning that specific jurisdiction does not exist where the plaintiff did not show that the data breach, or the failure to prevent the data breach, was “tied to” California).
Moreover, as discussed below, Plaintiff essentially admits in his request for jurisdictional discovery that he does not know whether the data breach originated in California due to the acts or omissions of the San Diego office, or whether the San Diego office had any control of Plaintiff's or CareSouth's data. See Baton, 2021 WL 5226315, at *6-7 (finding lack of specific jurisdiction where there was no evidence by declaration or elsewhere that the defendant “reposited” the plaintiff's data in California, and where the plaintiff did not allege that the defendant permitted customer data to be accessible to, and accessed by, anyone in California). As is the case for decisions regarding breach notifications, it is not reasonable to infer that decisions regarding data security, especially CareSouth's data security, were made in California. Accordingly, Plaintiff has not made a prima facie showing of purposeful direction.
2. Purposeful Availment
“A showing that a defendant purposefully availed himself of the privilege of doing business in a forum state typically consists of evidence of the defendant's actions in the forum, such as executing or performing a contract there.” Schwarzenegger, 374 F.3d at 802. Instructive factors include: (1) prior negotiations; (2) contemplated future consequences; (3) the terms of the contract at issue; and (4) the parties' actual course of dealing. Burger King, 471 U.S. at 479. The analysis involves a “qualitative evaluation of the defendant's contact with the forum state.” Harris Rutsky & Co. Ins. Servs., Inc. v. Bell & Clements Ltd., 328 F.3d 1122, 1130 (9th Cir. 2003). Direct solicitation of business in the forum state, and conducting negotiations in the forum state, are “particularly persuasive” under the purposeful availment test. Decker Coal Co. v. Commonwealth Edison Co., 805 F.2d 834, 840 (9th Cir. 1986). The substantiality of the effect in the forum state may be considered. See, e.g., Haisten v. Grass Valley Med. Reimburs. Fund, Ltd., 784 F.2d 1392, 1398 (9th Cir. 1986).
By operating an office in San Diego, Netgain has purposefully availed itself of the privilege of doing business in California. See Jeong v. Nexo Fin. LLC, No. 21-cv-02392-BLF, 2022 WL 174236, at *10 (N.D. Cal. Jan. 19, 2022) (uncontradicted allegation that defendant operated a branch of its business in California is sufficient to find purposeful availment). In his opposition, however, Plaintiff does not recognize: (1) the distinction between purposeful direction and availment; (2) that each test typically applies to different types of claims; or (3) that Plaintiff's claims appear to sound in both tort and contract. Moreover, Plaintiff does not allege that he directly contracted with Netgain. See Toretto v. Mediant Commc'ns, Inc., No. 19-cv-05208-EMC, 2020 WL 1288478, at *4 (N.D. Cal. Mar. 18, 2020) (finding lack of purposeful availment in data breach case where the defendant did not have a “direct contractual relationship with any of the . . . . businesses involved in the breach” and “no direct contractual relationship with any of the . . . . breach-affected companies located in California”). Nonetheless, to the extent Plaintiff argues that Netgain has purposefully availed itself, Plaintiff has made a prima facie showing of purposeful availment, but only with respect to his contract-based claims.
3. Relatedness
To demonstrate that its claims “arise out” of forum-related activities, Plaintiff must show that he would not have suffered an injury “but for” Netgain's “forum related conduct.” Myers v. Bennett L. Offs., 238 F.3d 1068, 1075 (9th Cir. 2001). Plaintiff argues he has made his prima facie case for relatedness because (1) “Netgain staffs its California office with IT personnel providing IT services for multiple customers, including California healthcare providers impacted by the same Data Breach that impacted Lee and the Nationwide Class Members, ” and (2) Plaintiff “alleges that it was due to these very IT services, including Defendant's negligence and data security failures provided to its customers nationwide (including out of its California office), that the Data Breach occurred.” ECF No. 14 at 6.
As noted above, however, Plaintiff acknowledges that he does not know whether the data breach occurred but for the acts or omissions of Netgain in, or directed at, California. Moreover, Plaintiff's argument does not match his allegations. In support of his argument, Plaintiff cites paragraph 11 of his Complaint, in which he alleges “[d]ue to Defendants' negligence and data security failures, cyber criminals obtained and now possess everything they need to commit personal and medical identity theft and wreak havoc on the financial and personal lives of hundreds of thousands of individuals for decades to come.” Plaintiff also cites paragraph 74, in which he alleges that Netgain owed various duties of care regarding the safekeeping of Plaintiff's PMI. Neither of these paragraphs suggests the data breach would not have occurred but for the acts or omission of Netgain vis-à-vis its activities in, or directed at, California. See Toretto, 2020 WL 1288478, at *5 (finding lack of specific jurisdiction in data breach case because “it is not at all evident that, absent [defendant's] contractual agreements to provide services to California entities, Plaintiffs' claims would not have arisen”). Accordingly, Plaintiff has not made a prima facie showing of relatedness.
4. Reasonableness
Because Plaintiff cannot satisfy the first two elements of the specific jurisdiction test, the burden does not shift to Netgain to show that jurisdiction would be unreasonable. See, e.g., Willis v. Princess Cruise Lines, No. 2:19-cv-06278-SVW-FFM, 2020 WL 5353984, at *6 (C.D. Cal. May 29, 2020). Assuming Plaintiff had shown purposeful direction and relatedness, most of the reasonableness factors would likely weigh in favor of declining specific jurisdiction over Netgain. The Ninth Circuit applies a seven-part balancing test to determine whether a case satisfies the “fair play and substantial justice” element:
(1) the extent of the defendants' purposeful injection into the forum state's affairs; (2) the burden on the defendant of defending in the forum; (3) the extent of conflict with the sovereignty of the defendant's state; (4) the forum state's interest in adjudicating the dispute; (5) the most efficient judicial
resolution of the controversy; (6) the importance of the forum to the plaintiff's interest in convenient and effective relief; and (7) the existence of an alternative forum.Dole, 303 F.3d at 1114.
By allegedly failing to protect CareSouth's patients' PMI, the extent of Netgain's purposeful injection into California's affairs is minimal. There is no allegation or evidence, for example, that Netgain had reason to believe CareSouth's patients, or former patients, were in California. It also seems burdensome that Netgain would have to defend against claims related to a data breach in any state where it had employees, regardless of whether the data breach was in any way linked to that state. Furthermore, California's interest in adjudicating this dispute is not strong given that Plaintiff is from South Carolina, his claims arise mostly, if not entirely, under South Carolina law, and arise from a data breach of a Minnesota company that possessed South Carolina patients' PMI. South Carolina or Minnesota would clearly be more efficient and important alternative forums for resolving this controversy.
Plaintiff does not specify which state's law applies to his common law claims.
Netgain states that it is the defendant “in a consolidated action in Minnesota alleging putative classes that if certified would include his claims and the classes he purports to represent.” ECF No. 16.
B. Jurisdictional Discovery
Finally, Plaintiff argues that “[i]f the Court requires a further factual showing that the Data Breach would not have occurred but for Netgain's conduct in the forum state, then it should permit limited discovery on these narrow issues prior to a preliminary hearing.” ECF No. 14 at 9. “[W]here pertinent facts bearing on the question of jurisdiction are in dispute, discovery should be allowed.” Am. W. Airlines, Inc. v. GPA Grp., Ltd., 877 F.2d 793, 801 (9th Cir. 1989). A district court has the discretion to permit or deny jurisdictional discovery. Boschetto v. Hansing, 539 F.3d 1011, 1020 (9th Cir. 2008). A court may deny a request to conduct jurisdictional discovery if “a plaintiff's claim of personal jurisdiction appears to be both attenuated and based on bare allegations in the face of specific denials made by the defendants, ” Caddy, 453 F.3d at 1160, or “it is clear that further discovery would not demonstrate facts sufficient to constitute a basis for jurisdiction, ” Laub v. U.S. Dep't of Interior, 342 F.3d 1080, 1093 (9th Cir. 2003) (quotation marks omitted). Plaintiff is required to establish a “colorable basis” for personal jurisdiction before a court grants jurisdictional discovery. See Mitan v. Feeney, 497 F.Supp.2d 1113, 1119 (C.D. Cal. 2007). “This ‘colorable' showing should be understood as something less than a prima facie showing, and could be equated as requiring the plaintiff to come forward with ‘some evidence' tending to establish personal jurisdiction over the defendant.” Id. (citations omitted).
In support of his request for jurisdictional discovery, Plaintiff essentially argues that jurisdictional discovery might reveal that: (1) the data breach originated in California due to acts and omissions in the San Diego office; (2) the system's “weak point” was in the San Diego office; (3) Netgain's negligence and data security failures were “nationwide;” (4) the San Diego office possessed or controlled the compromised PMI; and (5) the San Diego office was responsible for Plaintiff's or other class members' PMI. ECF No. 14 at 8-9. “Such an approach smacks of a fishing expedition - in other words, it appears that Plaintiff is seeking jurisdictional discovery based on a mere ‘hunch,' which courts have found to be insufficient.” Jeong, 2022 WL 174236, at *16 (citing Boschetto, 539 F.3d at 1020). As noted above, Plaintiff provides no actual evidence that the data breach occurred in California or affected persons in California. As also noted above, Plaintiff does not argue or allege that any breach notification letters were sent to anyone in California. Plaintiff's only allegation specifically related to personal jurisdiction is that Netgain “conducts much of its business in” California. Compl. ¶ 28.
It is not clear that a “nationwide” security failure would confer specific jurisdiction. See Caces-Tiamson, 2020 WL 1322889, at *3 (“Nor can specific jurisdiction be based on the mere fact that [the defendant] provides services to customers nationwide[.]”).
Overall, Plaintiff's request for jurisdictional discovery is not based on evidence that the evidence presented by Netgain is false or inaccurate. Accordingly, Plaintiffs request for jurisdictional discovery is based on speculation, and Plaintiff has therefore not met his burden of showing some evidence of personal jurisdiction. See Baton, 2021 WL 5226315, at *14. Additionally, because jurisdictional discovery is unwarranted, it would be futile for Plaintiff to attempt to amend his Complaint to assert specific jurisdiction. See id.
IV. CONCLUSION
For the foregoing reasons, Netgain's motion to dismiss for lack of personal jurisdiction [ECF No. 12] is GRANTED. Plaintiff's Complaint is DISMISSED with prejudice and without leave to amend. Plaintiff's request for jurisdictional discovery is DENIED. This order is not intended to preclude Plaintiff from pursuing his claim in another state or joining a pending claim in another state.
IT IS SO ORDERED.