Opinion
5:23-cv-02293-CAS (SHKx)
03-18-2024
PRISCILLA WALL v. WESCOM CENTRAL CREDIT UNION ET AL
Attorney present for plaintiffs: John nelson Attorney present for Defendants Tambry Bradford Angelo Stio Marnishia Jernigan
Attorney present for plaintiffs:
John nelson
Attorney present for Defendants
Tambry Bradford
Angelo Stio
Marnishia Jernigan
PRESENT: THE HONORABLE CHRISTINA A. SNYDER
CIVIL MINUTES - GENERAL
Proceedings: DEFENDANT BARRACUDA NETWORKS, INC.'S MOTION TO DISMISS PLAINTIFF'S COMPLAINT (Dkt. 15, filed on JANUARY 11, 2024)
I. INTRODUCTION
On November 7, 2023, plaintiff Priscilla Wall brought this class action suit on behalf of all others similarly situated (“the Class”) against defendants Wescom Central Credit Union (“Wescom”) and Barracuda Networks, Inc. (“Barracuda”). Dkt. 1 (“Compl.”). On behalf of herself and the Class, Wall brings claims for (1) negligence, as against Wescom and Barracuda; (2) breach of implied contract, as against Wescom; and (3) unjust enrichment/quasi contract, as against Wescom and Barracuda; and on behalf of herself and the California Subclass, Wall brings a claim for (4) Violation of California's Unfair Competition Law (“UCL”) and Unlawful Business Practice, Cal Bus. & Prof. Code § 17200, et seq., as against Wescom and Barracuda. Id.
On January 11, 2024, Barracuda filed a motion to dismiss the complaint and attached a request for judicial notice in support of its motion. Dkt. 15. On February 20, 2024, Wall filed an opposition to Barracuda's motion to dismiss. Dkt. 25. On March 4, 2024, Barracuda filed a reply in support of its motion. Dkt. 28.
Barracuda requests that the Court take judicial notice of three exhibits. Dkt. 15-2. These include: (1) a true and correct copy of the product page for Barracuda's Email Security Gateway, found at https://www.barracuda.com/products/emailprotection/email-security-gateway (last visited January 11, 2024); (2) a true and correct copy of Wescom's Data Breach Notification concerning the incident discovered by Wescom on September 18, 2023, which is publicly available at the following webpage: https://apps.web.maine.gov/online/aeviewer/ME/40/d55f0583-a6fb-45aaa46f-adb949f4197b.shtml (last visited January 11, 2024); and (3) a true and correct copy of the template Notice Letter sent by Wescom, found at https://apps.web.mame.gov/online/aeviewer/ME/40/d55f0583-a6fb-45aa-a46f-adb949f4197b.shtml (last visited January 11, 2024). Id. The Court finds that judicial notice of these exhibits is appropriate pursuant to Federal Rule of Evidence 201.
On March 12, 2024, Wall filed a notice of dismissal pursuant to Federal Rule of Civil Procedure 41(a) or (c), dismissing Wescom with prejudice. Dkt. 29.
On March 18, 2024, the Court held a hearing on Barracuda's motion to dismiss Wall's complaint. Having carefully considered the parties' arguments and submissions, the Court finds and concludes as follows.
II. BACKGROUND
Wescom is a California-based credit union, and Barracuda is “a data management corporation that provides IT services including ‘Email Protection, Application Protection, Network Security, and Data Protection Solutions.'” Compl. ¶¶ 2-3. Wall brings this class action suit on behalf of current and former Wescom customers against Wescom and Barracuda because of a recent cyberattack and data breach (the “Data Breach”) by cyber-criminals that allegedly resulted from Wescom's failure to implement industry standard and reasonable data security practices. Id. ¶¶ 1, 7, 27. Pursuant to Federal Rule of Civil Procedure 23, the Nationwide Class is defined as “[a] 11 individuals residing in the United States whose PII was compromised in the data breach announced by Wescom in October 2023” (the “Class”). Id. ¶ 144. The California Subclass is defined as “[a]ll individuals residing in the United States whose PII was compromised in the data breach announced by Wescom in October 2023” (the “California Subclass”). Id. Those excluded from the Class and the California Subclass include defendants and their “parents, subsidiaries, affiliates, officers and directors, and any entity in which [defendants has a controlling interest; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out; and all judges assigned to hear any aspect of this litigation, as well as their immediate family members.” Id. ¶ 145. Wall contends that certification for class-wide treatment is appropriate because she “can prove the elements of her claims on class-wide basis using the same evidence as would be used to prove those elements in individual actions asserting the same claims,” “[defendants' policies challenged herein apply to and affect Class Members uniformly[,] and [p]laintiff's challenge of these policies hinges on [d]efendants' conduct with respect to the Class as a whole, not on facts or law applicable only to [p]laintiff.” Id. ¶¶ 146, 150.
Wall further contends that the numerosity, commonality, typicality, and adequacy of representation requirements for class certification are met. Compl. ¶¶ 147-49, 151. She asserts that class action treatment is superior to other methods of adjudicating this action and is manageable. Id. ¶¶ 152-57. Finally, Wall contends that “[u]nless a Class-wide injunction is issued, [d]efendants may continue in their failure to properly secure the PII of Class Members, [d]efendants may continue to refuse to provide proper notification to Class Members regarding the Data Breach, and [d]efendants may continue to act unlawfully as set forth in this Complaint.” Id. ¶ 159.
“The personal information [(the “PII”)] compromised in the Data Breach included [p]laintiff s and Class Members' full names and financial account numbers[.]” Id. ¶ 6. Wall and about 34,000 Class Members suffered injuries, including:
(i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (vii) experiencing an increase in spam calls, texts, and/or emails; (viii) [p]laintiff experiencing fraudulent charges, for approximately $11, placed on her Wescom Central Credit Union debit card, in or about November 2023; (ix) statutory damages; (x) nominal damages; and (xi) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in [defendants' possession and is subject to further unauthorized disclosures so long as [d]efendants fail to undertake appropriate and adequate measures to protect the PII.Id. ¶ 8. The potential for the improper disclosure of the compromised PII “was a known risk to [d]efendants,” which “maintained the PII in a reckless manner.” Id. ¶ 10. Because the data thieves have engaged and will continue to engage in fraud, identity theft, and various crimes, the Class Members must closely monitor their financial accounts and may incur out of pocket costs to detect and deter identity theft. Id. ¶¶ 13-15.
Defendants further failed to provide adequate and timely notice to the Class Members that an unknown third party had accessed their PII or of “precisely what specific type of information was accessed.” Id. ¶ 16. Wescom, through its privacy policy and other disclosures, promised to provide adequate security and confidentiality for customer data. Id. ¶ 30. Yet, on or around October 20, 2023, Wescom sent Notice of Data Breach letters to Wall and Class Members. Id. ¶ 33. The letters stated:
What Happened? On May 19, 2023, Barracuda announced a wide-spread vulnerability in their ESG appliance which allowed third party access to a subset of their ESG appliances since October 2022. On May 30, 2023, Barracuda confirmed this impacted Wescom. Upon notice, Wescom immediately removed the appliance from the network and began an investigation into the incident with cybersecurity experts.
What Information Was Involved? The investigation determined the ESG had been accessed and that some emails and attachments stored on the appliances between October 30, 2022 and May 30, 2023, were potentially at risk. We reviewed the contents of the emails and attachments that were potentially accessible to the unauthorized person for personal information. On September 29, 2023, we determined that one or more emails or attachments stored on the ESG appliances included your name and financial account number[.]Id. Wall believes that “the cyberattack was targeted at [d]efendants, due to their statuses as a financial institution and data management company that collects, creates, and maintains PII on their computer networks and/or systems.” Id. ¶ 37. She also believes that the stolen PII-the Class Members' names and financial account numbers-“is currently available for sale on the dark web because that is the modus operand! of cybercriminals.” Id. ¶¶ 39, 42. Wescom's offering twelve months of credit and identity monitoring services inadequately compensates the Class Members and acknowledges that the Class Members are subject to “a substantial and imminent threat of fraud and identity theft.” Id. ¶¶ 44-45. Defendants should have adequately implemented several measures to prevent and detect ransomware attacks and/or cyberattacks, such as encrypting the information, exercising due diligence in selecting IT vendors, setting anti-virus programs to conduct regular scans, and “build[ing] credential hygiene.” Id. ¶¶ 47-52.
Because of the Data Breach, the Class Members “are at a heightened risk of identity theft for years to come,” as data thieves may use ‘“social engineering' to obtain even more information about a victim's identity” and develop “Fullz” packages with this information. Id. ¶¶ 111, 115-121. Wall has suffered fear and anxiety because of the Data Breach, and “anticipates spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.” Id. ¶¶ 140-41.
III. LEGAL STANDARD
A. Federal Rule of Civil Procedure 12(b)(1)
A motion to dismiss an action pursuant to Fed.R.Civ.P. 12(b)(1) raises the objection that the federal court has no subject matter jurisdiction over the action. This defect may exist despite the formal sufficiency of the allegations in the complaint. T.B. Harms Co. v. Ehscu, 226 F.Supp. 337, 338 (S.D.N.Y. 1964), aff'd 339 F.2d 823 (2d Cir. 1964). When considering a Rule 12(b)(1) motion challenging the substance of jurisdictional allegations, the Court is not restricted to the face of the pleadings, but may review any evidence, such as declarations and testimony, to resolve any factual disputes concerning the existence of jurisdiction. See McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988). Once a Rule 12(b)(1) motion has been raised, the burden is on the party asserting jurisdiction. Sopcak v. N. Mountain Helicopter Serv., 52 F.3d 817, 818 (9th Cir. 1995); Ass'n of Am. Med. Coll, v. United States. 217 F.3d 770, 778-79 (9th Cir. 2000). If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 101-02 (1998).
B. Federal Rule of Civil Procedure 12(b)(6)
A motion pursuant to Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of the claims asserted in a complaint. Under this Rule, a district court properly dismisses a claim if “there is a Tack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.'” Conservation Force v. Salazar, 646 F.3d 1240, 1242 (9th Cir. 2011) (quoting Balisteri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988)). “While a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations, a plaintiff s obligation to provide the ‘grounds' of his ‘entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atlantic Corp, v. Twombly, 550 U.S. 544, 555 (2007). “[F]actual allegations must be enough to raise a right to relief above the speculative level.” Id.
In considering a motion pursuant to Rule 12(b)(6), a court must accept as true all material allegations in the complaint, as well as all reasonable inferences to be drawn from them. Pareto v. FDIC, 139 F.3d 696, 699 (9th Cir. 1998). The complaint must be read in the light most favorable to the nonmoving party. Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). However, “a court considering a motion to dismiss can choose to begin by identifying pleadings that, because they are no more than conclusions, are not entitled to the assumption of truth. While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations.” Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009); see Moss v. United States Secret Service. 572 F.3d 962, 969 (9th Cir. 2009) (“[Flor a complaint to survive a motion to dismiss, the non-conclusory ‘factual content,' and reasonable inferences from that content, must be plausibly suggestive of a claim entitling the plaintiff to relief”). Ultimately, “[d]etermining whether a complaint states a plausible claim for relief will... be a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 679.
Unless a court converts a Rule 12(b)(6) motion into a motion for summary judgment, a court cannot consider material outside of the complaint (e.g., facts presented in briefs, affidavits, or discovery materials). In re American Cont'l Corp./Lincoln Sav. & Loan Sec. Litig., 102 F.3d 1524, 1537 (9th Cir. 1996), rev'd on other grounds sub nom Lexecon, Inc, v. Milberg Weiss Bershad Hynes & Lerach, 523 U.S. 26 (1998). A court may, however, consider exhibits submitted with or alleged in the complaint and matters that may be judicially noticed pursuant to Federal Rule of Evidence 201. In re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970, 986 (9th Cir. 1999); see Lee v. City of Los Angeles, 250 F.3d 668, 689 (9th Cir. 2001).
As a general rule, leave to amend a complaint which has been dismissed should be freely granted. Fed.R.Civ.P. 15(a). However, leave to amend may be denied when “the court determines that the allegation of other facts consistent with the challenged pleading could not possibly cure the deficiency.” Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 F.2d 1393, 1401 (9th Cir. 1986).
IV. DISCUSSION
A. Article III Standing
To establish standing, “a plaintiff must show (1) it has suffered an ‘injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that their injury will be redressed by a favorable decision.” Friends of the Earth. Inc, v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 180-81 (2000); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).
The crux of Barracuda's standing argument concerns whether Wall suffered an “injury in fact” based on the potential compromise of her name and financial information in the Data Breach. Barracuda argues that “the potential exposure of [Wall's] name and financial account number, without more, does not and cannot establish an injury-in-fact that is concrete, particularized, and actual or imminent to establish Article III standing.” Dkt. 15-1 at 6-7. According to Barracuda, California law, including California's Breach Notification Law and the California Consumer Privacy Act, does not protect financial account numbers and names alone without accompanying information, such as a password. Id. at 6-7; see also Cal. Civ. Code § 1798.82; Cal. Civ. Code § 1798.81.5. Barracuda asserts that courts within the Ninth Circuit “have refused to find standing in cases involving accessed information that does not create a risk of fraud or identity theft even where, unlike here, some of that information is entitled to certain privacy protections under California law.” Dkt. 15-1 at 7.
Moreover, Barracuda argues that Wall cannot establish standing because she fails to connect her alleged “litany of injuries” to the PII potentially accessed in the Data Breach. Id. at 8. Barracuda argues that Wall's efforts to mitigate the consequences of the Data Breach, the loss of the PII's value, the invasion of privacy, and the loss of her benefit of the bargain, do not constitute injuries in fact. Id. at 8-9. With regard to the fraudulent charge of $11 to Wall's debit card. Barracuda asserts that Wall admits she replaced her debit cards and fails to allege that the charges were not reimbursed. Id. at 10. Barracuda also argues that because the PII “allegedly accessed could not lead to identity theft,” Wall's injuries of anxiety, fear, and stress and an increase in spam calls, emails, and texts, cannot confer standing. Id. at 10-11. Thus, Barracuda argues that Wall has failed to allege a concrete and immediate injury in fact to establish standing. Id.
In opposition. Wall asserts that “the Ninth Circuit recognizes the ‘substantial risk' of identity theft and fraud resulting from the compromise of personal information sufficient to confer Article III standing.” Dkt 25 at 4. Wall contends that Wescom presumably would not have admonished the individuals potentially impacted by the Data Breach “to take steps to protect their privacy” if it did not recognize “a real risk of fraud and identity theft.” Id. at 5. She argues that she does not need to allege actual financial harm to establish standing; instead, it is sufficient to allege that the compromised PII allows unauthorized individuals the means to commit identity theft and fraud. Id. Further, Wall disagrees that her other alleged injuries-including that “she has suffered a loss of privacy, she has been denied control over who uses her PII and how, she has suffered from the diminution in value of her PII, she has suffered emotional harm, [] she has lost time and opportunity responding to the Data Breach[,]” and she experienced fraudulent charges to her Wescom debit card-do not constitute injuries in fact that confer standing. Id. at 6. Moreover, Wall argues that the causal connection between these injuries and the Data Breach is established because she “alleges that she takes measures to safeguard her information.” Id. at 7-8. According to Wall, she would not have to take time to monitor her credit reports or to engage in other mitigation efforts if the Data Breach had not occurred. Id. at 8. Finally, Wall asserts that she is entitled to damages for the invasions of her right to control her PII and right to privacy and for “even the increased risk of harm resulting from the Data Breach.” Id. at 10-11; see also In re Zappos.com, Inc., 888 F.3d 1020, 1030 (9th Cir. 2018) (“The injury from the risk of identity theft is also redressable by relief that could be obtained through this litigation.”).
In reply, Barracuda argues that there is no credible or substantial risk of future harm where only a name and financial account number, without an accompanying password, access code, or security code to actually access the account, have potentially been disclosed. Dkt. 28 at 3-4. Barracuda asserts that the cases upon which Wall relies are distinguishable from this action because they involve the disclosure of sensitive personal information that could be used to commit identity theft or fraud, such as social security numbers, or passwords in addition to account numbers. Id. at 4-5. Moreover, Barracuda argues that Wall's other alleged injuries do not “confer standing because they are not related to the information at issue.” Id. at 6. Finally, Barracuda argues that because Wall's allegations of harm are speculative, her “alleged mitigation efforts are equally speculative and insufficient to establish Article III standing.” Id. at 8.
It appears to the Court that whether Wall has suffered an injury to establish standing is a question of fact that is inappropriate for decision on a motion to dismiss. Accordingly, the Court DENIES Barracuda's motion to dismiss Wall's complaint for lack of standing pursuant to Rule 12(b)(1).
B. Barracuda's 12(b)(6) Arguments
1. Claim for Negligence
Barracuda argues that Wall's negligence claim fails because Wall does not allege actual damages. Dkt. 15-1 at 11-12. According to Barracuda, “none of these alleged injuries even establish Article III standing . . ., much less the “actual damages” element of a negligence claim,” which is more stringent. Id. at 12; dkt. 28 at 8. Because Wall has failed to allege that her PII has been misused, Barracuda argues that Wall's loss of privacy from the potential access to her PII cannot establish the damages element of negligence. Dkt. 15-1 at 12. Similarly, Barracuda asserts that the loss of value of PII does not satisfy the damages element without allegations of a market for the PII and “an impairment of [a plaintiff s] ability to participate in that market.” Id. (citing Pruchnicki v. Envision Healthcare Corp., 439 F.Supp.3d 1226, 1234 (D. Nev. 2020)). Finally, it argues that Wall's other alleged injuries, such as potential future harm and lost time, are speculative, vague, and unrelated to the PII that was potentially accessed, and thus do not constitute actual damages. Dkt. 15-1 at 12-13.
In opposition. Wall argues that Barracuda's arguments regarding the negligence claim fail for the same reasons as its arguments regarding standing. Dkt. 25 at 11-12. Further, Wall asserts that she has sufficiently alleged the value of PII in consumer markets and how the value of PII is diminished by “setting] forth both consumer facing marketplaces for personal information and the fact that, when a person's personal information is impaired, they face greater costs or outright denial of participating in everyday transactions.” Id. at 12.
In reply. Barracuda argues that Wall concedes that her alleged loss of privacy cannot establish actual damages since she fails to address this argument in her opposition. Dkt. 28 at 9. With regard to the loss of value of PII, Barracuda asserts that the complaint contains generalizations about PII, which includes social security numbers among other data elements, none of which “are at issue in this case, and the [c]omplaint is completely devoid of any allegation that any value or market exists for non-protected information that cannot be used to perpetrate fraud or identity theft.” Id. Thus, Barracuda argues that Wall's negligence claim fails because Wall does not allege any actual damages. Id. at 10.
At this juncture, the Court finds that it would be inappropriate to dismiss Wall's negligence claim. Wall has alleged that she and the Class Members have suffered several injuries as a result of the Data Breach. Whether the Class Members have suffered actual damages to establish their negligence claim is a question of fact. Accordingly, the Court DENIES Barracuda's motion to dismiss the negligence claim.
2. Claim for Unjust Enrichment/Quasi Contract
Barracuda first argues that unjust enrichment is a remedy, not a claim for relief. Dkt. 15-1 at 13-14. Second, it argues that a quasi-contract claim for restitution also fails because Wall does not allege that Barracuda “obtained a benefit she provided ‘through mistake, fraud, coercion, or request.'” Id. at 14 (citing Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015)). Barracuda asserts that Wall fails to allege that she or the Class Members had a relationship with Barracuda, as opposed to with Wescom, or provided a monetary benefit specifically to Barracuda, as opposed to Wescom. Dkt. 15-1 at 14-15. According to Barracuda, “[t]he [c]omplaint makes clear that Barracuda does not provide financial services and does not provide any services to individuals; Barracuda provides data security products to Wescom and other business organizations.” Id. at 15. Thus, Barracuda argues that the unjust enrichment claim must fail since the Class Members did not confer any benefit on Barracuda. Id.
In opposition, Wall cites In re Ambry Genetics Data Breach Litigation. 567 F.Supp.3d 1130, 1145 (CD. Cal. 2021) to argue that:
[c]ourts have concluded that the failure to secure a plaintiff s data can give rise to an unjust enrichment claim,” reasoning “that a defendant has accepted the benefits accompanying plaintiff s data, but does so at the plaintiff s expense by not implementing adequate safeguards, thus making it inequitable and unconscionable to permit defendant to retain funds that it saved by shirking data-security and leaving the plaintiff to suffer the consequences.Dkt. 25 at 13; In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d at 1145 (citation omitted). Wall alleges that she expected that a portion of her payments to Wescom would be applied by Barracuda to provide adequate data security measures and that Barracuda “improperly retained this benefit by failing to implement adequate data security measures to safeguard [plaintiffs' PIE” Dkt. 25 at 13-14. Thus, she contends that she has sufficiently pled a claim for unjust enrichment. Id. at 14.
In reply. Barracuda asserts that “[p]laintiff s specific allegations make it clear that [she] (1) paid for and received financial services from Wescom, and (2) provided her information to Wescom” Dkt. 28 at 11 (emphasis in original). Barracuda argues that a benefit must be conferred directly on a defendant to assert a quasi-contract claim against that defendant. Id.
It appears to the Court that Wall and the Class Members did not confer any benefit on Barracuda and thus may not assert a quasi-contract claim against it. While a claim for unjust enrichment does not require privity between the parties, a defendant against whom the claim is brought must have unjustly retained a benefit from the plaintiff. See Upper Deck Co. v. Flores, 569 F.Supp.3d 1050, 1072 (S.D. Cal. 2021) (“While privity or a direct relationship between the parties is not required. Plaintiff must have conferred a benefit to Defendant which it unjustly retained.”). Here, Wall alleges that she and the Class Members paid for financial services from Wescom and provided their PIE Thus, it is not clear to the Court how Barracuda has been unjustly enriched. See Am. Video Duplicating, Inc, v. City Nat'l Bank, No. 2:20-CV-04036-JFW-JPR, 2020 WL 6882735, at *6 (C.D. Cal. Nov. 20, 2020) (dismissing plaintiff s quasi-contract claims because “[t]he only benefit Defendants allegedly received-a lender fee-came from [the Small Business Administration], not from Plaintiff'). Accordingly, the Court GRANTS Barracuda's motion to dismiss the unjust enrichment/quasi contract claim, with leave to amend.
3. Claim for Violations of Cal. Bus. & Prof Code § 17200, et seq.
Barracuda argues that “a UCL claim specifically requires the alleged injury to involve a loss of money or property” and a “causal connection” between the alleged injury and the wrongful conduct. Dkt. 15-1 at 15-16. As Barracuda contends that Wall cannot allege an injury sufficient to establish standing, it argues that Wall cannot meet the narrower UCL standard. Id. at 15-16. Moreover, Barracuda argues that Wall is not entitled to either restitution, as explained above, or injunctive relief, which are the only available remedies under the UCL. Id. at 16. With regard to injunctive relief, Barracuda asserts that Wall cannot show a “sufficient likelihood that [she] will again be wronged in a similar way” because of Barracuda. Id. (citing Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007)). According to Barracuda, “where Barracuda does not have [p]laintiff s information and Wescom stopped using Barracuda's ESG appliance, p]laintiff has no basis for seeking injunctive relief from Barracuda.” Dkt. 15-1 at 17.
In opposition. Wall argues that courts have recognized UCL standing where an individual receives less from a transaction than expected or would not have entered into a transaction if she knew about the data security practices. Dkt. 25 at 15. Wall alleges “that she would not have transacted with Wescom and by extension Barracuda had she known that Barracuda would not adequately safeguard her PII and that money paid for financial services were not applied to data security as anticipated.” Id. Further, Wall contends that personal information is property under the UCL and constitutes an economic loss for purposes of standing. Id. at 15-16; see also Calhoun v. Google LLC, 526 F.Supp.3d 605, 636 (N.D. Cal. 2021). Finally, Wall argues that she has pled “a sufficient basis for the Court to determine she lacks an adequate remedy” and that it would thus be inappropriate to dismiss her claim for restitution or injunctive relief at the pleading stage. Dkt. 26 at 16-17.
In reply. Barracuda asserts that Wall's benefit-of-the-bargain argument fails “because [p]laintiff never entered into any transaction . . ., contract, or bargain with Barracuda and there is no legal authority supporting [p]laintiff s position that benefit-of-the bargain losses apply to a defendant that was not party to an underlying transaction.” Dkt. 28 at 12. Further. Barracuda argues that its grounds for seeking dismissal of the UCL claim is not that Wall has an adequate remedy at law; instead, it contends that the UCL claim should be dismissed because there is no “realistic likelihood that the alleged harm is capable of repetition.” Id. at 12-13. Because Wescom removed Barracuda's ESG appliance and Barracuda lacks access to Wall's PII, Barracuda argues that Wall's UCL claim against Barracuda fails. Id. at 13.
Wall has sufficiently alleged a UCL claim at the pleading stage. Moreover, the Court finds that the UCL claim involves questions of fact and that it would thus be inappropriate to dismiss this claim on a motion to dismiss. Accordingly, the Court DENIES Barracuda's motion to dismiss the UCL claim.
V. CONCLUSION
In accordance with the foregoing, the Court DENIES Barracuda's motion to dismiss the negligence claim and the UCL claim and GRANTS Barracuda's motion to dismiss the unjust enrichment/quasi contract claim, with twenty-one days' leave to amend.
IT IS SO ORDERED.