Opinion
5:21-cv-06074-EJD
06-07-2022
ORDER GRANTING MOTION TO DISMISS RE: DKT. NO. 22
EDWARD J. DAVILA UNITED STATES DISTRICT JUDGE
Plaintiffs Kevin Riordan, Ashley Laurent, Jeremy Bobo, and Nagui Sorial bring claims for injunctive and monetary relief for harm arising out of a data breach. See Plaintiffs' Complaint for Damages, Injunctive and Equitable Relief (“Compl.”), Dkt. No. 1. Defendant Western Digital Corporation moves to dismiss Plaintiffs' Complaint. See Defendant Western Digital Corporation's Motion to Dismiss Plaintiffs' Complaint (“Mot.”), Dkt. No. 22. On October 21, 2021, Plaintiffs filed an opposition, to which Defendant filed a reply. See Plaintiffs' Opposition to Defendant's Motion to Dismiss Plaintiffs' Complaint (“Opp.”), Dkt. No. 24; Defendant's Reply in Support of Motion to Dismiss Plaintiffs' Complaint (“Reply”), Dkt. No. 25. Having considered the record in this case, the Parties' papers, and the relevant law, the Court GRANTS Defendant's motion to dismiss.
On May 27, 2022, the Court found this motion appropriate for decision without oral argument pursuant to Civil Local Rule 7-1(b). See Dkt. No. 33.
I. BACKGROUND
Defendant Western Digital is a leading global and data storage brand that offers technologies, devices, systems, and solutions to businesses and consumers. Compl. ¶ 46. On June 23, 2021, Defendant announced that two of its legacy Internet-connected hard drives, My Book Live and My Book Live Duo (the “Covered Products”), had been attacked by third-party hackers. Compl. ¶ 58. The hackers accessed the Covered Products through vulnerabilities that allowed them to execute malicious code in the storage devices' operating systems and initiate a factory reset. Compl. ¶ 59. Through the factory reset, the hackers remotely erased data stored on certain Covered Products. Compl. ¶ 4. Specifically, Plaintiffs allege that the Covered Products had “multiple security flaws present in their software from their creation that allowed remote hackers to remove customer data thereon and perform a ‘factory reset' of the devices without the customers' login information.” Compl. ¶ 8.
Plaintiffs purchased the Covered Products “in reliance on [Defendant's] representation that [the products] were secure, and that [Defendant] was committed to safely preserving their data.” Compl. ¶ 8. As a result of Defendant's failure to meet this expectation, Plaintiffs contend that they have “suffered damages, including but not limited to years-worth of lost sensitive, intimate, and valuable personal, commercial and/or proprietary information (the ‘Stored Data').” Compl. ¶ 5. The nature of the Stored Data ranges from “important financial information to priceless personal items such as family photos of vacations, childbirths, graduations and holidays.” Compl. ¶ 5. Plaintiffs allege that they stored massive amounts of data on the Covered Products, all of which has been deleted. In many instances, Plaintiffs “kept little or no inventory of what information was stored on their Covered Products, meaning that the full extent of their loss may never be fully known.” Compl. ¶ 7. Plaintiffs worry that their private information is being used by cyber criminals. Compl. ¶ 94.
The My Book Live and My Book Live Duo devices were manufactured by Western Digital in the early 2010s. However, the Covered Products have not been supported by Western Digital since 2015. Compl. ¶ 68. Following the attack, Defendant offered affected users access to a free data recovery service program and the option to trade in impacted devices for upgraded products. Compl. ¶ 62. Affected users were instructed to contact Western Digital's support center by July 31, 2021, to participate in these programs. Compl. ¶ 62. Plaintiffs do not allege that they participated in the data recovery or trade-in programs that Defendant offered. However, Plaintiffs do allege that “such data recovery operations traditionally have mixed rates of success.” Compl. ¶ 63. Plaintiffs speculate that even if “some data might be recovered, ” “it is highly probable that a significant portion . . . would be gone forever” or “corrupted.” Compl. ¶ 63.
Plaintiffs argue that Defendant had a “duty to design and provide products that would not jeopardize [Plaintiffs'] Stored Data” and that Defendant “breached this duty by allowing known issues and/or vulnerabilities with the products to remain without any remedy or notification- issues and abilities that were ultimately used by cyber-criminals to access and/or delete massive volumes of Class Member data.” Compl. ¶ 8. Based on these allegations, Plaintiffs bring claims for: (1) violation of the Song-Beverly Consumer Warranty Act (the “SBA”), Cal. Civ. Code § 1792, et seq.; (2) violation of the Magnuson-Moss Warranty Act (the “MMWA”), 15 U.S.C. § 2301, et seq.; (3) negligence/failure to warn; (4) breach of the covenant of good faith and fair dealing; (5) unfair business practices (“UCL”), Cal. Bus. & Prof. Code § 17200, et seq.; and (6) unjust enrichment. Defendant argues that Plaintiffs' claims must be dismissed under either Federal Rule of Civil Procedure 12(b)(1) or Federal Rule of Civil Procedure 12(b)(6).
II. LEGAL STANDARD
A motion to dismiss under Rule 12(b)(1) is a challenge to the court's subject matter jurisdiction. The party mounting a Rule 12(b)(1) challenge may bring a facial challenge and show that the on the face of the pleadings, the court lacks jurisdiction, or may present extrinsic evidence for the Court's consideration. See White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) (“Rule 12(b)(1) jurisdictional attacks can be either facial or factual”). “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004).
In ruling on a Rule 12(b)(1) motion attacking the complaint on its face, the Court accepts the allegations of the complaint as true. See, e.g., Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). “By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air, 373 F.3d at 1039.
“With a factual Rule 12(b)(1) attack . . . a court may look beyond the complaint to matters of public record without having to convert the motion into one for summary judgment. It also need not presume the truthfulness of the plaintiff['s] allegations.” White, 227 F.3d at 1242 (internal citation omitted); see also Thornhill Pub. Co., Inc. v. Gen. Tel. & Elecs. Corp., 594 F.2d 730, 733 (9th Cir. 1979) (“Where the jurisdictional issue is separable from the merits of the case, the judge may consider the evidence presented with respect to the jurisdictional issue and rule on that issue, resolving factual disputes if necessary . . . ‘[N]o presumptive truthfulness attaches to plaintiff's allegations, and the existence of disputed material facts will not preclude the trial court from evaluating for itself the merits of jurisdictional claims.'”) (quoting Mortensen v. First Fed. Sav. & Loan Ass'n, 549 F.2d 884, 891 (9th Cir. 1977)). “However, where the jurisdictional issue and substantive issues are so intertwined that the question of jurisdiction is dependent on the resolution of factual issues going to the merits, the jurisdictional determination should await a determination of the relevant facts on either a motion going to the merits or at trial.” Augustine v. United States, 704 F.2d 1074, 1077 (9th Cir. 1983). Plaintiff bears the burden of demonstrating that the Court has subject matter jurisdiction to hear the action. See Kokkonen v. Guardian Life Ins. Co., 511 U.S. 375, 377 (1994); Stock W., Inc. v. Confederated Tribes, 873 F.2d 1221, 1225 (9th Cir. 1989).
III. DISCUSSION
Defendant first argues that Plaintiffs lack Article III standing and that this action must be dismissed under Federal Rule of Civil Procedure 12(b)(1). In the alternative, Defendant argues that this action must be dismissed under Federal Rule of Civil Procedure 12(b)(6) because the Complaint fails to state a claim that entitles Plaintiffs to relief. Because the Court dismisses on the first ground, it does not reach Defendant's alternative theory of dismissal.
In a class action, “federal courts lack jurisdiction if no named plaintiff has standing.” Frank v. Gaos, 139 S.Ct. 1041, 1046 (2019). To establish standing, Plaintiffs “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016). Plaintiffs offer two theories of injury. First, that they lost stored data on the My Book Live device because of the factory reset. Second, they face a risk of future data misuse “if [their personal data] has made its way into the hands of cyber-criminals.” Compl. ¶ 78. Defendant argues that under either theory of harm, Plaintiffs lack standing. The Court agrees.
First, Plaintiffs have not demonstrated that loss of their stored data caused them to suffer an injury in fact. An injury in fact is “‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, 578 U.S. at 339 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). Plaintiffs' first theory of injury, that they lost stored data, fails to establish that Plaintiffs suffered a “concrete and particularized” harm. Plaintiffs fail to allege any details regarding the data loss or how they were harmed by the loss. Instead, Plaintiffs blanketly allege that the data was “deleted” from the Covered Products, that they were “unable to recover the data deleted, ” and that they were “harmed both personally and economically as a result.” Compl. ¶¶ 23, 29, 35, 41. Plaintiffs fail to describe whether their data was permanently lost, and/or whether another copy of the data was stored elsewhere. Further, for any data that may have been lost, Plaintiffs fail to describe the type of data lost, or explain why it was valuable and why its loss would cause harm. Instead, Plaintiffs assume that the hack itself per se caused harm. This is improper. Without allegations that support Plaintiffs' assumption of harm, Plaintiffs have not established an injury in fact. See Warth v. Seldin, 422 U.S. 490, 501 (1975) (“[T]he plaintiff . . . must allege a distinct and palpable injury to himself, even if it is an injury shared by a large class of other possible litigants.” (emphasis added)).
Second, Plaintiffs' theory that they face a risk of future data misuse fares no better. As stated, an injury in fact is an invasion of a legally protected interest that is not “conjectural or hypothetical.” Lujan, 504 U.S. at 560. Plaintiffs speculate that their lost data may have “made its way into the hands of cyber-criminals.” Compl. ¶ 78. Plaintiffs fail to plead any facts to support this allegation. See Compl. ¶ 78 (“At present, . . . [Plaintiffs] are unaware as to whether their Stored Data was merely deleted, or if such information has made its way into the hands of cyber criminals.”). Plaintiffs' speculative allegations of harm do not establish an injury in fact. See TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2212 (2021) (“The plaintiffs claimed that TransUnion could have divulged their misleading credit information .... But the plaintiffs did not demonstrate a sufficient likelihood that their individual credit information would be requested by third-party businesses and provided by TransUnion during the relevant time period.” (emphasis added)); see also Giroux v. Essex Prop. Trust, Inc., 2017 WL 1549477, at *2 (N.D. Cal. May 1, 2017) (“The only allegations that Plaintiff makes about herself are generically that she will have to remain vigilant for the rest of her life to combat potential identity theft and tax fraud,' .... Without more clarity about the specific harm that Plaintiff has personally suffered, the Court cannot adequately assess whether Plaintiff has Article III standing.”).
Krottner v. Starbucks Corporation, 628 F.3d 1139 (9th Cir. 2010) provides a good point of contrast. There, a laptop was stolen from Starbucks. Id. at 1140. The laptop contained the unencrypted names, addresses, and social security numbers of approximately 97, 000 Starbucks employees. Id. After the theft, the plaintiffs spent substantial time monitoring their accounts, paid for credit monitoring services, enrolled in fraud alerts, and alleged resulting anxiety and stress. Id. at 1141. One named plaintiff's bank notified him that someone had tried to open an account using his social security number. Id. This established a “credible threat of real and immediate harm stemming from the theft of [the] laptop.” Id. at 1143. However, the Ninth Circuit noted that if the plaintiffs' allegations had been “more conjectural and hypothetical-for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future, ” the threat of harm would be “far less credible.” Id. (emphases added).
In contrast, here, Plaintiffs do not allege that through the breach, their specific personal information was stolen or that any harm has resulted from the breach (i.e., through hackers). Accordingly, Plaintiffs have not alleged an injury in fact and lack Article III standing to pursue their claims. See Foster v. Essex Prop. Trust, Inc., 2015 WL 7566811, at *3 (N.D. Cal. Nov. 25, 2015) (“Since Plaintiffs have not shown, . . . that any of their information was actually stolen, their theory of future harm is implausible.”); In re LinkedIn User Privacy Litig., 932 F.Supp.2d 1089, 1094 (N.D. Cal. 2013).
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS Defendant's motion to dismiss. When dismissing a complaint for failure to state a claim, a court should grant leave to amend “unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). Although the Court has determined that Plaintiffs have failed to plead sufficient facts to establish Article III standing, it is possible Plaintiffs can cure their allegations by alleging, among other things, more particular facts as to what data was taken and whether the data has been misused. Accordingly, the Court grants Defendant's motion to dismiss with leave to amend.
Should Plaintiffs choose to file an amended complaint, they must do so by June 27, 2022. Failure to do so, or failure to cure the deficiencies addressed in this Order, will result in dismissal of Plaintiffs' claims. Plaintiffs may not add new claims or parties without leave of the Court or stipulation by the parties pursuant to Federal Rule of Civil Procedure 15.
IT IS SO ORDERED.