Opinion
Case No. 2:20-cv-00376-GMN-EJY
2022-11-02
Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Eleanor Michelle Drake, Pro Hac Vice, Berger Montague PC, Minneapolis, MN, Frank B. Ulmer, Pro Hac Vice, Stuart H. McCluer, Pro Hac Vice, R. Bryant McCulley, Pro Hac Vice, McCulley McCluer PLLC, Charleston, SC, Michael C. Dell'Angelo, Pro Hac Vice, Jon Lambiras, Berger Montague PC, Philadelphia, PA, John A. Yanchunis, Morgan & Morgan, P.A., Tampa, FL, for Plaintiffs Larry Lawter, Julie Mutsko, Kerri Shapiro, Victor Wukovits. Andrew Neil Friedman, Pro Hac Vice, Douglas J. McNamara, Pro Hac Vice, Geoffrey A. Graber, Pro Hac Vice, Paul M. Stephan, Pro Hac Vice, Cohen Milstein Sellers & Toll PLLC, Washington, DC, Gary E. Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Charles E. Schaffer, Pro Hac Vice, David C. Magagna, Jr., Pro Hac Vice, Levin Sedran & Berman, LLP, Philadelphia, PA, David Berger, Pro Hac Vice, Eric H. Gibbs, Pro Hac Vice, Gibbs Law Group LLP, Oakland, CA, Erica D. Entsminger, Robert M. Adams, Robert T. Eglet, Eglet Prince, Las Vegas, NV, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman PLLC, Chicago, IL, Jeffrey Goldenberg, Pro Hac Vice, Todd B. Naylor, Pro Hac Vice, Goldenberg Schneider, LPA, Cincinnati, OH, Karen Hanson Riebel, Pro Hac Vice, Kate Baxter-Kauf, Pro Hac Vice, Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, John A. Yanchunis, Morgan & Morgan, P.A., Tampa, FL, for Plaintiff Ryan Bohlim. Melissa R. Emert, Pro Hac Vice, Kantrowitz, Goldhamer & Graifman, P.C., Chestnut Ridge, NY, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, for Plaintiff Paul Brodsky. Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, for Plaintiffs Duke Hwynn, Andrew Sedaghtpour, Gennady Simkin, Robert Taylor, Michael Fossett, John Dvorak.
Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Eleanor Michelle Drake, Pro Hac Vice, Berger Montague PC, Minneapolis, MN, Frank B. Ulmer, Pro Hac Vice, Stuart H. McCluer, Pro Hac Vice, R. Bryant McCulley, Pro Hac Vice, McCulley McCluer PLLC, Charleston, SC, Michael C. Dell'Angelo, Pro Hac Vice, Jon Lambiras, Berger Montague PC, Philadelphia, PA, John A. Yanchunis, Morgan & Morgan, P.A., Tampa, FL, for Plaintiffs Larry Lawter, Julie Mutsko, Kerri Shapiro, Victor Wukovits.
Andrew Neil Friedman, Pro Hac Vice, Douglas J. McNamara, Pro Hac Vice, Geoffrey A. Graber, Pro Hac Vice, Paul M. Stephan, Pro Hac Vice, Cohen Milstein Sellers & Toll PLLC, Washington, DC, Gary E. Mason, Pro Hac Vice, Mason Lietz & Klinger LLP, Washington, DC, Charles E. Schaffer, Pro Hac Vice, David C. Magagna, Jr., Pro Hac Vice, Levin Sedran & Berman, LLP, Philadelphia, PA, David Berger, Pro Hac Vice, Eric H. Gibbs, Pro Hac Vice, Gibbs Law Group LLP, Oakland, CA, Erica D. Entsminger, Robert M. Adams, Robert T. Eglet, Eglet Prince, Las Vegas, NV, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, Gary M. Klinger, Pro Hac Vice, Milberg Coleman Bryson Phillips Grossman PLLC, Chicago, IL, Jeffrey Goldenberg, Pro Hac Vice, Todd B. Naylor, Pro Hac Vice, Goldenberg Schneider, LPA, Cincinnati, OH, Karen Hanson Riebel, Pro Hac Vice, Kate Baxter-Kauf, Pro Hac Vice, Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, John A. Yanchunis, Morgan & Morgan, P.A., Tampa, FL, for Plaintiff Ryan Bohlim.
Melissa R. Emert, Pro Hac Vice, Kantrowitz, Goldhamer & Graifman, P.C., Chestnut Ridge, NY, Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, for Plaintiff Paul Brodsky.
Miles N. Clark, Law Offices of Miles N. Clark, LLC, Las Vegas, NV, Don Springmeyer, Kemp Jones LLP, Las Vegas, NV, for Plaintiffs Duke Hwynn, Andrew Sedaghtpour, Gennady Simkin, Robert Taylor, Michael Fossett, John Dvorak.
ORDER
Gloria M. Navarro, District Judge
Pending before the Court is Defendant MGM Resorts International's ("Defendant MGM's") Motion to Dismiss, (ECF No. 103). Plaintiffs Ryan Bohlim, Duke Hwynn, Andrew Sedaghatpour, Gennady Simkin, Robert Taylor, Michael Fossett, Victor
Wukovits, Kerri Shapiro, Julie Mutsko, John Dvorak, Larry Lawter, individually and on behalf of those similarly situated (collectively "Plaintiffs") filed a Response, (ECF No. 109), and Defendant MGM filed a Reply, (ECF No. 117).
For the reasons discussed below, the Court GRANTS in part and DENIES in part Defendant MGM's Motion to Dismiss.
I. BACKGROUND
This case arises from a July 7, 2019, data breach of Defendant MGM's network in which hackers download the personally identifiable information ("PII") of Defendant MGM guests worldwide ("Data Breach"). (Consolidated Class Action Complaint ("CAC") ¶¶ 1, 29, ECF No. 101). Plaintiffs are a consolidated class action of consumers whose PII was stolen in the Data Breach. (Id.). Specifically, hackers accessed Plaintiffs name, address, phone number, email address, and dates of birth (Id. ¶¶ 2, 29). Furthermore, certain Plaintiffs also had their driver's license number, passports number, and military identification number stolen. (Id.).
Plaintiffs allege that the stolen PII has been posted on the dark web for purchase on at least three separate occasions. (Id. ¶ 46). Cybersecurity journalists have observed that the PII of at least 10.6 million MGM guests are available on a dark web hacking forum. (Id. ¶ 34). In a letter to the North Dakota Attorney General on September 7, 2019, Defendant MGM noted that the hacker "posted the data on a closed internet forum with the intent to sell the information for financial gain." (Id. ¶ 32). Plaintiffs posit that they now face a long-term heightened risk that their PII will be sold or disseminated on the dark web. (Id. 47-65).
Defendant MGM has not disclosed how the hackers were able to obtain consumers PII. (Id. ¶ 37). However, a Defendant MGM spokesperson revealed that the Data Breach may have been caused by "unauthorized access to a cloud server." (Id.) Further, Defendant MGM disclosed to the North Dakota Attorney General that the hackers "exfiltrated data by exploiting a compromised account." (Id. ¶ 38). Despite the Data Breach occurring on July 7, 2019, Defendant MGM did not notify affected consumers until nearly two months later, on September 7, 2019. (Id. ¶ 44). Plaintiffs allege that Defendant MGM's delayed response exacerbated the risk of harm to Plaintiffs. (Id. ¶ 45).
See Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum, ZDNet, Feb. 19, 2020, available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/ (quoting unnamed "MGM spokesperson") (last visited Oct. 26, 2022).
Plaintiffs contend that Defendant MGM failed to implement reasonable data security measures to protect their PII, maintain and monitor its server against intrusions, and retained Plaintiffs PII for longer than necessary. (Id. ¶¶ 7, 77, 90-91). Additionally, Plaintiffs allege that Defendant MGM failed to encrypt the PII stored on its server. (Id. ¶ 38). Furthermore, Plaintiffs allege that Defendant MGM failed to adopt reasonable safety measures despite knowing that the hotel industry is frequently targeted by cyber security attacks. (Id. ¶ 77-88).
Following the Data Breach, all Plaintiffs have experienced an increase in spam and phishing phone calls, text messages, and emails. (Id. ¶¶ 10-20). Similarly, all Plaintiffs allege that they have spent a greater amount of time monitoring their financial and other accounts. (Id.). Additionally, all Plaintiffs contend that their PII is available on the dark web, and that they have been forced to expend a significant amount of time and energy resetting passwords
and taking additional steps to protect their PII. (Id.). Plaintiffs posit that the value of their PII has diminished due to its dissemination. (Id. ¶¶ 5, 100). Plaintiffs further contend they have suffered "benefit of the bargain" damages because they paid MGM for services that were "intended to be accompanied by adequate data security[ ] but were not." (Id. ¶ 5, 111-12).
In addition to the alleged injuries set forth above, several Plaintiffs have asserted additional harms. Specifically, multiple Plaintiffs contend that criminals have attempted to make fraudulent purchases on their accounts. (Id. ¶¶ 13-14, 16). Other Plaintiffs assert that criminals have perpetrated ransom attacks against them or attempted to sign into their personal accounts. (Id. ¶ 11, 16, 19). Several Plaintiffs have taken the additional step of purchasing security services to protect their PII. (Id. ¶¶ 12, 16, 20).
On April 4, 2021, Plaintiffs filed the present Consolidated Class Action Complaint asserting claims for: (1) negligence; (2) negligent misrepresentation; (3) breach of implied contract; (4) unjust enrichment; (5) violation of the Nevada Consumer Fraud Act, NRS § 41.600; (6) violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq.; (7) violation of the California Consumers Legal Remedies Act, Cal. Civ. Code §§ 1750, et seq.; (8) violation of the California Customer Records Act, Cal. Civ. Code §§ 1798.80, et seq.; (9) violation of the Connecticut Unfair Trade Practices Act, Conn. Gen. Stat. § 42-110a, et seq.; (10) violation of the Georgia Deceptive Trade Practices Act, Ga. Code. Ann. §§ 10-1-370, et seq.; (11) violation of New York General Business Law, N.Y. Gen. Bus. Law § 349; (12) violation of the Ohio Deceptive Trade Practices Act, Ohio Rev. Code §§ 4165.01, et seq.; (13) violation of the Oregon Unlawful Trade Practices Act, Or. Stat. §§ 646.605, et seq.; and (14) violation of the Oregon Consumer Information Protection Act, Or. Stat. §§ 646A.600, et seq. (Id. ¶¶ 143-340). On June 1, 2021, Defendant MGM filed the present Motion to Dismiss. (See generally MTD, ECF No. 103).
II. LEGAL STANDARD
Dismissal is appropriate under Rule 12(b)(6) where a pleader fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A pleading must give fair notice of a legally cognizable claim and the grounds on which it rests, and although a court must take all factual allegations as true, legal conclusions couched as factual allegations are insufficient. Twombly, 550 U.S. at 555, 127 S.Ct. 1955. Accordingly, Rule 12(b)(6) requires "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Id. "To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly, 550 U.S. at 570, 127 S.Ct. 1955). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. This standard "asks for more than a sheer possibility that a defendant has acted unlawfully." Id.
"Generally, a district court may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion." Hal Roach Studios, Inc. v. Richard Feiner & Co., 896 F.2d 1542, 1555 n.19 (9th Cir. 1990). "However, material which is properly submitted as part of the complaint may be considered." Id. Similarly, "documents whose contents are alleged in
a complaint and whose authenticity no party questions, but which are not physically attached to the pleading, may be considered in ruling on a Rule 12(b)(6) motion to dismiss." Branch v. Tunnell, 14 F.3d 449, 454 (9th Cir. 1994). On a motion to dismiss, a court may also take judicial notice of "matters of public record." Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 (9th Cir. 1986). Otherwise, if a court considers materials outside of the pleadings, the motion to dismiss is converted into a motion for summary judgment. Fed. R. Civ. P. 12(d).
If the court grants a motion to dismiss for failure to state a claim, leave to amend should be granted unless it is clear that the deficiencies of the complaint cannot be cured by amendment. DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992). Pursuant to Rule 15(a), the court should "freely" give leave to amend "when justice so requires," and in the absence of a reason such as "undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed undue prejudice to the opposing party by virtue of allowance of the amendment, futility of the amendment, etc." Foman v. Davis, 371 U.S. 178, 182, 83 S.Ct. 227, 9 L.Ed.2d 222 (1962).
III. DISCUSSION
Defendant MGM moves to dismiss all of Plaintiffs' common law and statutory claims. The Court will first examine Plaintiffs negligence claim.
The parties do not dispute that Nevada substantive law controls the common law tort and contract-based in this action. (CAC ¶ 127); (MTD 21:23-22:3).
A. NEGLIGENCE
Defendant MGM argues that Plaintiffs negligence claim cannot survive the economic loss doctrine. (MTD 28:23-24). Alternatively, Defendant MGM contends that Plaintiffs have failed to allege that Defendant MGM breached a legal duty or suffered cognizable damages. (Id. 29:10-17). In rebuttal, Plaintiffs assert that their negligence claim survives the economic loss doctrine because they allege both economic and non-economic losses. (Resp. 27:8-29:16, ECF No. 109). Additionally, Plaintiffs argue that they sufficiently alleged Defendant MGM's deviation from industry standard data security procedure. (Id. 30:16-19). The Court will first examine whether Plaintiffs negligence claim is barred by the economic loss doctrine.
1. Economic Loss Doctrine
Here, Plaintiffs assert the economic loss doctrine does not apply because they allege non-economic harms in the form diminished value to their PII and intangible damage to their privacy caused by the Data Breach. (Resp. 27:18-27).
The Nevada Supreme Court has "applied the economic loss doctrine in product liability cases, as well as in negligence cases unrelated to product liability." Giles v. Gen. Motors Acceptance Corp., 494 F.3d 865, 879 (9th Cir. 2007) (citing Nevada cases). "Under the economic loss doctrine 'there can be no recovery in tort for purely economic losses.'" Urban Outfitters, Inc. v. Dermody Operating Co., LLC, 572 F. Supp. 3d 977, 995 (D. Nev. 2021) (quoting Calloway v. City of Reno, 116 Nev. 250, 993 P.2d 1259, 1263 (2000)) (economic losses are not recoverable in negligence absent personal injury or damage to property other than the defective entity itself.). "Thus, the doctrine provides that certain economic losses are properly remediable only in contract." Peri & Sons Farms, 933 F. Supp. 2d 1279, 1283-84 (D. Nev. 2013). Nevada has defined the economic loss doctrine as "the loss of the benefit of the user's bargain including pecuniary damage for all inadequate value,
the cost of repair and replacement of the defective product, or consequent loss of profits, without any claim of personal injury or damage to other property." Id. (citation omitted). Therefore, the economic loss doctrine "does not bar actions seeking damage for pecuniary losses that are 'accompan[ied by] personal injury or property damage.'" Id. (quoting Terracon Consultants Western, Inc. v. Mandalay Resort Grp., 125 Nev. 66, 206 P.3d 81, 86 (2009)).
In the data breach context, courts within the Ninth Circuit have found that an individual's loss of control over the use of their identity due to a data breach and the accompanying impairment in value of PII constitutes non-economic harms. See Flores-Mendez v. Zoosk, Inc., No. 20-04929, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021) ("Plaintiffs allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and so do not allege pure economic loss."); Mehta v. Robinhood Financial LLC, No. 21-cv-01013, 2021 WL 6882377, at *6 (N.D. Cal. May 6, 2021) (finding that the plaintiffs did not allege solely economic loss where they alleged harms derived from the "loss of control over their use of their identity" and right to privacy); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged noneconomic harms in the form of the privacy injury they suffered, irrespective of whether they subsequently suffered identity fraud). Indeed, it is difficult to conceive how the dissemination of an individual's PII does not necessarily diminish their control over their digital and physical identity. Such an invasion implicates non-economic harms. Accordingly, the Court finds that the economic loss doctrine does not bar Plaintiffs' negligence claim because they allege both economic and non-economic harms.
Because Plaintiffs have sufficiently pled non-economic losses, the Court need not consider Plaintiffs remaining arguments regarding the economic loss doctrine.
2. Breach of Duty
Defendant MGM also argues that Plaintiffs failed to allege that Defendant MGM breached their owed duty of care. (MTD 29:10-17). In response, Plaintiffs contend that have alleged specific deficient security practices employed by Defendant MGM that led to the breach. (Resp. 29:27-30:22).
Under Nevada law, "[t]o prevail on a negligence claim, a plaintiff must establish four elements: (1) the existence of a duty of care, (2) breach of that duty, (3) legal causation, and (4) damages." Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc., 125 Nev. 818, 824, 221 P.3d 1276 (2009). Plaintiffs allege that Defendant MGM breached their duty of care in their manner of collecting, maintaining, and controlling their customers' sensitive personal and financial information. (CAC ¶ 7). Specifically, Plaintiffs contend that Defendants breached this duty by retaining Plaintiffs PII for longer than necessary (Id. ¶¶ 7, 91), "fail[ing] to encrypt the PII stores on its server" (Id. ¶ 40), deviating from industry best practices as laid in the Federal Trade Commission and National Institute of Standards and Technology guidelines, (Id. ¶¶ 66-76), and otherwise "fail[ing] to adopt reasonable safeguard to protect Class members' PII (Id. ¶ 87)." At this stage in the pleading, Plaintiffs have sufficiently alleged that Defendants breached the duty of care owed to them.
3. Cognizable Harm
Defendant MGM further argues that Plaintiffs failed to allege a cognizable harm. (MTD 29:10-17). In rebuttal, Plaintiffs argue they alleged cognizable damages
in the form of: (1) diminished value of their PII; (2) benefit of the bargain damages; (3) increased risk of identity theft and fraud; (4) and lost time and expenditures mitigating the effects of the Data Breach. (Resp. 13:21-23). The Court will first examine whether Plaintiffs' diminished value of PII constitutes a cognizable harm.
a. Benefit of the Bargain Damages
Defendant MGM contends that Plaintiffs benefit of the bargain theory fails as a matter of law because Defendant MGM did not affirmatively represent that adequate data security was included in the cost of hotel rooms. (MTD 25:3-10); (Reply 9:15-25, ECF No. 117). In rebuttal, Plaintiffs contend that at the motion to dismiss stage, they are not required to specifically allege what portion of their hotel payments were designated for data security. (Resp. 19:27-20:7). Instead, Plaintiffs posit that it is sufficient for them to generally allege that part of the price they paid to Defendant MGM was intended to provide adequate data security, and that had they known Defendant MMG utilized deficient data security practices, they would have paid less for their rooms. (Id. 18:25-19:26).
In data breach cases, courts are divided on the level of detailed factual allegation required to show that data security was part of the bargain. Many district courts within this Circuit have accepted more general allegations that data security was expected and was part of the bargain. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113, 1130 (N.D. Cal. 2018) (concluding that plaintiff's "allegations are sufficient to allege that he suffered benefit-of-the-bargain losses" because he "pleads that he has paid $ 19.95 each year since December 2007 for Yahoo's premium email service," which was supposed to be "secure," and he would not have signed up "had he known that Yahoo's email service was not as secure as [Yahoo] represented"); In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 992, 995 (N.D. Cal. 2016) (adopting "loss of benefit of the bargain" theory of "actual harm" for New York plaintiffs who alleged they had contracted for "reasonable and adequate security measures" that Anthem failed to deliver, causing plaintiffs to overpay for their health insurance); In re Anthem, Inc. Data Breach Litig., No. 15-md-2617, 2016 WL 3029783, at *12-13 (N.D. Cal. May 27, 2016) (concluding same for California plaintiffs' breach-of-contract claim, which required "appreciable and actual" damages); In re Facebook Privacy Litig., 192 F. Supp. 3d 1053, 1059 (N.D. Cal. 2016) (accepting benefit-of-the bargain damages based on allegations that the plaintiffs gave up something of value in exchange for access to Facebook and Facebook's promises relating to privacy, that Facebook breached the contract by violating its privacy terms, and that Facebook thus deprived the plaintiffs of their benefit of the bargain); Svenson v. Google Inc., No. 13-cv-04080, 2015 WL 1503429, at *4 (N.D. Cal. Apr. 1, 2015) (accepting benefit-of-the-bargain damages based on allegations that the plaintiff and putative class members paid Google for services that included protecting confidential information, that the services received "were worth quantifiably less than the services [the plaintiffs] agreed to accept," and that the plaintiffs would not have purchased the services had they known that the services they received included insufficient data protection); In re LinkedIn User Privacy Litig., No. 5:12-cv-03088, 2014 WL 1323713, at *6 (N.D. Cal. Mar. 28, 2014) (accepting overpayment damages based on allegations that the plaintiff bought services from the defendant because it represented the services as secure, that the defendant's services were not in fact secure, and that the plaintiff thus overpaid
for the defendant's services as a result of the defendant's misrepresentations).
Defendant MGM relies upon a line of cases which required more specific factual allegations showing how data security was a part of the bargain or how much of the money spent was for data security. See Ables v. Brooks Bros. Grp., No. 17-4309, 2018 WL 8806667, at *7 (C.D. Cal. June 7, 2018); Gardiner v. Walmart, Inc., No. 20-cv-04618, 2021 WL 4992539, at *5 (N.D. Cal. July 28, 2021); Jackson v. Lowes Hotels, Inc., No. 18-827, 2019 WL 6721637, at *2 (C.D. Cal. July 24, 2019). The Court considers, but does not find persuasive, these cases "requiring allegations of a particular sum of the purchase price being explicitly allocated for data security. That is requiring too much." In re Intel Corp. CPU Marketing, Sales Practices and Products Liability Litigation, No. 3:18-2828, 2020 WL 1495304, at *8 (D. Or. Mar. 27, 2020). Instead, the Court finds "more persuasive the line of cases that accept at the pleading stage more general factual allegations about the plaintiff's expectations for data security and the contours of the parties' bargain." Id.
Here, Plaintiffs pled that they "overpaid for hotel services that should have been—but were not—accompanied by reasonable data security." (CAC ¶ 111). Plaintiffs contend that "part of the price consumers paid to [Defendant] MGM was intended to be used to provide adequate data security...." (Id. ¶ 113). Plaintiffs further allege that had Defendant MGM disclosed its deficient security policies, they would either have paid less for the room, or not purchased a room from Defendant MGM. (Id. ¶¶ 10-20, 114, 118(b)). The Court finds that at this stage of the proceeding, Plaintiffs have sufficiently alleged benefit of the bargain damages.
b. Diminished Value of PII
Defendant MGM contends that diminution in value of PII does not constitute a compensable harm. (MTD 11:3-6). Alternatively, Defendant MGM argues that Plaintiffs have not alleged that they have been impaired from selling their own PII. (Reply 9:3-10). In rebuttal, Plaintiffs allege that diminution in value of PII is a viable theory of damages, and that the Data Breach diminished the value of Plaintiffs PII. (Resp. 61:16-62:18).
"Diminution in value of personal information can be a viable theory of damages." Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1234 (D. Nev. 2020), affirmed 845 Fed. App'x 613 (9th Cir. 2021). Defendant MGM contends that to obtain damages under this theory, Plaintiffs "must establish both the existence of a market for [his] personal information and an impairment of [his] ability to participate in that market." (Reply 8:9-9:14); see Svenson v. Google Inc., No. 13-cv-04080, 2016 WL 8943301, at *8 (N.D. Cal. Dec. 21, 2016). Under this formulation of the test, Plaintiffs must prove that they intended to sell their own PII. Id.; Pruchnicki, 439 F. Supp. 3d at 1235 (examining whether there was specific allegations that plaintiff was "unable to sell" her own PII in assessing any diminution of the value of the PII). However, these pleading requirements, that Plaintiffs must establish both the existence of a market for their PII and an impairment of their ability to participate in that market, is not supported by Ninth Circuit precedent and other district courts in this Circuit have rejected them. See In re: Anthem, 2016 WL 3029783, at *15 ("These statements [in the case law] appear to require a plaintiff to allege that there was either an economic market for their PII or that it would be harder to sell their own PII, not both.") (emphasis in original); Svenson v. Google, 2015 WL 1503429, at *5 (N.D. Cal. April 1, 2015) ("The Ninth Circuit's holding does not require [this] type of explication ...")
(emphasis in original); In re Zappos.com, Inc., 108 F. Supp. 3d 949, 954 (D.Nev. 2015) rev'd on other grounds by In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) (rejecting plaintiffs' claim that the Zappos security deprived them of the "substantial value" of their personal information where they did not allege they attempted to sell their information and were rebuffed because of a lower price-point attributable to the security breach).
Here, Plaintiffs sufficiently allege details about the existence of an economic market for selling stolen PII, including the fact that PII can be bought and sold at identifiable prices on established markets. (CAC ¶¶ 101-104). Moreover, Plaintiffs have shown that a market exists for their PII because their information has already been posted for sale on "multiple dark web sites." (Id. ¶¶ 47, 104). The "value of consumer [PII] is not derived solely (or even realistically) by its worth in some imagined marketplace where the consumer actually seeks to sell it to the highest bidder, but rather in the economic benefit the consumer derives from being able to purchase goods and services remotely and without the need to pay in cash or a check." In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Md. 2020). Put another way, the Data Breach devalued Plaintiffs' PII by interfering with their fiscal autonomy. Any past and potential future misuse of Plaintiffs' PII impairs their ability to participate in the economic marketplace. (CAC ¶ 109). Accordingly, the Court finds that Plaintiffs' have stated a cognizable theory of damages as a matter of law.
c. Increased Risk of Identity Theft and Fraud
Defendant MGM contends that the dissemination of the PII at issue is not the type of particularly sensitive personal information that creates a credible threat of fraud or identity theft. (MTD 27:20-28:7). In rebuttal, Plaintiffs argue that an imminent risk of harm is evidenced by the fact that their PII has already been posted on the dark web for sale on several occasions. (Resp. 20:9-22:14).
The Court finds that the rightful determination is "not to look at the minutia of what information has been taken — such as credit card information — or social security numbers — but to specifically determine whether the data taken 'gave hackers the means to commit fraud or identity theft.'" Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019) (quoting Zappos, 888 F.3d at 1027-29). "The information taken ... need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft." Bass, 394 F. Supp. 3d at 1034. "Imminent injury in fact can be established through information similar in function to [a] social security number[ ]," which "derives its value in that it is immutable." Id.
Here, Plaintiffs have alleged that their PII has already been posted for sale on the dark web. (Id. ¶ 46). Moreover, multiple Plaintiffs contend that criminals have attempted to make fraudulent purchases on their accounts. (Id. ¶¶ 13-14, 16). Other Plaintiffs assert that criminals have perpetrated ransom attacks against them or attempted to sign into their personal accounts. (Id. ¶ 11, 16, 19). It is difficult to reconcile Defendant MGM's argument that the PII at issue does not provide hackers with the ability to commit fraud or identity theft when the PII has already been posted for sale or used in attempt identity theft attacks. Instead, the Court finds it is evident that the PII stolen here will "provide further ammo" for hackers to commit identity fraud or threat in the future. Bass, 394 F. Supp. 3d at 1034.
Furthermore, as the United States Court of Appeals for the Seventh Circuit
acknowledged, "[w]hy else would hackers break into a store's database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015); see also Galaria v. Nationwide Mut. Ins. Co., 663 F App'x 384, 388 (6th Cir. 2016). ("Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints."). Accordingly, Plaintiffs have sufficiently shown that the PII stolen creates a substantial risk of future harm.
d. Lost Time & Expenditures
Defendant MGM contend that Plaintiffs lost time monitoring their accounts does not constitute cognizable damages. (MTD 27:7-10). Moreover, Defendant MGM posits that the Plaintiffs who did purchase identity protection services cannot allege damages because these prophylactic measures were not reasonable and necessary. (MTD 26:9-27:6). In response, Plaintiffs argue that lost time and out-of-pocket expenses both constitute viable theory of damages. (Resp. 22:16-23:22).
In Pruchnicki v. Envision Healthcare Corp ., this Court held that "tangible, out-of-pocket expenses are required in order for lost time spent monitoring credit to be cognizable as damages." 439 F. Supp. 3d 1226, 1233 (D. Nev. 2020), affirmed 845 Fed. App'x 613 (9th Cir. 2021). "In data breach cases involving negligence claims, district courts have found it sufficient to allege out-of-pocket expenses in purchasing identity theft protection to show damages." Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 918 (S.D. Cal. 2020); see Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 14, 2016) ("Those who have incurred such out-of-pocket expenses [such as purchasing identity protection services] have pleaded cognizable injuries[.]").
Here, all Plaintiffs assert they have all lost time monitoring their personal accounts and sifting through phishing messages. (CAC. ¶¶ 10-20). Lost time alone does not establish compensable damages. See Pruchnicki, 845 Fed. App'x at 614; Stasi, 501 F. Supp. 3d at 918. However, several Plaintiffs have expended money to mitigate the risk of harm posed by the data breach. (Id. ¶¶ 12, 16, 20). As to the Plaintiffs who expended money on mitigating measures, Defendant MGM additionally argues that Plaintiffs "cannot show expenditures on credit monitoring or other prophylactic measures are reasonable, much less necessary." (MTD 26:19-21). The Court disagrees with Defendant MGM that such prophylactic actions were not reasonable and necessary. As noted above, Plaintiffs have alleged that their PII has been posted on the dark web or has already been misused. (CAC ¶¶ 11-19). Plaintiffs have sufficiently alleged that the hacker's intent was not benign, and that purchasing prophylactic measures was necessary to mitigate any future risk of harm. See, e.g., Stasi, 501 F.Supp.3d at 915-919 (finding that credit monitoring was warranted where the information involved was not the type courts have recognized as enabling identity theft, such as financial information or Social Security numbers); Solara, 613 F.Supp.3d at 1295-96 (finding that credit monitoring was reasonable where PII was stolen); Castillo, 2016 WL 9280242, at *4 (finding that purchase of a subscription to a premium credit monitoring service was warranted); Corona v. Sony Pictures Entertainment, Inc., 2015 WL 3916744, at *4-5 (applying California's medical monitoring test in Potter to conclude that the theft of employees'
PII warranted credit monitoring). Accordingly, the Court dismisses Plaintiffs' negligence claim to the extent it alleges damages based solely on lost time. The negligence claims of those Plaintiffs who purchased identity protection services may proceed.
B. NEGLIGENT MISREPRESENTATION
Defendant MGM contends that Plaintiffs' negligent misrepresentation claim is barred by the economic loss doctrine because there is no "special relationship" between Defendant MGM and Plaintiffs. (MTD 30:2-18). Defendant MGM further argues that Plaintiffs' claim fails because a cognizable negligent misrepresentation claim under Nevada law requires an affirmative false statement, whereas Defendant MGM is guilty, at most, of an omission. (Id. 30:19-30:28). In rebuttal, Plaintiffs argue that a fiduciary-like relationship existed between Defendant MGM and Plaintiffs because Plaintiffs entrusted Defendant MGM with their confidential PII. (Resp. 31:3-31:21). Additionally, Plaintiffs argue that contrary to Defendant MGM's assertion, an omission can constitute negligent misrepresentation under Nevada law. (Id. 31:22-32:18). However, before an omission can constitute negligent misrepresentation, a special relationship must exist between the parties such that the defendant had a duty to speak. See Copper Sands Homeowners Ass'n v. Copper Sands Realty, LLC, No. 2:10-cv-00510, 2012 WL 934294, at *4 (D. Nev. Mar. 20, 2012) ("Nevada also recognizes negligent misrepresentation by non-disclosure when the defendant had a duty to speak. However, such a duty generally only exists when there is a special relationship between the parties.") (citing In re Agribiotech, Inc., 291 F. Supp. 2d 1186, 1191-92 (D. Nev. 2003)); Weinstein v. Mortg. Capital Assoc., Inc., No. 2:10-cv-01551, 2011 WL 90085, at *7 (D. Nev. Jan. 11, 2011) (same). The Court has already determined that the economic loss doctrine does not preclude Plaintiffs claim. Accordingly, the Court will solely examine whether a special relationship existed between Plaintiffs and Defendant MGM such that Defendant MGM's alleged omission can constitute negligent misrepresentation.
a. Special Relationship
"The Nevada Supreme Court has held that a special relationship may exist where 'one party interposes confidence in the other because of that person's position and the other party knows of this confidence.'" Bond Mfg. Co., Inc. v. Ashley Furniture Indus., Inc., No. 2:17-cv-1522, 2018 WL 1511717, at *7 (D. Nev. Mar. 27, 2018) (quoting Mackintosh v. Matthews & Co., 109 Nev. 628, 855 P.2d 549, 553 (1993)). "[T]he existence of a special relationship is a factual question." Mackintosh v. Cal. Fed. Sav. & Loan Ass'n, 113 Nev. 393, 935 P.2d 1154, 1160 (1997) (per curiam). For example, "[t]he Nevada Supreme Court has recognized such a 'special relationship' between real estate agents/buyers, insurers/insureds/, trustees/beneficiaries, and attorneys/clients," such that nondisclosure becomes "the equivalent of fraudulent concealment." Peri & Sons Farms, Inc. v. Jain Irr., Inc., 933 F. Supp. 2d 1279, 1292 (D. Nev. 2013) (quoting Nevada Power Co. v. Monsanto Co., 891 F. Supp. 1406, 1416 n.3 (D.Nev. 1995)). "On the other hand, 'a straightforward vendor-vendee relationship,' or an association characterized by 'routine, arms-length dealings' will not suffice to establish a special relationship.'" Silver State Broad., LLC v. Crown Castle MU, LLC, No. 2:18-cv-00734, 2018 WL 6606064, at *3 (D. Nev. Dec. 17, 2018) (quoting Nevada Power Co., 891 F. Supp. at 1417); see also Weingartner v. Chase
Home Fin., LLC, 702 F. Supp. 2d 1276, 1288 (D. Nev. 2010).
Here, "[Defendant MGM] collected names, addresses, phone numbers, email addresses, dates of birth, and for some class members their driver's license numbers, passport numbers, or military ID numbers[.]" (Resp. 31:11-21). The Court recognizes that the transmittal of the PII at issue is not typical of many standard ordinary daily transactions. However, the Court declines to conclude that the transmittal of PII alone necessarily transforms an arms-length business relationship into a special or fiduciary-like relationship. See In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1145-46 (C.D. Cal. 2021) ("Plaintiffs simply allege that Defendants collected Plaintiffs' private information so Defendants could prove their genetic testing to screen for and diagnose diseases. This is not a situation where the parties have a special relationship."); In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. Supp. 3d 1183, 1203 (D. Or. 2016) (explaining that a fiduciary relationship was not created solely because the defendant required plaintiffs to disclose their PII as part of their transaction); Fero v. Excellus Health Plan, 236 F. Supp. 3d 735, 773-74 (W.D.N.Y. 2017) (finding that the plaintiffs negligent misrepresentation failed because no special relationship existed where the plaintiffs "allege[d] that a special relationship existed because the Excellus Defendants had exclusive knowledge about their data security policies, and plaintiffs provided their personal information and received assurances about the Excellus Defendants' data security"); Attias v. CareFirst, Inc., 365 F. Supp. 3d 1, 24 (D.D.C. 2019) (noting that despite defendant insurer requiring the "plaintiffs to provide [PII]," the plaintiffs failed to "allege a relationship beyond that envisioned in every day interactions with a health insurance provider that would give rise to either a common law duty to safeguard private information or a fiduciary duty").
Compared to the categories of special relationships approved by the Nevada Supreme Court, the nature of the relationship here is not what has historically been considered special in character. See Peri & Sons Farms, Inc., 933 F. Supp. 2d at 1292. Defendant MGM's alleged abdication of its duty to adequately protect Plaintiffs' PII may support a claim of breach of duty, but it is insufficient to establish a special relationship. Instead, Plaintiffs entered an arms-length business relationship with Defendant MGM, which other courts have found to be insufficient to create a special relationship at law despite Plaintiffs entrusting Defendant MGM with their PII as part of the relationship. See Silver State Broad., LLC, 2018 WL 6606064, at *3. In the absence of a special relationship, Plaintiffs negligent misrepresentation to the extent it is based on an omission, fails as a matter of law. Accordingly, the Court dismisses Plaintiffs' negligent misrepresentation claim with prejudice.
C. BREACH OF IMPLIED CONTRACT
Defendant MGM asserts that Plaintiffs' claim for breach of implied contract fails because Plaintiffs "cannot plead the nature and scope of any implied contract." (MTD 31:10-11). Specifically, Defendant MGM argues that Plaintiffs' conclusory allegations that Defendant MGM agreed to protect Plaintiffs PII when they purchased a hotel room neither constitutes the formation of an implied contract, nor shows it was breached if one is found. (Id. 31:12-32:15). In rebuttal, Plaintiffs contend that the formation of an implied contract is a question of fact that the Court should decline to address on a Rule 12(b)(6) motion. (Resp. 32:20-33:2). Alternatively, Plaintiffs posit that the parties entered into an implied contract during the "reservation and/or hotel check-in process" when
Plaintiffs provided Defendant MGM with their PII and Defendant MGM impliedly promised to protect that information. (Id. 33:4-35:20).
Nevada law requires the plaintiff in a breach of contract action to show: (1) the existence of a valid contract; (2) a breach by the defendant; and (3) damage as a result of the breach. Mizrahi v. Wells Fargo Home Mortg., 2010 WL 2521742, at *3 (D. Nev. June 16, 2010) (citing Saini v. Int'l Game Tech., 434 F. Supp. 2d 913, 919-20 (D. Nev. 2006)). Although the terms of an implied contract are manifested by conduct rather than written words as in an express contract, both "are founded upon an ascertainable agreement." Smith v. Recrion Corp., 91 Nev. 666, 541 P.2d 663, 664-65 (1975). To form an enforceable contract requires the following: (1) offer and acceptance, (2) meeting of the minds, and (3) consideration. May v. Anderson, 121 Nev. 668, 119 P.3d 1254, 1257 (Nev. 2005).
The Court finds that Plaintiffs have adequately stated a claim for breach of implied contract. Specifically, Plaintiffs allege that they "were required to" provide their PII to Defendant MGM as a condition of staying at its hotels. (CAC ¶¶ 8, 93). Thus, Plaintiffs provided their PII to Defendant MGM for lodging, with the understanding that Defendant MGM, while it held the information, would take adequate measures to protect it. (Id. ¶¶ 185-86). In terms of consideration, it is undisputed that Plaintiffs paid for their hotel rooms. These alleged actions plausibly demonstrate that Plaintiffs manifested their assent to Defendant MGM's privacy statements. See In re Marriott, 440 F. Supp. 3d at 486 (finding that plaintiffs sufficiently alleged an implied contract claim where the Marriot required the plaintiffs to provide their PII in order to stay at the hotel). Although Plaintiffs did not allege that Defendant MGM made any explicit promises "as to the ongoing protection of [their PII], it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of ... sensitive personal information would not imply the recipient's assent to protect [the] information sufficiently." Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016); see In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143-44 (C.D. Cal. 2021) (finding that plaintiffs adequately stated a breach of implied contract despite defendants not expressly agreeing to protect their PII where "[p]laintiffs allege[d] that they gave their [PII] to defendants for purposes of obtaining genetic testing, with the understanding that defendants would take adequate measures to protect the information); In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1171 (D. Minn. 2014) (concluding that the plaintiffs had sufficiently pleaded "an implied contract in which plaintiffs agreed to use their credit or debit cards to purchase goods at Target and Target agreed to safeguard plaintiffs' personal and financial information"); Gordon v. Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231, 1247-48 (D. Col. 2018) (same). For the reasons set forth above, Plaintiffs have adequately alleged damages as a result of Defendant MGM's breach. Accordingly, the Court finds that Plaintiffs have adequately pled their implied contract claims.
The Court additionally finds that Plaintiffs have adequately pled damages and breach for the reasons set forth above.
D. UNJUST ENRICHMENT
Defendant MGM argues that Plaintiffs' unjust enrichment claim fails for two reasons. First, Defendant MGM contends that Plaintiffs' claim is "barred by
virtue of Plaintiffs' inability to plead a lack of legal remedies." (MTD 32:25). Second, Defendant posits that "Plaintiffs fail to plead facts sufficient to state an unjust enrichment claim." (Id. 33:12). In rebuttal, Plaintiffs argue that Defendant MGM has been unjustly enriched because Plaintiffs paid for a hotel room and adequate PII protection. (Resp. 37:16-24). Plaintiffs contend they only received the hotel room. (Id.)
In Nevada, the elements of an unjust enrichment claim are: "(1) a benefit conferred on the defendant by the plaintiff; (2) appreciation of the benefit by the defendant; and (3) acceptance and retention of the benefit by the defendant; (4) in circumstances where it would be inequitable to retain the benefit without payment." Ames v. Caesars Ent. Corp., No. 2:17-cv-02910, 2019 WL 1441613, at *5 (D. Nev. April 1, 2019) (quoting Leasepartners Corp., Inc. v. Robert L. Brooks Tr., 113 Nev. 747, 942 P.2d 182, 187 (1997)).
It is undisputed that unjust enrichment and disgorgement are equitable remedies. See Small v. Univ. Med. Ctr. of S. Nevada, No. 2:13-cv-00298, 2016 WL 4157309, at *3 (D. Nev. Aug. 3, 2016) ("Nevada recognizes the general rule that an equitable claim, like unjust enrichment, is not available where the plaintiff has a full and adequate remedy at law."); Sunlighten, Inc. v. Finnmark Designs, LLC, 595 F.Supp.3d 957, 972 (D. Nev. 2022) ("Disgorgement is an equitable remedy...."). In Sonner v. Premier Nutrition Corp., the Ninth Circuit held that "federal courts must apply equitable principles derived from federal common law to claims for equitable restitution under the California Unfair Competition Law ("UCL") and California Consumer Legal Remedies Act ("CLRA"). 971 F.3d 834 (9th Cir. 2020). "That holding, the Ninth Circuit explained, flowed from the general principle that 'a federal court must apply traditional equitable principles before awarding restitution,' an equitable remedy." Zeiger v. WellPet LLC, 526 F. Supp. 3d 652, 686-87 (N.D. Cal. 2021) (quoting Sonner, 971 F.3d at 841). Thus, the Ninth Circuit "affirmed the dismissal of the plaintiff's UCL and CLRA claims for equitable restitution because the plaintiff failed to: (i) allege she lacked an adequate remedy at law, and (ii) show she lacked an adequate remedy at law for damages under [the] CLRA." Souter v. Edgewell Pers. Care Co., No. 20-cv-1486, 2022 WL 485000, at *12 (S.D. Cal. Feb. 16, 2022) (citing Sonner, 971 F.3d at 844-45). Under Sonner, Plaintiffs must show that they lack an adequate remedy at law for their unjust enrichment claim to proceed.
Plaintiffs argue that Sonner is inapplicable to the instant action for three reasons. First, Plaintiffs posit that Sonner only applies later in proceedings. (Resp. 36:22-37:12). Second, Plaintiffs contend that the scope of Sonner is limited to claims arising from California's UCL and CLRA. (Id. 36:26-37:5). Lastly, Plaintiffs argue that under Fed. R. Civ. P 8(d)(2), they can plead their unjust enrichment claim in the alternative to their implied contract claim. (Resp. 36:13-21). The Court will first address Plaintiffs argument that Sonner does not apply at the motion to dismiss stage.
The Court agrees with Plaintiffs that the circumstances examined in Sonner arose late in the case on the eve of trial; the Court disagrees, however, that Sonner's language suggests it reasoning applies only late in a case's life cycle and not at the pleading stage. Indeed, district court's
Plaintiffs also argue Sonner is distinguishable because the plaintiff in Sonner attempted to avoid a jury trial by voluntarily dismissing her CLRA damages claim. In contrast, Plaintiffs have not engaged in legal gamesmanship. Sonner, 971 F.3d at 838; (Resp. 42:20-43:1). However, the Ninth Circuit recently clarified that "Sonner's holding applies to equitable claims when there is a viable CLRA damages claim, regardless of whether the plaintiff has tried to avoid the bar to equitable jurisdiction through gamesmanship. Nothing in Sonner's reasoning suggested that its holding was limited to cases in which a party had voluntarily dismissed a damages claim to avoid a jury trial." Guzman v. Polaris, 49 F.4th 1308, 1313 (9th Cir. 2022).
relying on Sonner have not made this distinction in applying Sonner's reasoning at the pleading stage. See Forrett v. Gourmet Nut, Inc., No. 22-cv-02405, 634 F.Supp.3d 761, 768 (N.D. Cal. 2022) (dismissing plaintiff's unjust enrichment claim, despite plaintiff's arguments "that courts allow plaintiffs to plead equitable relief in the alternative to legal relief and that the adequacy of a remedy at law is not properly decided at the motion to dismiss stage"); In re ZF-TRW Airbag Control Units Prod. Liab. Litig., No. 19-02905, 601 F.Supp.3d 625, 769 (C.D. Cal. 2022) (noting that "[n]othing in Sonner limits its precedential value" to late in a case, and rejecting plaintiffs argument that Sonner was inapplicable because the case was at the pleading stage) (quoting Zaback v. Kellog Sales Co., No. 3:20-cv-00268, 2020 WL 6381987, at *4 (S.D. Cal. Oct. 29, 2020)); Zaback, 2020 WL 6381987, at *4 (collecting cases).
Plaintiffs further argue that the Ninth Circuit's decision in Sonner is limited to equitable restitution under California's UCL and CLRA and thereby does not apply to Plaintiffs' unjust enrichment claim under Nevada law. (Resp. 35:26-36:5). However, the Sonner court explicitly held "that state law cannot circumscribe a federal court's equitable powers even when state law affords the rule of decision." Sonner, 971 F.3d at 843; see Audrey Heredia v. Sunrise Senior Living LLC, No. 8:18-cv-01974, 2021 WL 819159, at *4 (C.D. Cal. Feb. 10, 2021) (finding that Sonner's holding regarding an inadequate remedy at law applies to all claims for equitable relief). Therefore, the Court finds that Sonner applies to the instant action.
Plaintiffs additionally argue that pursuant to Fed. R. Civ. P. 8(d)(2), they may plead their unjust enrichment claim in the alternative to their legal claims. (Resp. 36:13-21). Specifically, Plaintiffs contend that their unjust enrichment claim may be brought as an alternative claim to their claim for breach of implied contract. Under Fed. R. Civ. P. 8(d)(2), "[a] party may set out two or more statements of a claim or defense alternatively or hypothetically, either in a single count or defense or in separate ones. If a party makes alternative statements, the pleading is sufficient if any one of them is sufficient." Plaintiffs are correct that under this rule, they may plead unjust enrichment in the alternative to legal claims. However, "[t]he issue is not whether a pleading may seek distinct forms of relief in the alternative, but rather whether a prayer for equitable relief states a claim if the pleading does not demonstrate the inadequacy of a legal remedy. On that point, Sonner holds that it does not." Sharma v. Volkswagen AG, 524 F. Supp. 3d 891, 907 (N.D. Cal. 2021) (citing Sonner, 971 F.3d at 844); see Goldstein v. Gen. Motors LLC, No. 19-cv-1778, 2022 WL 484995, at *6 (S.D. Cal. Feb. 16, 2022) (explaining that Sonner "made clear that a claim for equitable relief" plead in the alternative under Fed. R. Civ. P. 8 "may be dismissed if the plaintiff does not establish that there is no adequate remedy at law"); In re Intel Corp., 2021 WL 1198299, at *11 (applying Sonner and dismissing the plaintiffs unjust enrichment claim because they failed to allege they lacked an adequate remedy at law); Shay v. Apple Inc., No. 20-cv-1629, 2021 WL 1733385, at *5 (S.D. Cal. May 3, 2021) (same). Accordingly, the Court finds that
Plaintiffs must allege that there is no adequate remedy at law for their unjust enrichment claim to proceed.
As stated, Defendant MGM argues that Plaintiffs unjust enrichment claim fails because they cannot show a lack of legal remedies. (MTD 32:25-33:11). In rebuttal, Plaintiffs argue they do not have an adequate remedy at law because Defendant MGM "continues to retain [Plaintiffs'] PII while exposing the PII to a risk of future data breaches while in [Defendant] MGM's possession." (Id. ¶ 203). Plaintiffs further contend that Defendant MGM should not be permitted to retain the monetary benefits it accrued from its transactions with Plaintiffs, and that Defendant MGM should be forced to disgorge any profits it received from Plaintiffs. (Id. ¶¶ 200, 205). As to the former, the Court recognizes that Defendant MGM's continued retention of Plaintiffs' PII poses a risk of prospective harm. The issue, however, is that the remedy ultimately sought by Plaintiffs is money damages. Plaintiffs seek retrospective damages for the past harm derived by Plaintiffs overpayment for hotel rooms and prospective damages for the continued profit Defendant MGM derives from their use of Plaintiffs PII. The Court is unable to conclude that Plaintiffs' alleged injuries cannot be remedied by money damages when that is the precise remedy requested. (CAC ¶¶ 203-05). Plaintiffs have not alleged, even in the alternative, that they do not have adequate legal remedies. Therefore, Plaintiffs' unjust enrichment claims are dismissed, with leave to amend.
In contrast, a claim for injunctive relief to prevent future harm would seek a remedy qualitatively different from money damages: an order requiring Defendant MGM to timely delete and cease to use or share Plaintiffs' PII or implement reasonable data security requirements to prevent any future data breaches.
E. NEVADA CONSUMER FRAUD ACT
Defendant MGM asserts that Plaintiffs' Nevada Consumer Fraud Act ("NCFA") claim fails because they have not alleged a cognizable injury caused by the Data Breach. (MTD 34: 24-25). Alternatively, Defendant MGM argues that Plaintiffs failed to plead their claims with sufficient particularity under the heightened standard of Fed. R. Civ. P. 9(b). (Id. 34:26-35:1). As an initial matter, Plaintiffs argue that the heightened standard of Fed. R. Civ. Pro 9(b) is inapplicable because they only allege negligence-based conduct rather than intentional fraud. (Resp. 37:25-38:10). Even if Rule 9(b) is applicable, however, Plaintiffs assert that their allegations satisfy the heightened pleading standard by describing the "specific data security practices [Defendant] MGM neglected, explains what [Defendant] MGM should have done, describes how [Defendant] MGM knew it was a prime target for hackers, and explains that [Defendant] MGM should have disclosed its deficient practices when it collected Plaintiffs' information at booking and check-in." (Id. 38:18-25).
For the reasons set forth above, the Court finds that Plaintiffs have alleged a cognizable injury.
"Fraud claims must meet a heightened pleading standard under [Fed. R. Civ. P. 9(b)], which requires a party to 'state with particularity the circumstances constituting fraud.'" Brandstorm, Inc. v. Global Sterilization and Fumigation, Inc., 2020 WL 1469687, at *2. "Claims of consumer fraud brought, brought under NRS § 41.600, 'must satisfy NRCP 9(b)'s heightened pleading standards.'" Cage v. Cox
"Both courts within the District of Nevada and the Nevada Supreme Court have applied Rule 9(b)'s heightened pleading standard to consumer fraud/deceptive trade practices under Nevada law." Urban Outfitters, Inc. v. Dermody Operating Co., LLC, No. 3:21-cv-00109, 2022 WL 4134127, at *3 (D. Nev. Sept. 12, 2022). "While these courts apply two different sets of civil procedure rules—state and federal—to fraud-based claims, the courts' analyses are virtually identical." Id. at *3 n.2.
Communic'n, Inc., No. 2:16-cv-01708, 2017 WL 153629, at *2 (D. Nev. April 27, 2017) (quoting Davenport v. Homecomings Fi., LLC, 130 Nev. 1169, 2014 WL 1318964, at *2 (D. Nev. Mar. 31, 2014)); see Allstate Ins. Co. v. Belsky, No. 2:15-cv-02265, 2017 WL 7199651, at *7 (D. Nev. Mar. 31, 2017) ("Consumer fraud claims brought under [NRS § 41.600] are subject to Rule 9(b)'s heightened pleading requirements."); Bank of New York Mellon v. Stewart Information Services Corporation, 2022 WL 4290308, at *5 (same).
NRS § 41.600 provides that "[a]n action may be brought by any person who is a victim of consumer fraud." Id. "Consumer fraud" is defined as "a deceptive trade practice as defined in NRS § 598.0915 to 598.025, inclusive." Id. § (2)(e). A claim under NRS § 41.600 "requires a 'victim of consumer fraud to prove that (1) an act of consumer fraud by the defendant (2) caused (3) damage to the plaintiff.'" Whittum v. Acceptance Now, No. 2:18-cv-01574, 2019 WL 4781846, at *3 (D. Nev. Sept. 30, 2019) (quoting Sattari v. Wash. Mut., 475 Fed. App'x 648, 648 (9th Cir. 2011)).
NRS § 598.0923(1)(b) in turn provides that, "a person engages in a 'deceptive trade practice' when in the course of his or her business or occupation he or she knowingly ... [f]ails to disclose a material fact in connection with the sale or lease of goods or services." The Court of Appeals of Nevada has explained that a "knowing[ ]' act or omission ... does not require that the defendant intend to deceive with the act or omission, or even know of the prohibition against the act or commission, but simply that the defendant is aware that the facts exist that constitute the act or omission." Poole v. Nevada Auto Dealership Invs., LLC, 135 Nev. 280, 449 P.3d 479, 483 (Ct. App. Nev. 2019).
As a preliminary matter, Defendant MGM relies on Soffer v. Five Mile Capital Partners, LLC, for the proposition that fraud by omission requires an affirmative duty to disclose to constitute a violation of NRS § 598.0923(1)(b). No. 12-cv-1407, 2013 WL 638832, at *10 (D. Nev. Feb. 19, 2013); (MTD 35:19-36:3). However, Soffer involved a claim for common law fraud, as opposed to Plaintiffs instant statutory fraud claim. Soffer, 2013 WL 638832, at *10. As the Supreme Court of Nevada recently observed, "[s]tatutory offenses that sound in fraud are separate and distinct from common law fraud." Leigh-Pink v. Rio Props, LLC, 512 P.3d 322, 328 (Nev. 2022) (quoting Betsinger v. D.R. Horton, Inc., 126 Nev. 162, 232 P.3d 433, 436 (2010)). Therefore, Defendant MGM has not shown that fraud by omission under NRS § 598.0923(1)(b) requires an affirmative duty to disclose.
Defendant MGM also relies on Taddeo v. Taddeo, No. 2:08-cv-01463, 2011 WL 4074433 (D. Nev. Sept. 13, 2011). In Taddeo, this Court noted that "[t]he suppression or omission of a material fact is 'equivalent to a false representation, since it constitutes an indirect representation that such fact does not exist." Id. at *6 n.3 (quoting Nelson v. Heer, 123 Nev. 217, 163 P.3d 420, 426 (2007)). It is unclear to the Court how Taddeo demonstrates that NRS § 598.0923(1)(b) requires an affirmative duty for an omission to constitute fraud. To the contrary, Taddeo indicates that omission can constitute a fraudulent representation.
Here, Plaintiffs' allegations meet the requirements of Fed. R. Civ. P. 9(b). Plaintiffs allege that Defendant MGM knew its data security practices were deficient and that the hotel industry is a frequent target of sophisticated cyberattacks, (CAC ¶¶ 78,
208). Despite this knowledge, Plaintiffs allege that Defendant MGM declined to disclose any facts regarding its cybersecurity when it sold hotel rooms to Plaintiffs. The Court finds that Defendant MGM's data security, or lack thereof, is a material fact connected to the sale of hotel rooms. At this stage in the pleading, Plaintiffs sufficiently allege that Defendant MGM's failure to disclose its data security deficiency or vulnerability to Plaintiffs constitutes a "knowing" omission. Poole, 449 P.3d at 483.
Additionally, Plaintiffs allege that Defendant MGM failed to implement reasonable security measures to protect its servers, including encrypting consumer's PII, (Id. ¶¶ 7, 38, 40, 66-77), retained Plaintiffs PII for longer than necessary, (Id. ¶¶ 90-94), and that Plaintiffs were damaged as a result of the Data Breach. (Id. ¶¶ 95-125). These damages include loss of the benefit-of-the bargain, money spent mitigating harms, diminished value of PII, and identity theft in the form of unauthorized charges and accounts. (Id.). Accordingly, the Court finds that Plaintiffs have adequately pled a claim under NRS §§ 41.600 and 598.0923(b)(1).
The Court finds that these damages equally apply to all of Plaintiffs statutory claims.
Furthermore, pursuant to NRS § 598.0923(1)(c), a person also engages in a "deceptive trade practice" when he or she knowingly "[v]iolates a state or federal statute or regulation relating to the sale or lease of goods or services." Because Plaintiffs have adequately pled violations of NRS §§ 41.600 and 598.0923(b)(1), the Court declines to dismiss Plaintiffs NCFA claims.
F. CALIFORNIA STATUTORY LAW CLAIMS
Plaintiffs Ryan Bohlim, Duke Hwynn, Andrew Sedaghatpour, and Gennady Simkin (collectively "California Plaintiffs") seek injunctive relief, in addition to damages, pursuant to their California statutory law claims. (CAC ¶¶ 10-13, 233-34, 250, 266). Because the California Plaintiffs seek injunctive relief, Defendant MGM contends that pursuant to Sonner, the Court should dismiss the California Plaintiffs' California statutory law claims.
For the reasons set forth above, the Court finds that Sonner applies to the instant action.
Here, the California Plaintiffs sufficiently plead an inadequate remedy at law with respect to Defendant MGM's alleged continuing unlawful conduct. The California Plaintiffs remedy at law, money damages, is retrospective. An injunction is prospective. While damages would compensate the California Plaintiffs for past harms, an injunction would ensure that the California Plaintiffs and other consumers can rely on Defendant MGM's representations in the future. See Brooks v. Thomson Reuters Corp., No. 21-cv-01418, 2021 WL 3621837, at *11 (N.D. Cal. Aug. 16, 2021) (declining to apply Sonner to bar UCL claims for prospective injunctive relief because "the prospect of paying damages is sometimes insufficient to deter a defendant from engaging in an alleged unlawful, unfair, or fraudulent business practice"); Stewart v. Kodiak Cakes, LLC, 537 F. Supp. 3d 1103, 1160 (S.D. Cal. Apr. 29, 2021) (finding the plaintiffs allegations of future harm based on defendant's continued deceptive marketing statements as sufficient to show a lack of adequate remedy at law at the motion to dismiss stage). Accordingly, damages are not an adequate remedy for the prospective harm caused by Defendant MGM's continued retention of the California Plaintiffs PII.
The Court will first examine whether the California Plaintiffs have sufficiently pled a claim under the UCL. a. Unfair Competition Law
The California UCL prohibits "unfair competition" and defines the term as a "business act or practice" that is (1) "fraudulent," (2) "unlawful," or (3) "unfair." Bus. & Prof. Code § 17200. Each prong of the UCL provides "a separate and distinct theory of liability[.]" Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009). To have standing to pursue a UCL claim, the California Plaintiffs must show that they "lost money or property" because of Defendant MGM's conduct. Cal. Bus. & Prof. Code § 17204; see In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019).
a. Standing
To establish standing under the UCL, "[a] plaintiff must show he personally lost money or property because of his own actual and reasonable reliance on the allegedly unlawful business practice." In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1071 (N.D. Cal. 2012) (citing Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 120 Cal.Rptr.3d 741, 246 P.3d 877, 885 (2011)). However, "there are innumerable ways in which economic injury from unfair competition may be shown." Kwikset Corp., 120 Cal.Rptr.3d 741, 246 P.3d at 885-86. For example, "[a] plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary." Id. (citation omitted)."
In In re Anthem, the court found that the plaintiffs' allegations that they lost the benefit of their bargain was sufficient to satisfy the economic injury requirement for standing under the UCL, explaining that this type of loss "mirrors the California Supreme Court's determination in Kwikset that a plaintiff who has 'surrender[ed] in a transaction more, or acquire[d] in a transaction less, than he or she otherwise would have' may bring a UCL claim." 162 F. Supp. 3d 953, 985 (N.D. Cal. 2016) (quoting Kwikset, 120 Cal. Rptr.3d 741, 246 P.3d at 885); see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014) (holding plaintiffs had UCL standing where "[f]our of the six Plaintiffs allege they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing"); In re LinkedIn User Privacy Litig., No. 12-cv-3088-EJD, 2014 WL 1323713, *4 (N.D. Cal. Mar. 28, 2014) (holding benefit-of-the-bargain losses "sufficient to confer ... statutory standing under the UCL.")
Here, the California Plaintiffs' loss of money or property is in the form of the allegedly overinflated cost of the hotel rooms they purchased as a result of Defendant MGM's omissions regarding the adequacy of data security policies. (Resp. 43:21-27). The California Plaintiffs allege that had Defendant MGM disclosed its deficient security policies, they would either have paid less for the room, or not purchased a room from Defendant MGM. (CAC ¶¶ 10-20, 114, 118(b)); see, e.g., Kwikset Corp., 120 Cal.Rptr.3d 741, 246 P. 3d at 890 (writing that a plaintiff can establish UCL standing by alleging that the consumer "would not have bought the product but for" the unfair business practice or by alleging that the consumer "paid more than he or she actually valued the product"). Therefore, the California Plaintiffs have sufficiently alleged a loss of money or property as a result of the UCL violation. As the California Plaintiffs have pleaded their UCL claim under all three
prongs, the Court will first address whether the California Plaintiffs have sufficiently alleged a claim under the fraudulent prong.
b. Fraud Prong
Defendant MGM contends that its alleged omission cannot constitute fraudulent conduct under the UCL because they were not obligated to disclose their security practices to Plaintiffs. (MTD 38:8-24). In response, the California Plaintiffs claim that Defendant MGM was obligated to disclose its security practices because it had exclusive knowledge of the fact that its security practices were beneath industry standards, and that this fact was material. (CAC ¶¶ 169-170, 235, 244(a), 243-245).
Claims stated under the fraud prong of the UCL are subject to the particularity requirements of Fed. R. Civ. P. 9(b). See Kearns, 567 F. 3d at 1125. For an omission to be actionable under the UCL, "the omission must be contrary to a representation actually made by the defendant, or an omission of fact the defendant was obliged to disclose." Daugherty v. Am. Honda Motor Co., 144 Cal. App. 4th 824, 835, 51 Cal.Rptr.3d 118 (2006); see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal. App. 4th 1544, 1557, 62 Cal.Rptr.3d 177 (2007) ("[A] failure to disclose a fact one has no affirmative duty to disclose is [not] 'likely to deceive' anyone within the meaning of the UCL." (quoting Daughter, 144 Cal. App. 4th at 838, 51 Cal.Rptr.3d 118). There are four circumstances in which a duty to disclose may arise: "(1) when the defendant is the plaintiff's fiduciary; (2) when the defendant has exclusive knowledge of material facts not known or reasonably accessible to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when the defendant makes partial representations that are misleading because some other material fact has not been disclosed." Collins v. eMachines, Inc., 202 Cal. App. 4th 249, 255, 134 Cal.Rptr.3d 588 (2011). "[A] fact is deemed 'material,' and obligates an exclusively knowledgeable defendant to disclose it, if a 'reasonable [consumer]' would deem it important in determining how to act in the transaction at issue." Id. at 256, 134 Cal.Rptr.3d 588 (citing Engalla v. Permanente Med. Grp., Inc., 15 Cal. 4th 951, 977, 64 Cal.Rptr.2d 843, 938 P.2d 903 (1997)).
The California Plaintiffs have adequately pled a duty to disclose based upon Defendant's exclusive knowledge of the alleged inadequacy of its security measures. See In re Solara, 613 F.Supp.3d 1284, 1303 (S.D.Cal. 2020) (finding that the plaintiffs adequately alleged a fraudulent omission UCL claim where they pled "a duty to disclose based upon [d]efendant's exclusive knowledge of the alleged inadequacy of its security measures"); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1113-14 (N.D. Cal. 2015) ("Finally, Plaintiffs have alleged that the information regarding the Carrier IQ Software was in the exclusive knowledge of Defendants. These allegations are sufficient to plausible allege that Defendants had exclusive knowledge of a material fact that they had a duty to disclose but chose to omit."). Accordingly, the Court declines to dismiss the California Plaintiffs' fraudulent omission UCL claim.
c. Unfair Prong
Defendant MGM argues that the California Plaintiffs' conclusory assertion that it failed to implement and maintain reasonable data security measures is insufficient to satisfy the unfair prong of the UCL. (MTD 38:1-3).
The unfair prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *23 (citing Korea Supply
Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143, 131 Cal.Rptr.2d 29, 63 P.3d 937 (2003)). "The UCL does not define the term 'unfair' ... [and] the proper definition of 'unfair' conduct against consumers 'is currently in flux' among California courts." Id.
Some California courts apply a balancing approach, which requires courts to "weigh the utility of the defendant's conduct against the gravity of the harm to the alleged victim." Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Other California courts have held that "unfairness must be tethered to some legislatively declared policy or proof of some actual or threatened impact on competition." Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 735 (9th Cir. 2007) (internal quotation marks omitted). These tests are typically referred to as the "balancing test" and the "tethering test."
The California Plaintiffs "may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by Defendant[] [MGM] or by demonstrating that Defendant [MGM's] conduct violated an established public policy." In re Anthem, 162 F. Supp. 3d at 990. In In re Adobe, the court observed that various California statutes—including several statutes upon which Plaintiffs rely here—reflect "California's public policy of protecting consumer data." Id. at 1227. Based on the California Plaintiffs allegations, Defendant MGM's actions violated this public policy by purportedly utilizing substandard data security practices. Whether Defendant MGM's public policy violation is out-weighed by the utility of their conduct under the balancing test is a question more appropriately resolved at a later stage of this litigation. See Mehta v. Robinhood Fin. LLC, No. 21-cv-01013, 2021 WL 6882377, at *12 (N.D. Cal. May 6, 2021) ("At the motion to dismiss stage, the Court cannot say that the benefit from Robinhood's business practices of allegedly emphasizing growth and profit over protecting their customers' personal and financial information and failing to implement industry-standard security measures outweighs the harms."); In re Anthem, 162 F. Supp. 3d at 990 (holding, on a motion to dismiss, that "[w]hether Defendants' public policy violation is out-weighed by the utility of their conduct under the balancing test is a question to be resolved at a later stage in this litigation"); In re iPhone Application Litig., 844 F. Supp. 2d at 1073 (same). Accordingly, based on the balancing test alone, the Court denies Defendant MGM's motion to dismiss the California Plaintiffs' UCL claim under the unfair prong.
d. Unlawful Prong
"The unlawful prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law." In re iPhone Application Litig., 844 F. Supp. 2d at 1072 (citing Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co., 20 Cal.4th 163, 83 Cal.Rptr.2d 548, 973 P.3d 527, 540 (1999)) (internal quotation marks omitted). Section 17200 of the Business and Professions Code permits injured customers to "borrow" violations of other laws and treat them as unfair competition that is independently actionable. Id.
The Court has already considered the adequacy of the California Plaintiffs' allegations under the fraud and unfair prongs of the UCL. Accordingly, the Court finds that the California Plaintiffs have sufficiently pled "unlawful" conduct in violation of the UCL. G. CALIFORNIA CONSUMER LEGAL REMEDIES ACT
As addressed below, the Court finds that the California Plaintiffs additionally alleged cognizable claims under the California Consumers Legal Remedies Act, Cal. Civ. Code § 1770, and California Customer Records Act, Cal. Civ. Code §§ 1798.90. Therefore, the unlawful prong is alternatively satisfied based on violations of these statutes.
As with the California Plaintiffs claim for fraud by omission under the UCL, Defendant MGM again asserts that the California Plaintiffs California Consumers Legal Remedies Act ("CLRA") fails because they failed to plead that Defendant MGM had a duty to disclose. (MTD 38:25-39:6).
The CLRA prohibits "unfair methods of competition and unfair or deceptive acts or practices." Cal. Civ. Code § 1770. To state a claim under CLRA §§ 1770(a)(5) and (7), a plaintiff must allege: "(1) a misrepresentation; (2) reliance on that misrepresentation; and (3) damages caused by that misrepresentation." In re Sony PS3 Other OS Litig., 551 F. App'x 916, 920 (9th Cir. 2014). "CLRA claims are governed by the 'reasonable consumer' test, under which a plaintiff must allege that 'members of the public are likely to be deceived.'" Id. (quoting Williams v. Gerber Prods. Co., 552 F.3d 934, 938 (9th Cir. 2008)).
The CLRA applies the same standard as the UCL for determining whether a defendant engaged in fraud by omission. See Barrett v. Apple Inc., 523 F. Supp. 3d 1132, 1149 (N.D. Cal. 2021) (applying the same standard for an actionable duty to disclose under the UCL and CLRA); Stewart v. Electrolux Home Prod., Inc., 304 F. Supp. 3d 894, 906 (E.D. Cal. 2018) ("Generally, the standard for deceptive practices under the fraudulent prong of the UCL applies equally to claims for misrepresentation under the CLRA.").
The Court has already considered the adequacy of the California Plaintiffs' fraudulent omission UCL claim. Accordingly, the Court declines to dismiss Plaintiffs' fraudulent omission CLRA claim for the reasons set forth above.
H. CALIFORNIA CUSTOMER RECORDS ACT
Defendant MGM contends that the California Plaintiffs California Customer Records Act ("CRA") claim fails because their allegations do no explain how Defendant MGM took insufficient measures to protect customer's PII. (MTD 39:7-17); (Reply 23:11-18). In response, the California Plaintiffs contend they asserted detailed allegations of how Defendant MGM failed to maintain reasonable security practices, including a failure to encrypt PII. (Resp. 46:3-47:2).
The CRA "regulates businesses with regard to treatment and notification procedures relating to their customers' personal information." Corona, 2015 WL 3916744, at *6; Civ. Code §§ 1798.90. The California Plaintiffs allege that Defendant Violated § 1798.81.5(b) of the CRA. This provision provides, in relevant part, that "[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access...." Cal. Civ. Code. § 1798.81.5(b). "Personal information" is defined to include a person's name "in combination with ... credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account." Id. § 1798.81.5(d)(1)(A)(iii).
The Court finds that the California Plaintiffs adequately alleged that Defendant MGM failed to maintain reasonable
cybersecurity practices as required by the CRA. Specifically, the California Plaintiffs allege that Defendant MGM failed to encrypt the PII stored on its server in violation of industry practice. (CAC ¶ 38); see In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., No. 21-02994, 603 F.Supp.3d 1183, 1219 (S.D. Fla. 2022) (finding, on a motion to dismiss, that the plaintiffs sufficiently alleged a claim under the CRA by alleging that their "PII [was] maintained and/or exchanged in unencrypted email accounts, in violation of industry practice"). Moreover, the California Plaintiffs contend that Defendant MGM retained their PII for longer than was necessary. (CAC ¶¶ 7, 77, 90-91). Accordingly, the Court declines to dismiss the California Plaintiffs CRA claim.
Defendant MGM also argues in a single sentence that the California Plaintiffs failed to plead the requisite damages needed to sustain a CRA claim. (Reply 23:16-18). However, for the reasons set forth above, the Court finds that the California Plaintiffs' alleged cognizable damages.
I. CONNECTICUT UNFAIR TRADE PRACTICES ACT
Defendant MGM alleges that Plaintiff Robert Taylor's ("Connecticut Plaintiff's") claim under Connecticut's Unfair Trade Practices Act ("CUTPA") fails because the Connecticut Plaintiff have not alleged an unfair or deceptive practice. (MTD 39:19-40:3). The Connecticut Plaintiff, in response, contend that the "unfair or deceptive practice at issue" is Defendant MGM's failure to implement adequate safeguards and notify the Connecticut class representative of its inadequate security.
The CUTPA provides: "No person shall engage in unfair methods of competition or deceptive acts or practices in the conduct of any trade or commerce." Conn. Gen. St. § 42-110b(a). "Any person who suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment of a method, act or practice prohibited by section 42-110b, may bring an action" to recover actual damages, punitive damages, and equitable relief. Conn. Gen. St. 42-110g(a).
Here, the Connecticut Plaintiff sufficiently alleged that Defendant MGM knew or should have known about its allegedly inadequate data security practices and the risk of a data breach. The Connecticut Plaintiff alleges that Defendant MGM (1) knew it was a target for hackers, (2) was aware that its data security practices were inadequate, and (3) failed to disclose to the Connecticut Plaintiff when he purchased a hotel room that they did not employ reasonable safeguards to protect Plaintiffs' PII. (CAC ¶¶ 38-41, 66-77, 78-87, 162-177, 270(a)-(e)). The Connecticut Plaintiff alleges he relied on these omissions and "would not have stayed at MGM properties or would have paid less than he did for his rooms" had he known of Defendant MGM's allegedly inadequate security practices. (Id. ¶ 14). Therefore, the Court declines to dismiss the Connecticut Plaintiffs CUTPA claim.
The Court finds that Plaintiffs have adequately alleged unfair or deceptive acts that adequately satisfy Rule 9(b).
J. GEORGIA DECEPTIVE TRADE PRACTICES ACT
Defendant MGM contends that Plaintiff Michael Fossett's ("Georgia Plaintiff's") claim under Georgia's Uniform Deceptive Trade Practices Act ("GUDTPA") fails pursuant to Sonner because GUDTPA only provides equitable remedies, and the Georgia Plaintiff cannot show a lack of legal remedies. (MTD 40:4-10); (Reply 24:1-7). In rebuttal, the Georgia Plaintiff contend that Sonner does not bar his claim
because injunctive relief is necessary to prospectively protect against future data breaches. (Resp. 48:2-22).
For the reasons set forth above, the Georgia Plaintiff has plausibly alleged the inadequacy of remedies at law with respect to their claims for injunctive relief. The Georgia Plaintiff sufficiently alleged that monetary damages for past harm are an inadequate remedy for the future harm an injunction is designed to prevent. Accordingly, the Court declines to dismiss the Georgia Plaintiff's GUDTPA claim.
K. NEW YORK GENERAL BUSINESS LAW
Plaintiff Kerri Shapiro ("New York Plaintiff") alleges claims under the New York General Business Law ("GBL"), N.Y. Gen. Bus. §§ 349, et seq. Section § 349(a) of the GBL prohibits "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service." N.Y. Gen. Bus. § 349(a). To state a § GBL claim, the New York Plaintiff must allege (1) that defendant's "act or practice was consumer-oriented," (2) that the act or practice "was misleading in a material way," and (3) that plaintiff "suffered injury as a result of the deceptive act." Stutman v. Chem. Bank, 95 N.Y.2d 24, 709 N.Y.S.2d 892, 731 N.E.2d 608, 611 (2000). "[T]o qualify as a prohibited act under the statute, the deception of a consumer must occur in New York." Goshen v. Mut. Life Ins. Co. of New York, 98 N.Y.2d 314, 746 N.Y.S.2d 858, 774 N.E.2d 1190, 1195 (2002).
To begin with, the parties dispute whether Rule 9(b)'s pleading requirements apply to the GBL claim. (MTD 34:3-17). Several federal courts have held that Rule 9(b)'s pleading requirements do not apply to GBL claims. See, e.g., Pelman ex rel. Pelman v. McDonald's Corp., 396 F.3d 508, 511 (2d Cir. 2005) ("[B]ecause a private action under § 3499 is not subject to the pleading-with-particularity requirements of Rule 9(b), Fed. R. Civ. P., but need only meet the bare-bones notice-pleading requirements of Rule 8(a), Fed. R. Civ. P."); Greene v. Gerber Prod. Co., 262 F. Supp. 3d 38, 67 (E.D.N.Y. 2017) (same). The Court declines to decide this issue however, because the New York Plaintiff's allegations meet the requirements of Fed. R. Civ. P. 8(a) or 9(b).
Foremost, the New York Plaintiff alleges that she is a "resident of New York." (CAC ¶ 17). The New York Plaintiff further alleges that she transacted with Defendant MGM by "making hotel reservations from New York and paying any necessary room deposits form New York." (Id. ¶ 296). The New York Plaintiff asserts that Defendant MGM's deceptive acts or practices including failing to implement reasonable security and privacy measures, failing to identify and remediate foreseeable privacy risks, misrepresenting that it would protect the Plaintiffs' PII, and failing to comply with statutory duties regarding the security and privacy of Plaintiffs' personal information, including duties imposed by the FTC Act, 15 U.S.C. § 45. (Id. ¶¶ 295-96). The New York Plaintiff claims that these acts affected the public interest and consumers at large, and that the New York class representative suffered damages as a result of Defendant MGM's alleged practices. (Id. ¶¶ 300-05). Based on the foregoing, the New York Plaintiff has adequately pled that the alleged deception took place in New York, that Defendant MGM misrepresented their security and privacy measures, and that she suffered an injury as result of this deception. Therefore, the Court declines to dismiss the New York Plaintiff's GBL claim.
L. OHIO DECEPTIVE TRADE PRACTICES ACT
Defendant MGM argues that the Ohio Deceptive Trade Practices Act.
("ODTPA") does not provide a cause of action for consumers like Plaintiff Julie Mutsko ("Ohio Plaintiff"). (MTD 40:25-41:4). In rebuttal, the Ohio Plaintiff contend that there a split of authority on the issue of whether individual consumers have standing to assert a claim under the ODTPA, and that this Court should find that individual consumers have standing. (Resp. 49:23-50:24).
The ODTPA gives standing to bring a civil action to a "person who is likely to be damaged by a person who commits a deceptive trade practice" or a "person who is injured by a person who commits a deceptive trade practice." Ohio Rev. Code § 4165.03(A)(1)-(2). ODTPA defines a "person" as "an individual, corporation, government, governmental subdivision or agency, business trust, estate, trust, partnership, unincorporated association, limited liability company, two or more of any of the foregoing having a joint or common interest, or any other legal or commercial entity." Ohio Rev. Code § 4165.01(D).
Here, the Court adopts the reasoning of the United States District Court for the Northern District of Ohio in Hamilton v. Ulta Beauty and finds that Plaintiffs do not have standing to pursue a claim under ODTPA. See Hamilton v. Ulta Beauty, No. 5:18-cv-754, 2018 WL 3093527, at *3 (N.D. Ohio June 21, 2018) ("A broad majority of the courts to directly address this issue have held that the ODTPA does not give consumers standing."). The Hamilton court explained that there are three reasons why ODTPA does not provide for consumer standing. First, "Ohio courts look to the federal Lanham Act when interpreting the ODTPA, and the Lanham Act does not give a consumer right of action." Id. at *3. Second, the definition of "person" in the ODTPA qualifies the list of individuals and entities with the phrase "or any other legal or commercial entity," thereby implying that an individual "may not bring suit as a non-commercial consumer." Id. Third, the Hamilton court recognized that the Ohio Consumer Sales Practice Act ("OCSPA") already "provides for consumer standing and prohibits virtually the same practices as the ODTPA." Id. The court thereby reasoned that OCSPA would be rendered superfluous if ODTPA also provided consumer standing. Id.
This Court sides with the majority of courts that have found that consumers do not have standing under ODTPA, as the OCSPA would be rendered superfluous if consumers could sue under ODTPA. Accordingly, the Court dismisses the Ohio Plaintiff's ODTPA claim with prejudice.
In contrast, Plaintiffs cite two cases finding that consumers have standing under the ODTPA. See Schumacher v. State Auto. Mut. Ins. Co., 47 F. Supp. 3d 618, 630-32 (S.D. Ohio 2014) (determining that consumers have standing to sue under the ODTPA while acknowledging that most courts deciding the issue have interpreted the statute as providing standing only for commercial entities); Bower v. Int'l Bus. Machines, Inc., 495 F. Supp. 2d 837, 844 (S.D. Ohio 2007) (interpreting consumers to fall within the definition of "persons" under the ODTPA). In Hamilton, the court noted that "these decisions represent a minority view among the state and federal courts to consider this issue." Hamilton, 2018 WL 3093527, at *3.
M. OREGON UNLAWFUL TRADE PRACTICES ACT
Defendant MGM moves to dismiss Plaintiff John Dvorak's ("Oregon Plaintiff's") Oregon Unlawful Trade Practices Act ("OUTPA") claim, arguing that he has not alleged an "unlawful" trade practice or have pled fraud with the requisite particularity required under Rule 9(b). (MTD 41:6-12).
Several courts have applied Rule 9(b)'s heightened pleading to OUTPA. See Martell v. General Motors LLC, 492 F. Supp. 3d 1131, 1146 (D. Or. 2020) (applying
Rule 9(b)'s heightened pleading standard to the plaintiffs' OUTPA claim); Ahern v. Apple Inc., 411 F. Supp. 3d 541, 559 (N.D. Cal. 2019) (same); Vinci v. Hyundai Motor Am., No. 17-0997, 2018 WL 6136828, at **11-12 (C.D. Cal. April 10, 2018) (same). The OUTPA imposes liability for "unlawful trade practice[s]" specified in the statute. See Or. Rev. Stat. § 646.608(1)(e), (g), (i). Specifically, OUTPA § 646.608(1)(e) provides "[a] person engages in an unlawful practice if in the course of a the person's business" they "represent[] ... goods or services have ... characteristics, ... benefits ... or qualities that the ... goods or services do not have...." OUTPA § 646.608(1)(g) in turn states that a person engages in an unlawful practice by representing that "goods or services are of a particular standard, quality, or grad.... if the ... goods or services are of another." A plaintiff bringing an OUTPA claim must prove "(1) the defendant committed an unlawful trade practice; (2) plaintiff suffered an ascertainable loss of money or property; and (3) plaintiff's injury (ascertainable loss) was the result of the unlawful trade practice." Pearson v. Philip Morris, Inc., 358 Or. 88, 361 P.3d 3, 28 (2015).
Under the first element, the Oregon Plaintiff alleges that Defendant MGM knew or should have known about its allegedly inadequate data security practices and the risk of a data breach and that its alleged failures and omissions were material and relied upon by consumers. (CAC ¶¶ 38-41, 66-77, 78-87, 162-177, 270(a)-(e)). At this stage in the pleadings, the Court finds that this satisfies the first element. Pursuant to the second element, the Oregon Plaintiff posits he suffered damages in the form of include loss of the benefit-of-the bargain, money spent mitigating harms, diminished value of PII, and attempted identity theft. (Id. ¶¶ 19, 95-125). Turning to the third element, the Oregon Plaintiff contends he would not have stayed at Defendant MGM's property or would have paid less for the room had he known about Defendant MGM's deficient data security. (Id. ¶ 19).
Additionally, Defendant MGM argues that dismissal of the OUTPA is warranted because a portion of the Oregon Plaintiff's claim is based on violation of Oregon's Consumer Information Protection Act ("OCIPA"), which Defendant MGM contends does not provide a private right of action. (MTD 41:13-22). The Oregon Plaintiff, in rebuttal, contends that a private right of action can be inferred. (Resp. 52:8-53:12).
The Oregon Court of Appeals has found that under OCIPA, "only the state can prosecute trade practices declared unlawful by ORS 646.607." Horton v. Nelson, 252 Or.App. 611, 288 P.3d 967, 971-72 (2012); see Advanced Steel Recovery, LLC v. X-Body Equip., Inc., No. 2:16-cv-00148, 2022 WL 398645, at *7 (D. Nev. Feb. 9, 2022) ("In addition, 'only the [state of Oregon] can prosecute trade practices declared unlawful by ORS 646.607." (quoting Horton, 288 P.3d at 971-72)). Under the statute, the Director of Oregon's Department of Consumer and Business Services may only order compensation to consumers after a showing is made that a "private civil action would be so burdensome or expensive as to be impractical." Or. Stat. § 646.24. Despite the Oregon Court of Appeals decision in Horton, one district court has found that this "implies that private civil actions are available." In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 1154, 1167 (D. Minn. 2014). In Oregon, however, "[i]n general, an individual has no private remedy for a statutory violation unless the statute expressly provides one." Praegitzer Indus., Inc. v. Rollins Burdick Hunter of Oregon, Inc., 129 Or.App. 628, 880 P.2d 479, 481 (1994). Here, the statute does not expressly provide a private remedy for a statutory violation,
and the Court declines to find one. See Patton v. Experian Data Corp., No. 27-01559, 2018 WL 6190349, at *10 (C.D. Cal. Jan 23, 2018) (dismissing Oregon UDTPA claim predicated on an alleged violation of CIPA because no private right of enforcements exists under the CIPA). Accordingly, the Court dismisses the Oregon Plaintiff's OUTPA claim with prejudice to the extent it is based on a violation of OCIPA.
N. OREGON CONSUMER INFORMATION PROTECTION ACT
For the reasons set forth above, the Court finds that OCIPA does not provide the Oregon Plaintiff with a private cause of action. Accordingly, the Court dismisses the Oregon Plaintiff's OCIPA claim with prejudice.
The Ninth Circuit "ha[s] held that in dismissing for failure to state a claim under Rule 12(b)(6) 'a district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.'" Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (quoting Doe v. United States, 58 F.3d 494, 497 (9th Cir. 1995)).
Here, the Court finds that Plaintiffs' negligence claim to the extent it alleges damages based solely on lost time, negligent misrepresentation, ODPTA, and OCIPA claims cannot be cured by the inclusion of other facts. Accordingly, the Court dismisses these claims without leave to amend. Plaintiffs' unjust enrichment is dismissed with leave to amend.
IV. CONCLUSION
IT IS HEREBY ORDERED that Defendant MGM's Motion to Dismiss, (ECF No. ECF No. 103), is GRANTED in part and DENIED in part.