Opinion
19-cv-01860-MMC
04-20-2022
JAKE THOMAS, et al., Plaintiffs, v. KIMPTON HOTEL & RESTAURANT GROUP, LLC, Defendant.
ORDER DENYING PLAINTIFFS' MOTION FOR CLASS CERTIFICATION; DENYING AS MOOT DEFENDANT'S MOTION TO EXCLUDE OPINIONS OF PLAINTIFFS' DAMAGES EXPERT
MAXINE M. CHESNEY UNITED STATES DISTRICT JUDGE
Before the Court are two motions: (1) plaintiffs Jake Thomas ("Thomas"), Salvatore Galati ("Galati"), and Jonathan Martin's ("Martin") Motion for Class Certification, filed September 21, 2021, and (2) defendant Kimpton Hotel & Restaurant Group, LLC's ("Kimpton") Motion to Exclude the Opinions of Plaintiffs' Damages Expert, filed November 22, 2021. The motions have been fully briefed. Having read and considered the papers filed in support of and in opposition to the motions, the Court rules as follows.
By order filed March 9, 2022, the Court took the motions under submission.
BACKGROUND
In the operative complaint, the Third Amended Complaint ("TAC"), plaintiffs allege that Kimpton, an entity that "own[s] or manage[s]" hotels (see TAC ¶ 1), contracted with Sabre Corporation ("Sabre") "to provide a reservation system" (see TAC ¶ 3). Plaintiffs further allege they booked hotel reservations at Kimpton hotels (see TAC ¶ 2), and, in so doing, provided "private identifiable information" ("PII") (see TAC ¶¶ 11, 13, 15), which PII was subsequently "accessed by hackers" who "obtained credentials" for Sabre's "Central Reservations system" and "used those credentials to access customer data" (see TAC ¶¶ 6, 12, 14, 16). According to plaintiffs, if Sabre had "employed multiple levels of authentication," rather than "single factor authorization," the "hacker would not . . . have been able to access the system." (See TAC ¶ 6.) Plaintiffs further allege that Sabre was Kimpton's "agent" and thus that Kimpton is responsible for Sabre's conduct. (See, e.g., TAC ¶ 23.) Based on the above allegations, plaintiffs, on their own behalf and on behalf of a putative class, assert claims under state law.
Sabre is not a party to the above-titled action.
In an order filed June 30, 2020, the Court granted in part Kimpton's motion to dismiss the TAC. In particular, the Court denied the motion as to three Claims, specifically, the First Claim for Relief, the Third Claim for Relief, and a portion of the Eighth Claim for Relief. As to those three Claims, plaintiffs, by the instant motion, now seek to proceed on behalf of a certified class.
LEGAL STANDARD
A district court may not certify a class unless the plaintiff has "establish[ed] the four prerequisites of [Rule] 23(a)," see Valentino v. Carter-Wallace, Inc., 97 F.3d 1227, 1234 (9th Cir. 1996), namely: "(1) the class is so numerous that joinder of all members is impracticable; (2) there are questions of law or fact common to the class; (3) the claims or defenses of the representative parties are typical of the claims or defenses of the class; and (4) the representative parties will fairly and adequately protect the interests of the class," see Fed.R.Civ.P. 23(a).
Further, the plaintiff must establish "at least one of the alternative requirements of [Rule] 23(b)." See Valentino, 97 F.3d at 1234. Rule 23(b)(3), upon which plaintiffs herein rely, provides for certification of a class where "the court finds that the questions of law or fact common to class members predominate over any questions affecting only individual members, and that a class action is superior to other available methods for fairly and efficiently adjudicating the controversy." See Fed.R.Civ.P. 23(b)(3).
DISCUSSION
As noted, plaintiffs seek to proceed with their three remaining Claims on behalf of a class. The Court next considers the three Claims in turn.
A. First Claim for Relief: Breach of Contract
In the First Claim for Relief, plaintiffs allege that the terms of a "Privacy Statement" located on Kimpton's website were part of the contract formed when each plaintiff and putative class member reserved a hotel room, in that each was "required to accept the Privacy Statement" during the reservations process. (See TAC ¶ 68.) Plaintiffs also allege that the "Privacy Statement" included a "promise to safeguard and protect the [c]lass [m]embers' PII from disclosure to third parties" (see TAC ¶ 70), and that such promise was breached by the "failure to safeguard and protect the PII" (see TAC ¶ 75).
In support of their motion for class certification, plaintiffs offer copies of Kimpton's "Privacy Policy" in effect during the relevant time period, which Policy contains the following language, on which plaintiffs base their breach of contract claim:
Plaintiffs allege that the "unauthorized third party" who breached Sabre's system was able to access, "during the period between August 10, 2016[, ] and March 9, 2017," the "data of customers that stayed at [Kimpton's] hotels." (See TAC ¶¶ 1, 6.)
We work diligently to protect the security of your personal information, including credit card information, during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. Your data is kept in a highly secure environment protected from access by unauthorized parties. It is important for you to protect against unauthorized access to your password and to your customer profile by ensuring that you logoff when you have finished visiting our site.(See Marquez Decl., filed September 21, 2021, Ex. 10 at 4, Ex. 11 at 4.)
Additionally, plaintiffs state they are basing their breach of contract claim on the following statement, which they assert was shown to them on the "payment page" when they made their reservations:
We at Kimpton are committed to keeping your personal information safe. Our secure server software (SSL) is the industry standard and among the best software available today for secure commerce transactions. It encrypts all of your personal information, including payment card number, name, and address, so that it cannot be read as the information travels over the internet.(See Pls.' Mot. at 11:24-12:2, Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 5; TAC ¶ 27.)
As noted, plaintiffs do not allege hackers accessed PII located in Kimpton's system, but, rather, PII located in Sabre's system. Nonetheless, plaintiffs assert, Kimpton can be deemed to have failed to comply with the above-referenced language because it is "liable for Sabre's misconduct on an ostensible agency theory." (See Pls.' Mot. at 8:10.)
Assuming, arguendo, plaintiffs can establish, with regard to their breach of contract claim, the four prerequisites of Rule 23(a), the Court finds, as discussed below, plaintiffs have not shown questions of law or fact common to class members predominate over questions affecting individual class members, as required by Rule 23(b)(3).
Under California law, "[a]n agency is ostensible when the principal intentionally, or by want of ordinary care, causes a third person to believe another to be his agent who is not really employed by him." See Cal. Civ. Code § 2300. "Liability of the principal for the acts of an ostensible agent rests on the doctrine of 'estoppel,' the essential elements of which are representations made by the principal, justifiable reliance by a third party, and a change of position from such reliance resulting in injury." Kaplan v. Coldwell Banker Residential Affiliates, Inc., 59 Cal.App.4th 741, 747 (1997) (internal quotation and citation omitted). Put another way, "[t]he person dealing with the agent must do so with belief in the agent's authority and this belief must be a reasonable one," the "belief must be generated by some act or neglect of the principal sought to be charged," and the plaintiff, "in relying [to his detriment] on the agent's apparent authority[, ] must not be guilty of negligence." See id. (internal quotation and citation omitted).
Here, in contending common questions of fact exist for purposes of determining whether Sabre was the ostensible agent of Kimpton, plaintiffs assert that Kimpton's website contains no language indicating that "a third party, Sabre, would be processing the payment information." (See Pls. Mot. at 10:17-18.) Additionally, plaintiffs rely on the experiences of the three named plaintiffs, which experiences, they argue, made it reasonable for each of them to have erroneously believed Kimpton "controlled the data," rather than Sabre. (See id. at 10:13-17.) Specifically, each named plaintiff states that when he made a reservation, he went to Kimpton's website, where he clicked on a "Book Now" button, which resulted in a "drop-down menu" on which he entered "travel information to find an available hotel room," that he next was directed to a webpage on which he selected a hotel room, after which he was directed to a webpage on which he entered his credit card information, and lastly, that he was directed to a "confirmation page." (See Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 4.) Each named plaintiff further states that, during the reservations process, he "d[id] not recall leaving the Kimpton website." (See Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 5.)
As noted, to establish the existence of an ostensible agency, justifiable reliance must be shown. Here, Kimpton argues such determination cannot be made without consideration of each putative class member's individual experience, and, in support thereof, relies on the following provision in its Privacy Policy:
Third party Internet sites available through advertising and other links on our site have separate privacy and data collection practices. If you click on a link found on our websites or on any other website, you should always look at the location bar within your browser to determine whether you have been linked to a different website. This Policy, and our responsibility, is limited to our own information collection practices. We are not responsible for, and cannot always ensure, the information collection practices or privacy policies of other websites maintained by third parties or our service providers where you submit your personal information directly to such websites. In addition, we cannot ensure the content of the websites maintained by these third parties or our service providers.(See Marquez Decl., filed September 21, 2021, Ex. 10 at 3, Ex. 11 at 3.)
Contrary to plaintiffs' argument that the above-quoted provision in the Privacy Policy only applies to "third party advertising links," the provision, as noted, applies to both "advertising and other links on [Kimpton's] site," including links to websites maintained by Kimpton's "service providers." (See id. Ex. 10 at 3, Ex. 11 at 3.)
Additionally, Kimpton offers evidence, undisputed by plaintiffs, that, during the relevant time period, when individuals made reservations by clicking the "Book Now" link on Kimpton's website, they were taken to a website operated by Sabre's SynXis Central Reservations system, and that the uniform resource locator ("URL") displayed on the location bar was "synxis.com," either as "mobile.synxis.com" or "gc.synxis.com." (See O'Grady Decl., filed December 9, 2021, ¶¶ 4, 7; Kardassakis Decl., filed November 19, 2021, Ex. 21 at 45:10:10-14, 58:3-7, 58:8-16.)
In sum, persons who visited Kimpton's website and read the Privacy Policy, as plaintiffs allege each putative class member did (see TAC ¶ 36 (alleging all putative class members "read" the Privacy Policy "prior to reserving their hotel rooms")), were told that, if they clicked on a link, they should look at the location bar to determine if they were on a webpage maintained by another company, and that, if so, such other entity would have its own information collection practices and privacy policies. Moreover, once the "Book Now" link was clicked, the location bar, as noted, indicated the webpage was not a Kimpton webpage.
Under such circumstances, the Court finds a determination of whether a putative class member held a reasonable belief that he/she was at all times on a Kimpton.com website presents individual issues that predominate over common issues. Stated otherwise, plaintiffs have not shown the issue of whether Sabre acted as Kimpton's ostensible agent can be determined other than by considering the individual experience of each putative class member. In particular, plaintiffs have not shown every putative class member necessarily would have believed, at the time PII was provided, he/she was providing it to Kimpton under Kimpton's privacy policy, as opposed to Sabre under Sabre's privacy policy. See, e.g., Salazar v. McDonald's Corp., 2017 WL 88999, at *3, *6 (N.D. Cal. January 5, 2017) (holding, where plaintiffs asserted defendant could be held liable for state law violations committed by defendant's alleged ostensible agent, plaintiffs failed to show reliance could be established on classwide basis, as "inquiry require[d] proof of what each [putative class member] knew or should have known" and each had varying "knowledge and expectations" about relationship between defendant and ostensible agent) (internal quotation and citation omitted); see also In re Coordinated Pretrial Proceedings in Petroleum Products Antitrust Litig., 691 F.2d 1335, 1342 (9th Cir. 1982) (holding court, in ruling on motion to certify class, "is required to consider the nature and range of proof necessary to establish [the claims]").
Accordingly, to the extent plaintiffs seek an order allowing them to proceed with their breach of contract claim on behalf of a class, the motion will be denied.
B. Third Claim for Relief: Violation of California Civil Code § 1798.81.5
In the Third Claim for Relief, plaintiffs assert Kimpton violated section 1798.81.5 of the California Civil Code. Although the Third Claim for Relief is titled "Violation of Cal. Civil Code § 1798.81.5(c)," the supporting allegations pertain solely to California Civil Code § 1798.85.5(b). Specifically, plaintiffs, in the TAC, quote subdivision (b), which provides that "[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure" (see TAC ¶ 88 (quoting Cal. Civ. Code § 1798.81.5(b)), and allege as the factual basis for such violation that Kimpton "employed single factor authorization and/or allowed its contractor to employ single factor authorization in its reservation system" (see TAC ¶ 92).
In the instant motion, plaintiffs do not appear to seek certification of a class for purposes of plaintiffs' pursuing a claim under § 1798.81.5(b). Rather, plaintiffs appear to argue they are entitled to pursue, on behalf of a class, a claim under § 1798.81.5(c), which provides that "[a] business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." See Cal. Civ. Code § 1798.81.5(c).
As Kimpton points out, however, subdivision (c) is not implicated by the allegations made in the TAC. Rather, as noted, plaintiffs allege in the TAC that it was plaintiffs themselves, as well as all members of the putative class, that provided their PII to Sabre, whose system was compromised by an unknown hacker (see TAC ¶¶ 23, 28), and confirm in their motion for class certification that their claims are based on such allegations (see Pls.' Mot. for Class Cert. at 2:2-7, 10:13-18; Pls.' Reply at 7:12). Plaintiffs do not allege that Kimpton "disclose[d] personal information about a California resident pursuant to a contract with a nonaffiliated third party," see Cal. Civ. Code § 1798.81.5(c), nor do they allege that Sabre, acting as Kimpton's agent, "disclose[d]" such personal information pursuant to a contract Sabre had with a nonaffiliated third party, see id. In the absence of any such allegation, § 1798.81.5(c) is inapplicable.
Further, to the extent plaintiffs seek to certify a class under 1798.81.5(b), plaintiffs again must rely on a theory of ostensible agency, and, as discussed above with regard to the First Claim for Relief, a determination as to that question requires an individualized inquiry.
Accordingly, to the extent plaintiffs seek an order allowing them to proceed with a claim under § 1798.81.5 on behalf of a class, the motion will be denied.
C. Eighth Cause of Action: Violation of Texas Deceptive Trade Practices Act
In the Eighth Claim for Relief, titled "Violation of Texas' Deceptive Trade Practices - Consumer Protection Act, Texas. Bus. & Com. Code § 17.41, et seq. ['DTPA']," plaintiffs allege that Kimpton engaged in "misleading" and "deceptive" acts or practices. (See TAC ¶ 140.) As explained in their motion, plaintiffs base this claim on the same two representations by Kimpton as those on which plaintiffs base their breach of contract claim. (See Pls.' Mot. at 18:4:6.) According to plaintiffs, such representations were "misleading and deceptive" in light of Sabre's "actual protective measures," which measures did not "employ multi-layer authentication." (See Pls.' Mot. at 18:4-8.)
By order filed June 30, 2020, the Court dismissed with leave to amend the Eighth Claim for Relief to the extent it was based on "Kimpton's having made false statements." (See Order, filed June 30, 2020, at 15:7-9.) Thereafter, no further amended complaint was filed. Rather, as to the remaining bases for such claim, plaintiffs state they seek to certify a class based solely on Kimpton's having made two "misleading" and "deceptive" statements and appear to distinguish between, on the one hand, a "false" statement, and, on the other hand, a "misleading" or "deceptive" statement. As Kimpton has not challenged plaintiffs' proceeding in such manner, the Court does not further consider the matter at this time.
Misleading and deceptive business practices are unlawful under § 17.50(a)(1) of DTPA. Specifically, § 17.50(a)(1) prohibits "the use or employment by any person of a false, misleading, or deceptive act or practice that is: (A) specifically enumerated in a subdivision of Subsection (b) of Section 17.46 of [the DTPA]; and (B) relied on by a consumer to the consumer's detriment." See Tex. Bus. & Com. Code § 17.50(a)(1).
Plaintiffs rely on three acts enumerated in § 17.46(b): "Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have," see Tex. Bus. & Com. Code § 17.46(b)(5); "Representing that goods or services are of a particular standard, quality, or grade . . . if they are of another," see Tex. Bus. & Com. Code § 17.45(b)(7); and "Advertising goods or services with intent not to sell them as advertised," see Tex. Bus. & Com. Code § 17.46(b)(9). (See TAC ¶ 140.)
Here, assuming, arguendo, plaintiffs can establish, with regard to their DTPA claim, the four prerequisites of Rule 23(a), the Court finds, as discussed below, plaintiffs have not shown questions of law or fact common to class members predominate over questions affecting individual class members.
As noted, § 17.50(a)(1) requires a plaintiff to prove he relied to his detriment on a misleading or deceptive act. See Cruz v. Andrews Restoration, Inc., 364 S.W.3d 817, 824 (Tex. 2012) (holding violation of § 17.50(a) "is not complete without a finding of reliance"). Although plaintiffs fail to expressly assert how reliance can be established on a classwide basis, plaintiffs impliedly argue reliance can be shown on behalf of the entire class because Kimpton's representations were uniform. As the Texas Court of Appeals has observed, however, receipt by class members of the same representation is insufficient to establish reliance on a classwide basis, as reliance "can be shown only by demonstrating [each] person's thought processes in reaching the decision," and, consequently, even "under all the same facts and circumstances, one person may have relied on the misrepresentation in reaching a decision while another did not rely on it in reaching the same decision." See Fidelity & Guaranty Life Ins. Co., 165 S.W.3d 416, 423 (Tex. App. 2005) (internal quotation and citation omitted).
Here, the question of whether a putative class member relied on any statement describing Kimpton's privacy policy is, in the first instance, dependent on whether such individual believed he/she was providing PII to Kimpton or to Sabre, and, consequently, cannot be resolved on a classwide basis. See id. (noting "[t]he [Supreme Court of Texas] did not entirely preclude class actions in which reliance was an issue, but it did make such cases a near-impossibility").
Accordingly, to the extent plaintiffs seek an order allowing them to proceed with a claim under the DTPA on behalf of a class, the motion will be denied.
CONCLUSION
For the reasons stated:
1. Plaintiffs motion for class certification is hereby DENIED.
2. Kimpton's motion to exclude the opinions of plaintiffs' damages expert, which opinions pertain exclusively to calculating damages on a classwide basis, is hereby DENIED as moot.
IT IS SO ORDERED.