Claridge v. RockYou, Inc.
2011 U.S. Dist. LEXIS 39145
N.D. Cal. 2011
Background
- Plaintiff alleges RockYou failed to secure users' sensitive PII (emails, passwords) stored in its database.
- RockYou apps operate on social networks and display paid ads; users register with RockYou and provide PII.
- Plaintiff was a RockYou user and alleges his PII was compromised in a 2009 breach after a SQL injection vulnerability was exposed.
- Imperva notified RockYou of a SQL injection flaw; RockYou allegedly delayed patching, allowing further access to user data.
- Plaintiff asserts nine causes of action, including SCA, UCL, Penal Code 502, CLRA, contract-based claims, and tort claims.
- Court grants in part and denies in part RockYou’s motion to dismiss; several claims are dismissed with prejudice, others may be amended.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing and injury in fact | Claridge has suffered a concrete, particularized injury from PII disclosure. | Plaintiff's alleged injury is too speculative and not adequately concrete. | General standing adequate at pleading; some specific injury elements not yet pled for each claim. |
| SCA claim properly pleaded | Wrong subsection pleaded; intends 2702(a)(1) covering contents in electronic storage. | Even 2702(a)(1) merits dismissal if not properly pled or if contents not covered. | Dismissal of 2702(a)(3) granted; leave to amend to plead 2702(a)(1). |
| UCL claim viability | PII constitutes injury; unfair competition occurred. | PII loss does not constitute lost money or property under heightened UCL standing. | UCL claim dismissed with prejudice for failure to plead the required injury. |
| CLRA claim viability | PII value supports consumer status and deceptive practices under CLRA. | Plaintiff is not a consumer; CLRA requires personal purchase of goods/services. | CLRA claim dismissed with prejudice for lack of consumer status. |
| Contractual claims and implied covenant | Breach of contract/implied contract damages traced to PII value loss; covenant breached by not safeguarding data. | Damages required; Careau standard requires conscious, deliberate acts beyond mere breach; missing here. | Breach of contract and breach of implied contract survive; implied covenant claim dismissed with leave to amend. |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (injury in fact requires concrete, particularized injury)
- Erickson v. Pardus, 551 U.S. 89 (2007) (notice pleading standard)
- Twombly v. Bell Atlantic Corp., 550 U.S. 544 (2007) (pleading must state claims plausible on their face)
- Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009) (plausibility standard governs pleading of claims)
- Silvaco Data Systems v. Intel Corp., 184 Cal.App.4th 210 (2010) (UCL injury requires loss of money or property under heightened standard)
- Careau & Co. v. Security Pacific Business Credit, Inc., 222 Cal.App.3d 1371 (1990) (implied covenant requires more than mere breach; conscious and deliberate acts)
- Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542 (9th Cir. 1989) (exhibits attached to complaint may be considered on motion to dismiss)
- Van Buskirk v. Cable News Network, Inc., 284 F.3d 977 (9th Cir. 2002) (documents referenced by complaint can be considered authentic on motion to dismiss)
- Allarcom Pay Television, Ltd. v. Gen. Instrument Corp., 69 F.3d 381 (9th Cir. 1995) (courts may consider public records on 12(b)(6) motions)
