In re Adobe Systems, Inc. Privacy Litigation
66 F. Supp. 3d 1197
N.D. Cal. 2014
Background
- Adobe, a large software company, suffered a data breach in 2013 that exposed the personal information of millions of customers; plaintiffs seek relief under California CRA provisions and related UCL theories.
- Plaintiffs allege Adobe failed to maintain “reasonable security” and delayed breach notification under Cal. Civ. Code §§ 1798.81.5, 1798.82; they seek injunctive relief and UCL remedies.
- The case is part of consolidated litigation filed 2013–2014; the court grants in part and denies in part Adobe’s motion to dismiss.
- Plaintiffs allege standing theories including increased risk of future harm and mitigation costs; four named Californians are class representatives, with two non-California plaintiffs also named.
- The court addresses four claims (CRA, Declaratory Relief, UCL Injunction, UCL Restitution) and allows some claims to proceed while dismissing others without prejudice.
- The court takes judicial notice of various Adobe policies and public records in considering the motion to dismiss.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether plaintiffs have Article III standing for the CRA claim | Plaintiffs have injury-in-fact from risk of future harm and remediation costs | Plaintiffs lack standing due to no concrete injury from security failures or notification delays | Plaintiff standing found for CRA claim (injury-in-fact and causation) |
| Whether plaintiffs have standing to pursue Section 1798.82 (breach notification) | Plaintiffs suffered injury from delayed notification | No alleged incremental harm from delay stated | Dismissed for lack of Article III standing, with leave to amend |
| Whether the Declaratory Judgment Act claim is ripe and proper | There is a current dispute over Adobe’s obligation to provide reasonable security | No real dispute; request is advisory or future-oriented | Declaratory relief claim plausibly arises from current dispute and proper jurisdictional basis exists |
| Whether the UCL injunction claim is viable for all plaintiffs | UCL unlawfully/inaccurately alleges failure to safeguard data; standing supported | Duke and Page lack standing; contract-remedy concerns; lack of unlawfulness | UCL injunction survives for four plaintiffs (Duke/Page dismissed without prejudice) |
| Whether the UCL restitution claim is viable for ColdFusion/Creative Cloud class | Claims for overpayment due to alleged misrepresentations regarding security apply to both products | Standing to represent ColdFusion customers and pleading omissions contested | Restitution claim allowed; standing for Halpain and McGlynn to represent ColdFusion and Creative Cloud; others denied without prejudice |
Key Cases Cited
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (standing based on credible threat of imminent harm from data breach)
- Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013) (standing requires certainly impending injury; rejects mere possible future injury; discusses substantial risk)
- Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010) (standing where a substantial risk of harm may prompt mitigation)
- Whitmore v. Arkansas, 495 U.S. 149 (1990) (injury-in-fact requirement; discussion of threatened injury)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (basic standing elements: injury, causation, redressability)
- O’Shea v. Littleton, 414 U.S. 488 (1974) (standing in class actions; named plaintiffs must show individual injury)
- Cel-Tech Communications, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal.4th 163 (1999) (UCL unlawful prong allows borrowing of other statutes)
- Kwikset Corp. v. Superior Court, 51 Cal.4th 310 (2011) (standing for UCL by showing economic injury from unfair competition)
