Plaintiff Montgomery Beyer (hereafter "Beyer") brings the instant action alleging that certain network security software products sold by Defendant Symantec Corporation (hereafter "Symantec"), specifically network security software products sold or licensed to consumers under the Norton brand ("Norton Products") and to businesses under the Symantec brand ("Enterprise Products," and together with the Norton Products, the "Affected Products"), contained critical defects. See Docket No. 1 ("Compl.") ¶¶ 1-2. Beyer's allegations arise out of a report by Google Inc.'s team of expert cybersecurity analysts, Project Zero, which detail alleged vulnerabilities in a component of Symantec's software, the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25. Beyer argues that Symantec advertises that the Affected Products "protects against the latest online threats" or "protects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites" while knowing that its products suffered from a core decomposer engine defect that exposed entire computer operating systems to various security vulnerabilities. Id. ¶¶ 20-24. Beyer further argues that Symantec failed to disclose that it did not implement patches for third-party source code that it used throughout its product line, and various Symantec misrepresentations and omissions form the basis for his causes of action. Id.
Beyer asserts five causes of action, namely (i) a California Consumer Legal Remedies Act ("CLRA") claim,
Symantec has moved to dismiss for (i) failure to plead the facts and circumstances of the alleged fraud with particularity under Fed. R. Civ. P. 9(b), (ii) failure to state a claim under Fed. R. Civ. P. 12(b)(6), and (iii) lack of Article III standing under Fed. R. Civ. P. 12(b)(1). For the following reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court also DISMISSES Beyer's Song-Beverly Act claim without prejudice. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.
II. FACTUAL AND PROCEDURAL BACKGROUND
The complaint alleges the following:
Symantec produces and sells security software under the Symantec and Norton brands. Both the Symantec and Norton products contain a key component called the AntiVirus Decomposer Engine. This component unpacks compressed executable files so that they can be scanned for malicious code.
Beyer alleges he purchased five Norton Products containing these defects. See Compl. ¶¶ 10, 20-24. He seeks recovery for the second and third purchases only. See Docket No. 22 ("Opp"), at 8 n.3. Beyer made his second purchase "in March 2009," when he bought Norton 360 Premier, v. 2.0 ("Second Software").
"That same year," Beyer purchased another Norton 360 Premier, v. 2.0, from Best Buy ("Third Software").
III. DISCUSSION
A. Article III Standing as to the Enterprise Products
To satisfy Article III's case or controversy requirement, a plaintiff must demonstrate that he or she has suffered an injury in fact, that the injury is traceable to the defendant's conduct, and that the injury can be redressed by a favorable decision. See Fortyune v. Am. Multi-Cinema, Inc. ,
However, this does not necessary deprive Beyer of standing to bring class allegations for purchasers of the Enterprise Products. The ability to centrally manage security data does not gainsay the fundamental defect in the way the Symantec products were designed. The same alleged defects exist in both lines of products. Compl. ¶ 3.
This Court, like others in the Northern District, has held that a plaintiff may proceed on class claims against unpurchased products if they are "substantially similar" to products he has purchased. Swearingen v. Late July Snacks LLC , No. 13-cv-4324-EMC,
In Astiana , the plaintiffs challenged food labels on Dreyer's ice cream products, some of which they had not purchased. In that case,
Plaintiffs are challenging the same kind of food products (i.e. , ice cream) as well as the same labels for all of the products-i.e. , "All Natural Flavors" for the Dreyer's/Edy's products and "All Natural Ice Cream" for the Haagen-Dazs products. That the different ice creams may ultimately have different ingredients is not dispositive as Plaintiffs are challenging the same basic mislabeling practice across different product flavors. Indeed, many of the ingredients are the same ....
Astiana ,
Similarly, this Court held in Swearingen that the plaintiff had pleaded sufficient similarity between purchased and non-purchased cracker and snack chips, because "the non-purchased products are different flavors of the same Multigrain Snack Chips product purchased by Plaintiffs." Swearingen ,
This case is analogous to Astiana and Swearingen . As in Astiana , where the same kind of food product (ice cream) was at issue, the same kind of software product is in dispute here, namely antivirus software. And as in Astiana , where the different ingredients did not preclude standing because the plaintiff challenged "the same basic mislabeling practice," the fact that Enterprise Products have central management features does not preclude standing, because Plaintiff alleges the same security defects in the enterprise and consumer products.
Kane is distinguishable for the same reasons discussed in Swearingen : The Kane complaint failed to specify which products contained the flawed labels, while Plaintiff here has alleged that the AntiVirus Decomposer Engine is in both consumer and enterprise products. See Compl. ¶ 1. Defendant's citation of Romero v. HP, Inc. , No. 16-cv-5415-LHK,
Defendant raises a number of dissimilarities between the two product lines, i.e. , different purchasers (sophisticated business purchasers compared to lay consumer purchasers), different sales materials, and different marketing channels. See Mot. at 31. To Defendant, these dissimilarities would result in dissimilar injuries (though it does not explain how). See
B. Beyer's Fraud Claims Under the UCL, FAL, and CLRA
Beyer alleges that Symantec's statements constitute misrepresentations about its products in violation of the CLRA, the FLA, and the UCL's fraudulent prong. Beyer also alleges that Symantec's failure to disclose the defects was an omission in violation of the same statutes.
The FAL prohibits businesses from disseminating statements that are "untrue or misleading, and which is known, or which by the exercise of reasonable care should be known, to be untrue or misleading."
Because Beyer's claims sound in fraud, the heightened pleading requirements of Rule 9(b) apply. Under Rule 9(b), the plaintiff must plead the "who, what, when, where, and how" of the alleged misconduct. Kearns v. Ford Motor Co. ,
1. Misrepresentation or Omission
Symantec contends that Beyer's claims must be dismissed because Symantec's statements about Norton 360, v. 2.0, are mere puffery and would therefore not mislead a "reasonable consumer," as required by the statutes at issue. Consumer Advocate v. Echostar Satellite Corp. ,
a. Affirmative Statements
For the purposes of this motion, the Court only needs to consider whether the following representations are actionable
• The Second Software "defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates." See Compl. ¶ 21.
• The Second Software provides "enhanced protection" through "industry leading virus, spyware and firewall protection."Id.
• The statement on Best Buy's website that the Third Software "[p]rotects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites." Id. ¶ 22; see Docket No. 23-1.
• The "comparable statements and representations" on the Third Software's packaging and box. Id.
As an initial matter, the statements regarding the Third Software cannot support Beyer's claims. The statement that the software protects against various digital maladies was on Best Buy's website; the FAC does not allege that this statement is attributable to Symantec. In the absence of allegations to the contrary, absent allegations that the statement is attributable to Symantec and not just Best Buy, no claim against Symantec is stated.
In contrast, the "comparable statements and representations" on the packaging and box, id. , are attributable to Symantec. However, that allegation runs afoul Rule 9(b), which requires Beyer to identify the statements at issue with particularity. The mere allegation that the statements
The above claims regarding the Third Software are therefore DISMISSED. Because Beyer may be able to make additional allegations to cure these defects, the dismissal is without prejudice.
That leaves the statements regarding the Second Software. Symantec argues that these statements are puffery.
A misrepresentation must be a "specific and measurable claim, capable of being proved false or of being reasonably interpreted as a statement of objective fact." Rasmussen v. Apple Inc. ,
For example, in Consumer Advocate , the plaintiffs brought a putative class action against a satellite television company under the UCL, FAL, and CLRA for false or misleading ads. The statements were that the service would provide "crystal clear digital video," "CD-quality" audio, an on-screen program guide showing the schedule "up to 7 days in advance," and 50 channels of content. Consumer Advocate ,
In Elias , a consumer brought a putative class action against Hewlett-Packard. He had purchased a laptop from the manufacturer, and he had selected a customization option for a graphics card that, unbeknownst to him, required a higher power supply than the laptop supplied. This allegedly causes computers to overheat, freeze, crash, and even catch fire. As a result, the plaintiff's laptop malfunctioned and was damaged beyond repair. The plaintiff brought, inter alia , claims under the CLRA, FAL, and the fraudulent prong of the UCL for the manufacturer's alleged misrepresentations in the laptop's capabilities. In purchasing the laptop, the plaintiff had relied on statements on the manufacturer's website advertising that the computers at issue had "ultra-reliable performance," "full power and performance," "versatile, reliable system[s]," and were "packed with power" and "delivers the power you need." Elias ,
In L.A. Taxi Cooperative, Inc. v. Uber Techs., Inc. ,
For example, Uber claims that it is "setting the strictest safety standards possible," that its safety is "already best in class," and that its "three-step screening" background check procedure, which includes "county, federal and multi-state checks," adheres to a "comprehensive and new industry standard." Uber has historically described its background check procedures as "industry-leading." Uber's statements also explicitly compare the safety of its services with those offered by taxi cab companies. For example, a statement on Uber's blog describing its "rigorous" background check procedures reads, "Unlike the taxi industry, our background checking process and standards are consistent across the United States and often more rigorous than what is required to become a taxi driver."
Symantec's statements about the Second Software while somewhat general are sufficiently specific so as to not constitute mere puffery at the pleading stage. This case is similar to L.A. Taxi , in which Uber's description of its background checks as "industry-leading" contributed to an actionable impression that an Uber ride is objectively safer. See
In contrast, Symantec's alleged statement that the software "defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates," Compl. ¶ 21, is similar to the claims in Elias that the laptops have "ultra-reliable performance" and "full power and performance," Elias ,
As for the "industry leading" claim, its misleading nature is dependent on Symantec's failure to disclose the two Defects. The Court therefore turns to California law on misleading omissions.
An omission is actionable "if the omitted fact is (1) contrary to a [material] representation actually made by the defendant or (2) is a fact the defendant was obliged to disclose." Gutierrez v. Carmax Auto Superstores Cal. ,
The Defects are also material. The complaint alleges that the High Privilege Defect opened up affected machines to "a wide variety of cyberattacks," some of which qualify as "critical" vulnerabilities and require "[v]ery little knowledge or skill" to exploit, according to a standard vulnerability scoring system. Id. ¶ 28 (alteration in original). Likewise, the Outdated Source Code Defect allegedly exposed affected machines to "[d]ozens of public vulnerabilities," including some that were publicly known. Id. ¶ 29. These vulnerabilities were also rated "critical" and required little knowledge to exploit. Id. ¶ 30. Symantec argues that there is no indication that the Defects were ever actually exploited and so they cannot be material. It is true that the complaint lacks any allegations of such exploits. However, Symantec's argument is factual in nature and is premature on a motion to dismiss. At the pleading stage, the court draws reasonable inferences in the plaintiff's favor. Given the allegations described above, it is reasonable to infer that the Defects are important and material, because they affect the effectiveness and function of Affected Products.
The second prong of omission under Gutierrez regards the duty to disclose even in the absence of a particular representation. Traditionally under California law, "[t]o state a claim for failing to disclose a defect, a party must allege '(1) the existence of a design defect; (2) the existence of an unreasonable safety hazard; (3) a causal connection between the alleged defect and the alleged safety hazard; and that the manufacturer knew of the defect at the time a sale was made.' " Williams v. Yamaha Motor Co. Ltd. ,
The requirement in Williams that there be a safety hazard has been cast into doubt by recent California Court of Appeal opinions. See Collins v. eMachines, Inc. ,
Although the Williams test was employed by the Ninth Circuit in Wilson v. Hewlett-Packard Co. ,
The recent California cases show that Wilson 's safety hazard pleading requirement is not necessary in all omission cases, but that the requirement may remain applicable in some circumstances. In other words, Collins and Rutledge are not necessarily irreconcilable with Wilson because, where the challenged omission does not concern a central functional defect, the plaintiff may still have to plead a safety hazard to establish that the defendant had a duty to disclose. For example, ... Wilson may still apply where the defect in question does not go to the central functionality of the product, but still creates a safety hazard.
Because the complaint in the instant case does not allege a safety hazard, the issue under Collins and Rutledge is whether the High Privilege Defect and Outdated Source Code Defect constitute "physical" defects that were "central" to the Affected Products' function.
These Defects may be considered "physical." As the California appellate court has noted in the very context, "computer software ... may be characterized as tangible property" because the software is " 'recorded in a physical form which has physical existence, takes up space on the tape, disc, or hard drive, makes physical things happen, and can be perceived by the senses.' " Microsoft Corp. v. Franchise Tax Bd. ,
The next question is whether under Collins and Rutledge these High Privilege Defect and Outdated Source Code Defect are central to the Affected Products' function. In Collins plaintiffs had complained that a computer chip in eMachine computers caused "critical data corruption" of the hard drive.
Here, the complaint sufficiently alleges the Defects are central to the function of the Affected Products of safeguarding computers against online threats, virus, spyware, etc. The Defects allegedly open up the operating systems to corruption, create a "critical vulnerability" to online threats, and make computers more susceptible to cyberattacks than they would have otherwise been without the software. Compl. ¶¶ 3, 7, 29-30. Although the complaint does not identify specific instances of resulting damage to computers loaded with the Affected Products, cf. Williams v. Yamaha Motor Co., Ltd. ,
2. Reliance
Reliance is required to achieve standing under the UCL, FAL, and CLRA. See
Symantec argues, however, that Beyer's vague allegations of reliance fall short under Rule 9(b) because he fails to allege he actually read or relied on any representation. See Mot. at 18. It is true that Beyer only alleges that he "reviewed the product page" for the Second Software and does not explicitly allege that he saw the statement that the software was "industry leading." Compl. ¶ 21. Nevertheless, it is reasonable to infer for purposes of the motion to dismiss from the fact that he reviewed the product page that he saw the "industry leading" statement on the page.
Symantec also argues that Beyer fails to sufficiently allege that it knew of the Defects at the time of sale. As an initial matter, Symantec fails to note differences amongst the three statutes as to the knowledge requirement. Knowledge of an undisclosed defect is required for a claim of misrepresentation to lie under the CLRA. See Coleman-Anacleto v. Samsung Elecs. Am., Inc. , No. 16-cv-2941-LHK,
As for the other claims, Symantec argues that the complaint does not allege that it knew of the defects. It points out that the earliest specific allegation of knowledge is when Project Zero revealed the defects in 2016, seven years after Beyer's 2009 purchase of the Second Software. The allegations that it knew of the defects at the time of sale, Symantec argues, are conclusory. Symantec singles out ¶ 40 of the complaint, which alleges:
As the proprietary owner and licensor of the Affected Products, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its AntiVirus Decomposer Engine suffered from extremely serious defects, i.e., the High Privilege Defect and the Outdated Source Code Defect. Furthermore, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its security practices diverged significantly from its own best practices recommendations.
Beyer's Opposition merely parrots this paragraph. See Docket No. 22 ("Opp.") at 16. Despite this, the complaint sufficiently alleges knowledge, because it alleges that Symantec designed and produced the software in question. It plausibly follows from this fact that Symantec knew how the Second Software functioned, including that the software unpacked potentially malicious files in a high-privilege environment. It also plausibly follows that Symantec knew it had used third-party code and knew it did not patch that code when updates were released by the third parties. Furthermore, as early as 2007, Symantec published best-practice guidelines advising readers to the principle of least privilege and to keep third-party code updated. See Compl. ¶ 21. Together, this suffices to establish knowledge, which need only be plead generally. See Fed. R. Civ. P. 9(b) ("Malice, intent, knowledge, and other conditions of a person's mind may be plead generally."). But the allegations suffice at the pleading stage. The CLRA and FAL claims therefore survive.
In sum, the Court DISMISSES without prejudice Beyer's fraud claims as to the Third Software. The motion is otherwise DENIED.
4. Song-Beverly Act Claim
Under the Song-Beverly Act, "every sale of consumer goods that are sold at retail in this state shall be accompanied by the manufacturer's and retail seller's implied warranty that the goods are merchantable,"
(1) Pass without objection in the trade under the contract description.
(2) Are fit for the ordinary purposes for which such goods are used.
(3) Are adequately contained, packaged, and labeled.
(4) Conform to the promises or affirmations of fact made on the container or label.
Symantec argues that the Song-Beverly claim fails because Beyer failed to allege that the Second Software was "sold at retail in this state." It notes that Beyer is a resident of Michigan and that Beyer alleges only that he "purchased an upgrade to Norton 360 Premier, v. 2.0." Compl. ¶ 21. Beyer's responds that the Second Software's end user license agreement selects California law in its choice of law provision. See
5. UCL Claim
Apart from the fraudulent and unlawful prongs of the UCL, Beyer also asserts claims under the unfair prong:
90. Defendant's actions as alleged in this Complaint constitute an "unfair" practice, because they offend established public policy and are immoral, unethical, oppressive, unscrupulous, and substantially injurious to Defendant's customers. The harm caused by Defendant's wrongful conduct outweighs any utility of such conduct and has caused substantial injury to Plaintiff and the Nationwide Class. Defendant could and should have chosen one of many reasonably available alternatives, including not selling antivirus products that contained fundamental defects with the core engine, disclosing the defects to prospective purchasers, and/or not representing that its products were suitable for ordinary consumer or business use. Additionally, Defendant's conduct was "unfair," because it violated the legislatively declared policies reflected by California's strong consumer protection and false advertising laws, including the CLRA,CAL. CIV. CODE §§ 1750 et seq. and the FAL, CAL. BUS. & PROF. CODE §§ 17500 et seq.
See Compl. ¶ 90.
As an initial matter, the Court agrees with Symantec that the "unfair" claim relies on the same factual allegations as those underlying the "unlawful" and "fraudulent" claims, meaning it sounds in fraud and Rule 9(b) applies. See Kearns v. Ford Motor Co. ,
Symantec also argues that Beyer's unfairness claim fails the applicable substantive standard. Since Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co. ,
Under either test, the complaint survives. Under the more rigorous test, Beyer has sufficiently identified a California public policy against misleading marketing statements, as embodied in the CLRA, FAL, and the UCL's fraudulent prong. Because Symantec's statements regarding the Second Software, as alleged, contravene this public policy, Beyer has made out a claim as to that product. Cf. In re Carrier IQ, Inc. ,
6. Quasi-Contract/Unjust Enrichment Claim
That leaves Beyer's claim for unjust enrichment. California courts have stated that courts may construe an unjust enrichment claim "as a quasi-contract claim seeking restitution." Rutherford Holdings, LLC v. Plaza Del Rey ,
IV. CONCLUSION
For the foregoing reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.
This order disposes of Docket No. 17.
IT IS SO ORDERED.
Notes
Representations cited in paragraph 18 and 19 in the Complaint are not actionable as they are all after Beyer's dates of purchase. See Compl. ¶¶ 18-19. Beyer's citation of these materials in his opposition to Symantec's motion to dismiss are thus irrelevant. See Docket No. 22, at 16-17.
This conclusion is without prejudice to future motions, e.g. , for summary judgment or adjudication which take into accord the factual record of, inter alia , the frequency of harm suffered as a result of the defects.
Again, this ruling is without prejudice to any future motions or adjudication should the factual record establish Plaintiff cannot meet his burden of proving, e.g. , that he saw and read the product statement.
Symantec also argues that the cases Beyer cites are inapposite because they pertain to conventional purchases not conducted online. See Docket No 24 (Reply) at 11. However, California case law supports Beyer's position that § 2401(2)(a) applies to online purchases. See Cal. State Elecs. Ass'n v. Zeos Int'l Ltd. ,
Symantec also argues that the unfairness claim should fail, because its factual basis overlaps entirely with the fraudulent and unlawful claims, which fail. Because the fraudulent and unlawful claims survive, this argument in inapposite.