ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
Defendant’s motion to dismiss the complaint came on for hearing on February 2, 2011 before this court. Plaintiff Alan Claridge (“plaintiff” or “Claridge”), appeared through his counsel, Christopher Dore and Michael Aschenbrener. Defendant RockYou, Inc. (“defendant” or “RockYou”) appeared through its counsel, Daniel Weinberg, and Karen Johnson-McKewan. Having read all the papers submitted and carefully considered the relevant legal authority, the court hereby GRANTS defendant’s motion to dismiss in part and DENIES the motion to dismiss in part, for the reasons stated at the hearing, and as follows.
BACKGROUND
Plaintiff brings the instant action against defendant for allegedly failing to secure and safeguard its users’ sensitive personally identifiable information (“PII”), including email addresses, passwords, and login credentials for social networks like MySpace and Facebook. See First Amended Complaint (“FAC”), ¶ 1.
Defendant RockYou is a publisher and developer of online services and applications for use with social networking sites such as Facebook, MySpace, hi5 and Bebo. Applications developed by RockYou include those that enable users to share photos, write special text on a friend’s page, or play games with other users. FAC, ¶ 10. Customers sign up to use RockYou’s applications through rockyou.com, and they are asked to provide a valid e-mail address and registration password, which RockYou then stores in its database. FAC, ¶ 11. Additionally, a customer may be required to provide RockYou with a username and password for accessing a particular social network. Id. When users operate a RockYou application on a social networking site, RockYou utilizes the application as a platform to display paid advertisements. See FAC, ¶ 10. Defendant claims to be the leading provider of social networking application-based advertising services, with more than 130 million unique customers using its applications on a monthly basis. Id.
Plaintiff Claridge was a registered account holder with RockYou during the relevant time period, having registered with RockYou on August 13, 2008. FAC, ¶ 52. He signed up to utilize a photo sharing application offered by defendant, and submitted his e-mail address and password to defendant in order to do so. Id. at ¶ 53.
Plaintiff alleges that RockYou promised through its website that it would safeguard its users’ sensitive PII, through a written policy that stated: “RockYou! uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information ...” FAC, ¶ 12. Despite this promise, plaintiff alleges that RockYou — which collects and stores millions of users’ PII in a large-scale commercial database — stored all PII in “clear” or “plain” text, which means that RockYou utilized no form of encryption in order to prevent intruders from easily reading and removing users’ PII. FAC, ¶ 15. The PII was therefore readily accessible to anyone with access to the database. Id., ¶ 16.
Among the options available to protect its customers, plaintiff alleges that RockYou could have followed a commonly used method of protecting sensitive data that requires conversion and storage of a “hashed” form of a plain text password. Defendant failed, however, to use hashing, or any other common and reasonable method of data protection. FAC, ¶¶ 18-19. Plaintiff alleges that, by failing to secure its users’ PII, RockYou made email account and social networking account access available to even the least capable hacker. Id., ¶ 21.
On December 4, 2009, an online security firm called Imperva, Inc. (“Imperva”) notified RockYou of a security problem with its SQL database (SQL is a database computer language designed for storing data in database management systems). Imperva specifically informed RockYou that it had become aware of a ‘SQL injection flaw’ in RockYou’s system — which would allow a hacker to take advantage of web software to introduce malicious code into a company’s network. FAC, ¶ 25. According to Imperva, hackers were regularly discussing RockYou’s SQL injection vulnerability in underground hacker forums, and the fact that this vulnerability was being actively exploited. Id. Imperva allegedly believed that prior to warning RockYou, it was likely that breaches had already occurred through RockYou’s SQL injection flaw, and that RockYou users’ webmail accounts had been accessed as a result of such breaches. Id., ¶ 28.
Plaintiff alleges that knowledge and understanding of SQL injection flaws has been widespread for more than a decade, and that such flaws are easy to prevent and well known to any web developer handling a large-scale commercial website. See FAC, ¶ 27. However, because RockYou did not have proper security in place and failed to use commercially reasonable methods to prevent a well-known method of attack, its security flaw was being actively exploited and the contents of its database were known and being made public through underground hacker forums on or before November 29, 2009. Id., ¶ 31.
After Imperva warned RockYou of its SQL injection flaw, RockYou issued a press release stating that RockYou had immediately brought down its site in response to the warning, and kept it down until a security patch was in place. FAC, ¶ 34. Plaintiff alleges, however, that RockYou did not in fact respond immediately to Imperva’s warning, and waited at least one day to take action to repair the SQL vulnerability. Id., ¶ 35.
In the time prior to fixing the SQL vulnerability flaw — and prior to Imperva’s warning — plaintiff alleges that at least one confirmed hacker known as “igigi” accessed RockYou’s database and accessed and copied the email and social networking login credentials of approximately 32 million registered RockYou users. FAC, ¶ 36.
In a statement issued after RockYou publicly announced the security breach, defendant acknowledged that one or more individuals had illegally breached its databases, and further acknowledged that at the time of the breach, the hacked database had not been up to date with regard to “industry standard security protocols.” FAC, ¶ 41.
On December 15, 2009, plaintiff Claridge received an e-mail from RockYou informing him that his sensitive PII stored with RockYou may have been compromised through a security breach. See FAC, ¶ 54.
Based on the foregoing allegations, plaintiff filed the instant suit against RockYou, on behalf of himself and a class of similarly situated individuals, defined as: “All individuals and entities in the United States who had RockYou accounts in 2009.” FAC, ¶ 55.
Plaintiff asserts the following nine causes of action against RockYou:
1. violation of the Stored Communications Act, 18 U.S.C. § 2702;
2. violation of California’s Unfair Competition Law, Cal. Bus. & Prof.Code § 17200;
3. violation of California’s Computer Crime Law, Cal. Penal Code § 502;
4. violation of the California Consumer Legal Remedies Act, Cal. Civ.Code § 1750;
5. breach of contract;
6. breach of the implied covenant of good faith and fair dealing;
7. breach of implied contracts;
8. negligence; and
9. negligence per se
See generally FAC.
Defendant now moves to dismiss all nine causes of action, for failure to state a claim.
DISCUSSION
A. Legal Standard
A motion to dismiss under Rule 12(b)(6) tests for the legal sufficiency of the claims alleged in the complaint.
Ileto v. Glock, Inc.,
Rule 8(a)(2) requires only that the complaint include a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Specific facts are unnecessary — the statement need only give the defendant “fair notice of the claim and the grounds upon which it rests.”
Erickson v. Pardus,
A motion to dismiss should be granted if the complaint does not proffer enough facts to state a claim for relief that is plausible on its face.
See id. at 558-59,
In addition, when resolving a motion to dismiss for failure to state a claim, the court may not generally consider materials outside the pleadings.
Lee v. City of Los Angeles,
B. Analysis
Defendant’s motion requires a straightforward analysis of each of the nine claims stated in plaintiff’s complaint. As a preliminary matter, however, the court first turns its attention to the parties’ standing arguments. Defendant, who challenges plaintiff’s ability to adequately allege standing, appears to subsume within its arguments two different sub-arguments: plaintiff’s ability to allege injury in fact standing (i.e., Article III standing); and plaintiff’s ability to adequately allege the elements of injury in connection with the individual claims asserted against defendant.
To the extent the former is at issue, the parties dispute whether plaintiff has sufficiently alleged any actionable harm or concrete, tangible, non-speculative harm or loss.
See, e.g., Lujan v. Defenders of Wildlife,
In the face of defendant’s contention that these allegations are both insufficient and unprecedented in establishing either a concrete or non-speculative injury, plaintiff admits to advancing a novel theory of damages for which supporting case law is scarce. And indeed, the case law cited by the parties demonstrates no clearly established law regarding the sufficiency of allegations of injury in the context of the disclosure of online personal information.
See, e.g., Ruiz v. Gap, Inc.,
On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing. Not only is there a paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory, but the court also takes note that the context in which plaintiff’s theory arises — i.e., the unauthorized disclosure of personal information via the Internet — is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts. For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.
Notwithstanding the court’s conclusion that Article III standing has generally been adequately pled at this juncture, the court further concludes that plaintiff has nonetheless failed to allege the more particularized elements of injury with respect to several of plaintiff’s numerous individual causes of action.
The court now turns to the sufficiency of plaintiff’s allegations with respect to each individual claim asserted.
1. Stored Communications Act (“SCA”) (Claim 1)
In response to defendant’s motion to dismiss this claim, plaintiff concedes from the outset that his complaint has inadvertently alleged the wrong provision of the Stored Communications Act. Specifically, the complaint alleges a cause of action pursuant to section 2702(a)(3) of the Act, which prohibits the disclosure of qualifying information to government entities. FAC, ¶¶ 66-74. Since this provision does not reach the merits of the instant lawsuit, plaintiff contends that he instead meant to allege a claim under section 2702(a)(1) of the Act, which provides that: “a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service ...” See 18 U.S.C. § 2702(a)(1).
In view of plaintiff’s concession, defendant’s motion to dismiss plaintiff’s claim pursuant to section 2703(a)(3) of the SCA is GRANTED. Plaintiff is granted leave to amend the complaint, however, in order to state a proper claim pursuant to section 2702(a)(1). Although defendant has argued that even a claim brought pursuant to section 2702(a)(1) should be dismissed on grounds that the alleged login credentials stolen by hackers do not constitute “contents of a communication” that would be covered by the statute, and on grounds that plaintiff fails to allege that RockYou “knowingly divulge[d]” any communications to any person, the merits of these arguments are not properly before the court absent amendment.
2. Unfair Competition Law (“UCL”) (Claim 2)
“California’s unfair competition statute prohibits any unfair competition, which means ‘any unlawful, unfair or fraudulent business act or practice.’ ”
In re Pomona Valley Med. Group,
Defendant here asserts plaintiff has failed to allege any loss of money or property as a result of defendant’s allegedly unfair competition. The court agrees. As defendant notes, the California appellate court has recently passed upon the meaning of ‘lost money or property’ under the UCL specifically. In
Silvaco Data Systems v. Intel Corp.,
Applying this heightened concept of injury under the UCL, plaintiff’s claim that his PII constitutes lost ‘money’ — based on plaintiff’s untested theory that PII constitutes ‘currency’ — strains the acceptable boundaries of ‘injury’ under the statute. Similarly, to the extent that plaintiff makes the equally untested claim that his PII constitutes ‘property,’ plaintiff makes no allegation — nor can he — that his PII was ‘lost’ in the sense understood under the UCL. For as defendant points out, plaintiff’s PII — e.g., his login and password information — did not cease to belong to him, or pass beyond his control.
In sum, plaintiff has failed to plead the heightened degree of injury required under the UCL. The court need not therefore delve into an analysis of whether plaintiff has met the remaining substantive prongs of a UCL claim, but instead GRANTS defendant’s motion to dismiss the plaintiff’s UCL claim based on the injury requirement alone. Because plaintiff cannot cure the foregoing deficiencies, the dismissal is with prejudice.
3. California Penal Code § 502 (Claim 3)
Cal. Penal Code § 502(c)(6) prohibits any person from committing the following act: “Knowingly and without permission provid[ing] or assist[ing] in providing a means of accessing a computer, computer system, or computer network in violation of this section.” Defendant asserts that this claim fails, however, because defendant is not a proper defendant under this subsection, and because plaintiff fails to allege that he suffered any “loss” under this provision.
Defendant is correct that dismissal is warranted by reason of the former. Plaintiff argues that defendant “provided a means” for hackers to access defendant’s computer system, by failing to establish commercially reasonable security methods to protect the PII on its system. Plaintiff further relies on his allegations that defendant’s actions were knowing and “without permission,” because plaintiff never gave defendant permission to provide its PII to any hackers. FAC, ¶ 96. Review of section 502(c), however — which, as a penal statute, is to be strictly construed — reveals that the legislature’s intent in drafting the statute was to protect against “tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” See Cal. Penal Code § 502(a). And while plaintiff is correct that this protection is broadly read to include protection for all — i.e., individuals, private companies, government entities — it is less than clear that the statute is meant to subject individuals or entities to liability who took no active role in tampering with, or in gaining unauthorized access to computer systems. Indeed, the relatively few cases interpreting the statute largely seek to impose liability against individuals or entities who are alleged to have actually participated in unauthorized ‘hacking’ or the unlawful disclosure of information. This scenario is distinguishable from the present action, in which plaintiff seeks to impose liability on defendant for third party hackers’ unauthorized access of and tampering with defendant’s system.
In the absence of case law submitted firmly suggesting liability over defendant on grounds that defendant failed to provide a sufficiently secure computer system, the court agrees with defendant that plaintiff has failed to allege that defendant falls within the scope of liability contemplated by section 502(c)(6). Accordingly, defendant’s motion to dismiss this claim is GRANTED. The dismissal is with prejudice.
4. Consumer Legal Remedies Act Claim (Claim 4)
Defendant asserts that plaintiff cannot state a valid claim under the Consumer Legal Remedies Act (“CLRA”). The CLRA proscribes various practices that are deemed unfair and/or deceptive to consumers. In alleging that defendant violated the CLRA, plaintiff relies on Cal. Civ.Code § 1770(a)(5), which prohibits any person “in a transaction intended to result or which results in the sale or lease of goods or services to any consumer” from: “Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have or that a person has a sponsorship, approval, status, affiliation, or connection which he or she does not have.”
Defendant here correctly argues that plaintiff cannot state a valid claim under this provision of the CLRA because he has not alleged that he is a “consumer” within the meaning of the statute. The CLRA permits “consumers” to file suit pursuant to section 1770 and further defines a “consumer” to be “an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes.” See Cal. Civ.Code § 1761(d). Plaintiff, however, does not fall under this definition, since he did not “purchase or lease” any goods or services from defendant — a strict requirement under the statute. To be sure, plaintiff relies on his oft-repeated theory that, because his PII has an “ascertainable value” and constitutes both currency and property, his transfer of PII information to defendant in exchange for free applications, constitutes a “purchase” or “lease” under the CLRA. However, this argument — and the more generalized notion that the phrase “purchase” or “lease” contemplates any less than tangible form of payment — finds no support under the specific statutory language of the CLRA, nor has plaintiff relied on any legal authority suggesting as much.
All of which requires the court to conclude that plaintiff has failed to allege the requisite “consumer” status under the CLRA, such that a viable claim under the Act may be stated. The court therefore GRANTS defendant’s motion to dismiss plaintiff’s CLRA claim. Since there are no allegations that would cure the foregoing deficiency, the dismissal is with prejudice.
5. Contractual Claims (Claims 5-7)
Plaintiff alleges three contractual based claims: breach of contract, breach of implied contract; and breach of the implied covenant of good faith and fair dealing. See FAC, ¶¶ 110-133. Defendant challenges all contractual claims, in part, for failure to allege any actionable damages. Specifically, defendant asserts that plaintiff has failed to allege that the value of his PII has diminished as a result of defendant’s actions, how the breach of his PII affects him, or any loss whatsoever.
As a general matter, defendant is correct that plaintiff must plead damages resulting from any alleged contractual breach.
See, e.g., First Comm. Mort. Co. v. Reece,
For the reasons already noted at the outset, therefore, the court concludes that at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII. As such, the court declines to dismiss plaintiff’s breach claims on grounds that plaintiff has failed to allege damages or harm as a matter of law.
To the extent that defendant has also argued, moreover, that plaintiff’s contractual claims should be dismissed because the provisions of the privacy policy maintained by defendant expressly provide that no liability will result due to a third party’s unauthorized access of defendant’s computer system, defendant’s argument is unpersuasive. For as plaintiff points out, the policy upon which the parties rely actually provides that: “RockYou! ... assumes no liability or responsibility for ... (III) any unauthorized access to or use of our secure servers and/or any and all personal information and/or financial information stored therein ... ”. See Mot. Dismiss at 19:26-20:2 (emphasis added). Since plaintiff is alleging that the servers were not, in fact, secure, this provision of the policy does not automatically preclude plaintiff’s contract claims.
However, to the extent defendant additionally argues that plaintiff’s claim for breach of the implied covenant of good faith and fair dealing must fail pursuant to
Careau & Co. v. Security Pacific Business Credit, Inc.,
Accordingly, while the court is unpersuaded that dismissal of plaintiff’s contractual claims for breach of contract and breach of implied contract is warranted and therefore DENIES the motion with respect to these two claims, the court agrees with defendant that plaintiff’s claim for breach of the implied covenant of good faith and fair dealing is fatally deficient, and GRANTS the motion with respect to that claim. Leave to amend is granted, however, so that plaintiff may re-allege any additional facts sufficient to state a proper claim, if available.
6. Negligence Claims (Claims 8-9)
Defendant also contends that plaintiff’s negligence and negligence per se claims fail to state valid claims. An action in negligence requires a showing that the defendant owed the plaintiff a legal duty, that the defendant breached the duty, and that the breach was a proximate or legal cause of injuries suffered by the plaintiff.
See United States Liab. Ins. Co. v. Haidinger-Hayes, Inc.,
First, beginning with plaintiff’s negligence claim, defendant again reiterates that plaintiff’s negligence claim fails because plaintiff has failed to plead any sufficiently cognizable injuries to establish damages.
See, e.g., Ruiz v. Gap, Inc.,
Second, and turning to plaintiff’s negligence per se claim, defendant asserts that plaintiff has failed to establish that any statutory violation — under the Stored Communications Act, UCL, Penal Code § 502, or CLRA — has been sufficiently pled, such that a claim for negligence per se may be stated. As already stated elsewhere herein, each of these claims — with the exception of plaintiff’s SCA claim — has been dismissed with prejudice. Plaintiff has been given leave, however, to amend his SCA claim. Accordingly, since plaintiff’s negligence per se claim may yet be premised upon a viable claim under the SCA, the court DENIES defendant’s motion to dismiss the negligence per se claim at this time.
C. Conclusion
For all the foregoing reasons, defendant’s motion to dismiss plaintiff’s complaint is GRANTED in part and DENIED in part. Specifically, the court dismisses plaintiff’s first, second, third, fourth, and sixth causes of action. The dismissal is with prejudice as to plaintiff’s second, third, and fourth causes of action, and leave to amend is granted with respect to plaintiff’s first and sixth causes of action. The court denies dismissal, however, with respect to plaintiff’s fifth, seventh, eighth, and ninth causes of action.
Plaintiff must file any amended complaint no later than May 11, 2011. Leave is not granted to add any additional claims.
IT IS SO ORDERED.
