Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION
ALEXANDER HUYNH, et al., Case No. 5:18-cv-07597-BLF Plaintiffs, ORDER GRANTING IN PART AND v. DENYING IN PART DEFENDANT’S
MOTION FOR SUMMARY QUORA, INC., JUDGMENT Defendant. [Re: ECF 140]
In this putative class action, Plaintiff Jeri Connor (“Plaintiff”) alleges that Defendant Quora, Inc. (“Defendant”) failed to safeguard its users’ personal identifying information (“PII”) from a data breach of their platform. Before the Court is Defendant’s Motion for Summary Judgment on the remaining claims for (1) negligence and (2) California’s Unfair Competition Law (the “UCL”). Mot. for Summary J. (“Mot.”), ECF 140. Having considered the parties’ briefing, oral arguments on October 29, 2020, and the applicable law, the Court GRANTS IN PART and DENIES IN PART Defendant’s Motion.
I. BACKGROUND
A. The Undisputed Facts of the Data Breach [1]
21
Defendant Quora is a question-and-answer social media platform. Decl. of Paula Griffin 22
(“Griffin Decl.”) ¶ 3, ECF 140-1; Decl. of Zhe Fu (“Fu Decl.”) ¶ 3, ECF 140-2. To become one of 23
its users, a person must create an account and provide Defendant certain PII, which the company 24
collects and maintains under its Privacy Policy. Griffin Decl. ¶ 4; Decl. of Steven R.
25
Weinmann (“Weinmann Decl.”) Ex. C (“Terms of Service”), ECF 151-1, and Ex. F (“Privacy 26
27
Policy”), ECF 151-4. Defendant also provides users the ability to link their accounts with other social media accounts such as Facebook and LinkedIn. See Weinmann Decl. Ex. B, at 20:6-9, ECF 152-1, and Decl. of Rebekah S. Guyon (“Guyon Decl.”) Ex. 13, ECF 140-4 (collectively “Connor Tr.”); see also Guyon Decl. Ex. 11 (“Disclosure Email”), ECF 140-4.
On November 30, 2018, Defendant learned that a third-party had breached its platform approximately six months earlier (the “Data Breach”). Fu Decl. ¶ 4; Weinmann Decl. Ex. D (“Griffin Tr.”), at 41:13-19, ECF 151-2; Decl. of Paul R. Wood (“Wood Decl.”) Ex. 2 (“Quora Blog Post”), ECF 150-4. Days later on December 3, 2018, Defendant disclosed the Data Breach via email to its affected users, including Plaintiff Jeri Connor. See Disclosure Email. One month later in January 2019, Plaintiff purchased premium credit monitoring from ClickFreeScore for five months, costing $39.90 per month. [2] See Guyon Decl. Ex. 12 (“Purchase Receipt”) and Ex. 17 (“Cancellation Receipt”), ECF 140-4; Connor Tr. 197:1-198:11. Since she received notice of the Data Breach, Plaintiff says she has spent approximately one hour per day monitoring her accounts. Connor Tr. 242:16-24. While Plaintiff has been the victim of numerous other data breaches and feels she has been put at risk for identity theft, she does not allege that she has yet suffered actual identity theft or fraud since the Data Breach. Connor Tr. 10:5-11:13, 16:18-23, 17:5-15, 39:6-10, 44:4-9. B. Procedural History
Plaintiff Alexander Huynh commenced this action on December 18, 2018. Compl., ECF 1. After several other cases were consolidated into this one, Plaintiffs filed the Second Amended Complaint on April 25, 2019. See Order, ECF 17; Order, ECF 19; Order, ECF 45; Second Am. Compl. (“SAC”), ECF 55. On December 19, 2019, the Court granted in part and denied in part Defendant’s motion to dismiss the Second Amended Complaint. Order (“Prior Order I”), ECF 72.
On February 25, 2020, Plaintiffs filed the Third Amended Complaint, alleging four causes of action: (1) violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq. ; (2) negligence; (3) breach of confidence; and (4) breach of contract. [3] See Consol. Third Am. Class Action Compl. (“TAC”) ¶¶ 68-115, ECF 85. On February 28, 2020, Defendant moved to dismiss the Third Amended Complaint. Mot., ECF 88. On June 1, 2020, the Court granted in part and denied in part Defendant’s motion to dismiss, allowing Plaintiffs’ negligence and UCL claims to proceed. Order (“Prior Order II”), ECF 116.
Defendant filed this Motion for Summary Judgment on September 4, 2020. See generally Mot. Plaintiff timely filed the Opposition on October 5, 2020. See generally Opp’n, ECF 154. Defendant filed the Reply on October 15, 2020. See generally Reply, ECF 161.
II. RULE 56 SUMMARY JUDGMENT LEGAL STANDARD
“A party is entitled to summary judgment if the ‘movant shows that there is no genuine
dispute as to any material fact and the movant is entitled to judgment as a matter of law.’”
City of
Pomona v. SQM N. Am. Corp.
,
If the moving party meets its initial burden, the burden shifts to the nonmoving party to
produce evidence supporting its claims or defenses.
Nissan Fire
,
Plaintiff alleges that Defendant has obfuscated the nature and details of the Data Breach, undermining her ability to determine whether any compromised information can be used to perpetrate fraud or identity theft. Opp’n 4. Plaintiff therefore moves to delay or deny Defendant’s Motion for Summary Judgment pursuant to Rule 56(d) so that she can develop facts regarding the scope of the Data Breach. Opp’n 4, 6-7. Plaintiff’s request is DENIED.
Federal Rule of Civil Procedure 56(d) is “a device for litigants to avoid summary judgment
when they have not had sufficient time to develop affirmative evidence.”
U.S. v. Kitsap
Physicians Serv.
,
If a nonmovant shows by affidavit or declaration that, for specified reasons, it cannot present facts essential to justify its opposition, the court may: (1) defer considering the motion or deny it; (2) allow time to obtain affidavits or declarations or to take discovery; or
(3) issue any other appropriate order.
To prevail on a Rule 56(d) request, the party seeking relief must show that “(1) it has set
forth in affidavit form the specific facts it hopes to elicit from further discovery; (2) the facts
sought exist; and (3) the sought-after facts are essential to oppose summary judgment.”
Family
Home & Fin. Ctr., Inc. v. Fed. Home Loan Mortg. Corp.
,
Here, Plaintiff sets forth the discovery sought in the Declaration of Paul R. Wood and in the Opposition. Plaintiff seeks further discovery to determine “whether Quora’s conclusory ‘facts’ regarding the breach and the extent of the data compromised are supported or accurate.” Opp’n 7; see also Wood Decl. ¶¶ 3-8. With the discovery of these facts, she aims to rebut the facts in Defendant’s declarations “regarding (1) when the breach occurred; (2) the Quora databases that were compromised; (3) the storage and characteristics of the Quora access tokens; and (4) whether the searches run by Griffin in the backup data base captured all data related to Plaintiff.” Opp’n 7. Plaintiff also requests more time to depose Defendant’s witnesses. Opp’n 7; Wood Decl. ¶¶ 5-7. In response, Defendant argues that “(1) the discovery [Plaintiff] seeks . . . is not essential; (2) she has identified no facts that actually exist that would refute summary judgment (which is premised on her own lack of causation or harm); and (3) she delayed discovery without excuse.” Reply 3.
This Court agrees that Plaintiff does not explain how the information that she seeks to
discover is “essential” to justifying her Opposition.
See
Fed. R. Civ. P. 56(d). Neither the
Opposition nor the Declaration of Paul R. Wood explains how a continuance or denial would
allow Plaintiff to develop the factual issues surrounding actionable causation or damages, the
bases for Defendant’s Motion as to Plaintiff’s negligence claim. Mot. 9-20;
see also Tatum v.
City & Cnty. of San Francisco
,
judgment.”
Brae Transp., Inc. v. Coopers & Lybrand
,
A. Connor Tr. 242:15-18: Response to Allegedly Leading Question on Redirect Plaintiff testified to the following at her deposition:
Q. And in addition to purchasing credit monitoring through ClickFreeScore.com from January to June, did you also . . . monitor your credit during that period? A. Yes.
Q. And did you monitor it more than you did prior to the Quora Breach?
MR. BALLON: Objection to form; more than? Vague and ambiguous. Q. Excuse me. Let me rephrase it. Did the level of your monitoring increase after the Quora breach? A. Yes.
Q. And . . . how frequently would you monitor your credit after the Quora breach? A. Daily. Q. And approximately how much time would you spend monitoring your credit after the
Quora breach?
A. Depending on the day, but typically an hour. Connor Tr. 242:2-24. Defendant objects to the assertion that Connor spent more time monitoring her credit after learning of the Data Breach because it was given in response to a leading question on re-direct. Reply 6; Connor Tr. 242:15-18. Ruling: OVERRULED. “A leading question is a question that suggests the answer to the
person being interrogated.”
Ochave v. I.N.S.
,
Here, “[t]he facts elicited by the leading question are evidence that would be admissible at
trial, and the Court shall consider those facts.”
Anderson v. SeaWorld Parks and Entm’t, Inc.
, No.
15-cv-02172-JSW,
B. Rule 702 Objections
Defendant moves to exclude both Sun as an expert and statements from his declaration
under Federal Rule of Evidence 702 and
Daubert v. Merrell Down Pharm., Inc.
,
1. Legal Standard Federal Rule of Evidence 702 provides that an expert must be qualified to testify by “knowledge, skill, experience, training, or education.” Fed. R. Evid. 702. As such, a qualified expert may testify if (a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; (b) the testimony is based on sufficient facts or data; (c) the testimony is the product of reliable principles and methods; and (d) the expert has reliably applied the principles and methods to the facts of the
case.
Id.
The district court acts as the gatekeeper to “ensure that any and all scientific testimony or
evidence admitted is not only relevant, but reliable.”
Daubert
,
Daubert
explains that evidence is relevant if it will “assist the trier of fact to understand the
evidence or to determine a fact in issue.”
The “basic gatekeeping obligation” articulated in
Daubert
applies not only to scientific
testimony but to all expert testimony.
Kumho Tire Co., Ltd. v. Carmichael
,
Keeping this framework in mind, the Court turns to Defendant’s evidentiary objections regarding Plaintiff’s main expert witness, David Sun.
2. Sun Decl. ¶¶ 3-6: Sun’s Qualifications Plaintiff submits the Declaration of David Sun in support of her Opposition to offer testimony regarding the nature and scope of the Data Breach and the distinction among the various credit monitoring services at issue. See generally Sun Decl. Defendant objects to the admission of the entire declaration because Sun does not claim expertise in identity theft or fraud. Reply 8.
Ruling: OVERRULED. Here, Sun bases his qualifications on his experience dealing with cyber security and computer forensics. Sun Decl. ¶¶ 3-6. He is a partner in charge of the cyber security and forensics practice at his firm and previously owned a consulting firm specializing in these areas. Id. ¶ 3. Sun is also a Certified Information Systems Security Professional, a Certified Computer Examiner, and an EnCase Certified Examiner with a master’s degree in electrical engineering. Id. ¶ 5. Finally, he has prior experience testifying in litigation matters regarding “cyber security incidents, computer forensic examinations and cyber-intrusion and breach investigations.” Id. ¶ 6. While he does not premise his expertise in knowledge of identity theft or financial fraud, his background qualifies him to opine on the nature, scope, and impact of the Data Breach. Thus, Defendant’s objection is overruled without prejudice for the purpose of this Motion. However, because this ruling is without prejudice, it does not preclude Defendant from seeking to exclude Sun’s testimony later on these same grounds.
3. Sun Decl. ¶¶ 14-16: Sun’s Review of Plaintiff’s Compromised Data Plaintiff submits Sun’s expert testimony that combining certain compromised information such as IP addresses, browser information, and the type of device associated with Plaintiff’s account enables a third party to “piece together a pattern of the Plaintiff’s location and cell phone ownership history.” Sun Decl. ¶ 14. He states that such information is unavailable to the public and could allow a hacker to pose as Plaintiff. Id. ¶ 14. Additionally, Sun proposes, based on his prior experience with other telecommunication carriers, that combining general nonpublic information about a person with past cell phone ownership on their account “could satisfy the criteria for some level of account authorization.” Id. ¶ 16. Defendant objects to this testimony on the grounds that it is highly speculative and is based on an assessment of Sprint, whereas Plaintiff’s mobile carrier was Boost Mobile. Reply 8; see also Connor Tr. 172:17-20. As such, Defendant argues that Sun’s opinion is unreliable and irrelevant, making it unhelpful. Reply 8.
Ruling: OVERRULED. Here, Sun bases his conclusions on an assessment of the
Declaration of Paula Griffin, which describes the data elements included in the compromise. Sun
Decl. ¶ 14;
see also
Griffin Decl. ¶¶ 15-18. Relying on his prior experience, he was able to
uncover the personal information regarding Connor’s location and cell phone ownership history.
Sun Decl. ¶ 14. The times of the phone records acquired by Sun in his review range from October
2016 to June 2018.
Id.
His review identifies the mobile carrier as “Boost Mobile/Virgin (Sprint).”
Id.
On the dates in question, Boost Mobile was Sprint’s for-pay service. Mot. Hr’g Tr. 36:5-12,
ECF 200. Thus, such information is both (1) reliable in that Sun explains how he can uncover
nonpublic information from the compromised data that could be used for some level of account
authorization, and (2) relevant in that it could help the factfinder determine whether the
compromised information puts Plaintiff at risk for identity theft and financial fraud.
See Daubert
,
Ruling: OVERRULED. Here, Sun does not explicitly claim qualifications in credit
monitoring, but he does claim an extensive background in technology consulting and has authored
technical publications covering telecommunications. Sun Decl. ¶ 4-5. He has also testified in
numerous litigations regarding computer breach investigations.
Id.
¶ 6. Therefore, he is qualified
to help the jury understand how victims may use commonly offered tools like credit monitoring
services to deal with compromised data.
See
Fed. R. Evid. 702(a). Furthermore, his testimony
can help explain the rationale behind purchasing a premium credit monitoring service when other
free services are available.
See
Mot. 9-15; Opp’n 8-17; Reply 6-10. And the facts in
Stollenwerk
are not analogous to the facts here. In
Stollenwerk
, the expert evidence at issue “did not mention
or account for the availability of free services,” causing the court to conclude that the report was
“entirely too conclusory to establish that a reasonable person faced with Stollenwerk’s level of risk
of identity theft would incur significant monitoring costs rather than take advantage of these
services.”
Stollenwerk
,
5. Sun Decl. ¶¶ 8-11: Sun’s Assessment of the Declaration of Zhe Fu Sun analyzes the Declaration of Zhe Fu, who provides testimony regarding Defendant’s platform infrastructure and the scope of the Data Breach. Sun Decl. ¶¶ 8-11; Fu Decl. ¶¶ 5-7. Sun posits that because Fu bases his findings of significant data transfers on billing records, Fu’s analysis is insufficiently thorough to determine the scope of the Data Breach. See Sun Decl. ¶¶ 8- 9. He explains that Fu references “significant data transfers” in his analysis but “does not provide any details beyond the graph to determine if [Fu] examined smaller, protracted transfers that would not be noticeable in the graph.” Id. ¶ 8. Furthermore, Sun declares that “assurances by Fu of what data was stored in AWS S3 and subject to the security incident is not corroborated by any information available.” Id. ¶ 10. Defendant contends that Sun’s assertions are speculative and “based on a misreading of ‘significant’ in the Fu Declaration and lifting words out of context, not a material dispute.” Reply 9.
Ruling: OVERRULED. Here, it is unclear how Sun misreads the Declaration of Zhe Fu or
lifts words out of context.
See
Reply 9. Sun explains that more information is required to
determine if “a small, imperceptible increase in transfer volume over a 6-month period” occurred,
which he asserts could result in a significant amount of data. Sun Decl. ¶ 8. Sun does not
speculate to draw conclusions about the Data Breach itself; rather, he uses his background to posit
that more information is required to assess the scope of the Data Breach.
See Id.
¶¶ 8-10. Such
information is helpful to determine the risk to Plaintiff.
See Daubert
,
there is a “cost” to Defendant’s users. Opp’n 4-5. Defendant objects to such assertions as inadmissible on the grounds that (1) Plaintiff provides no evidence and (2) they are irrelevant since Plaintiff cannot claim Defendant’s profits. Reply 15. Ruling: OVERRULED. Here, Plaintiff submits Defendant’s Terms of Service and Privacy Policy as evidence to support her assertions in the Opposition. Terms of Service; Privacy Policy; see also Opp’n 5. And while Plaintiff cannot claim Defendant’s profits, such background information is relevant to establishing context regarding the nature of the relationship between Defendant and Plaintiff. Thus, this Court will not strike the material.
V. DISCUSSION [4] Defendant brings this Motion seeking summary adjudication of Plaintiff’s remaining claims for (1) negligence and (2) violation of the UCL. See generally Mot. Defendant’s arguments generally focus on the nature of Plaintiff’s asserted harms and remedies as well as an alleged lack of causation. See Mot. 9, 20-22. Plaintiff maintains that there are genuine disputes of material fact sufficient to withstand granting this Motion. See Opp’n 3-4. Viewing all evidence in the light most favorable to Plaintiff, the Court DENIES summary judgment as to the negligence claim and GRANTS summary judgment as to the UCL claim.
A. Negligence
Plaintiff’s negligence cause of action is based on Defendant’s alleged failure to adequately
protect her PII, causing her to spend time and money monitoring her credit after the Data Breach.
TAC ¶¶ 82-89. To prevail on a negligence claim in California, a plaintiff must allege facts to
satisfy these elements: “(1) the existence of a duty to exercise due care; (2) breach of that duty;
(3) causation; and (4) damages.”
In re Sony Gaming Networks & Customer Data Sec. Breach
Litig.
(
Sony Gaming I
),
“Under California law, appreciable, nonspeculative, present harm is an essential element of
a negligence cause of action.”
Sony Gaming I
,
Relying on Aas , Defendant moves for summary judgment based on Plaintiff’s failure to show “appreciable, nonspeculative, present harm.” Mot. 9. Defendant bases its Motion on the fact that Plaintiff has not suffered identity theft and asserts that she has voluntarily attempted to repair any hypothetical threat of future harm by temporarily purchasing credit monitoring services and monitoring her accounts. Mot. 10-11. Plaintiff contends that Aas is factually distinct “from a data breach where the harm is from the theft of PII, some of which is just now being revealed to Plaintiff.” Opp’n 9. It appears that California courts have not considered whether time and money lost to credit
monitoring from the future threat posed by compromised PII are damages to support a negligence
claim.
Ruiz v. Gap, Inc.
,
Furthermore, California does carve out an exception to the present harm requirement for
medical monitoring cases in which victims were exposed to toxic chemicals.
See Potter v.
Firestone Tire & Rubber Co.
,
Here, this Court agrees with Plaintiff that the time and money she spent on credit
monitoring in response to the Data Breach is cognizable harm to support her negligence claim.
See
Opp’n 9. Like several victims in
Castillo
, Plaintiff spent money purchasing a premium
version of an identity-protection service. Connor Tr. 32:4-34:23, 94:2-17; Purchase Receipt;
Cancellation Receipt; Sun Decl. ¶¶ 19-20;
see also Castillo
,
Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the claim that Plaintiff cannot produce sufficient evidence supporting cognizable harm in negligence.
2. Causation
“Causation is generally a question of fact for the jury unless ‘the proof is insufficient to
raise a reasonable inference that the act complained of was the proximate cause of the injury.’”
Lies v. Farrell Lines, Inc.
,
Here, Defendant first argues that Plaintiff cannot prove causation because she has been the
victim of numerous other data breaches in which her compromised information could have been
used to commit fraud. Mot. 11-13;
see also
Decl. of Anthony J. Ferrante (“Ferrante Decl.”) ¶¶ 21-
31, ECF 140-5. But the mere fact that Plaintiff has been a victim of other more serious breaches
in the past does not mean a substantial connection between this breach and her decision to monitor
her credit more closely is lacking.
See Gardner I
,
Defendant next argues that Plaintiff’s decision to purchase ClickFreeScore and mitigate
any risk of harm was neither reasonable nor necessary. Mot. 13. In support of this argument,
Defendant cites several cases that predate more recent data breach litigation cases, most of which
are factually distinct because they involve the theft of actual hardware, as opposed to a hack into a
company’s systems.
Compare Ruiz
,
Finally, the parties dispute whether it was reasonable and necessary for Plaintiff to purchase a premium version of ClickFreeScore. Mot. 14-15; Opp’n 14-16. It is undisputed that Plaintiff had other free credit monitoring services available to her to mitigate prior data breaches. Mot. 14-15; Opp’n 15; Sun. Decl. 19-20. Defendant offers Plaintiff’s deposition testimony that ClickFreeScore’s paid service provided “pretty much the same services” as Credit Karma’s free services, causing her to downgrade to the “basic package.” Connor Tr. 33:9-34:23. Defendant argues that these statements show Plaintiff knew she had the same services for free that ClickFreeScore offered for a fee. See Mot. 14; Reply 11; Connor Tr. 76-79, 99. Plaintiff, however, presents evidence elaborating on her initial statements, explaining that she downgraded to the basic package, not because she did not feel the need for additional services, but because the subscription cost money that she would rather spend on her four children, as opposed to “something that should have already been protected in the first place.” Connor Tr. 34:25-35:10. She further testified that ClickFreeScore’s premium service offered additional protections such as $1 million in fraud protection against which ClickFreeScore would insure. Connor Tr. 35:12-24. And Plaintiff presents evidence that “only the ClickFreeScore.com Platinum service provides coverage of all three [credit reporting] bureaus, providing access to the actual credit reports and scores from all of them.” Sun Decl. ¶ 20. Hence, this Court finds that there remains a genuine dispute of material fact over whether ClickFreeScore’s premium services offered the “same” services that Plaintiff could already use for free.
In sum, the evidence demonstrates genuine disputes of material fact regarding whether the Data Breach caused Plaintiff to spend time and money monitoring her credit and whether Plaintiff’s decision to purchase enhanced credit monitoring was reasonable and necessary. Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the claim that Plaintiff cannot produce sufficient evidence supporting causation in negligence.
3. The Economic Loss Rule Defendant argues that the economic loss rule bars recovery for Plaintiff’s asserted harms. Mot. 15. Specifically, Defendant contends that all Plaintiff’s asserted harms are purely economic and that no exception to the economic loss rule applies because the parties do not have a special relationship. Mot. 16-17. The Court disagrees for the reasons discussed below.
“[T]he economic loss rule prevents the law of contract and the law of tort from dissolving
into one another” and “requires a [plaintiff] to recover in contract for purely economic loss due to
disappointed expectations, unless he can demonstrate harm above and beyond a broken contractual
promise.”
Robinson Helicopter Co. v. Dana Corp.
,
This Court does not disturb its prior ruling that Plaintiff alleged sufficient facts to show
that the parties have a special relationship, which is an exception to the economic loss doctrine.
And Plaintiff has now offered sufficient evidence to defeat summary judgment on that claim.
Whether there is a special relationship under
J’Aire
presents a question of law for the court.
Greystone Homes, Inc. v. Midtec, Inc.
,
(1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant’s conduct and the injury suffered, (5) the moral blame attached to the defendant’s conduct and (6) the policy of preventing future harm.
J’Aire Corp. v. Gregory
,
plaintiff.”
J’Aire
,
With Defendants’ new arguments, the Court has reassessed this first factor. Cases decided
after
Sony Gaming II
have found that the first factor is met when plaintiffs share personal data
with a company with the understanding that the company will protect that data.
See e.g.
,
Terpin v.
AT&T Mobility, LLC
, No. 2:18-CV-06975-ODW (KSx),
Here, it is undisputed that as part of Defendant’s Terms of Service, Plaintiff was required to provide certain information upon creating an account. Terms of Service 1. Contained within the Terms of Service was a privacy promise, described in Defendant’s Privacy Policy. Terms of Service 7. The Privacy Policy explained Defendant’s “policies and procedures on the collection, use, disclosure, and sharing of [users’] personal information or personal data when [users] use the Quora Platform.” Privacy Policy 1. Emphasizing the importance of users’ privacy and the security of their information, the Privacy Policy assured users that Defendant implemented safeguards to protect their information. Privacy Policy 1, 6. And the Privacy Policy clarified to the user: “You may, of course, decline to submit information through the Quora Platform, in which case we [Defendant] may not be able to provide certain services to you.” Privacy Policy 6. Such a transaction mirrors that of Terpin , Yahoo! , and Corona ; Plaintiff was required to provide her personal information as a condition of using Defendant’s services, with the expectation that Defendant would take reasonable steps to safeguard against misuse of that information.
After reviewing the applicable law, the Court is no longer persuaded by Defendant’s
argument that Plaintiff cannot establish the first factor because she provides no evidence that she
herself intended to use the platform in a manner that varied from that of Defendant’s other
millions of users. Mot. 17-18; Reply 13;
see also
Prior Order II 13. This Court now concludes
that Plaintiff need only demonstrate she is a member of a class of people intended to be affected,
not that she alone was in that position.
See Centinela Freeman Emergency Med. Assoc. v. Health
Net of Cal., Inc.
,
Privacy law is a rapidly evolving area, and the Court finds from
Corona
, as well as
Terpin
and
Yahoo!
, that entrusting PII to a company establishes a “transaction intended to affect the
plaintiff.”
J’Aire
,
The second factor is the “foreseeability of harm to the plaintiff.”
Id.
Courts “determine
foreseeability not by reference to specific parties but instead based on the general sort of conduct
at issue.”
S. Cal. Gas Leak
,
The third factor is “the degree of certainty that the plaintiff suffered injury.”
J’Aire
, 24
Cal. 3d at 804. Here, Plaintiff provides evidence that she spent money on credit monitoring
amounting to $39.90 per month for five months and an average of one hour per day in time lost
responding to the Data Breach. Purchase Receipt. Such evidence shows that Plaintiff has
suffered harm.
See, e.g., Stasi
,
The fourth factor is “the closeness of the connection between the defendant’s conduct and
the injury suffered.”
J’Aire
,
The sixth factor is “the policy of preventing future harm.”
J’Aire
,
In sum, Plaintiff has offered evidence sufficient to show that all six J’Aire factors weigh in her favor. Therefore, summary judgment based on Defendant’s contention that the facts do not support the special relationship exception to the economic loss rule is not appropriate. Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the argument that the economic loss rule bars Plaintiff’s negligence claim.
4. Conclusion Plaintiff has presented evidence sufficient to demonstrate that (1) the harm alleged is cognizable, (2) there is a genuine dispute of material fact as to causation, and (3) the special relationship exception to the economic loss rule applies. Thus, Defendants’ Motion for Summary Judgment is DENIED as to the negligence claim.
B. California’s Unfair Competition Law (“UCL”)
Plaintiff’s UCL cause of action is based on Defendant’s alleged representations and omissions surrounding its failure to adequately protect Plaintiff’s PII and disclose the details of the Data Breach. TAC ¶¶ 68-81. Plaintiff seeks an injunction requiring Defendant (1) to provide updated information about exactly what was exposed and (2) to institute industry-standard practices to protect its users’ data. [5] Opp’n 25. Defendant moves for summary judgment on the UCL claim based on two grounds. Mot. 20-25. First, Defendant argues that because the Data Breach did not cause Plaintiff to lose money, she lacks statutory standing to bring a UCL claim. Mot. 20-22. Second, Defendant argues that because Plaintiff has an adequate remedy at law, she cannot claim injunctive relief under the UCL. Mot. 23-25. Each ground is discussed in turn. 1. Statutory Standing The UCL provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code § 17200. But whether a UCL claim is actionable turns first on a plaintiff’s standing to bring it. In re Anthem, Inc. Data Breach Litig. , 162 F. Supp. 3d 953, 985 (2016). To establish standing for a UCL claim, a plaintiff must demonstrate that the
alleged unfair competition caused him or her to personally lose money or property, i.e., suffer
economic injury-in-fact.
Yahoo!
,
Here, Plaintiff presents evidence that Defendant’s unfair business practices compelled her to spend money on enhanced credit monitoring protection in January 2019. Opp’n 24-25; Disclosure Email; Purchase Receipt. Defendant argues that its alleged unfair competition did not cause Plaintiff to purchase the enhanced credit monitoring, since she already had other free services available and bought the services after filing this action. Mot. 21; Reply 14-15.
To support its argument, Defendant first asserts that the Data Breach did not cause Plaintiff
to lose money because she purchased ClickFreeScore “after seeing a pop-up ad for the service in
January 2019, not in response to learning of the [Data Breach] in December 2018.” Mot. 21;
see
also
Reply 14-15; Connor Tr. 94:2-13. The Court finds that this argument lacks merit. It is
reasonable to infer that Plaintiff, after learning of the Data Breach only one month earlier,
responded to the ClickFreeScore advertisement because she saw benefit in greater protection
against her increased risk of identity theft and fraud. It is likewise reasonable to infer that, had the
Data Breach not recently occurred, Plaintiff would have ignored the advertisement. The pop-up ad
informed Plaintiff of an available service to help her deal with an already existing problem; it did
not destroy the required “causal connection.”
Kwikset
,
Q. Okay. Can you explain what it is about the Quora credit breach that caused you to spend more time than you were spending before, given that your information was also exposed— given that more sensitive information was exposed in the Experian and TaskRabbit credit breaches?
MR. WOOD: Objection; form.
A. I have no idea. Q. (By Mr. Ballon) What was it that’s different about the Quora credit breach except that you have sued over this one?
A. Maybe the straw that kind of broke the camel’s back. Q. But you do agree that you had more sensitive information exposed previously in the TaskRabbit security breach, correct?
A. I don’t know that for sure. Q. Well, based on the notices you got, at least you were told that you had more sensitive information disclosed, correct? A. Probably, yes. Q. And you had more sensitive financial information disclosed in the [Equifax] breach,
correct? []
A. I’m not—I don’t know for sure. Q. But at least you were told that more sensitive financial information was exposed in the Equifax breach than in the Quora breach?
A. Possibly. Q. But your testimony is the reason you spent more time as a result of the Quora breach is that it was the straw that broke the camel’s back; is that correct?
A. Pretty much, yes, sir.
Connor Tr. 251:10-252:15. Defendant urges this Court to focus on Plaintiff’s answer that she had
“no idea” why she spent more time monitoring her credit after this Data Breach as opposed to the
other data breaches. Mot. 21. But such a reading takes Plaintiff’s deposition testimony out of
context. Read as a whole, Plaintiff’s deposition testimony suggests that she may have been
confused by the wording of the original question and that her motivations in purchasing enhanced
credit monitoring stem not from the seriousness of the compromised data, but from the Data
Breach itself as the last straw in a history of data breaches. Connor Tr. 251:20. At a
minimum, the evidence creates a genuine dispute of material fact as to whether this Data Breach
caused her to purchase ClickFreeScore.
See Troyk v. Famers Grp. Inc.
,
Defendant further posits that Plaintiff has not suffered a cognizable loss as a result of the
Data Breach because she could use other free services to monitor her credit. Mot. 21. To support
its argument, Defendant relies on
Ruiz v. Gap, Inc.
, No. 07-5739 SC,
Thus, this Court finds that Plaintiff has provided evidence sufficient to raise a genuine dispute of material fact as to statutory standing under the UCL.
2. Injunctive Relief
“The UCL’s coverage is sweeping, and its standard for wrongful business conduct
intentionally broad.”
Moore v. Apple, Inc.
,
In
Sonner v. Premier Nutrition Corp.
,
Furthermore, Defendant has met its burden of showing that Plaintiff has an adequate
remedy at law.
See
Mot. 23-25; Reply 15. But Plaintiff does not produce evidence rebutting
Defendant’s assertions. Opp’n 25. The Declaration of David Sun, which Plaintiff cites in the
Opposition but does not explain, offers expert testimony that Defendant should have relied on
more sophisticated information and tools to assess the Data Breach. Opp’n 25; Sun Decl. ¶ 9. It
does not, however, provide evidence demonstrating that Defendant’s failure to change its practices
or provide timely updates could produce harm for which legal relief is inadequate.
See id.
As
such, even if it were possible for Plaintiff to demonstrate she has no adequate remedy at law, she
has failed to meet her burden of production to offer contradictory evidence that one exists.
See
Nissan Fire
,
Accordingly, summary judgment as to the UCL claim is warranted.
3. Conclusion Defendant has demonstrated that there is an adequate remedy at law for the conduct described in the injunction Plaintiff seeks. But Plaintiff does not produce, and this Court cannot find, any evidence that meaningfully rebuts the evidence offered by Defendant. Thus, the Court GRANTS summary judgment on the UCL claim.
VI. ORDER
For the foregoing reasons, IT IS HEREBY ORDERED that Defendants’ Motion for Summary Judgment is DENIED as to the negligence claim and GRANTED as to the UCL claim. Dated: December 21, 2020
______________________________________ BETH LABSON FREEMAN United States District Judge
Notes
[1] The facts set forth in this section are undisputed unless otherwise noted. For the purposes of this Motion only, Defendant concedes that all the data Plaintiff claims was stolen was, in fact, stolen.
[2] Plaintiff states that she spent $39.95 per month on ClickFreeScore while Defendant states that she spent $19.95 per month. Opp’n 6; Mot. 7. The transcript evidence cited by either party does not provide a sum certain amount. See Connor Tr. 33, 197-198. It appears, based on the submitted receipt reflecting the purchase, that Plaintiff was to be charged $39.90 per month after being charged a $1 refundable processing fee to create her account. Purchase Receipt.
[3] After the filing of the Third Amended Complaint, this Court granted the voluntary dismissal of Plaintiffs Alexander Huynh, Rick Musgrave, Erica Cooper. Order, ECF 96; Order, ECF 138; Order, ECF 139.
[4] Defendant requests judicial notice of two documents. Mot. 6 n.2. Courts may take judicial
24
notice of matters either that are “generally known within the trial court’s territorial jurisdiction” or
that “can be accurately and readily determined from sources whose accuracy cannot reasonably be
25
questioned.” Fed. R. Evid. 201(b). “Specifically, a court may take judicial notice: (1) of matters
of public record, (2) that the market was aware of information contained in news articles, and
26
(3) publicly accessible websites whose accuracy and authenticity is not subject to dispute.”
In re
Facebook, Inc. Sec. Litig.
,
[5] Plaintiff originally requested restitution under the UCL claim. TAC ¶ 81. Now conceding that 28 she cannot obtain restitution, she requests only injunctive relief. Opp’n 25.