In this consolidated litigation, Plaintiffs Christian Duke (“Duke”), Joseph Kar (“Kar”), Christina Halpain (“Halpain”), Jacob McHenry (“McHenry”), Anne McGlynn (“McGlynn”), and Marcel Page (“Page”), individually and on behalf of those similarly situated (collectively, “Plaintiffs”) bring claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe’s computer network in 2018 and the resulting data breach. Consol. Compl. (“Compl.”) ECF No. 39. Pending before the Court is Adobe’s Motion to Dismiss, in which Adobe seeks dismissal of all of Plaintiffs’ claims. (“Mot.”) ECF No. 45. Plaintiffs have filed an Opposition, (“Opp’n”) ECF No. 47, and Adobe has filed a Reply, (“Reply”) ECF No. 50. Having considered the submissions of the parties and the relevant law, the Court hereby GRANTS IN PART and DENIES IN PART Adobe’s Motion to Dismiss.
I. BACKGROUND
A. Factual Allegations
Except where indicated, the facts in this section are taken from Plaintiffs’ Complaint and accepted as true for the purposes of this Motion.
1. Adobe’s Products and Services
Adobe is a multinational software company that sells and licenses printing, publishing, multimedia, and graphics software. Compl. ¶ 17. Adobe sells a wide range of products, including Photoshop (a widely-used digital, imaging program) and Cold-Fusion (used by web developers to build websites and Internet applications). Id. ¶ 19. Adobe’s products and services are available in two forms. Some Adobe software, such as ColdFusion, is sold through licenses, where customers pay a single licensing fee to use the software. Id. Other Adobe products are available through Adobe’s subscription-based “Creative Cloud,” where customers pay a monthly
Adobe collects a variety of customer information. Customers of licensed-based products must register their products, which requires customers to provide Adobe with their e-mail addresses and create a username and password for Adobe’s website. Id. Some of these customers purchased their licenses online from Adobe directly, and thus also provided Adobe with their credit card numbers and expiration dates, as well as other billing information. E.g. id. ¶¶ 19, 78, 96. Creative Cloud customers are required to keep an active credit card on file with Adobe, which is charged automatically according to the customer’s subscription plan. Id. ¶ 19. In addition, some Creative Cloud customers store their files and work products in Adobe’s “cloud.” E.g., id. ¶ 84. As a result of the popularity of Adobe’s products, Adobe has collected personal information in the form of names, e-mail and mailing addresses, telephone numbers, passwords, credit card numbers and expiration dates from millions of customers. Id. ¶¶ 22, 50-55.
All customers of Adobe products, including Creative Cloud subscribers, are required to accept Adobe’s End-User License Agreements (“EULA”) or General Terms of Use. Id. ¶ 29. Both incorporate Adobe’s Privacy Policy, which provides in relevant part: “[Adobe] provide[s] reasonable administrative, technical, and physical security controls to protect your information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.” (“Agreement”) ECF No. 46-2 at 4. Adobe’s Safe Harbor Privacy Policy, which supplements Adobe’s Privacy Policy, similarly provides that “Adobe ... uses reasonable physical, electronic, and administrative safeguards to protect your personal information from loss; misuse; or unauthorized access, disclosure, alteration, or destruction.” Compl. ¶ 32. Adobe makes similar representations regarding its security practices on its websites. Id. ¶¶ 33-39.
2. The 2013 Data Breach
In July 2013, hackers gained unauthorized access to Adobe’s servers. Id. ¶ 48. The hackers spent several weeks inside Adobe’s network without being detected. Id. By August 2013, the hackers reached the databases containing customers’ personal information, as well as the source code repositories for Adobe products. Id. The hackers then spent up to several weeks removing customer data and Adobe source code from Adobe’s network, all while remaining undetected. Id. The data breach did not come to light until September, when independent security researchers discovered stolen Adobe source code on the Internet. Id. ¶ 49. Adobe announced the data breach on October 3, 2013. Id. ¶ 50. Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Id. ¶¶ 50-52. Adobe confirmed that the hackers copied the source code for a number of its products, including ColdFusion. Id. ¶53. Adobe subsequently disclosed that the hackers were able to use Adobe’s systems to decrypt customers’ credit card numbers, which had been stored in an encrypted form. Id. ¶ 57. The Court will refer to this sequence of events as the “2013 data breach.”
Following the 2013 data breach, researchers concluded that Adobe’s security practices were deeply flawed and did not conform to industry standards. Id. ¶ 59. For example, though customers’ passwords
3. The Plaintiffs
Plaintiffs are customers of Adobe licensed products or Creative Cloud subscribers who provided Adobe with their personal information. Plaintiffs Kar and Page purchased licensed products directly from Adobe and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 77-78, 95-96. Plaintiff McHenry purchased an Adobe licensed product, and provided Adobe with a username and password. Id. ¶¶ 98-99. Plaintiffs Duke, Halpain, and McGlynn subscribed to Adobe’s products, and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 74-75, 83-84, 90. Plaintiffs Duke, Kar, Halpain, and McGlynn are California citizens and residents. Id. ¶¶ 10-12, 14. Adobe informed all Plaintiffs that their personal information had been- compromised as a result of the 2013 data breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. Following the 2013 data breach, Plaintiffs Kar and Halpain purchased additional credit monitoring services. Id. ¶¶ 81, 86.
B. Procedural History
The seven cases underlying this consolidated action were filed in this Court between November 2013 and January 2014. See ECF No. 1; Case No. 13-CV-5611, ECF No. 1; Case No. 13-CV-5596, ECF No. 1; Case No. 13-CV-5930, ECF No. 1; Case No. 14-CV-14, ECF No. 1; Case No. 14-CV-30, ECF No. 1; Case No. 14-CV-157, ECF No. 1. The Court related the individual eases in December 2013 and January 2014, ECF Nos. 19, 22, 26,
A. Rule 12(b)(1)
A defendant may move to dismiss an action for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1). A motion to dismiss for lack of subject matter jurisdiction will be granted if the complaint on its face fails to allege facts sufficient to establish subject matter jurisdiction. See Savage v. Glendale Union High Sch.,
B. Rule 8(a)
Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6). The Supreme Court has held that Rule 8(a) requires a plaintiff to plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly,
However, the Court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States,
C. Rule 9(b)
Claims sounding in fraud or mistake are subject to the heightened pleading requirements of Federal Rule of Civil Procedure 9(b), which requires that a plaintiff alleging fraud “must state with particularity the circumstances constituting fraud.” Fed. R. Civ. P. 9(b); see Kearns v. Ford Motor Co.,
D. Leave to Amend
If the Court determines that the complaint should be dismissed, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “should be freely granted when justice so requires,” bearing in mind that “the underlying purpose of Rule 15 ... [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith,
III. DISCUSSION
Plaintiffs assert four causes of action in their Complaint. Adobe seeks dismissal of all four claims. The.Court will address each claim and Adobe’s corresponding objections in turn. ■
A. Customer Records Act Claim
Plaintiffs’ first cause of action is for injunctive relief on behalf of the California Plaintiffs for violations of Sections 1798.81.5 and 1798.82 of the California Civil Code (“CRA”).
A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Cal. Civ. Code § 1798.81.5(b). Section 1798.82, for its part, requires businesses to “disclose any breach of the security of the system following discovery or notification of the breach ... in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a). Plaintiffs allege that Adobe did not and does not maintain “reasonable security practices” to protect customer data, in violation of Section 1798.81.5 of the CRA, and did not promptly notify customers following the 2013 data breach, in violation of Section 1798.82 of the CRA. Compl. ¶¶ 112-113.
Plaintiffs request injunctive relief pursuant to Section 1798.84(e) of the CRA, which provides that “[a]ny business that violates, proposes to violate, of has violated this title may be enjoined.” Plaintiffs also base their request for relief on the “unlawful” prong of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq., which allows plaintiffs to “borrow” violations of other laws and treat them as unlawful competition that is independently actionable. Cel-Tech Common’s, Inc. v. L.A. Cellular Tel. Co.,
Adobe argues that Plaintiffs do not allege injury-in-fact resulting from Adobe’s alleged violation of the CRA and thus do not have Article III standing to bring their CRA claim. Mot. at 6-7. For the same reasons, Adobe contends that Plaintiffs .do not have statutory standing under Section 1798.84(e), which also requires a showing of injury. Id. As a result, Adobe contends that Plaintiffs’ CRA claim must be dismissed for lack of jurisdiction. The Court addresses both contentions in turn,
1. Article III Standing
To have Article III standing, a plaintiff must plead and prove that she has suffered sufficient injury to satisfy the “ease or controversy” requirement of Article III of the United States Constitution. See Clapper v. Amnesty Int’l USA, — U.S. -,
In a class action, named plaintiffs representing a class “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Worth v. Seldin,
In the instant case, Plaintiffs allege that they have all suffered at least one of three types of cognizable injuries-in-fact: (1) increased risk of future harm; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of their Adobe products. Opp’n at 7-11. The Court begins by assessing the adequacy Plaintiffs’ alleged injuries. The Court will then address Adobe’s argument that even if Plaintiffs have Article III standing to bring a claim based on Adobe’s alleged violation of Section 1798.81.5 (the “reasonable” security measures provision), Plaintiffs do not have standing to bring a claim based on Adobe’s alleged violation of Section 1798.82 (the notification provision), because Plaintiffs do not allege that they suffered any particular injury stemming from Adobe’s failure to reasonably notify Plaintiffs of the 2013 data breach. Mot. at 7.
a. Increased Risk of Harm
Plaintiffs claim that they are all at increased risk of future harm as a result of the 2013 data breach. Opp’n at 7. Adobe counters that such “increased risk” is not a cognizable injury for Article III standing purposes. Mot. at 10. The Ninth Circuit addressed Article III standing in the context of stolen personal information in Krottner v. Starbucks Corp.,
Adobe does not dispute that Krottner is directly on point. See Mot. at 11; Reply at 3. However, Adobe contends that subsequent Supreme Court authority forecloses the approach the Ninth Circuit took to standing in Krottner. Reply at 3. Specifically, Adobe claims that the Supreme Court’s decision in Clapper v. Amnesty International USA expressly rejected “[a]negations of possible future injury” as a basis for Article III standing, requiring instead that a “threatened injury [] be certainly impending to constitute injury in fact.” Mot. at 10 (citing Clapper,
Clapper addressed a challenge to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. § 1881a.
As the Supreme Court noted, the respondents did not allege that any of their communications had actually been intercepted, or even that the Government sought to target them directly. Id. at 1148. Rather, the respondents’ argument rested on the “highly speculative fear” that:
(1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under [Section 702] rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government’s proposed surveillance procedures satisfy [Section 702]’s many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents’ contacts; and (5) respondents will be parties to the particular communications that the Government intercepts
Id. The Supreme Court held that this “highly attenuated” chain of possibilities did not result in a “certainly impending” injury. Id. The Court observed that the first three steps of the chain depended on the independent choices of the Government and the Foreign Intelligence Surveillance Court, yet the respondents could only speculate as to what decision those third parties would take at each step. Id. at 1149-50 (“[W]e have been reluctant to endorse standing theories that require guesswork as to how independent decision-makers will exercise their judgment....”). Moreover, respondents could not show with any certainty that their communications with the foreign persons allegedly under surveillance would be intercepted. Id. As a result, the overall chain of inferences was “too speculative” to constitute a cognizable injury. Id. at 1143.
The Supreme Court acknowledged that its precedents “do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about” in order to have standing. Id. at 1150 n. 5 (emphasis added). Rather, in some cases, the Supreme Court has found standing “based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Id. (citing Monsanto, 561- U.S. at 153-54,
Clapper did not change the law governing Article III standing. The Supreme Court did not overrule any precedent, nor did it reformulate the familiar standing requirements of injury-in-fact, causation, and redressability.
“[District courts should consider themselves bound by [ ] intervening higher authority and reject the prior opinion of [the Ninth Circuit] as having been effectively overruled” only when the intervening higher authority is “clearly irreconcilable with [the] prior circuit authority.” Miller v. Gammie,
In any event, even if Krottner is no longer good law, the threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper. Unlike in Clapper, where respondents’ claim that they would suffer future harm rested on a chain of events that was both “highly attenuated” and “highly speculative,”
Neither is there any need to speculate as to whether the hackers intend to misuse the personal information stolen in the 2013 data breach or whether they will be able to do so. Not only did the hackers deliberately target Adobe’s servers, but Plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. Compl. ¶ 57. Some of the stolen data has already surfaced on the Internet, and other hackers have allegedly misused it to discover vulnerabilities in Adobe’s products. Id. ¶¶ 49, 70. Given this, the danger that Plaintiffs’ stolen data will be subject to misuse can plausibly be described as “certainly impending.” Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be “literally certain” in order to constitute injury-in-fact.
The cases Adobe cites in which district courts have relied on Clapper to dismiss data breach cases on standing grounds are factually distinct from the present case. In SAIC, the case on which Adobe most heavily relies,, a thief broke into a car in San Antonio, Texas and stole the car’s GPS and stereo, as well as encrypted backup data tapes containing personal medical information for over four million U.S. military members and their families.
Adobe’s other authorities are similarly distinct. The thief in Polanco also stole a laptop out of a car.
The case with facts closest to those at issue here is Galaria. In that case, hackers obtained a variety of personal information, though not credit card information, from the servers of an insurance company. Galaria,
In sum, the Court finds that Plaintiffs’ allegations of a concrete and imminent threat of future harm suffice to establish Article III injury-in-fact at the pleadings stage under both Krottner and Clapper.
b. Cost to Mitigate
In addition, Plaintiffs allege that Plaintiffs Halpain and Kar have standing based on the reasonable costs they incurred to mitigate the increased risk of harm resulting from the 2013 data breach. Opp’n at 10; see Compl. ¶¶ 80-81, 86-87 (alleging that Halpain and Kar paid for data monitoring services). The Supreme Court held in Clapper that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
As this last quote indicates, the Supreme Court’s primary concern was that the Article III standing standard would be “water[ed] down” if a plaintiff who otherwise lacked standing could manufacture an injury-in-fact “for the price of a plane ticket.” Id. (internal quotation marks omitted); accord SAIC,
For the foregoing reasons, the Court finds that Plaintiffs have plausibly alleged that the substantial risk of harm Plaintiffs face following the 2013 data breach constitutes a cognizable injury-in-fact. The costs Plaintiffs Halpain and Kar incurred to mitigate this risk of harm constitute an additional cognizable injury. The Court further finds that Plaintiffs plausibly allege both that these injuries are “fairly traceable” to Adobe’s alleged failure to maintain “reasonable” security measures in violation of Section 1798.81.5 and that the relief sought would redress these injuries. The Court therefore concludes that Plaintiffs have adequately pleaded that they have Article III standing to, bring a CRA claim for violations of Section 1798.81.5.
c. Section 1798.82
Adobe argues that even if Plaintiffs have adequately alleged injury-in-fact stemming from Adobe’s alleged failure to implement reasonable security measures, Plaintiffs have not alleged any injury traceable to Adobe’s alleged failure to reasonably notify customers of, the 2013 data breach in violation of Section 1798.82, because Plaintiffs do not allege that they suffered any incremental harm as a result of the delay. Mot. at 7. The Court agrees that Plaintiffs do not allege any harm resulting from the delay in their Complaint, and Plaintiffs do not address this argument in their Opposition except to argue that they have statutory (as opposed to Article III) standing to bring a Section 1798.82 claim. See Opp’n at 11.
2. Statutory Standing
The CRA also contains a statutory standing requirement. Section 1798.84, the remedies provision of the CRA, provides that “[a]ny customer injured by a violation of this title may institute a civil action to recover damages,” Cal. Civ. Code § 1798.84(b), and the California Court of Appeal has held that this injury requirement applies “regardless of the remedies [a plaintiff] seek[s],” Boorstein v. CBS Interactive, Inc.,
Although Section 1798.84 does not define what qualifies as an injury under the statute, other courts in the Ninth Circuit have found that an injury that satisfies Article Ill’s injury-in-fact standard suffices to establish statutory injury under the CRA. See, e.g., Miller v. Hearst Commc’ns, Inc., No. 12-733,
In summary, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.81.5.
B. Declaratory Relief
Plaintiffs’ second cause of action is for declaratory relief on behalf of all Plaintiffs. Compl. ¶¶ 118-124. As a preliminary matter, the parties disagree over whether the federal Declaratory Judgment Act, 28 U.S.C. § 2201, applies, as Adobe contends, or if the California Declaratory Relief Act, Cal. Civ. Proc. Code § 1060, applies, as Plaintiffs contend. Compare Reply at 5 n.4, with Opp’n at 14.
The Court finds that the federal Declaratory Judgment Act governs in this case. Although district courts in the Ninth Circuit have at times applied the California Declaratory Relief Act when sitting in diversity, see Valley Forge Ins. Co. v. APL Co. Pte. Ltd., No. 09-9328,
The federal Declaratory Judgment Act provides that “[i]n a case of actual controversy within its jurisdiction ... any court of the United States ... may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). To fall within the Act’s ambit, the “case of actual
Adobe moves to dismiss Plaintiffs declaratory relief claim on three grounds. First, Adobe asserts that Plaintiffs have not suffered an injury-in-fact and therefore lack standing. Mot. at 13. Second, Adobe contends that what Plaintiffs actually seek is an impermissible advisory opinion that lays the foundation for future litigation, rather than adjudication of an actual controversy between the parties. Id. at 13-14. Third, Adobe argues that Plaintiffs’ declaratory relief claim is actually a breach of contract claim in disguise, and that the claim fails because Plaintiffs have failed to plead all the elements of a breach of contract claim. Id. at 15. The Court addresses each contention in turn.
1. Article III Standing
Adobe first claims that, just as the California Plaintiffs fail to allege injury-in-fact for purposes of their CRA claim, the California Plaintiffs fail to allege a cognizable injury-in-fact for purposes of declaratory relief. Mot. at 13; see also Dizol,
The Court finds that Plaintiffs have adequately pleaded that they have Article III standing to bring a claim for declaratory relief. First, as discussed above, the Court finds that all Plaintiffs have plausibly alleged that they face a substantial, “certainly impending” risk of harm from the 2013 data breach. See supra Part III.A. l.a. This alleged injury is fairly traceable to Adobe’s failure to abide by its contractual obligation to provide “reasonable ... security controls,” Agreement at 4, and will plausibly be redressed by the declaratory relief Plaintiffs seek. Accordingly, the Court declines to dismiss Plaintiffs’ declaratory relief claim for lack of Article III standing.
2. Presence of an Actionable Dispute
Adobe next seeks dismissal of Plaintiffs’ declaratory relief claim on the ground that Plaintiffs do not fulfill the Declaratory Judgment Act’s statutory jurisdictional requirements. Adobe contends that there is no actionable dispute over whether Adobe is in breach of its contractual obligation to provide “reasonable _ security controls,” given that the Agreement expressly provides that no security measure is “100%” effective and that “Adobe cannot ensure or warrant the security of your personal information.” Mot. at 14. Adobe further contends that Plaintiffs do not allege that a declaration of rights is necessary at this time. Id. Adobe asserts that Plaintiffs’ claim is consequently unripe,
A claim for relief under the Declaratory Judgment Act requires a dispute that is: (1) “definite and concrete, touching the legal relations of parties having adverse legal interests”; (2) “real and substantial”; and (3) “admit[ting] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.” MedImmune,
The Court finds that Plaintiffs have adequately alleged the existence of an actionable dispute for purposes of the Declaratory Judgment Act. Plaintiffs have plausibly alleged the existence of a “definite and concrete” dispute over the meaning and the scope of Adobe’s contractual obligation to provide “reasonable” security measures. See Compl. ¶¶ 120-123. According to the Complaint, although “Adobe maintains that its security measures were adequate and remain adequate,” there were in fact a number of standard industry practices that Adobe failed to follow. Id. ¶¶ 62, 123-124. Although Adobe contends that there can be no actionable dispute concerning the adequacy of Adobe’s security controls because the Agreement expressly provides that no security measure is “100%” effective, Mot. at 14, this disclaimer does not reheve Adobe of the responsibility (also contained in the Agreement) to provide “reasonable” security, see Agreement at 4; Compl. ¶ 120.
The remaining jurisdictional prerequisites for a declaratory relief claim are met here as well. The dispute over the reasonableness of Adobe’s security controls touches on the parties’ legal relations, and the parties’ legal interests are adverse. See MedImmune,
The Court concludes that Plaintiffs have plausibly alleged that they satisfy the statutory jurisdictional requirements for obtaining declaratory relief. Adobe is not entitled to dismissal of Plaintiffs’ claim on •this basis.
3. Breach of Contract Claim in “Disguise”
Adobe’s third and final challenge to Plaintiffs’ declaratory relief claim is that Plaintiffs are “seeking a declaration that Adobe has breached its contractual obligations” without having alleged all the elements of a breach of contract claim. Mot. at 15. Relying on Gamble v. GMAC Mortgage Corp., No. 08-5532,
Adobe miseharacterizes Plaintiffs’ declaratory relief claim. In both Gamble and Household Financial, the plaintiffs sought a judicial decree stating that the defendants had breached their contractual obligations. Gamble,
For the foregoing reasons, the Court finds that Plaintiffs have plausibly pleaded that they fulfill both Article Ill’s standing requirements and the statutory jurisdictional requirements of the Declaratory Judgment Act. The Court also finds that Plaintiffs have plausibly stated a claim for declaratory relief. Accordingly, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ declaratory relief claim.
C. UCL Injunction Claim
Plaintiffs’ third cause of action is for injunctive relief under the UCL on behalf of all Plaintiffs (“UCL injunction claim”). See Compl. ¶¶ 125-132. The UCL creates a cause of action for business practices that are: (1) unlawful, (2) unfair^ or (3) fraudulent. Cal. Bus. & Prof. Code § 17200 et seq. The UCL’s coverage is “sweeping,” and its standard for wrongful business conduct is “intentionally broad.” In re First Alliance Mortg. Co.,
Adobe seeks dismissal of Plaintiffs’ UCL injunction claim on three grounds. First, Adobe contends that Plaintiffs lack standing to bring this claim. Mot at 16. Second, Adobe contends that Plaintiffs imper-missibly seek a contract remedy without bringing a breach of contract claim. Id. Finally, Adobe contends that Plaintiffs have failed to allege any conduct that is unfair or unlawful within the meaning of the UCL. Id. The Court addresses each of Adobe’s contentions below.
1. Standing
Adobe argues that, just as with Plaintiffs’ CRA and declaratory relief claims, Plaintiffs lack Article III standing to bring their UCL injunction claim because no Plaintiff has suffered an injury-in-fact. Id. For the same reason, Adobe contends that Plaintiffs lack statutory standing to bring a claim under the UCL. Id. The Court finds that Plaintiffs have Article III standing to bring their UCL injunction claim for the same reasons that Plaintiffs have Article III standing to bring their CRA and declaratory relief claims. See supra Part III.A.l; Part III.B.l.
Adobe further argues that Plaintiffs lack statutory standing under the UCL. Mot. at 16. In order to establish standing for a UCL claim, plaintiffs must show they personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Superior Court,
Four of the six Plaintiffs allege they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing. See Compl. ¶ 79 (“Had Mr. Kar known that Adobe’s security practices were inferior to industry standard security practices, he would not have purchased [a] license online .... ”); id. ¶ 84 (“Had Ms. Halpain known that Adobe employed substandard security practices, she would not have subscribed to the Creative Cloud service.”); id. ¶ 91 (“Had Ms. McGlynn known that Adobe employed substandard security practices, she would not have subscribed to the Creative Cloud Service.”); id. ¶¶ 98-99 (“McHenry purchased Adobe Illustrator ... for approximately $579.99 _ [He] relied on Adobe’s Privacy Policy and believed that Adobe would provide reasonable security....”). Only Plaintiffs Duke and Page do not allege this or any other UCL injury.
The Court finds plausible Plaintiffs Kar, Halpain, McGlynn, and McHenry’s allegations that they relied on Adobe’s representations regarding security to their detriment. The parties agree that every Plaintiff was required to accept Adobe’s Privacy Policy before creating an account or providing Adobe with their personal information. Compl. ¶¶ 31-32; Mot. at 3. In that policy, Adobe represented that it would provide reasonable measures to protect customers’ personal identifying and financial information. See Mot. at 12. It is also plausible that a company’s reasonable security practices reduce the risk of theft of customer’s personal data and thus that a company’s security practices have economic value. See Kwikset,
Accordingly, the Court finds that Plaintiffs Kar, Halpain, McGlynn, and McHenry have plausibly pleaded that they have standing to bring their UCL injunction claim. Plaintiffs Duke and Page, however, have not, though the Court cannot conclude they would be unable to cure this deficiency in an amended complaint. Accordingly, the Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ UCL injunction claim as to Plaintiffs Duke and Page without prejudice. As to the remaining Plaintiffs, Adobe is not entitled to dismissal of Plaintiffs’ UCL injunction claim on the basis of standing.
2. Contract Remedy
Adobe additionally argues that Plaintiffs’ UCL injunction claim, like Plaintiffs’ declaratory relief claim, is actually a contract claim in disguise. Mot. at 17. Specifically, Adobe claims that the UCL injunction claim is, in reality, a claim for specific performance of the Agreement. Id. (“Plaintiffs’ claim ... is that Adobe should be ordered to ‘honor the terms of its contracts’ .... Thus, what Plaintiffs seek is the contract remedy of specific performance.” (quoting Compl. ¶ 129)). As specific performance is a contract remedy, Adobe contends that Plaintiffs need to plead a breach of contract claim in order to seek specific performance. Id. (citing Forever 21, Inc. v. Nat’l Stores Inc., No. 12-10807,
Plaintiffs acknowledge that they have not pleaded a breach of contract claim. Opp’n at 21. Nevertheless, Plaintiffs contend that their request for an injunction is just that — a request for an injunction under the UCL, not one for the contract remedy of specific performance. Id. As Plaintiffs are not seeking a contract remedy, Plaintiffs contend they do not need to plead the elements of breach of contract. Id.
The Court agrees with Plaintiffs that their request is indeed a request for an injunction under the UCL, and not one for specific performance. Plaintiffs do not allege that Adobe violated the UCL solely on the grounds that Adobe failed to “honor the terms of its contracts.” See Compl. ¶¶ 128-131. While Plaintiffs do allege “systematic breach of [ ] contracts” as one of Adobe’s allegedly unlawful practices, Plaintiffs also allege that Adobe’s actions are independently unlawful because they violate the duty California imposes on businesses to reasonably safeguard customers’ data under the CRA. Compl. ¶ 130; accord Opp’n at 21 (“Adobe’s duties arose from promises it made in its contracts and elsewhere, and from statute.” (emphasis added)). The Court has already determined that Plaintiffs have standing to bring claims under this statute. See supra Part III.A. Thus, contrary to Adobe’s assertion, Plaintiffs have alleged a basis for a UCL violation other than breach of contract. The Court therefore concludes that Plaintiffs’ request is for an injunction to remedy Adobe’s alleged UCL violations, and not to remedy an unalleged breach of contract.
3. Unlawful or Unfair
Adobe further challenges Plaintiffs’ UCL injunction claim on the ground that Plaintiffs do not plead any “unlawful” or “unfair” conduct that- violates the UCL. Mot. at 18-19. The Court first considers Plaintiffs’ “unlawful” allegations, then turns to Plaintiffs’ “unfair” allegations,
a. Unlawful
The “unlawful” prong of the UCL prohibits “anything that can properly be called a business practice and that at the same time is forbidden by law.” Cel-Tech,
Adobe argues that none of these allegations are adequate to sustain a UCL claim. As to Plaintiffs’ CRA allegation, Adobe contends that because Plaintiffs lack standing to bring a CRA claim, Plaintiffs similarly lack standing to pursue a UCL claim premised on a violation of the CRA. Mot. at 18. However, the Court has found •that Plaintiffs do have standing to bring their CRA claim, and thus standing presents no barrier to Plaintiffs’ efforts to base their UCL unlawful claim on Adobe’s alleged violation of the CRA. Accordingly, the Court finds that Plaintiffs have ade
b. Unfair
The “unfair” prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin Corp.,
Adobe contends that Plaintiffs’ claim under the “balancing test” is “conclusory and formulaic.” Mot. at 19. Specifically, Adobe claims that Plaintiffs do not allege any injuries stemming from Adobe’s allegedly unfair conduct and thus that there is no “harm” to balance against any “utility.” Reply at 9-10. As to the “tethering test,” Adobe contends that Plaintiffs’ allegations fail because Plaintiffs do not allege any violations of the OPPA or the IPA, Mot. at 19, or any effects that are “comparable to ... a violation of’ those statutes, Reply at 9 (quoting Cel-Tech,
Adobe’s argument that Plaintiffs’ “balancing test” allegations are insufficient is unpersuasive. Adobe appears to object that Plaintiffs do not allege any injuries resulting from Adobe’s allegedly unfair conduct in the precise paragraph of the
Turning to the “tethering test,” the Court notes that contrary to Adobe’s assertion, Plaintiffs do not need to plead any direct violations of a statute to bring a claim under the UCL’s unfair prong. Instead, Plaintiffs need merely to show that the effects of Adobe’s conduct “are comparable to or the same as a violation of the law, or otherwise significantly threaten[] or harm[ ] competition.” Cel-Tech,
In sum, the Court concludes that Plaintiffs Duke and Page have not adequately pleaded that they have standing to bring a claim under the UCL. The Court therefore GRANTS Adobe’s Motion to Dismiss this claim as to Plaintiffs Duke and Page without prejudice. However, the Court finds that Plaintiffs Halpain, McGlynn, Kar, and McHenry have adequately pleaded both standing and the necessary elements to bring their UCL injunction claim. Accordingly, the Court DENIES Adobe’s Motion to Dismiss this claim as to those Plaintiffs.
D. UCL Restitution Claim
Plaintiffs’ fourth and final cause of action is for restitution under the UCL on behalf of purchasers of Adobe’s ColdFu
1. Standing to Bring Restitution Claims for ColdFusion Customers
Some courts reserve the question of whether plaintiffs may assert claims based on products they did not buy until ruling on a motion for class certification. See, e.g., Forcellati v. Hyland’s, Inc.,
This Court has previously applied the “substantially similar” approach and will do so again here. E.g., Werdebaugh v. Blue Diamond Growers, No. 12-2724,
The Court finds that the remaining two differences between ColdFusion and Creative Cloud are not significant enough to prevent the products from being “substantially similar” for purposes of the claims alleged here. Plaintiff's’ theory of harm for their UCL restitution claim is that ColdFusion and Creative Cloud are “heavily security-dependent” products that Plaintiffs either would not have purchased or for which Plaintiffs would not have paid as much had Plaintiffs known the truth about Adobe’s inadequate security practices. Opp’n at 17; Compl. ¶¶ 136-139. Neither the cost of a product nor whether the product is license- or subscription-based is relevant to the inquiry here, i.e., whether purchasers of the products valued security, and thus whether they overpaid for their Adobe products in light of Adobe’s alleged misrepresentations and omissions regarding security. This distinguishes this case from cases applying the substantially similar approach in the food mislabeling context, where differences in the products could be expected to have an impact on whether the customer purchased the product in reliance on the defendant’s misrepresentations. See, e.g., Larsen v. Trader Joe’s Co., No. 11-5188,
2. Fraudulent
For an omission to be actionable under the UCL, “the omission must be contrary to a representation actually made by the defendant, or an omission of a fact the defendant was obliged to disclose.” Daugherty v. Am. Honda Motor Co.,
Adobe does not dispute that facts regarding its security practices are material. Rather, Adobe contends that Adobe did not have exclusive knowledge of its security practices because Adobe’s security shortcomings were widely reported in the press before the 2013 data breach. Mot. at 21-22; Reply at 11-13. Specifically, Adobe notes that its security problems were detailed in articles published by CNN Money, the New York Times, the Wall Street Journal, and Reuters, Reply at 12, and further that Plaintiffs knew of these reports, id. (noting that the original individual complaints cite some of these reports); see Compl. ¶¶ 42-46 (listing security problems prior to the 2013 data breach under the heading “Adobe’s Abysmal Security Record”). Adobe notes that courts in other cases have found that defendants did not have “exclusive knowledge” of the alleged omission when the allegedly omitted fact was widely reported in similarly reputable news sources. Reply at 11-12 (citing Herron v. Best Buy Co.,
The Court is not convinced. It is one thing to have a poor reputation for security in general, but that does not mean that Adobe’s specific security shortcomings were widely known. None of the press reports Adobe identifies discusses any specific security deficiencies, and Plaintiffs expressly allege that the extent of Adobe’s security shortcomings were revealed only after the 2013 data breach. Compl. ¶ 59. Given that prior reports of Adobe’s security problems were highly generic, the Court cannot say that Adobe did not have exclusive knowledge of its failure to implement industry-standard security measures.
Adobe further argues that even if Plaintiffs identify an actionable omission, Plaintiffs cannot allege that they relied on that omission, as is required for a claim under the “fraudulent” prong of the UCL. Mot. at 23 (citing In re Facebook PPC Adver. Litig., No. 09-3043,
The Court disagrees. Plaintiffs allege that they would not have subscribed to Creative Cloud in the first instance had they known of Adobe’s allegedly unsound security practices. Compl. ¶¶ 84, 91. Having invested time, money, and energy in Creative Cloud, however, Plaintiffs allege that the costs to switch to another product — which include early cancellation fees, id. ¶¶ 88, 93 — are now too high to justify abandoning their Creative Cloud subscriptions. See Opp’n at 19 (citing Compl. ¶ 137). This is a plausible allegation. Moreover, a plaintiff need not allege that a product became totally worthless to her once the defendant’s misrepresentation came to light in order to plead actionable reliance. Rather, it is enough to allege that the product is worth less to the plaintiff in light of the misrepresentation. See Kwikset,
For these reasons, the Court concludes that Plaintiffs have adequately pleaded that Adobe had a duty to disclose that its security practices were not up to industry standards, that this omission was material, and that Plaintiffs relied on this omission to their detriment. Thus, Plaintiffs have adequately pleaded their UCL restitution claim under the UCL’s “fraudulent” prong, and Adobe is not entitled to dismissal of this claim.
3. Unfair
Plaintiffs also assert two claims under the UCL’s “unfair” prong for their UCL restitution claim. First, Plaintiffs allege that Adobe’s competition invested in industry-standard security practices, and therefore Adobe gained an unfair competitive advantage to the extent that Adobe did not. Compl. ¶ 138. Plaintiffs contend that this conduct was “unethical, unscrupulous, and substantially injurious.” Id. Second, Plaintiffs allege that Adobe’s conduct undermined California public policy as embodied in the OPPA, the IPA, and the CRA. Id.
Adobe’s objection to these claims again is that Plaintiffs did not include all of the
Adobe also repeats the argument that Plaintiffs’ “public policy” allegations are flawed because Plaintiffs do not plead violations of the OPPA, the IPA, and the CRA. Mot. at 25. As previously discussed, see supra Part III.C.3.b, the “unfair” prong does not require Plaintiffs to plead direct violations of these statutes. Instead, the Court has already found that Plaintiffs plausibly allege that the OPPA, the IPA, and the CRA reflect California’s policy objective of reasonably securing customer data. See supra Part III.C.3.b. Plaintiffs further plausibly allege that Adobe’s purported failure to provide industry-standard security undermines that policy objective. The Court therefore finds that Plaintiffs have pleaded with sufficient specificity all the necessary elements of a claim under the UCL’s “unfair” prong for their UCL restitution claim, and Adobe is not entitled to dismissal of the claim on that basis.
For the foregoing reasons, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ UCL restitution claim.
IY. CONCLUSION
For the reasons discussed above, the Court:
1. GRANTS Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.82 without prejudice;
2. GRANTS Adobe’s Motion to Dismiss Plaintiffs’ UCL injunction claim as to Plaintiffs Duke and Page without prejudice; and
3. DENIES the remainder of Adobe’s Motion to Dismiss.
Should Plaintiffs elect to file a Second Amended Complaint curing the deficiencies identified herein, Plaintiffs shall do so within thirty days of the date of this Order. Failure to meet the thirty-day deadline to file an amended complaint or failure to cure the deficiencies identified in this Order will result in a dismissal with prejudice. Plaintiffs may not add new causes of actions or .parties without leave of the Court or stipulation of the parties pursuant to Federal Rule of Civil Procedure 15.
IT IS SO ORDERED.
Notes
. Unless otherwise noted, all remaining ECF citations refer to Case Number 13-CV-5226.
. Although a district court generally may not consider any material beyond the pleadings in deciding a Rule 12(b)(6) motion, the Court may take judicial notice of documents referenced in the complaint, as well as matters in the public record, without converting a motion to dismiss into one for summary judgment. See Lee v. City of L.A.,
Here, Adobe requests that the Court take judicial notice of the transcript of the case management conference hearing held before this Court on March 13, 2014. Def. May 21 RJN Ex. A. This transcript is an appropriate subject for judicial notice, as it is a matter of public record. Adobe also requests that the
Plaintiffs request that the Court take judicial notice of one of Adobe’s End User License Agreements ("EULA”). Pl. RJN Ex. A. The EULA is referenced in the Complaint, see, e.g., Compl. ¶¶ 29-32, 41, 105, and is publicly available on Adobe’s website. Accordingly, the Court GRANTS Plaintiffs’ Request for Judicial Notice. See Knievel,
. Adobe refers to Sections 1798.81.5 and 1798.82 as the "California Data Breach Notification Act," see Mot. at 6, whereas Plaintiffs refer to those sections as the “California Customer Records Act,” see Opp’n at 6. The Court agrees with Plaintiffs that Section 1798.81.5 deals with more than notification in the event of a breach. See Cal. Civ. Code § 1798.81.5(d) ("[T]he purpose of this section is to encourage businesses that own or license personal information about Californians to provide reasonable security for that information.”). Accordingly, the Court will refer to these sections as the Customer Records Act ("CRA”), after the name of the Title under which they appear. See Cal. Civ.Code tit. 1.81 (“Customer Records”).
. Indeed, the “certainly impending” language can be traced back to a 1923 decision, Pennsylvania v. West Virginia,
. The Court further notes that requiring Plaintiffs to wait for the threatened harm to materialize in order to sue would pose a standing problem of its own, because the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the . identity theft is not “fairly traceable” to the defendant's data breach. Indeed, Adobe makes this very argument in its Motion. Specifically, Adobe speculates that Plaintiff' Hal-pain may also have been a victim of recent data breaches involving Target and Neiman Marcus, and thus that Halpain’s allegation that her personal data appeared on "black market websites” is not fairly traceable to Adobe’s 2013 data breach. Mot. at 9 & n.8. This argument fails, given that there is no factual basis for Adobe’s speculation that Hal-pain was a customer of either Target or Nei-man Marcus, let alone that Halpain’s personal data was compromised in data breaches involving these companies.
. It is also worth noting that Clapper was decided on summary judgment, see
. The precise degree of imminence required is somewhat uncertain. While a "certainly impending” risk of future harm would undoubtedly be sufficiently imminent to confer standing on a plaintiff who took costly measures to mitigate that risk, Clapper did not overrule prior cases that have found standing where a plaintiff incurs costs in order to -mitigate a risk of harm that is "substantial.”
. Plaintiffs additionally allege that they suffered economic injury in the form of lost value, both because the software Plaintiffs paid for is now "highly vulnerable to attacks,” and because Plaintiffs Halpain and McGlynn would not have subscribed to Creative Cloud had they known of Adobe's substandard security practices. See Opp’n at 10. As the Court has already found that all Plaintiffs have Article III standing to pursue their CRA claims based on an increased risk of harm and, in the case of Plaintiffs Halpain and Kar, costs incurred to mitigate that risk of harm, the Court need not address this additional theory of standing.
. Compare 28 U.S.C. § 2201 ("In a case of actual controversy within its jurisdiction ... any court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.”), with Cal. Civ. Proc. Code § 1060 ("Any person interested under a written instrument ... or under a contract ... may, in cases of actual controversy relating to the legal rights and duties of the respective parties, bring an original action ... for a declaration of his or her rights and duties.... [T]he court may make a binding declaration of these rights or duties, whether or not further relief is or could be claimed at the time.”).
. Adobe contends that Plaintiffs do not allege "any adverse consequences of sufficient immediacy and reality [] in the absence of their requested judicial declarations.” Mot. at 14 (emphasis removed). However, Plaintiffs' complaint specifically alleges that "Adobe's customers will remain at risk of attack until the company completely revamps its security practices.” Compl. ¶ 66. Plaintiffs then substantiate this allegation of threatened harm by listing a number of Adobe’s allegedly unreasonable security practices, id. ¶ 62, and identifying previous instances in which Adobe has allegedly inadequately responded to security threats, id. ¶¶ 43, 55.
. Adobe resists this conclusion on the grounds that the remedial security measures Plaintiffs propose do not take into account the evolving meaning of "reasonable” and are not sufficiently specific or definitive because they refer to "industry standards” and similar undefined terms. Reply at 6. This is unpersuasive. For one thing, the Court is not bound to adopt the precise wording of any potential declaration set forth in a plaintiff’s complaint
. In Williamson v. Reinalt-Thomas Corp., No. 11-3548,
. Adobe’s reliance on Herron and Gray is misplaced. In both those cases, the press had widely reported the exact omission for which the plaintiffs sought to hold the defendant liable. See Heiron,
. Adobe's authority is not to the contrary. In Noll, the plaintiffs alleged that defendant eBay failed to disclose that listing fees automatically recurred every 30 days.