932 F. Supp. 2d 1089 | N.D. Cal. | 2013
ORDER GRANTING DEFENDANT’S MOTION TO DISMISS THE FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
Plaintiffs Katie Szpyrka (“Szpyrka”) and Khalilah Wright (“Wright”), collectively “Plaintiffs,” bring this putative class action against Defendant Linkedln- Corporation (“Defendant” or “Linkedln”). Presently before the Court is Linkedln’s Motion to Dismiss Plaintiffs’ First Amended Consolidated Complaint (the “FAC”). Having reviewed the parties’ papers and after having heard oral arguments of counsel, the Court has determined that Linkedln’s Motion will be GRANTED.
I. Background
Linkedln owns and operates the website www.LinkedIn.com, which provides an online community for professional networking. First Am. Consolidated Class Action Compl. (“FAC”) ¶ 12, Docket Item No. 54. Prospective members may sign up for a membership by providing a valid email address and registration password, which Linkedln stores on its database. Id. ¶ 13. Once registered, a member may create a free online professional profile containing such information as employment and educational history. Id.
When members register, they are required to confirm that they agree to Linkedln’s User Agreement (“User Agreement”) and Privacy Policy (“Privacy Policy”).
Of course, maintaining your trust is our top concern, so we adhere to the following principles to protect your privacy:
• All information that you provide will be protected with industry standard protocols and technology.
Id. The “Security” section of the Privacy Policy states,
In order to help secure your personal information, access to your data on Linkedln is password-protected, and sensitive data (such as credit card information) is protected by SSL encryption when it is exchanged between your web browser and the Linkedln website. To protect any data you store on our servers, Linkedln also regularly audits its system for possible vulnerabilities and attacks, and we use a tierone seeuredaccess data center. However, since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to Linkedln. There is no guarantee that information may not he accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. It is your responsibility to protect the security of your login information. Please note that emails, instant messaging, and similar means of communication with other Users of Linkedln are not encrypted, and we strongly advise you not to communicate any confidential information through these means.
Id.
For a monthly fee, members can upgrade to a paid “premium” account which grants them increased networking tools and capabilities. FAC ¶ 14. Members who purchase a premium account agree to the same terms and services of the User Agreement and Privacy Policy as if they were non-paying members. Heath Deck ¶ 3, Exs. A, C.
Plaintiffs allege that sometime in 2012 hackers infiltrated Linkedln’s computer systems and services. FAC ¶ 4. On June 6, 2012, the hackers posted approximately 6.5 million stolen Linkedln users’ passwords on the Internet. Id. ¶27. Plaintiffs also allege that the stolen information also included the users’ email addresses. Id. ¶ 29. On or around June 9, 2012, Linkedln released a statement on its blog stating that it had recently completed a switch of its password encryption method from a system that stored member passwords in a hashed
Plaintiff Wright registered for a premium Linkedln account on or around March 2010, paying a monthly fee of $99.95 for the premium, upgraded services. Id. ¶¶ 46-47. She alleges that her password was one of the ones retrieved by the hackers and posted on the Internet on June 6, 2012. Id. ¶49. Plaintiff Szpyrka registered for a Linkedln account in late 2010, and since December 2011 she has been paying $26.95 per month for a premium membership. Id. ¶¶ 38-40. The FAC contains no allegation that Szpyrka’s password or any other personal information was stolen or posted on the Internet as a result of the 2012 hacking incident.
The FAC contains a total of nine Causes of Action. Seven Causes of Action are brought on behalf of the Class: violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof.Code §§ 17200, et seq. (Count 1); breach of contract (Count 2); restitution or unjust enrichment (Count 3, as an alternative to Count 2); breach of the implied covenant of good faith and fair dealing (Count 6); breach of an implied contract to reasonably safeguard user information (Count 7); negligence (Count 8); and negligence per se (Count 9). Two Causes of Action are brought on behalf of the Subclass: breach of contract (Count 4); restitution or unjust enrichment (Count 5, as an alternative to Count 4).
Linkedln filed the present Motion to Dismiss the FAC on December 20, 2012. See Docket Item No. 59. A hearing was held before the Court on February 8, 2013. See Minute Entry, Docket Item No. 69.
II. Discussion
A. Article III Standing
An Article III federal court must ask whether a plaintiff has suffered sufficient injury to satisfy the “case or controversy” requirement of Article III of the U.S. Constitution. To satisfy Article III standing, plaintiff must allege: (1) an injury in fact that is concrete and particularized, as well as actual and imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that it is likely (not merely speculative) that injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000); Lujan v. Defenders of Wildlife, 504 U.S. 555, 561-62, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). A suit brought by a plaintiff without Article III standing is not a “case or controversy,” and an Article III federal court therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998). In that event, the suit should be dismissed under Rule 12(b)(1). See id. at 109-10, 118 S.Ct. 1003. A defendant may challenge standing through a Federal Rule of Civil Procedure 12(b)(1) motion and may either attack the complaint on its face or the existence of jurisdiction in fact. Thornhill Publ’g Co. v. Gen. Tel. & Elecs. Corp., 594 F.2d 730, 732-33 (9th Cir.1979). At least one named plaintiff must have suffered an .injury in fact. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir.2003) (“[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.”). The party seeking to invoke federal court jurisdiction has the burden of establishing the constitutional elements of standing. See Lujan, 504 U.S. at 561, 112 S.Ct. 2130.
B. Economic Harm
Plaintiffs argue that they have standing to sue under a theory of economic
Economic harm based on the “benefit of the bargain” theory Plaintiff proffers has been recognized as a viable basis for standing. See, e.g., Chavez v. Blue Sky Natural Beverage Co., 340 Fed.Appx. 359, 360-61 (9th Cir.2009) (finding a sufficient pleading of injury-in-fact where a plaintiff alleged that he would not have paid for allegedly mislabeled products had he known the truth about the products’ geographic origins); Khasin v. Hershey, No. 12-CV-01862 EJD, 2012 WL 5471153, at *6 (N.D.Cal. Nov. 9, 2012) (finding sufficient standing where a plaintiff alleged that he had “lost money or property when he purchased the [food] products in question because he did not receive the full value of those products as advertised and labeled due to the alleged misrepresentation”). In such cases, plaintiffs had standing to sue where they alleged that they would not have purchased a food product had they known that the product was not as advertised on the product’s labeling. Id. The Court distinguishes those cases from the present case for several reasons.
First, the FAC fails to sufficiently allege that Plaintiffs actually provided consideration for the security services which they claim were not provided. Plaintiffs contend that in exchange for the fees they paid for the premium membership account, Linkedln promised, among other things, to provide them with a particular level of security to protect their data. However, the User Agreement and Privacy Policy are the same for the premium membership as they are for the nonpaying basic membership. Any alleged promise Linkedln made to paying premium account holders regarding security protocols was also made to non-paying members. Thus, when a member purchases a premium account upgrade, the bargain is not for a particular level of security, but actually for the advanced networking tools and capabilities to facilitate enhanced usage of TdnkedIn’s services. The FAC does not sufficiently demonstrate that included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of security that was not part of the free membership.
Second, unlike in the food-labeling misrepresentation cases, Plaintiffs do not even allege that they actually read the alleged misrepresentation — the Privacy Policy— which would be necessary to support a claim of misrepresentation. See Chavez, 340 Fed.Appx. at 361-62; Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011). Because a causal connection between a defendant’s actions and plaintiffs alleged harm is required for standing, Plaintiffs have not established standing based on an alleged misrepresentation.
Third, as Plaintiffs’ counsel asserted in oral arguments before the Court, Plaintiffs’ suit is primarily based on an alleged breach of contract.
And fourth, in cases where the alleged wrong stems from allegations about insufficient performance or how a product functions, courts have required plaintiffs to allege “something more” than “overpaying for a ‘defective’ product.” In re Toyota Motor Corp., 790 F.Supp.2d 1152, 1165 n. 11 (C.D.Cal.2011); see also Whitson v. Bumbo, No. C 07-05597 MHP, 2009 WL 1515597 (N.D.Cal. Apr. 16, 2009); Boysen v. Walgreen Co., No. 11-CV-6262, 2012 WL 2953069 (N.D.Cal. July 19, 2012). Plaintiffs do not argue that they did not receive security services; rather, they argue the security services were defective in some way, as evinced by the 2012 hacking incident. This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. See, e.g., Khasin, No. 12-CV01862 EJD, 2012 WL 5471153. Because Plaintiffs take issue with the way in which Linkedln performed the security services, they must alleged “something more” than pure economic harm. See Toyota Motor Corp., 790 F.Supp.2d at 1165. This “something more” could be a harm that occurred as a result of the deficient security services and security breach, such as, for example, theft of their personally identifiable information.
For the foregoing reasons, Plaintiffs cannot rely solely on the “benefit of the bargain” theory of economic harm to sufficiently meet the requirements for Article III standing.
C. Increased Risk of Future Theory
Plaintiff Wright offers an additional theory of injury-in-fact to support her claim of standing. She contends that, as a result of the 2012 hacking incident and the posting of her password on the Internet, there is now an increased risk of future harm. Pis.’ Opp’n to Def.’s Mot. to Dismiss 10. The Court finds that standing on this ground has not been met because these allegations have not been alleged in the FAC. Plaintiff Wright merely alleges that her Linkedln password was “publically posted on the Internet on June 6, 2012.” FAC ¶ 49. In doing so, Plaintiff Wright
III. Conclusion and Order
Because the Court has found that Plaintiffs have failed to meet the requirements of Article III standing, Defendant Linked-In’s Motion to Dismiss for lack of standing is GRANTED without prejudice. Accordingly, Plaintiffs’ FAC will be DISMISSED WITH LEAVE TO AMEND. Any amended complaint shall be file within 30 days of this filing of this Order.
IT IS SO ORDERED.
. The Privacy Policy is incorporated by reference to the User Agreement. Heath Decl. ¶ 3.
. According to the FAC, "hashing” is a process by which a password is inputted into a cryptographic hash function and converted into an unreadable, encrypted format. FAC ¶ 18 n. 3.
. According to the FAC, "salting” is an encryption process in which random values are combined with a password before the 'text undergoes the hashing process. FAC. ¶ 19.
. Seven of the nine causes of action asserted in the FAC are rooted in breach of contract— related theories. The remaining two — negligence and negligence per se — are inextricably
. Plaintiff Wright does argue that the alleged security failure did cause damage to her in the form of an "increased risk of future harm.” Pis.’ Opp’n to Def.’s Mot. to Dismiss 10. This argument will be address in Part 11. B of this Order.