613 F.Supp.3d 1284
S.D. Cal.20201
2
3
4
5
6
7
8 UNITED STATES DISTRICT COURT
9 SOUTHERN DISTRICT OF CALIFORNIA
10
11 In re: SOLARA MEDICAL SUPPLIES, Case No.: 3:19-cv-2284-H-KSC
LLC CUSTOMER DATA SECURITY
12
BREACH LITIGATION ORDER GRANTING IN PART AND
13 DENYING IN PART DEFENDANT’S
MOTION TO DISMISS; GRANTING
14
PLAINTIFFS THIRTY DAYS LEAVE
15 TO AMEND
16
[Doc. No. 31.]
17
18
This is a data privacy class action. On November 13, 2019, Solara Medical Supplies,
19
LLC (“Solara”) notified its customers of a security incident that may have compromised
20
the information related to certain individuals associated with Solara. This class action seeks
21
redress for that incident. On November 29, 2019, Plaintiff Juan Maldonado filed a
22
complaint alleging various common law and other state law causes of action. (Doc. No. 1.)
23
On January 7, 2020, the Court consolidated the Maldonado matter with two other pending
24
actions related to the same security incident. (Doc. No. 10.) On January 23, 2020, Plaintiffs
25
filed their Consolidated Class Action Complaint. (Doc. No. 24.) Plaintiffs seek to represent
26
a nationwide class of all persons “whose Personal and Medical Information was
27
compromised by the Data Breach.” (Doc. No. 24 ¶147.) Alternatively, Plaintiffs propose
28
1 representing subclasses based on state or on the type of personal and medical information
2 compromised. (Id. ¶¶152-153.)
3 On March 9, 2020, Defendant Solara filed a motion to dismiss. (Doc. No. 31.) On
4 March 30, 2020, Plaintiffs responded. (Doc. No. 32.) On April 6, 2020, Defendant replied.
5 (Doc. No. 34.) On April 10, 2020, Plaintiffs filed a Notice of Supplemental Authority
6 regarding the Ninth Circuit’s recent decision in In re Facebook, Inc. Internet Tracking
7 Litig. No. 17-17486, 2020 WL 1807978 (9th Cir. Apr. 9, 2020). (Doc. No. 35.) The Court
8 held a hearing on April 13, 2020 and requested supplemental briefing from the parties on
9 the application of In re Facebook to this case. (Doc. No. 37.) Stuart A. Davidson, William
10 B. Federman, and William M. Sweetnam appeared for Plaintiffs and Jon Peter Kardassakis
11 appeared for the Defendant. On April 24, 2020, Defendant filed its Objection to Plaintiffs’
12 Notice of Supplemental Authority. (Doc. No. 40.) On May 1, 2020, Plaintiffs replied. (Doc.
13 No. 41.) For the following reasons, the Court GRANTS in part and DENIES in part
14 Defendant’s motion to dismiss.
15 I. Background
16 In this putative class action, Plaintiffs are six individuals who allege that their
17 personal and medical information was exposed after Solara’s computer systems were
18 compromised by cyber criminals in 2019. (Doc. No. 24.) Defendant Solara is a direct-to- 19 consumer supplier of medical devices related to the care of diabetes as well as a registered
20 pharmacy in the state of California. (Id. ¶1.) Solara’s principle place of business is
21 California. (Id.) Plaintiffs allege that between April 2, 2019 and June 20, 2019, cyber
22 criminals were able to gain access to Solara’s computer systems which contained the health
23 and personal information of tens of thousands of individuals (the “Breach”). (Id.) Plaintiffs
24 allege that a variety of personal information was exposed in the breach including names,
25 addresses, dates of birth, Social Security numbers, Employee Identification Numbers,
26 confidential medical information, health insurance information, Medicare and Medicaid
27 IDs, as well as financial information for thousands of individuals. (Id. ¶2)
28
1 On or around November 11, 2019, Plaintiffs received a letter from Solara regarding
2 the breach and offering “Plaintiffs and Class members twelve months of identity repair and
3 monitoring services.” (Id. ¶95.) On or around November 13, 2019, Solara issued a press
4 release notifying the public that on June 14, 2019, it had “determined that an unknown
5 actor gained access to a limited number of employee Office 365 accounts . . . .” (Id. ¶25.)
6 Plaintiffs further allege that these Office 365 accounts were not encrypted. (Id. ¶30.)
7 Plaintiff Juan Maldonado, a citizen of Pennsylvania, received a letter from Solara on
8 or around November 20, 2019, informing him that his “name, date of birth, medical
9 information, and health insurance information” had been compromised in the Breach. (Id.
10 ¶100.) Plaintiff Maldonado, alleges that on December 2, 2019, while visiting the hospital
11 for urgent medical care, he learned that his health insurance and billing information had
12 been changed. (Id. ¶101.) Plaintiff Maldonado alleges that he has also suffered stress and
13 anxiety as a result of the Breach. (Id. ¶102.)
14 Plaintiff Adam William Bickford, a citizen of Connecticut, received a letter from
15 Solara, on or around November 11, 2019, informing him that his “name, date of birth, and
16 medical information” was present on a Solara employee’s email account that was
17 compromised in the Breach. (Id. ¶106.) Plaintiff Bickford alleges that he has spent over
18 three hours responding to the threat posed by the data breach and has “noticed an increase
19 in medical-related spam phone calls . . . .” (Id. ¶108.)
20 Plaintiff Jeffrey Harris, a citizen of North Carolina, received a letter from Solara
21 informing him that his “name, date of birth, Social Security number, medical information,
22 billing/claims information, health insurance information, and Medicare ID/Medicaid ID”
23 was exposed by the Breach. (Id. ¶114.) Plaintiff Harris alleges that he has spent hours
24 addressing the data breach and has suffered anxiety as a result. (Id. ¶116.)
25 Plaintiff Alex Mercado, a citizen of California, received a letter from Solara
26 informing him that his “name, date of birth, Social Security number, medical information,
27 billing/claims information, health insurance information, and Medicare ID/Medicaid ID”
28
1 was exposed by the Breach. (Id. ¶125.) Plaintiff Mercado also alleges that he has suffered
2 anxiety as a result of the Breach. (Id. ¶129.)
3 Plaintiff Thomas Wardrop, a citizen of Michigan, received a letter from Solara
4 informing him that his “name, date of birth, medical information, billing and claims
5 information, and health insurance information was compromised in the Data Breach.” (Id.
6 ¶132.) Plaintiff Wardrop alleges that he has “experienced unexplained credit inquiries and
7 spam/phishing attempts that he believes are related to the Data Breach.” (Id. ¶135.)
8 Plaintiff Kristi Keally, legal guardian of minor plaintiff M.K., a citizen of
9 Pennsylvania, received a letter from Solara informing her that her minor child’s “name,
10 date of birth, medical information, medical insurance information, and billing and claims
11 information was compromised in the Data Breach.” (Id. ¶139.) Plaintiff Keally alleges that
12 she has “expended time and suffered loss of productivity from taking time to address and
13 attempt to” deal with the consequences of the Breach for M.K. (Id. ¶141.)
14 II. Legal Standards
15 Defendant moves to dismiss the claims of all Plaintiffs for failure to state a claim
16 under Federal Rule of Civil Procedure 12(b)(6). A defendant may move to dismiss a
17 complaint for failing to state a claim upon which relief can be granted under Rule 12(b)(6).
18 “Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable
19 legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v.
20 Centinela Hosp. Med. Ctr., 521 F.3d 1097 , 1104 (9th Cir. 2008). To survive a 12(b)(6)
21 motion, a plaintiff must plead “enough facts to state a claim to relief that is plausible on its
22 face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544 , 570 (2007). A claim is facially plausible
23 when a plaintiff pleads “factual content that allows the court to draw the reasonable
24 inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556
25 U.S. 662, 678 (2009).
26 In reviewing the plausibility of a complaint, courts “accept factual allegations in the
27 complaint as true and construe the pleadings in the light most favorable to the nonmoving
28 party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025 , 1031 (9th Cir. 2008).
1 Nonetheless, courts do not “accept as true allegations that are merely conclusory,
2 unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Secs. Litig.,
3 536 F.3d 1049 , 1055 (9th Cir. 2008) (quoting Sprewell v. Golden State Warriors, 266 F.3d
4 979, 988 (9th Cir. 2001)). The Court also need not accept as true allegations that contradict
5 matter properly subject to judicial notice or allegations contradicting the exhibits attached
6 to the complaint. Sprewell, 266 F.3d at 988 .
7 Additionally, claims sounding in fraud are subject to the heightened pleading
8 requirements of Rule 9(b) of the Federal Rules of Civil Procedure, which requires that a
9 plaintiff alleging fraud “must state with particularity the circumstances constituting fraud.”
10 Fed. R. Civ. P. 9(b); see Kearns v. Ford Motor Co., 567 F.3d 1120 , 1124 (9th Cir. 2009).
11 To satisfy the heightened standard under Rule 9(b), the allegations must be “specific
12 enough to give defendants notice of the particular misconduct which is alleged to constitute
13 the fraud charged so that they can defend against the charge and not just deny that they
14 have done anything wrong.” Semegen v. Weidner, 780 F.2d 727 , 731 (9th Cir. 1985). Thus,
15 claims sounding in fraud must allege “an account of the time, place, and specific content
16 of the false representations as well as the identities of the parties to the misrepresentations.”
17 Swartz v. KPMG LLP, 476 F.3d 756 , 764 (9th Cir. 2007) (per curiam) (internal quotation
18 marks omitted); see also Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097 , 1106 (9th Cir.
19 2003) (“Averments of fraud must be accompanied by the who, what, when, where, and
20 how of the misconduct charged.”) (internal quotation marks omitted).
21 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the
22 court determines that the allegation of other facts consistent with the challenged pleading
23 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d
24 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806
25 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile,
26 the Court may deny leave to amend. See Desoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at
27 1401.
28
1 III. Discussion
2 1. Negligence
3 Defendant argues that Plaintiffs cannot maintain a cause of action for negligence
4 because the economic loss doctrine bars their claims and because Plaintiffs cannot
5 adequately allege causation. (Doc. No. 31 at 4-6.) Plaintiffs argue that they fall within one
6 of the exceptions to the economic loss doctrine. (Doc No. 32 at 3-4.) Specifically, Plaintiffs
7 argue that they have: (1) pled non-economic harm, (2) that Solara owed them an
8 independent duty to safeguard their information, and (3) that a special relationship existed
9 between the parties. (Doc No. 32 at 3-4.) Plaintiffs also argue that they have adequately
10 alleged causation. (Id.)
11 To state a claim for negligence in California, a plaintiff must establish the following
12 elements: (1) the defendant had a duty, or an “obligation to conform to a certain standard
13 of conduct for the protection of others against unreasonable risks,” (2) the defendant
14 breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4)
15 damages. Corales v. Bennett, 567 F.3d 554 , 572 (9th Cir. 2009).
16 Generally, purely economic losses are not recoverable in tort. Seely v. White Motor
17 Co., 63 Cal. 2d 9 , 16–17 (1965). “[T]he economic loss rule prevent[s] the law of contract
18 and the law of tort from dissolving one into the other.” Robinson Helicopter Co. v. Dana
19 Corp., 34 Cal. 4th 979 , 988 (2004) (quotation omitted). The rule serves to “limit liability
20 in commercial activities that negligently or inadvertently go awry.” Id. at 991 n.7, 22
21 Cal.Rptr.3d 352, 102 P.3d 268 . “Economic loss consists of damages for inadequate value,
22 costs of repair and replace of the defective product or consequent loss of profits—without
23 any claim of personal injury or damages to other property.” Id. at 272 (Cal. 2004) (internal
24 quotation marks omitted). Here, Plaintiffs have alleged they have lost time responding to
25 the Breach as well as suffering from increased anxiety and so do not allege purely economic
26 losses. (Doc. No. 24 ¶¶ 102, 108, 116, 129, 135, and 141.) The economic loss rule therefore
27 does not apply. See Bass v. Facebook, Inc., 394 F.Supp. 3d 1024 , 1039 (N.D. Cal. 2019).
28
1 Since Plaintiffs have pled non-economic losses, the Court need not consider the remaining
2 two exceptions to the economic loss doctrine.
3 Defendant also argues that the negligence cause of action should be dismissed for
4 “the independent reason that plaintiffs are unable to allege” that the Breach caused them
5 cognizable, non-speculative harm. (Doc. No. 31 at 14.) Plaintiffs argue that they have
6 articulated specific “non-general damages in their costs and lost time caused by the
7 breach.” (Doc. No. 32 at 15.) The Court agrees. Increased time spent monitoring one’s
8 credit and other tasks associated with responding to a data breach have been found by
9 others courts to be specific, concrete, and non-speculative. See Bass, 394 F. Supp 3d at
10 1039; Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600, 2015 WL 3916744 ,
11 at *4 (C.D. Cal. June 15, 2015). The Court denies Defendant’s motion to dismiss Plaintiffs’
12 negligence cause of action.
13 2. Negligence Per Se
14 Next, Defendant argues that Plaintiffs’ negligence per se claim is not an independent
15 cause of action but an evidentiary presumption. (Doc. No. 31 at 6-7.) Plaintiffs concede
16 that it is not a separate cause of action but argue that in order to invoke the presumption
17 they are “required to allege facts to support its application.” (Doc. No. 32 at 16.)
18 In order to invoke negligence per se under California law, Plaintiffs must allege four
19 essential elements: (1) Defendant violated a statute, ordinance or regulation of a public
20 entity; (2) the violation was the proximate cause of Plaintiff's injury; (3) the injury resulted
21 from an occurrence, the nature of which the statute, ordinance or regulation was designed
22 to prevent; and (4) the person suffering the injury was one of the class of persons for whose
23 protection the statute, ordinance or regulation was adopted. Carson v. Depuy Spine, Inc.,
24 365 Fed.Appx. 812 , 815 (9th Cir. 2010.); Cal. Evid. Code § 669.
25 Defendant is correct that negligence per se is not a separate cause of action but an
26 evidentiary doctrine. Plaintiffs are also correct that they need to allege facts supporting
27 application of the doctrine. Harris v. Burlington Northern Santa Fe Railroad., No. EDCV
28 09-197 ABC, 2013 WL 1212268 , at *3 (C.D. Cal. July 12, 2013). To do so under the law,
1 Plaintiffs should plead facts to support application of the negligence per se doctrine within
2 the negligence cause of action in an amended complaint. As a result, the Court grants the
3 Defendant’s motion to dismiss the negligence per se cause of action without prejudice.
4 3. Breach of Contract
5 Defendant moves to dismiss Plaintiffs’ breach of contract claim arguing Plaintiffs
6 have not adequately alleged who entered into a contract with Solara. (Doc. No. 31 at 7.)
7 Defendant also argues that Plaintiffs fail to plead facts “demonstrating cognizable
8 damages.” (Id. at 8-9.) Plaintiffs argue that they have alleged entering into contracts with
9 Solara in exchange for medical supplies. (Doc. No. 32 at 7.)
10 Under California law, to state a claim for breach of contract, a plaintiff must plead
11 “the contract, plaintiffs’ performance (or excuse for nonperformance), defendant’s breach,
12 and damage to plaintiff therefrom.” Low v. LinkedIn Corp., 900 F. Supp. 2d 1010 , 1028
13 (N.D. Cal. 2012). A plaintiff must plead “appreciable and actual damage” in relation to
14 their breach of contract claim. Id. (citing Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d
15 1010, 1015 (9th Cir. 2000)). “Nominal damages, speculative harm, or threat of future harm
16 do not suffice to show legally cognizable injury.” Id.
17 Plaintiffs’ complaint alleges that “Defendant entered into contracts with Plaintiffs
18 and Class Members.” (Doc. No. 24 ¶207.) “In an action for breach of a written contract, a
19 plaintiff must allege the specific provisions in the contract creating the obligation the
20 defendant is said to have breached.” Young v. Facebook, Inc., 790 F.Supp.2d 1110 , 1117
21 (N.D. Cal. 2011); see also Miron v. Herbalife Int’l, Inc., 11 Fed.Appx. 927 , 929 (9th Cir.
22 2001) (“The district court's dismissal of the Mirons’ breach of contract claims was proper
23 because the Mirons failed to allege any provision of the contract which supports their
24 claim.”). Plaintiffs argue that Solara’s “Notice of Privacy Practices” and “Patient Bill of
25 Rights” form the basis for their express contract claim. (Doc. No. 32 at 7-8.) Solara’s
26 Notice of Privacy Practices states that:
27 Solara Medical Supplies . . . is committed to protecting your privacy
and understands the importance of safeguarding your personal health
28
1 information. We are required by federal law to maintain the privacy of
health information that identifies you or that could be used to identify
2
you . . . .
3 (Doc. No. 24 ¶37.) And Solara’s Patient Bill of Rights enumerates the following
rights:
4
The Client Bill of Rights is designed to recognize, promote, and protect,
5 an individual’s right to be treated with dignity and respect within the
health care system. . . . As our client you have the right to . . .
6
Confidentiality of your records and Solara Medical Supplies, LLC
7 policy for accessing and disclosure of records.
8
(Id. ¶38.) Plaintiffs allege that these documents form the basis for their express
9
breach of contract claim and that every Plaintiff was provided with a copy of both
10
documents. (Id.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept
11
as true all facts alleged in the complaint and draws all reasonable inferences in favor of
12
the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768
13
F.3d 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs’
14
express breach of contract claim.
15
Next, Defendant argues that Plaintiffs have not pled facts “demonstrating
16
cognizable damage.” (Doc. No. 31 at 8.) Plaintiffs argue that they have adequately pled a
17
diminution in the value of their personal information as a result of the Breach. (Doc. No.
18
32 at 8.) The dissemination of one’s personal information can satisfy the damages element
19
of a breach of contract claim. See In re Facebook Privacy Litigation., 572 Fed.Appx. 494
20
(9th Cir. 2014). As a result, the Court declines to dismiss Plaintiffs’ breach of express
21
contract claim.
22
4. Breach of Implied Contract
23
As an alternative theory, Plaintiffs plead breach of an implied contract. “An
24
implied-in-fact contract requires proof of the same elements necessary to evidence an
25
express contract: mutual assent or offer and acceptance, consideration, legal capacity and
26
lawful subject matter.” Northstar Financial Advisors Inc. v. Schwab Investments, 779 F.3d
27
28
1 1036, 1050–51 (9th Cir. 2015). Plaintiffs have adequately alleged facts to support a theory
2 of breach of implied contract in the alternative to breach of express contract.
3 5. Breach of Implied Covenant of Good Faith and Fair Dealing
4 Defendant moves to dismiss Plaintiffs’ claim for a breach of the implied covenant
5 of good faith and fair dealing arguing that Plaintiffs fail to allege a conscious and deliberate
6 act” by Solara to frustrate the purposes of the parties’ agreement. (Doc. No. 31 at 11.)
7 Plaintiffs argue that Solara’s security failures were “conscious and deliberate.” (Doc. No.
8 32 at 11.)
9 Under California law, “[e]very contract imposes on each party a duty of good faith
10 and fair dealing in each performance and its enforcement.” Carson v. Mercury Ins. Co.,
11 210 Cal. App. 4th 409 , 429 (2012) (internal quotation marks omitted). “The covenant ‘is
12 based on general contract law and the long-standing rule that neither party will do anything
13 which will injure the right of the other to receive the benefits of the agreement.’” Rosenfeld
14 v. JP Morgan Chase Bank, N.A., 732 F. Supp. 2d 952 , 968 (N.D. Cal. 2010) (quoting
15 Waller v. Truck Ins. Exchange, Inc., 11 Cal. 4th 1 , 36 (1995)). In order to establish a breach
16 of the covenant of good faith and fair dealing, a plaintiff must show: “(1) the parties entered
17 into a contract; (2) the plaintiff fulfilled his obligations under the contract; (3) any
18 conditions precedent to the defendant’s performance occurred; (4) the defendant unfairly
19 interfered with the plaintiff's rights to receive the benefits of the contract; and (5) the
20 plaintiff was harmed by the defendant's conduct.” Id. “California law makes clear that
21 establishing breach of the implied covenant requires proof of a conscious and deliberate
22 act, which unfairly frustrates the agreed common purpose of the agreement.” Claridge v.
23 RockYou, Inc., 785 F.Supp.2d 855 , 865 (N.D. Cal. 2011).
24 Plaintiffs argue that Solara’s security failures are evidence of a conscious and
25 deliberate act. They argue that Solara’s actions were “plausibly conscious and deliberate
26 since they contravened Solara’s own policies and violated various laws and regulations
27 including HIPPA requirements.” (Doc. No. 32 at 11.) Plaintiffs argue that Solara should
28 “have known about its weakness toward email-related threats” and yet failed to take action.
1 (Doc. No. 1. ¶71.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept
2 as true all facts alleged in the complaint and draws all reasonable inferences in favor of the
3 claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d
4 938, 945 (9th Cir. 2014). Defendant’s arguments are better suited for a motion for summary
5 judgment when the record is more fully developed. Accordingly, the Court declines to
6 dismiss Plaintiffs’ claim for a breach of the covenant of good faith and fair dealing at this
7 time.
8 6. Unjust Enrichment
9 Defendant moves to dismiss Plaintiffs’ unjust enrichment claim arguing that “there
10 is no cause of action in California for unjust enrichment. (Doc. No. 31 at 11.) Plaintiffs
11 argue that this is not the case. (Doc. No. 32 at 12.) Plaintiffs are correct. “The California
12 Supreme Court has clarified California law and allowed independent claims for unjust
13 enrichment to proceed.” Bruton v. Gerber Prod. Co., 703 Fed.Appx. 468 , 470 (9th Cir.
14 2017) (citing Hartford Cas. Ins. Co. v. J.R. Mktg., 61 Cal. 4th 988, 1000 (2015)).
15 Accordingly, the Court declines to dismiss Plaintiffs’ unjust enrichment claim.
16 7. California Confidentiality of Medical Information Act Claim
17 Solara moves to dismiss Plaintiffs’ California Confidential of Medical Information
18 Act (“CMIA”) claims, which arise under California Civil Code sections 56.101(a) and
19 56.36(b). Section 56.101(a) requires health care providers to maintain medical information
20 “in a manner that preserves the confidentiality of the information contained therein” and
21 creates a private right of action, enforced through section 56.36(b), for patients’ whose
22 health care provider “negligently creates, maintains, preserves, stores, abandons, destroys,
23 or disposes of medical information.” Cal. Civ. Code § 56.101(a).
24 Under section 56.36(b), “any individual may bring an action against any person or
25 entity who has negligently released information concerning him or her in violation of this
26 part for . . . nominal damages of one thousand dollars ($1,000).” Cal. Civ. Code §
27 56.36(b)(1). When suing for nominal damages, plaintiffs do not have to prove they
28 “suffered or [were] threatened with actual damages,” Cal. Civ.Code § 56.36(b)(1), but they
1 must plead that an unauthorized third party viewed or accessed their confidential
2 information. Regents of the Univ. of Cal. v. Super Ct., 220 Cal.App. 4th 549 , 570 (2013);
3 Sutter Health v. Super Ct., 227 Cal.App. 4th 1546 , 1555 (2014) (“[W]ithout an actual
4 confidentiality breach, a health care provider has not violated section 56.101 and therefore
5 does not invoke the remedy provided in section 56.36.”).
6 Defendant argues that the CMIA claim should be dismissed because the statute
7 requires an “affirmative act of communication” and that Plaintiffs do not plead that an
8 unauthorized person actually viewed their confidential medical information. (Doc. No. 31
9 at 12-13.) Solara also argues that the employee email accounts at issue are not subject to
10 the electronic health record system provision of California Civil Code §56.101(b). (Id.)
11 Plaintiffs argue that they are not required to allege an “affirmative disclosure” by Solara at
12 the pleading stage. (Doc. No. 32 at 13.) Furthermore, Plaintiffs argue that they have alleged
13 that their “medical information was actually viewed in the breach.” (Id.) Plaintiffs also
14 argue that email accounts are subject to California Civil Code §56.101(b). (Id. at 15.)
15 The CMIA does not require an affirmative act of communication by the Defendant.
16 Section 56.101(a) obligates every provider of health care “who creates, maintains,
17 preserves, stores, abandons, destroys, or disposes of medical information shall do so in a
18 manner that preserves the confidentiality of the information contained therein” and that any
19 health care provider who “who negligently creates, maintains, preserves, stores, abandons,
20 destroys, or disposes of medical information shall be subject to the remedies and penalties
21 provided under subdivisions (b) and (c) of Section 56.36.” The plain text of the statute does
22 not require an affirmative disclosure by the medical provider to create liability but in fact
23 creates a remedy for those who store records negligently. California courts that have had
24 occasion to consider Defendant’s argument have rejected it. See Regents of Univ. of Cal.
25 v. Superior Court, 220 Cal. App. 4th 549 , 568 (2013).
26 Next, Defendant’s argument that Plaintiffs have not pled unauthorized viewing of
27 their medical records is unavailing. Plaintiffs have plausibly pled facts that could give rise
28 to the inference that their medical information has been viewed by an unauthorized third
1 party. Plaintiffs attach to their complaint letters they received from Solara indicating that
2 their information was exposed in the breach. (Doc. No. 24 Exh. 1-6.) Plaintiffs have also
3 pled an increase in medical-related spam emails and phone calls following the data breach.
4 (Id. ¶¶108, 117, 128, 135.) These events plausibly give rise to the inference that Plaintiffs’
5 information was exposed in the Breach.
6 Finally, Defendant’s argument that no electronic health record system is at issue in
7 Plaintiffs’ complaint is not persuasive. The text of the statute broadly defines “electronic
8 medical record” as “an electronic record of health-related information on an individual that
9 is created, gather, managed, and consulted by authorized health care clinicians and staff.”
10 §56.101(c). Defendant’s arguments are better suited for a motion for summary judgment
11 when the record is more fully developed as to whether the communications are subject to
12 the CMIA. In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true
13 all facts alleged in the complaint and draws all reasonable inferences in favor of the
14 claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d
15 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs’ CMIA
16 claim.
17 8. California Consumer Records Act
18 Next, Defendant moves to dismiss Plaintiffs’ California Records Act Claim
19 (“CRA”). (Doc. No. 31 at 14.) The CRA “regulates businesses with regard to treatment
20 and notification procedures relating to their customers’ personal information.” Corona v.
21 Sony Pictures Ent'mt, 2015 WL 3916744 , at *6 (C.D. Cal. June 15, 2015). Plaintiffs allege
22 that Defendant violated § 1798.82 of the CRA. This provision provides, in relevant part:
23 A person or business that conducts business in California, and that owns or
licenses computerized data that includes personal information, shall disclose
24
a breach of the security of the system following discovery or notification of
25 the breach in the security of the data to a resident of California (1) whose
unencrypted personal information was, or is reasonably believed to have
26
been, acquired by an unauthorized person . . . .
27
28
1 Cal. Civ. Code § 1798.82(a). The statute requires that disclosure “shall be made in the most
2 expedient time possible and without unreasonable delay.” Id. The statute also describes the
3 information that must be included in the security breach notification and the form that the
4 security breach notification must take. See § 1798.82(d).
5 To allege a “cognizable injury” arising from Defendant’s alleged failure to timely
6 notify Plaintiffs of the Data Breach, Plaintiffs must allege “incremental harm suffered as a
7 result of the alleged delay in notification,” as opposed to harm from the Data Breach itself.
8 Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428 , at *7 (S.D. Cal.
9 Nov. 3, 2016); see also In re Sony Gaming Networks, 996 F. Supp. 2d 942 , 1010 (S.D. Cal
10 Jan. 21, 2014) (“[A] plaintiff must allege actual damages flowing from the unreasonable
11 delay (and not the intrusion itself) in order to recover actual damages”).
12 Where Plaintiffs have failed to allege injury arising from a Defendant’s “delayed
13 notification,” courts have dismissed § 1798.82 claims. See, e.g., Dugas, 2016 WL 6523428 ,
14 at *7 (dismissing § 1798.82 claim because Plaintiff did not allege “what, if any, concrete
15 harm resulted from Defendants’ alleged failure to promptly notify [its] customers of the
16 data breach”); In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 (dismissing § 1798.82
17 claim where plaintiffs “failed to allege how” a ten-day delay in notification caused
18 plaintiffs’ injuries).
19 Defendant argues that the CRA claim should be dismissed because Plaintiffs fail to
20 allege damages as a result of the alleged delay in notification. (Doc. No. 31 at 14.) Plaintiffs
21 argue that “Solara waited nearly five months after discovering the breach” to notify them
22 and that this delay prevented Plaintiffs from taking steps to protect their personal
23 information from identify theft. (Doc. No. 32 at 23.) Plaintiffs have adequately alleged
24 incremental harm as a result of Solara’s five-month delay in notification. See In re Yahoo!
25 Inc. Customer Data Security Breach Litig., 2017 WL 37277318 (N.D. Cal. Aug. 30, 2017)
26 (finding incremental harm adequately pled in a data breach case when plaintiffs plausibly
27 alleged that they could not take mitigation steps based upon delay). Defendant’s arguments
28
1 are better suited for a motion for summary judgment when the record is more fully
2 developed. As a result, the Court declines to dismiss Plaintiffs’ CRA claim at this time.
3 9. California Unfair Competition Law
4 California's Unfair Competition Law (“UCL”) provides a cause of action for
5 business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof.
6 Code § 17200, et seq. Each prong of the UCL provides a “separate and distinct theory of
7 liability.” Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718 , 731 (9th Cir. 2007).
8 Plaintiffs allege that Defendant’s conduct violated all three prongs of the UCL. Defendant
9 argues that Plaintiffs’ UCL claims fail for several reasons. First, Defendant argues that
10 Plaintiffs lack standing to bring claims under the UCL. Second, Defendant argues that the
11 UCL claim fails to satisfy Rule 9(b). Third, Defendant argues that Plaintiffs have not pled
12 that Defendant’s actions were either unlawful or unfair. The Court addresses each of these
13 arguments below.
14 a. UCL Standing
15 In order to establish standing for a UCL claim, Plaintiffs must show that they
16 personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof.
17 Code § 17204; Kwikset Corp. v. Sup. Ct., 51 Cal. 4th 310 , 330 (2011). The California
18 Supreme Court has explained standing.
19 There are innumerable ways in which economic injury from unfair
competition may be shown. A plaintiff may (1) surrender in a transaction
20
more, or acquire in a transaction less, than he or she otherwise would have;
21 (2) have a present or future property interest diminished; (3) be deprived
of money or property to which he or she has a cognizable claim; (4) be
22
required to enter into a transaction, costing money or property, that would
23 otherwise have been unnecessary.
Id. at 323.
24
Defendant argues that “Plaintiffs fail to allege actual lost money or property.” (Doc.
25
No. 31 at 15.) Plaintiffs respond that they have all experienced injury under the UCL in
26
two legally cognizable ways. First, Plaintiffs “acquired less in their transactions with Solara
27
than they would have if Solara had sufficiently protected their Personal Information.” (Doc.
28
1 No. 32 at 16-17.) Second, Plaintiffs lost “their legally protected interest in their Personal
2 Information” as a result of the breach. (Id.)
3 Plaintiffs first theory of damages is sufficient to establish standing under the UCL.
4 Courts in California have consistently held that benefit of the bargain damages represents
5 economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig., 66
6 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (finding standing under the UCL because “[f]our
7 of the six [p]laintiffs allege they personally spent more on Adobe products than they would
8 had they known Adobe was not providing the reasonable security Adobe represented it was
9 providing.”); In re LinkedIn User Privacy Litig., 2014 WL 1323713 , *4 (N.D. Cal. Mar.
10 28, 2014) (finding that benefit of the bargain losses are “sufficient to confer . . . statutory
11 standing under the UCL.”). Taken together, Kwikset, In re Adobe, and In re LinkedIn
12 demonstrate that benefit of the bargain losses, as alleged in the consolidated amended
13 complaint, constitute economic injury cognizable under the UCL. Here, Plaintiffs have all
14 pled that “they acquired less in their transactions with Solara than they would have if Solara
15 had sufficiently protected their Personal Information.” (Doc. No. 24 ¶¶78-95.) These
16 allegations are enough to establish standing for purposes of the UCL.
17 b. Rule 9(b)
18 “To state a claim under the ‘fraud’ prong of [the UCL], a plaintiff must allege facts
19 showing that members of the public are likely to be deceived by the alleged fraudulent
20 business practice.” Antman v. Uber Technologies, Inc., 2015 WL 6123054 , *6 (N.D. Cal.
21 Oct. 19, 2015). Claims stated under the fraud prong of the UCL are subject to the
22 particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor
23 Co., 567 F. 3d 1120 , 1125 (9th Cir. 2009). Under Rule 9(b), “[i]n alleging fraud or mistake,
24 a party must state with particularity the circumstances constituting fraud or mistake.” Fed.
25 R. Civ. P. 9(b). Plaintiffs must include “an account of the time, place, and specific content
26 of the false representations” at issue. Swartz v. KPMG LLP, 476 F.3d 756 (9th Cir. 2007).
27 Lastly, a plaintiff must plead that he or she “actually relied on the misrepresentation or
28 omission” to bring a UCL claim. Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033 , 1047 (N.D.
1 Cal. 2014) (citing In re Tobacco II Cases, 46 Cal. 4th 298 , 326 (2009)). “This showing of
2 actual reliance under the UCL requires a plaintiff to allege that ‘the defendant’s
3 misrepresentation or nondisclosure was an immediate cause of the plaintiff’s injury- 4 producing conduct.’” Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190 , 1220 (N.D. Cal.
5 2014) (quoting In re Tobacco II, 46 Cal. 4th at 326 ). Defendant argues that Plaintiffs’
6 fraudulent misrepresentation and omission claims fail. The Court will address each now.
7 i. Fraudulent Misrepresentation
8 Plaintiffs’ fraudulent misrepresentation claims stem from Solara’s statements in (1)
9 its Notice of Privacy Practices, (2) its patient Bill of Rights, (3) the Privacy Policy for its
10 software application and (4) the Terms and Conditions for it’s website. (Doc. No. 32 at 17- 11 18.) Defendant argues that “no plaintiff alleges who they received these statements from,
12 how they received them, when, or where.” (Doc. No. 31 at 16.)
13 All Plaintiffs allege that they were given a copy of the Notice of Privacy Practices
14 and the Patient Bill of Rights. However, Defendant is correct that Plaintiffs fail to
15 adequately plead their misrepresentation claim to the extent they rely on statements in the
16 Privacy Policy for Solara’s software application and the Terms and Service of their
17 website. Plaintiffs do not allege having been exposed to the statements in either the
18 software application or Solara’s website. Accordingly, to the extent Plaintiffs’ UCL claim
19 is premised on statements in the Privacy Policy and the Terms of Service, the Court grants
20 Defendant’s motion to dismiss the fraudulent misrepresentation claim.
21 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the
22 court determines that the allegation of other facts consistent with the challenged pleading
23 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d
24 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806
25 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile,
26 the Court may deny leave to amend. See Desoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at
27 1401. The Court permits Plaintiffs an attempt to cure the deficiency under the UCL
28
1 fraudulent misrepresentation prong under the standards of Rule 9(b) in an amended
2 complaint if they can do so.
3 ii. Fraudulent Omission
4 For an omission to be actionable under the UCL, “the omission must be contrary to
5 a representation actually made by the defendant, or an omission of a fact the defendant was
6 obliged to disclose.” Daugherty v. Am. Honda Motor Co., 144 Cal.App.4th 824 , 835
7 (2006); see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal.App.4th 1544 , 1557 (2007)
8 (“[A] failure to disclose a fact one has no affirmative duty to disclose is [not] ‘likely to
9 deceive’ anyone within the meaning of the UCL.” (quoting Daugherty, 144 Cal.App.4th at
10 838, 51 Cal.Rptr.3d 118 )). There are four circumstances in which a duty to disclose may
11 arise: “(1) when the defendant is the plaintiff's fiduciary; (2) when the defendant has
12 exclusive knowledge of material facts not known or reasonably accessible to the plaintiff;
13 (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when
14 the defendant makes partial representations that are misleading because some other
15 material fact has not been disclosed.” Collins v. eMachines, Inc., 202 Cal.App.4th 249 , 255
16 (2011). “[A] fact is deemed ‘material,’ and obligates an exclusively knowledgeable
17 defendant to disclose it, if a ‘reasonable [consumer]’ would deem it important in
18 determining how to act in the transaction at issue.” Id. at 256, 134 Cal.Rptr.3d 588 (citing
19 Engalla v. Permanente Med. Grp., Inc., 15 Cal.4th 951 , 977 (1997)).
20 Plaintiffs claim that Solara had exclusive knowledge of the fact that its security
21 practices fell short of industry standards, and that this fact was material. (Doc. No. 32 at
22 20.) Plaintiffs also claim that Solara had a duty to disclose this fact, and that Solara's failure
23 to do so is an actionable omission under the UCL. (Id.) Defendant argues that Plaintiffs fail
24 to plead a duty to disclose. (Doc. No. 31 at 26.)
25 Plaintiffs have adequately pled a duty to disclose based upon Defendant’s exclusive
26 knowledge of the alleged inadequacy of its security measures. Plaintiffs adequately allege
27 that the omission was a material fact. (Doc. No. 24 ¶¶24-35, 341.) As a result, the Court
28 declines to dismiss Plaintiffs’ fraudulent omission UCL claim.
1 iii. Unlawful
2 “The unlawful prong of the UCL prohibits anything that can properly be called a
3 business practice and that at the same time is forbidden by law.” In re Adobe, 66 F.Supp.3d
4 at 1225 (internal quotation marks omitted). “Generally, violation of almost any law may
5 serve as a basis for a UCL claim.” Antman v. Uber Technologies, Inc., 2015 WL 6123054 ,
6 *6 (N.D. Cal. Oct. 19, 2015) (internal quotation marks omitted). However, a UCL claim
7 “must identify the particular section of the statute that was violated, and must describe with
8 reasonable particularity the facts supporting the violation.” Baba v. Hewlett–Packard Co.,
9 2010 WL 2486353 , *6 (N.D. Cal. June 16, 2010) (internal quotation marks omitted).
10 Defendant argues that Plaintiffs have failed to allege conduct that equates to a
11 violation of another law. (Doc. No. 31 at 27.) Plaintiffs argue that they have alleged that
12 Solara has unlawfully violated “the CMIA, the California Consumer Records Act, and
13 several state laws.” (Doc. No. 32.) The Court agrees. Defendant’s arguments are better
14 suited for a motion for summary judgment when the record is more fully developed. As a
15 result, the Court denies Defendant’s motion to dismiss Plaintiffs’ unlawful UCL claim at
16 this time.
17 iv. Unfair
18 The “unfair” prong of the UCL creates a cause of action for a business practice that
19 is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin
20 Corp., 29 Cal. 4th 1134 , 1143 (2003). “The UCL does not define the term ‘unfair’ . . . [and]
21 the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among
22 California courts.” Id.
23 The balancing approach requires the Court to “weigh the utility of the defendant’s
24 conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank
25 Nevada, N.A., 691 F.3d 1152 , 1169 (9th Cir. 2012) (internal quotation marks omitted).
26 Plaintiffs “may proceed with a UCL claim under the balancing test by either alleging
27 immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by
28 Defendants or by demonstrating that Defendants' conduct violated an established public
1 policy.” Anthem, 162 F. Supp. 3d at 990 . In opposition, Defendant argues that Plaintiffs’
2 claims are insufficient. (Doc. No. 31 at 19-20.)
3 At this stage of the proceeding, Plaintiffs’ complaint sufficiently alleges that
4 Defendant’s conduct was unfair. Here, Plaintiffs allege that Solara advertised “adequate
5 data privacy and security practices and procedures” when such practices were deficient.
6 (Doc. No. 24 ¶241.) Plaintiffs allege that a variety of personal information was exposed in
7 the breach including: names, addresses, dates of birth, Social Security numbers, Employee
8 Identification Numbers, confidential medical information, health insurance information,
9 Medicare and Medicaid IDs, as well as financial information for thousands of individuals.
10 (Id. ¶2). They further allege that Solara promised to protect their privacy and understood
11 the importance of protecting health information. Plaintiffs additionally allege that Solara’s
12 action were plausibly conscious and deliberate since they contravened Solara’s own
13 policies and violated various laws and regulations including HIPPA requirements.” (Doc.
14 No. 32 at 11.). Plaintiffs also allege that Solara should have known about its weakness
15 toward email related threats and failed to take action to prevent the Breach.
16 Defendant’s arguments are better suited for a motion for summary judgment when
17 the record is more fully developed. Under Anthem, Plaintiffs have sufficiently alleged that
18 Defendant’s conduct has violated public policy. 162 F. Supp. 3d at 990 . Accordingly, the
19 Court declines to dismiss the unfair prong of Plaintiffs’ UCL claim at this time.
20 10. Connecticut Unfair Trade Practices Claim
21 Defendant moves to dismiss Plaintiff Bickford’s Connecticut Unfair Trade Practices
22 Claim (“CUTPA”). The CUTPA provides: “No person shall engage in unfair methods of
23 competition and unfair or deceptive acts or practices in the conduct of any trade or
24 commerce.” Conn. Gen. St. § 42–110b(a). “Any person who suffers any ascertainable loss
25 of money or property, real or personal, as a result of the use or employment of a method,
26 act or practice prohibited by section 42–110b, may bring an action” to recover actual
27 damages, punitive damages, and equitable relief. Conn. Gen. St. 42–110g(a).
28
1 Defendant argues that Plaintiff Bickford lacks standing and fails to allege a violation
2 of the CUTPA. Plaintiff Bickford argues that his “benefit of the bargain” losses are
3 sufficient to satisfy standing and that he has adequately alleged a violation of the CUTPA.
4 The Supreme Court of Connecticut held that “[w]henever a consumer has received
5 something other than what he bargained for, he has suffered a loss of money or property.”
6 Hinchliffe v. Ameican Motors Corp., 440, A.2d 810, 814 (Ct. 1981). Plaintiff Bickford
7 alleges that he has suffered an injury based on “the difference in value between what
8 Plaintiff Bickford should have received from Defendant when Defendant represented
9 Plaintiff Bickford’s Personal and Medical Information would be protected by reasonable
10 data security and Defendant’s defective and deficient performance of that obligation . . . .”
11 (Doc. No. 24 ¶114.) These allegations are sufficient to satisfy CUPTA’s standing
12 requirement.
13 Next, Defendant argues that Plaintiff Bickford failed to plead a violation of the
14 CUPTA. The elements are “substantially the same as those alleged under the California
15 UCL claim.” (Doc. No. 31 at 21.) Plaintiff Bickford argues that he has plausibly alleged
16 that “Solara’s inadequate security measures violated various statutes and the well- 17 established public policy of protecting people’s personal information . . . .” (Doc. No. 32.)
18 The Court agrees.
19 The CUTPA is to be construed in accord with interpretations by the Federal Trade
20 Commission and by the federal courts of the Federal Trade Commission Act. Conn. Gen.
21 St. § 42–110b(b). The FTC weights the following factors in determining whether a practice
22 is unfair:
23 1) Whether the practice, without necessarily having been previously
considered unlawful, offends public policy as it has been established by
24
statutes, the common law, or otherwise-whether, in other words, it is within
25 at least the penumbra of some common law, statutory, or other established
concept of unfairness; (2) whether it is immoral, unethical, oppressive, or
26
unscrupulous; (3) whether it causes substantial injury to consumers . . . .
27
28
1 Cheshire Mortgage Serv. Inc. v. Montes, 223 Conn. 80 , 612 A.2d 1130 , 1143 (1992). Here,
2 Plaintiff Bickford alleges that “Defendant engaged in unlawful, unfair, and deceptive acts
3 and practices with respect to the sale of medical supplies by failing to disclose the Data
4 Breach to the alternative Connecticut Class in a timely and accurate manner” and by
5 “failing to take proper action following the Data Breach to enact adequate privacy and
6 security measures and protect the alternative Connecticut Class’ Personal and Medical
7 Information from further unauthorized disclosure, release, data breach, and theft.” (Doc.
8 No. 24 ¶293.)
9 In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all
10 facts alleged in the complaint and draws all reasonable inferences in favor of the claimant.
11 See Retail Prop. Trust, 768 F.3d 938 , 945 (9th Cir. 2014). Defendant’s arguments are better
12 suited for a motion for summary judgment when the record is more fully developed. As a
13 result, the Court denies Defendant’s motion to dismiss Plaintiff Bickford’s CUPTA claim.
14 11. Michigan Consumer Protection Act Claim
15 Defendant moves to dismiss Plaintiff Wardrop’s Michigan Consumer Protection Act
16 (“MCPA”) claim. (Doc. No. 32 at 26). The MCPA prohibits “[u]nfair, unconscionable, or
17 deceptive methods, acts, or practices in the conduct of trade or commerce [.]” Mich. Comp.
18 Laws Ann. § 445.903(1). A plaintiff can pursue a claim under the MCPA based on fraud,
19 deception, or breach of express or implied warranties. See Parsley v. Monaco Coach Corp.,
20 327 F.Supp.2d 797 , 807 (W.D. Mich. 2004).
21 Defendant argues that Plaintiff Wardrop lacks standing and fails to allege a violation
22 of the MCPA. (Doc. No. 31 at 23.) Plaintiff Wardrop argues that his “benefit of the bargain”
23 and non-economic losses are sufficient to satisfy standing. (Doc. No. 32 at 26-27.) Plaintiff
24 is correct.
25 Courts in Michigan have interpreted the MCPA to allow for damages for a
26 “frustration of the plaintiff’s expectation” as well as other non-economic harms. Mayhall
27 v. A.H. Pond Co., 341 N.W.2d 268 , 271-72 (Mich. App. 1983); Avery v. Indus Mortg. Co.,
28 135 F. Supp. 2d 840 , 845 (W.D. Mich. 2001). Plaintiff Wardrop alleges that he has suffered
1 damages in the form of the “the difference in value between what Plaintiff Wardrop should
2 have received from Defendant when Defendant represented Plaintiff Wardrop’s Personal
3 and Medical Information would be protected by reasonable data security and Defendant’s
4 defective and deficient performance of that obligation.” (Doc. No. 24 ¶138.) Plaintiff
5 Wardrop also alleges anxiety as a result of the breach. (Doc. No. 24 ¶136.) These
6 allegations are sufficient to satisfy the standing requirement of the MCPA.
7 Next, Solara argues that Plaintiff Wardrop has not “pled fraudulent conduct” and
8 therefore “has not pled a violation of the MCPA based on fraudulent representation with
9 the particularity required under Rule 9(b).” (Doc. No. 31 at 24.) Defendant also maintains
10 that Plaintiff’s allegations are “substantially the same as his allegations for fraudulent
11 conduct under the California UCL.” (Id. at 24.) The Court has granted the motion to dismiss
12 the fraudulent misrepresentation claim under the UCL to the extent it is premised on
13 statements in Solara’s Privacy Policy and the Terms of Service but denied the remainder
14 of Defendant’s motion.
15 Plaintiff Wardrop alleges fraudulent acts consisting of misrepresentation and
16 concealment but he fails to allege the fraudulent misrepresentation with the particularity
17 required by Rule 9(b). Plaintiff Wardrop fails to adequately plead misrepresentation to the
18 extent it is premised on statements in Solara’s Privacy Policy and the Terms of Service.
19 Plaintiff Wardrop has not alleged that he has been exposed to the statements in either
20 document. As a result, the Court grants Defendant’s motion to dismiss Plaintiff Wardrop’s
21 MCPA claim for failure to plead the fraudulent misrepresentation claim with particularity
22 under Rule 9(b).
23 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the
24 court determines that the allegation of other facts consistent with the challenged pleading
25 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d
26 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806
27 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile,
28 the Court may deny leave to amend. See Desoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at
1 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent
2 misrepresentation claim from an amended complaint.
3 12. Michigan Identify Theft Protection Act Claim
4 Next, Defendant moves to dismiss Plaintiff Wardrop’s claim under the Michigan
5 Identify Theft Protection Act (“ITPA”). (Doc. No. 31 at 28.) The ITPA requires businesses
6 to provide notice of a security breach, “without unreasonable delay” to a Michigan resident
7 if that resident's unencrypted and unredacted “personal information” was accessed by an
8 unauthorized person. Mich. Comp. Laws § 445.72(1). “Personal information” is defined as
9 a person's “first name or first initial and last name” linked to one or more data elements
10 including a “credit or debit card number, in combination with any required security code,
11 access code, or password that would permit access to any of the resident's financial
12 accounts.” Id. at § 445.63(r). The ITPA notice provision applies when the business
13 discovers a security breach or receives notice of a security breach, unless the breach is not
14 likely to cause harm. Id. at § 445.7
15 Defendant argues that Plaintiff Wardrop’s claim must be dismissed because the
16 statute only allows recovery of a fine through state prosecution. (Doc. No. 31 at 28.)
17 Michigan law provides for a civil fine for a violation of the data-breach notice statute, and
18 that the “attorney general or a prosecuting attorney may bring an action to recover” that
19 fine. Mich. Comp. Laws § 445.72(13). However, the statute also provides that the quoted
20 subsection 13 does “not affect the availability of any civil remedy for a violation of state
21 or federal law.” Id. § 445.72(15). Courts have found that consumers may bring a civil action
22 to enforce Michigan's data-breach notice statute through Michigan's consumer-protection
23 statute or other laws. In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154 , 1169
24 (D. Minn. 2014).
25 Next, Defendant argues that Plaintiff Wardrop fails to allege an “unreasonable
26 delay” by Solara in notifying him of the Breach. Plaintiff Wardrop alleges that Solara
27 discovered the data breach on June 28, 2019 but did not notify him of its occurrence until
28 nearly five months later. (Doc. No. 32 at 39.) Plaintiff Wardrop also alleges experiencing
1 “unexplained credit inquires and spam/phishing attempts” as a result of the Breach. (Doc.
2 No. 24 ¶135.) Plaintiff Wardrop further alleges that this delay prevented him from taking
3 steps to protect his personal information from identify theft. (Doc. No. 32 at 23.) In
4 reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged
5 in the complaint and draws all reasonable inferences in favor of the claimant. See Retail
6 Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938 , 945 (9th Cir.
7 2014). As a result, the Court denies the motion to dismiss Plaintiff Wardrop’s ITPA claim.
8 13. North Carolina Deceptive Trade Practices Act Claim
9 Defendant also moves to dismiss Plaintiff Harris’s claim under the North Carolina
10 Deceptive Trade Practices Act (“NCUDTPA”). Under the NCUDTPA a plaintiff must
11 demonstrate the following: (1) the defendant committed an unfair or deceptive trade
12 practice; (2) the action in question was in or affecting commerce; and (3) the act
13 proximately caused injury to the plaintiff. Spartan Leasing v. Pollard, 101 N.C.App. 450 ,
14 400 S.E.2d 476 , 482 (1991). An act is unfair when it is unethical or unscrupulous, and it is
15 deceptive if it tends to deceive. Marshall v. Miller, 302 N.C. 539 , 276 S.E.2d 397 , 403
16 (1981).
17 Defendant argues that the claim must be dismissed because Plaintiff Harris has failed
18 to plead facts showing “actual damages.” (Doc. No. 31 at 25.) Plaintiff Harris alleges that
19 he has adequately alleged damages by describing significant distress and anxiety as a result
20 of the Breach. (Doc. No. 24 ¶325.) Plaintiff Harris also alleges that he was “subjected to a
21 barrage of spam calls” and was “prevented from protecting himself sooner.” (Id.) These
22 allegations satisfy the injury requirement of the NCUDTPA. See e.g., Salami v. JPMorgan
23 Chase Bank, N.A., 2019 WL 2526467 , at *8 (M.D.N.C. June 19, 2019).
24 Defendant also argues that the NCUDTPA claim sounds in fraud and must be plead
25 with particularity and therefore the claim fails “for the same reasons . . . the California
26 UCL claim” does. (Id. at 26.) The Court has granted the motion to dismiss the fraudulent
27 misrepresentation claim under the UCL to the extent it is premised on statements in
28
1 Solara’s Privacy Policy and the Terms of Service but denied the remainder of Defendant’s
2 motion.
3 Plaintiff Harris alleges fraudulent acts consisting of misrepresentation and
4 concealment but he fails to allege the fraudulent misrepresentation with the particularity
5 required by Rule 9(b). Plaintiff Harris fails to adequately plead misrepresentation to the
6 extent it is premised on statements in Solara’s Privacy Policy and the Terms of Service.
7 Plaintiff Harris has not alleged that he has been exposed to the statements in either
8 document. As a result, the Court grants Defendant’s motion to dismiss Plaintiff Harris’s
9 NCUDTPA claim for failure to plead the fraudulent misrepresentation claim with
10 particularity under Rule 9(b).
11 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the
12 court determines that the allegation of other facts consistent with the challenged pleading
13 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d
14 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806
15 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile,
16 the Court may deny leave to amend. See Desoto, 957 F.2d at 658 ; Schreiber, 806 F.2d at
17 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent
18 misrepresentation claim from an amended complaint.
19 14. Pennsylvania Unfair Trade Practices Act Claims
20 Defendant moves to dismiss Plaintiff Maldonado’s and Keally’s claims for violating
21 the Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”).
22 (Doc. No. 31 at 26.) To prevail on a claim under the catch-all provision of Pennsylvania's
23 Uniform Trade Practices and Consumer Protection Law, a plaintiff need not establish
24 common law fraud; he need only show (1) a deceptive act likely to deceive a reasonable
25 consumer, (2) justifiable reliance on that act, and (3) a resulting ascertainable loss. Malibu
26 Media, LLC v. Doe, 238 F.Supp.3d 638 , 647 (M.D. Pa. 2017).
27 Pennsylvania courts have found that the lost benefit of the bargain can satisfy the
28 “ascertainable loss” element of a UTPCPL claim. See e.g., Dibish v. Ameriprise Fin., Inc.,
1 134 A.3d 1079 , 1089 (Pa. Super. Ct. 2016). Plaintiff Maldonado and Plaintiff Keally each
2 allege an ascertainable loss in the diminution in value of their personal information and the
3 loss of the benefit of their bargain. (Doc. No. 24 ¶105, 142.) Accordingly, the Court
4 declines at this time to dismiss the UTPCPL claims.
5 15. Declaratory or Injunctive Relief
6 Defendant moves to dismiss Plaintiffs’ request for declaratory or injunctive relief.
7 (Doc. No. 31 at 29-30.) Defendant argues that a claim for declaratory relief cannot survive
8 independently of other claims. In this order, the Court grants in part and denies in part the
9 Defendant’s motion to dismiss. As a result, Plaintiffs’ claim for declaratory relief stands.
10 Defendant also moves to dismiss Plaintiffs’ claim for injunctive relief. The Court
11 notes that a request for injunctive relief is more properly classified as a prayer for relief
12 and not a separate cause of action. In an amended complaint, any request for injunctive
13 relief should be in a prayer for relief and not a separate cause of action.
14 CONCLUSION
15 For the foregoing reasons, the Court GRANTS in part and DENIES in part
16 Defendant’s Motion to Dismiss. (Doc. No. 31.) The Court GRANTS Plaintiffs thirty days
17 to file an amended complaint, to cure the deficiencies outlined above if they can do so.
18 IT IS SO ORDERED.
19 DATED: May 7, 2020
20
MARILYN L. HUFF, District Judge
21 UNITED STATES DISTRICT COURT
22
23
24
25
26
27
28