Barton et al v. Ledger SAS et al, No. 3:2021cv02470 - Document 79 (N.D. Cal. 2021)
Court Description: AMENDED ORDER Granting 55 56 58 Defendants' Motions to Dismiss. Signed by Judge Edward M. Chen on 11/9/2021. (emcsec, COURT STAFF) (Filed on 11/9/2021)
Download PDF
<![CDATA[
Barton et al v. Ledger SAS et al Doc. 79 1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 EDWARD BATON, et al., Plaintiffs, 8 LEDGER SAS, et al., Docket Nos. 55, 56, 58 Defendants. 11 United States District Court Northern District of California AMENDED ORDER GRANTING DEFENDANTS’ MOTIONS TO DISMISS v. 9 10 Case No. 21-cv-02470-EMC 12 13 I. 14 INTRODUCTION 15 Plaintiffs, customers who purchased a hardware wallet to protect cryptocurrency assets, 16 bring a putative class action seeking redress for harms they allegedly suffered stemming from a 17 data breach exposing over 270,000 pieces of personally identifiable information, including 18 customer names, email addresses, postal addresses and telephone numbers. Docket No. 33 (First 19 Amended Complaint or “FAC”). Now pending before the Court are Defendants Shopify USA, 20 Shopify, Inc. and Ledger’s respective motions to dismiss the complaint for, among other reasons, 21 lack of personal jurisdiction. Docket Nos. 55, 56, 58. For the following reasons, the Court finds that it lacks personal jurisdiction over each 22 23 defendant and that jurisdictional discovery is unwarranted. Therefore, the Court GRANTS the 24 motions to dismiss and dismisses the case with prejudice. II. 25 26 27 28 A. BACKGROUND Summary of Allegations in the FAC Plaintiffs are customers of Defendant Ledger SAS (“Ledger”), a French company based in Paris that sells hardware wallets to allow customers to manage cryptocurrency. Docket No. 33 Dockets.Justia.com United States District Court Northern District of California 1 (“FAC”) ¶ 2, 21. Ledger sells its hardware wallets—the Ledger Nano X and Ledger Nano S— 2 through its e-commerce website, which operates on Defendant Shopify, Inc.’s platform. FAC ¶¶ 3 2, 16-17. Plaintiffs allege they, and several putative classes, each bought a Ledger hardware 4 wallet on Ledger’s e-commerce website, through Shopify’s platform, between July 2017 and June 5 2020. Id. ¶¶ 16-20. When Plaintiffs made their purchases, they provided their name, email 6 addresses, telephone numbers and postal addresses. Id. 7 Plaintiffs’ claims arise of two security incidents involving data breaches exposing 8 Plaintiffs’ contact information. FAC ¶¶ 78, 79, 88. First, Plaintiffs allege that between April and 9 June 2020, rogue Shopify, Inc. employees exported a trove of data, including Ledger’s customer 10 transactional records. Id. ¶¶ 78-79. Shopify allegedly publicly announced the theft on September 11 22, 2020, which involved the data of approximately 272,000 people. Id. ¶¶ 79, 82. Plaintiffs 12 allege that Ledger did not inform them that their data was involved in the Shopify breach at that 13 time. Id. ¶ 83. Second, Plaintiffs allege that Ledger publicly announced that an unauthorized 14 third-party gained access to Ledger’s e-commerce database through an application programming 15 interface key on June 25, 2020 and acquired the email addresses of one million customers and 16 physical contact information of 9,500 customers. Id. ¶ 88. Plaintiffs allege that Ledger did not 17 disclose that the attack on Ledger’s website and the theft of Shopify’s data were connected, that 18 Ledger downplayed the scale of the actual attack, and, as a result, Plaintiffs and putative class 19 members were subject to phishing scams, cyber-attacks, and demands for ransom and threats. Id. 20 ¶¶ 95-118. Plaintiffs contend that Ledger knew that its customer list was highly valuable to 21 hackers, because it was a list of people who have converted substantial wealth into anonymized 22 crypto-assets that are transferrable without a trace. Id. ¶ 5. 23 Plaintiffs allege that despite knowing the high value of its customer list and the need for 24 confidentiality, Ledger did not implement security measures to protect its customers by regularly 25 deleting and/or archiving the customer data to protect that information from online accessibility. 26 FAC ¶ 136, and that Ledger failed to exercise reasonable care in obtaining, retaining, securing, 27 safeguarding, deleting, and protecting its customers personal information that Ledger had in its 28 possession from being compromised, lost, or stolen, and from being accessed, and misused by 2 1 unauthorized persons, id. ¶ 117. Similarly, Plaintiffs allege Shopify failed to exercise reasonable 2 care in obtaining, retaining, securing, safeguarding, deleting, and protecting their personal 3 information in their possession from being compromised, lost, or stolen, and from being accessed, 4 and misused by unauthorized persons. FAC ¶¶ 78-83. Plaintiffs are five Ledger customers who reside, respectively, in California, Georgia, New United States District Court Northern District of California 5 6 York, London, United Kingdom and Tel Aviv, Israel. Id. ¶¶ 26-20. They purport to represent 7 several classes and subclasses, ranging from customers internationally to customers in particular 8 states who suffered particular harms. Id. ¶ 145. Plaintiffs bring claims for, among others, 9 negligence, negligence per se, injunctive relief and remedies under California’s unfair competition 10 law, Georgia’s Fair Business Practices Act and New York’s General Business Law. Id. ¶¶ 168- 11 276. 12 B. Relevant Factual Background Contained in Jurisdictional Declarations Defendants include additional factual background relevant to the Court’s jurisdictional 13 14 inquiries at the motion to dismiss stage. Shopify USA states that it is incorporated in Delaware, 15 has its principal place of business in Ontario, Canada, and never had a business relationship with 16 Ledger. Docket No. 55-1 (“Harris-John Decl.”) ¶¶ 3-6. Shopify Inc., explains it is a Canadian 17 corporation that it is not registered to do business in California and, does not have any employees 18 in California. Docket No. 56-1 (“McIntomny Decl.”) ¶¶ 2-5. It explains that the “rogue” 19 individuals who were responsible for the data breach of Shopify, Inc.’s platform were not 20 employees of Shopify or any of its affiliated companies, but independent contractors of a company 21 called TaskUs, who were located in the Philippines. Id. ¶¶ 11-12. Ledger explains that it is a 22 French company with no California or U.S. employees. Docket No. 59 (“Ricomard Decl.”) ¶¶ 5, 23 11, 17. 24 C. 25 Procedural Background Defendant Ledger Technologies was voluntarily dismissed from this case. Docket No. 36. 26 Remaining Defendants Shopify USA, Shopify, Inc. and Ledger move to dismiss Plaintiffs’ First 27 Amended Complaint on multiple grounds, including for lack of personal jurisdiction and failure to 28 state a claim. Docket Nos. 55, 56, 58. 3 III. 1 2 A. Federal Rule of Civil Procedure 12(b)(2). 5 In opposing a defendant's motion to dismiss for lack of personal jurisdiction, the plaintiff bears the burden of establishing that jurisdiction is proper. Where, as here, the defendant's motion is based on written materials rather than an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts to withstand the motion to dismiss. The plaintiff cannot “simply rest on the bare allegations of its complaint,” but uncontroverted allegations in the complaint must be taken as true. 6 7 8 9 United States District Court Northern District of California Federal Rule of Procedure 12(b)(2) A defendant may move to dismiss based on lack of personal jurisdiction pursuant to 3 4 LEGAL STANDARD 10 Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011); see also Data Disc, 11 Inc. v. Sys. Tech. Assocs., Inc., 557 F.2d 1280, 1285 (9th Cir. 1977) (noting that “[t]he limits 12 which the district judge imposes on the pre-trial proceedings will affect the burden which the 13 plaintiff is required to meet”). In addition, all disputed facts are resolved in favor of the plaintiff. 14 See Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1154 (9th Cir. 2006); see also Freestream 15 Aircraft (Berm.) Ltd. v. Aero Law Grp., 905 F.3d 597, 602 (9th Cir. 2018) (stating that 16 “[u]ncontroverted allegations in the complaint must be taken as true, and factual disputes are 17 construed in the plaintiff's favor”). IV. 18 19 20 21 22 23 24 25 26 27 28 A. DISCUSSION Personal Jurisdiction The test for personal jurisdiction is generally stated as follows: Where, as here, no federal statute authorizes personal jurisdiction, the district court applies the law of the state in which the court sits. California's long-arm statute, Cal. Civ. Proc. Code § 410.10, is coextensive with federal due process requirements, so the jurisdictional analyses under state law and federal due process are the same. For a court to exercise personal jurisdiction over a nonresident defendant consistent with due process, that defendant must have “certain minimum contacts” with the relevant forum “such that the maintenance of the suit does not offend ‘traditional notions of fair play and substantial justice.’” Mavrix, 647 F.3d at 1223. There are two categories of personal jurisdiction: (1) general jurisdiction and (2) specific 4 1 jurisdiction. Freestream, 905 F.3d at 602. Plaintiffs contend that the Court has general 2 jurisdiction (and, in the alternative, specific jurisdiction) over Shopify USA and specific 3 jurisdiction over Shopify, Inc. and Ledger. 4 United States District Court Northern District of California 5 As explained below, the Court lacks general jurisdiction (and specific jurisdiction) over Shopify USA, and lacks specific jurisdiction over Shopify, Inc. and Ledger. 6 1. The Court Lacks General Jurisdiction Over Shopify USA 7 Where there is general jurisdiction over a defendant, the plaintiff can bring any claim 8 against the defendant in the forum state. Thus, in order for general jurisdiction to obtain, the 9 defendant's contacts with the forum state must be so continuous and systematic as to render the 10 defendant essentially at home in the forum State. See Daimler AG v. Bauman, 571 U.S. 117, 122, 11 128 (2014); see also Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 807 (9th Cir. 12 2004) (asking whether the defendant has continuous and systematic contacts that approximate 13 physical presence in the forum state). “With respect to a corporation, the place of incorporation 14 and principal place of business are ‘paradig[m] ... bases for general jurisdiction.’” Daimler, 571 15 U.S. at 137. General jurisdiction outside of those forums is available “[o]nly in an exceptional 16 case,” Martinez v. Aero Caribbean, 764 F.3d 1062, 1070 (9th Cir. 2014), where the defendant’s 17 contacts are so “continuous and systematic” as to “‘approximate physical presence’ in the forum 18 state,” Pestmaster Franchise Network, Inc. v. Mata, 2017 WL 1956927, at *2 (N.D. Cal. 2017) 19 (quoting Mavrix, 647 F.3d at 1223-24). 20 Here, Plaintiffs argue that the Court has general jurisdiction over Shopify USA, but 21 concede that Shopify USA is neither incorporated in California (it is a Delaware corporation), nor 22 is California Shopify USA’s principal place of business (Shopify USA’s principal place of 23 business is Ottawa, Canada). FAC ¶ 24. Instead, to support their contention that the Court has 24 general jurisdiction over Shopify USA, Plaintiffs observe that Shopify USA previously listed San 25 Francisco, CA as its principal place of business since 2014, including, allegedly, during the time 26 period that the data breach took place in 2019. Opposition at 11-13. Plaintiffs point to Shopify 27 USA’s business registration filings in various states that continued to list San Francisco as its 28 principal place of business until 2019 or 2020, Docket No. 67-1 (“Economides Decl.”), Exhs. 1, 3, 5 1 6, and cites litigation from 2017 and 2018 in which Shopify USA represented to courts that its 2 principal place of business was in San Francisco, Opposition at 11-12. United States District Court Northern District of California 3 However, Plaintiffs’ observation that Shopify USA’s place of business at the time of the 4 data breach was in California does not establish the Court’s general jurisdiction over Shopify 5 USA. Courts have uniformly held that general jurisdiction is to be determined no earlier than the 6 time of filing of the complaint. Sabre Int’l Sec. v. Torres Advanced Enter. Sols., LLC, 60 F. Supp. 7 3d 21, 30 (D.D.C. 2014) (collecting cases); see also Young v. Daimler AG, 228 Cal. App. 4th 855, 8 864 (2014) (“Unlike specific jurisdiction, general jurisdiction is determined no earlier than at the 9 time a suit is filed.”). Plaintiffs do not dispute that at the time this case was filed, in April 2021, 10 Spotify USA’s principal place of business was in Ottawa, Canada—not San Francisco, California. 11 FAC ¶ 24. 12 Plaintiffs’ citation to Delphix Corp. v. Embarcadero Technologies, Inc., an unpublished, 13 non-precedential Ninth Circuit memorandum disposition, for the proposition that “[c]ourts must 14 examine the defendant’s contacts with the forum at the time of the events underlying the dispute,” 15 749 Fed. Appx. 502, 506 (9th Cir. 2018), is unavailing. First, the language Plaintiffs cite from 16 Delphix quotes a precedential Ninth Circuit decision, Steel v. United States, which makes explicit 17 that its holding is about specific jurisdiction. 813 F.2d 1545, 1549 (9th Cir. 1987) (“When a court 18 is exercising specific jurisdiction over a defendant, arising out of or related to the defendant’s 19 contacts with the forum, the fair warning that due process requires arises not at the time of the suit, 20 but when the events that gave rise to the suit occurred.”) (Emphasis added). There is no 21 precedential decision holding that the same logic applies to the analysis of general jurisdiction—a 22 point that Judge Rawlinson emphasizes in her partial dissent in Delphix, 749 Fed. Appx. at 507- 23 08—which is consistent with the Ninth Circuit’s caution that “[b]ecause the assertion of judicial 24 authority over a defendant is much broader in the case of general jurisdiction than specific 25 jurisdiction, a plaintiff invoking general jurisdiction must meet an ‘exacting standard’ for the 26 minimum contacts required.” Ranza v. Nike, Inc., 793 F.3d 1059, 1069 (9th Cir. 2015) (citation 27 omitted). 28 Because Shopify USA’s principal place business must be analyzed at the time the 6 United States District Court Northern District of California 1 complaint for filed for purposes of general jurisdiction, Plaintiffs’ only remaining theory for the 2 Court to assert general jurisdiction is that this is “an exceptional case” in which general 3 jurisdiction is available in California even though it is not one of the paradigm fora. Id. Plaintiffs 4 are unable to show that this is such an exceptional case where Shopify USA’s contacts are so 5 “continuous and systematic” as to “‘approximate physical presence’ in [California],” Mata, 2017 6 WL 1956927 at *2. Shopify USA entered evidence that it permanently closed its San Francisco 7 office in September 2020, that its corporate officers are located in Ontario, Canada and New York, 8 approximately three-quarters of its employees are located outside of California, and a vast 9 majority of its business activities are conducted outside of, and have no relationship to, California. 10 Docket No. 55-1 (“Harris-John Decl.”) ¶¶ 3, 5, 7, 8. Plaintiffs do not dispute these representations 11 and make no allegations sufficient to show that Shopify USA is “so heavily engaged in activity in 12 [California] as to render it essentially at home.” BNSF Ry. Co. v. Tyrell, 137 S. Ct. 1549, 1559 13 (2017); see also King v. Bumble Trading, Inc., 2020 WL 663741, at *2 (N.D. Cal. 2020) (finding 14 that defendant corporation’s principal place of business was in Texas, where its “CEO[] lives and 15 works,” notwithstanding “documents filed with the California Secretary of State” stating that its 16 “principal executive office is in San Francisco”). Thus, the Court finds that it lacks general jurisdiction over Shopify USA. 17 18 19 B. Specific Jurisdiction Specific jurisdiction exists in tort type cases where: (1) the defendant “purposefully 20 directed” its activities towards California; (2) the plaintiff’s claims “arise out of” those forum- 21 related activities; and (3) the exercise of jurisdiction is “reasonable.” See Morrill v. Scott Fin. 22 Corp., 873 F.3d 1136, 1142 (9th Cir. 2017). The purposeful direction test applies where, as here, 23 Plaintiffs assert primarily tort or statutory claims. See e.g., id.; Caces-Tiamson v. Equifax, No. 20- 24 CV-00387-EMC, 2020 WL 1322889, at *3 (N.D. Cal. Mar. 20, 2020) (courts should apply a 25 purposeful direction analysis to tort claims arising from data breaches); Matus v. Premium 26 Nutraceuticals, LLC, No. EDCV 15-01851 DDP (DTBx), 2016 WL 3078745, at *3 (C.D. Cal. 27 2016) (applying purposeful direction test where the plaintiff alleged violations of the UCL, FAL, 28 and CLRA and a claim for negligent misrepresentation). “The plaintiff bears the burden of 7 1 satisfying the first two prongs of the test.” Schwarzenegger, 374 F.3d at 802. A defendant “purposefully direct[s]” [its] activities at the forum if [it]: (1) committed an 2 3 intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows 4 is likely to be suffered in the forum state.” Picot v. Weston, 780 F.3d 1206, 1214 (9th Cir. 2015) 5 (internal quotations and citation omitted). “Failing to sufficiently plead any one of these three 6 elements … is fatal to Plaintiff[s’] attempt to show personal jurisdiction.” Alexandria Real Estate 7 Equities, Inc. v. Runlabs Ltd., No. 18-CV-07517-LHK, 2019 WL 4221590, at *7 (N.D. Cal. 2019) 8 (internal quotations omitted). 1. 9 Plaintiffs advance several theories in order to carry their burden to show (1) that the 10 United States District Court Northern District of California The Court Lacks Specific Jurisdiction Over Shopify, Inc. and Shopify USA 11 Shopify Defendants “purposefully directed” their activities towards California, and (2) that their 12 claims “arise out of” Shopify’s forum-related activities.1 These arguments are addressed in turn. First, Plaintiffs allege the Court has “jurisdiction over Shopify [Inc.] … because [it] 13 14 solicit[s] customers and transact[s] business in California.” FAC ¶ 31. In their Opposition brief, 15 Plaintiffs further elaborate that “Shopify, Inc. undertook to power and administer the shopping 16 website used by Ledger to engage in the advertisements and sales in California giving rise to 7% 17 of Ledger’s worldwide business.” Opposition at 18. Plaintiffs argue these constitute “intentional 18 acts” that were “expressly aimed at [California].” Picot, 780 F.3d at 1214. However, a finding purposeful direction cannot “be based on the mere fact that [a 19 20 company] provides services to customers nationwide, including but not limited to California.” 21 Caces-Tiamson, 2020 WL 1322889, at *3. “‘The placement of a product into the stream of 22 commerce, without more, is not an act the defendant purposefully directed toward the forum 23 state.’” Id. (quoting Asahi Metal Indus. Co., Ltd. v. Super. Ct. of Cal., 480 U.S. 102, 112 (1987)). 24 25 26 27 28 Plaintiffs argue that that “Shopify USA is subject to specific jurisdiction for the same reasons as Shopify Inc.” because “Shopify USA and Shopify Inc. make no distinction between themselves in the public eye, using the same logos, trademarks, and websites, making it impossible at this juncture to know the extent of involvement in this data breach by each entity.” Opposition at 14 n.8. The Court does not address whether Plaintiffs have adequately alleged that jurisdictional contacts may be imputed between these affiliated companies, see Ranza, 793 F.3d at 1073, because Plaintiffs fail to establish this court has specific jurisdiction over Shopify, Inc., and thus Plaintiffs’ derivative arguments as to Shopify USA also fail. 8 1 1 Yet that is the essence of Plaintiffs’ allegations herein. See FAC ¶ 156 (Plaintiffs allege that 2 Shopify, Inc. is a “global entit[y], that conduct[s] business nationwide and globally, servicing 3 consumers in the United States and in many foreign counties. [It] also provide[s] services in 4 virtually every state and … target[s] world-wide customers.”). United States District Court Northern District of California 5 Plaintiffs’ attempt to graft the alleged “purposeful direction” of Ledger’s activity to make 6 7% of its global sales in California on to Shopify, Inc. does not establish the Court’s specific 7 jurisdiction over Shopify, Inc. However, “the Supreme Court has explained that the contacts 8 supporting purposeful direction ‘must be the defendant’s own choice.’” Cisco Sys., Inc. v. Dexon 9 Computer, Inc., 2021 WL 2207343, at *3 (N.D. Cal. 2021) (quoting Ford Motor Co. v. Mont. 10 Eighth Jud. Dist. Ct., 141 S. Ct. 1017, 1025 (2021)); Helicopteros Nacionales de Colombia, S.A. 11 v. Hall, 466 U.S. 408, 417 (1984) (“[The] unilateral activity of another party or a third person is 12 not an appropriate consideration when determining whether a defendant has sufficient contacts 13 with a forum State to justify an assertion of jurisdiction”). Plaintiffs make no allegations that the 14 fact that Shopify, Inc. provided “a software product” to Ledger that “allow[ed] [Ledger] to easily 15 operate [an] online store[],” FAC ¶ 75, to sell to “consumers worldwide,” FAC ¶ 155, shows that 16 Shopify, Inc. made a choice to direct acts towards California. Similarly, Plaintiffs’ allegation that 17 Shopify’s “terms of service obligate it to ‘take all reasonable steps’ to protect the disclosure of 18 confidential information, including “names, addresses and other information regarding customers 19 and prospective customers,” FAC ¶ 77, is based on Plaintiff’s concession that the only reason 20 Shopify had any interaction with Plaintiffs is because “Ledger used Shopify’s services,” id. ¶ 76 21 (emphasis added). Cf. SKAPA Holdings LLC v. Seitz, 2021 WL 672091, at *5 (D. Ariz. 2021) 22 (When assessing specific jurisdiction, “the analysis must be [restricted to] the defendant’s ‘own 23 contacts’ with the forum.”) (quoting Walden v. Fiore, 571 U.S. 277, 289 (2014)). Ledger’s acts 24 cannot be imported to Shopify for jurisdictional purposes. 25 Second, Plaintiffs contend that personal jurisdiction lies over Shopify Inc. because 26 “substantial events leading up to the breach at issue have occurred in California.” FAC ¶ 26. 27 Plaintiffs refer to additional facts contained in declarations asserting jurisdictional facts to 28 elaborate that “Shopify, Inc. provided access to Plaintiffs’ information to TaskUs, Inc., located in 9 1 California, and that conduct led directly to the breaches harming Plaintiff Seirafi and other class 2 members in California.” Opposition at 18 (citing Docket No. 56-1 (“McIntomny Decl.”) ¶ 11). 3 Plaintiffs further contend that “Shopify, Inc. permitted the customer data—the disclosure/loss of 4 which gives rise to the liability—to be accessible to and accessed by at least one culpable 5 individual who was indicted in federal court in California. Id. (citing Docket No. 67-1 6 (“Economides Decl.”), Exh. 10); FAC ¶ 81. United States District Court Northern District of California 7 Plaintiffs, however, misrepresent the content of the declarations and complaint, and fail to 8 support their assertion that Shopify, Inc. engaged in activity in California leading up to and during 9 the breach. The McIntomny Declaration, prepared by a Senior Clerk at Shopify, Inc., explains that 10 Shopify, Inc. did not contract with TaskUs to process user data, but rather, Shopify International 11 Limited, a separate entity based in Dublin, Ireland, did so. McIntomny Decl. ¶ 11. Furthermore, 12 there is no evidence in the declaration or elsewhere that Shopify Inc. (or any other entity) 13 “reposited [Plaintiffs’] data in California,” Opposition at 19, or “provided access to” that data in 14 California, id. at 18. Cf. McIntomny Decl. ¶ 11. Rather, Jennifer Routledge, Senior Lead for 15 Vendor Partnerships for Shopify, Inc. declares, “TaskUs, Inc. contracted with Shopify 16 International Limited to provide all of its services, including services involving any Shopify Inc. 17 data, and to remotely access any data necessary for provision of those services, only from sites 18 outside of the United States.” Docket No. 70-1 (“Routledge Decl.”) ¶ 2 (emphasis added). 19 Shopify, Inc.’s supplemental declarations reject Plaintiffs’ assertion that it was “a California 20 company that then implemented the breach,” Opposition 19, and state that the breach was 21 accomplished by independent contractors of TaskUs located in the Philippines. See McIntomny 22 Decl. ¶¶ 11-12. And although TaskUs has a California address, Shopify Inc. included a copy of 23 the agreement through which Shopify International Limited (headquartered in Dublin, Ireland) 24 contracted for services to be performed by TaskUs, which states that "The Services will be 25 provided in the Territory of the Philippines and at the following Site: 17th Floor, 24-7 McKinley 26 Building, 24th St. 7th Ave, BGC, Taguig City, Philippines." Docket No. 54-6 at 29. Properly 27 characterized and contextualized by the undisputed facts contained in these declarations, none of 28 Plaintiffs’ contentions are sufficient for Plaintiffs to meet their burden to show that Shopify, Inc. 10 United States District Court Northern District of California 1 “purposefully directed” any acts towards California. 2 Moreover, Plaintiffs’ allegation at FAC ¶ 81 does not in fact allege that “Shopify Inc. 3 permitted the customer data … to be accessible to and accessed” by anyone in California, but 4 rather that a California man “paid an employee of a Shopify vendor to provide him with Shopify’s 5 merchant data.” FAC ¶ 81; see also Economides Decl., Exh 10 (Indictment in United States v. 6 Heinrich, 8:21-cr-22-JLS (C.D. Cal. 2021), Docket No. 16). Indeed, as Plaintiffs’ allegation 7 concedes and the criminal indictment confirms (consistent with Shopify’s declaration), the 8 California-based defendant was not an employee of Shopify’s or even TaskUs; his connection to 9 the data breach is that he corresponded over the internet and solicited “a Philippines-based 10 employee of a third-party contractor who provided customer support services for the Victim 11 Company” to steal data. United States v. Heinrich, 8:21-cr-22-JLS (C.D. Cal. 2021), Docket No. 12 16 at 2; see also id. at 3-13. The fact that a resident of California was indicted on allegations that 13 he paid other individuals to steal data from Shopify Inc. in the Philippines does not show that 14 Shopify Inc. purposefully directed acts at California. 15 Finally, Plaintiffs argue that Shopify, Inc. purposefully directed activity towards California 16 by omission: “Shopify, Inc. failed to warn Plaintiff Seirafi and Class Members in California about 17 the breach, and those acts of concealment caused additional harm as those individuals were left 18 vulnerable to hackers who had obtained the data that Ledger was supposed to protect.” Opposition 19 at 18. This theory, too, fails to provide a basis to conclude that Shopify, Inc. purposefully directed 20 its activity towards California. Any alleged decision to communicate—or not to communicate— 21 with individuals affected by the data breach would presumably have been made by Shopify, Inc. at 22 its principal place of business in Ottawa, Canada. There are no facts alleged that Shopify, Inc. 23 made its decision regarding notification in California or that it specifically targeted California in 24 its decision not to provide communications about the breach, nor do any facts presented by 25 Plaintiffs suggest that California-residents were uniquely harmed or entitled to a warning about the 26 breach more than anyone else affected by the breach residing in any other jurisdiction. See Caces- 27 Tiamson, 2020 WL 1322889, at *3 (“Ms. Caces-Tiamson cannot establish even a prima facie case 28 of specific jurisdiction because, as Equifax argues, ‘any and all actions which Equifax did or 11 1 allegedly did not take with respect to its data security systems’ would presumably have occurred 2 in Georgia, where Equifax has its principal place of business. The fact that Ms. Caces-Tiamson 3 suffered injury in California (i.e., where she resides) as a result of Equifax's actions or omissions is 4 not enough to support specific jurisdiction.”) (internal citations omitted). 5 Thus, because Plaintiffs fail to show (1) that the Shopify, Inc. “purposefully directed” their 6 activities towards California, and (2) that their claims “arise out of” Shopify’s forum-related 7 activities demonstrate, the Court concludes that it lacks specific jurisdiction over Shopify Inc (and, 8 correspondingly, over Shopify USA, see supra n.2). Accordingly, the Shopify Defendants are 9 dismissed from this action. 10 2. a. United States District Court Northern District of California 11 12 The Court Lacks Specific Jurisdiction Over Ledger Ledger Did Not Purposefully Direct Its Activities Towards California As noted above, a defendant “purposefully direct[s]” [its] activities at the forum if [it]: (1) 13 committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the 14 defendant knows is likely to be suffered in the forum state.” Picot, 780 F.3d at 1214 (internal 15 quotations and citation omitted). Ledger concedes it committed an “intentional act” by offering 16 hardware wallets for sale on its internationally accessible website, including to customers in 17 California. Docket No. 58 (“Ledger MTD”) at 8; see Loomis v. Slendertone Distribution, Inc., 18 420 F. Supp. 3d 1046, 1068 (S.D. Cal. 2019). However, Plaintiffs fail to demonstrate the second 19 two prongs of the purposeful direction test: they neither show that Ledger “expressly aimed” it 20 activities at California, nor that Ledger caused harm it knew was likely to be suffered in 21 California. 22 b. Ledger Did Not Expressly Aim Activity At California 23 First, Plaintiffs do not adequately allege that Ledger “expressly aimed” any acts at 24 California. Plaintiffs allege that “[t]his Court” has personal jurisdiction over Ledger “because it 25 solicits customers, including Plaintiffs and Class members, in the United States and California.” 26 FAC ¶ 32. This assertion is not enough to demonstrate Ledger’s express aiming. See Asahi 27 Metal, 480 U.S. at 112 (“The placement of a product into the stream of commerce, without more, 28 is not an act the defendant purposefully directed toward the forum state”); Imageline, Inc. v. 12 1 Hendricks, No. CV 09-1870 DSF AGRX, 2009 WL 10286181, at *4 (C.D. Cal. 2009) (“The 2 Defendants' sales to California residents were not specifically directed contacts, but instead 3 occurred only because the purchasers of Defendants' goods happened to reside in California. 4 There was no ‘individual[ized] targeting’ of California.”). United States District Court Northern District of California 5 “Operating a universally accessible website alone is generally insufficient to satisfy the 6 express aiming requirement.” Elliot v. Cessna Aircraft Co., No. 8:20-cv-00378-SBA, 2021 WL 7 2153820, at *3 (C.D. Cal. 2021) (“the fact that Defendant maintains an interactive website that 8 reaches potential customers in California does not establish specific jurisdiction”); see also Adobe 9 Sys. Inc. v. Cardinal Camera & Video Ctr., Inc., No. 15-cv-02991-JST, 2015 WL 5834135, at *5 10 (N.D. Cal. 2015) (“not all material placed on the Internet is, solely by virtue of its universal 11 accessibility, expressly aimed at every state in which it is accessed”). “A defendant is required to 12 do ‘something more’—namely, the defendant must engage in conduct directly targeting the forum, 13 such as to display content or advertisements that appeal to, and profit from, an audience in a 14 particular state.” Elliot, 2021 WL 2153820, at *3 (citing Mavrix, 647 F.3d at 1231). 15 In Mavrix, the Ninth Circuit noted the difficult of determining “whether tortious conduct 16 on a nationally accessible website is expressly aimed at any, or all, of the forums in which the 17 website can be viewed,” 647 F.3d at 1229, but reasoned that specific jurisdiction obtained in 18 California because defendant “operated a very popular website with a specific focus on the 19 California-centered celebrity and entertainment industries” and concluded that defendant 20 “anticipated, desired, and achieved a substantial California viewer base” and “continuously and 21 deliberately exploited the California market for its website,” id. at 1230 (emphasis added). The 22 Mavrix Court concluded that holding the defendant there “answerable in a California court for the 23 contents of a website whose economic value turns, in significant measure, on its appeal to 24 Californians” did not violate due process. Id. 25 Applying Mavrix, the Ninth Circuit recently held in AMA Multimedia v. Wanat, that a 26 foreign defendant who operated an adult-content website did not expressly aim intentional acts at 27 the United States to satisfy the minimum contacts test for specific jurisdiction despite allegations 28 that the defendant used “geotargeted advertisements” to produce its U.S. revenue and that over 13 United States District Court Northern District of California 1 19% of the site’s total visitors were U.S.-based. 970 F.3d 1201, 1210-11 (9th Cir. 2020). The 2 Wanat Court explained that the defendant’s website and products lacked “a forum-specific focus” 3 because that the “market for adult content is global” and that 80% of the defendant’s viewers were 4 outside the United States. Id. at 1210. The Wanat Court further explained that the defendants use 5 of geotargeted advertisements cannot establish specific jurisdiction because such advertisements 6 are always directed at a specific forum: “a viewer in the United will see advertisements tailored to 7 the United States while a viewer in Germany will see advertisements tailored to Germany,” so 8 “absent other indicia of [defendant’s] personal direction,” the use of geotargeted advertising does 9 not establish express aiming. Id. The Ninth Circuit summarized that specific jurisdiction did not 10 lie in the United States because it “was not ‘the focal point’ of the website ‘and of the harm 11 suffered.’” Id. at 1212 (quoting Walden, 571 U.S. at 287) (emphasis added). 12 Here, Plaintiffs have not alleged enough under the Ninth Circuit’s frameworks in Mavrix 13 and Wanat to find that Ledger “expressly aimed” its conduct at California. Plaintiff’s bare 14 allegation that Ledger “solicits customers in the United States and California,” FAC ¶ 32, and 15 evidence (based on a declaration Ledger introduced as an exhibit to its motion to dismiss) that 16 7.03% of Ledger’s worldwide revenue comes from California, is not enough to establish Ledger 17 “anticipated, desired, and achieved a substantial” customer-base in California like the defendant in 18 Mavrix. 647 F.3d at 1230. Nor does it demonstrate Ledger’s forum-specific focus on California, 19 given that the “market for [its hardware products] is global.” Wanat, 930 F.3d at 1210. Indeed, 20 more than 60% of the company’s revenue comes from outside of the U.S. and 80% of its U.S. 21 revenue from outside of California. Opposition at 17. See also Caces-Tiamson, 2020 WL 22 1322889, at *3 (“Nor can specific jurisdiction be based on the mere fact that [Defendant] provides 23 services to customers nationwide, including but not limited to California.”). 24 The complaint also includes an allegation that Plaintiff Seirafi, who resides in Los 25 Angeles, California, “saw advertisements for Ledger’s services and hardware” around March 26 2019, FAC ¶ 16, but provides no further explanation of what those advertisements consisted of, 27 where they were placed, where Seirafi was located when he saw them, nor any other information 28 for the Court to reasonably infer that the advertisements evinced a California-specific focus. 14 United States District Court Northern District of California 1 Seirafi’s declaration submitted as an exhibit to Plaintiff’s Opposition provides some additional 2 context – that Seirafi viewed the advertisement on Instagram – but then explains that, “Based on 3 review of Ledger’s online advertising account [a feature that may be viewed through Instagram] in 4 August 2021, it appears that the advertisements that [Seirafi] was seeing prior to purchasing a 5 Ledger wallet was specifically based on U.S. area codes.” Docket No. 67-3 (“Seirafi Decl.”) ¶¶ 6 13-14 (emphasis added). Nothing in Seirafi’s declaration demonstrates that Ledger aimed its 7 advertising to California. Ledge submits evidence that “Ledger SAS does not specifically direct 8 any of its business activities or advertising at California. Its business activities, including 9 advertising, have no particular focus on any specific state in the United States.” Docket No. 59 10 (“Ricomard Decl.”) ¶ 11. Plaintiffs’ insinuation that Ledger’s advertising activity was targeted at 11 California (the complaint does not even directly make this assertion) does not provide sufficient 12 detail of the “something more” necessary to show Ledger’s operation of a globally accessible 13 website was also “expressly aimed” at California. Cf. Mavrix, 647 F.3d at 1231; Wanat, 930 F.3d 14 at 1210; Erickson v. Nebraska Mach. Co., No. 15-CV-01147-JD, 2015 WL 4089849, at *4 (N.D. 15 Cal. 2015) (“[A]lthough the complaint alleges in conclusory fashion that NMC's website is ‘highly 16 interactive and allows visitors to purchase or rent products directly through the website’ . . . there 17 is no evidence that the website was in any way directed at California residents.”) (citation 18 omitted). 19 Plaintiffs rely principally on two cases to justify their argument that Ledger expressly 20 aimed its activity to California. They point to Lack v. Mizuho Bank to demonstrate the additional 21 factors that courts look to when a defendant operates and interactive website to determine whether 22 that cite has been aimed at California: “[Plaintiff] and other California users opened accounts, 23 communicated with the customer support desk, initiated bitcoin trades, made deposits, and 24 processed withdrawals through the website.” 2019 WL 4239128, at *5 (C.D. Cal. June 24, 2019). 25 But Plaintiffs do not allege that Ledger’s website has any of these features or that any Californians 26 used any such features that made the website in Lack multi-faceted and “highly interactive”—only 27 that Ledger’s site allows customers to browse and buy hardware wallets. FAC ¶ 32. 28 Next, Plaintiffs cite iSmile Dental Prods. v. Smile Dental Supply, Inc., No. 2:16-cv0105515 United States District Court Northern District of California 1 TLN, 2017 WL 1153110 (E.D. Cal. March 28, 2017), where the Court found that two sales into 2 California through an interactive website were enough for purposeful direction. The district court 3 in iSmile, however, did not discuss nor apply the Ninth Circuit’s controlling analysis from Mavrix 4 (even though Mavrix had been decided six years earlier). The iSmile Court relied on the Second 5 Circuit’s view that “an interactive website plus a single sale is sufficient to constitute ‘something 6 more’ and meet the purposeful direction standard.” Id. (quoting Chloe v. Queen Bee Beverly Hills, 7 LLC, 616 F.3d 158, 171 (2d Cir. 2010)). It is hard to see how the Second Circuit’s bright-line 8 articulation of an interactive site and a single sale in a forum can be reconciled with the Ninth 9 Circuit’s searching inquiry into the nature, intent and scope of a defendant’s expressly aimed, 10 forum-focused activity as required by Mavrix and Wanant. See also ThermoLife Int'l, LLC v. 11 NetNutri.com LLC, 813 F. App'x 316, 318 (9th Cir. 2020) (“ThermoLife cannot establish specific 12 personal jurisdiction through nonspecific, nationwide sales, as, in the context of this case, any 13 contact with Arizona would be “‘random, fortuitous, or attenuated.’” (citation omitted)). 14 Therefore, the cases on which Plaintiffs rely are either inapposite or unpersuasive. Finally, the Supreme Court’s recent holding in Ford Motor Co. does not alter the analysis 15 16 here. There the Court found that Ford was subject to specific jurisdiction in Montana and 17 Minnesota because it “conceded ‘purposeful availment’ of the two States’ markets.”2 141 S. Ct. at 18 1028. Ford did so through its extensive forum-related conduct. “By every means imaginable— 19 among them, billboards, TV and radio spots, print ads and direct mail—Ford urges Montanans and 20 Minnesotans to buy its vehicles” including the vehicles that experienced alleged malfunctions at 21 issue in the cases. Id. Ford cars “are available, whether new or used, throughout the States,” and 22 the company’s dealers in Montana and Minnesota “regularly maintain and repair Ford cars” while 23 the company “distributes replacement parts both to its own dealers and to independent auto shops 24 in the two states.” Id. Taken together, Ford’s activities in those states “encourage[d] Montanans 25 26 27 28 The Supreme Court in Ford analyzed specific jurisdiction under the “purposeful availment” test for contract claims, which differs from the “purposeful direction” test applicable to the tort claims here. But even if the Court were to consider the reasoning in Ford to guide its analysis here, there is no basis for the Court to alter its conclusion that Plaintiffs’ have failed to demonstrate that the Court has specific jurisdiction over Ledger. 16 2 1 2 “In other words,” the Court reasoned, “Ford had systematically served a market in 3 Montana and Minnesota for the very vehicles that the plaintiffs allege malfunctioned and injured 4 them in those States. So there is a strong ‘relationship among the defendant, the forum, and the 5 litigation’—the ‘essential foundation’ of specific jurisdiction.” Id. (citation omitted). The 6 Supreme Court observed that the fact that “the company sold the specific cars involved in the[] 7 crashes [at issue in the litigation] outside the forum States, with consumers later selling them to 8 the States’ residents” did not change the conclusion that Ford was subject to specific jurisdiction 9 in Minnesota and Montana. Id. at 1029. The Court concluded: 10 11 United States District Court Northern District of California and Minnesotans to become lifelong Ford drivers.” Id. 12 13 14 15 In conducting so much business in Montana and Minnesota, Ford ‘enjoys the benefits and protection of [their] laws’—the enforcement of contracts, the defense of property, the resulting formation of effective markets. All that assistance to Ford's in-state business creates reciprocal obligations—most relevant here, that the car models Ford so extensively markets in Montana and Minnesota be safe for their citizens to use there. Thus our repeated conclusion: A state court's enforcement of that commitment, enmeshed as it is with Ford's government-protected in-state business, can ‘hardly be said to be undue.’ 16 Id. at 1029-30 (internal citations omitted). By contrast, as already discussed, Plaintiffs here fail to 17 allege that Ledger purposefully availed itself to the California market through similar forum- 18 specific advertising, sales or services. The scale and magnitude of Ledger’s alleged activities in 19 the California pale in comparison with that undertaken by Ford. There was no enmeshment of 20 Ledger’s obligations to consumers with government-protected in-state business comparable to that 21 in Ford. There are no allegations that California law or institutions have provided Ledger any 22 “assistance” to its “in-state business” to “create reciprocal obligations” that Ledger owes to 23 California. Id. at 1029-30. Moreover, there was a direct relationship to the cars Ford extensively 24 marketed in Montana and Minnesota and the resulting injury – it was cars themselves which 25 caused the harm. Here, the relationship between Ledger’s California sales of its product and the 26 hack of the database of its customers from the files of a third party is attenuated and indirect. 27 Hence, the “strong ‘relationship among the defendant, the forum, and the litigation’—the 28 ‘essential foundation’ of specific jurisdiction” present in Ford is missing here. 17 1 2 United States District Court Northern District of California 3 c. Ledger Did Not Cause Harm In California That It Knew Was Likely To Be Suffered There Second, even if Plaintiffs had sufficiently alleged that Ledger expressly aimed its sales 4 activity to California (which they do not), Plaintiffs fail to allege that Ledger’s intentional act of 5 offering hardware wallets for sale on its website caused harm in California nor harm that Ledger 6 knew was likely to be suffered there. See Picot, 780 F.3d at 1214 (third prong of purposeful 7 direction test is that defendant’s alleged intentional act was responsible for “causing harm that the 8 defendant knows is likely to be suffered in the forum state.”); Elofson v. Bivens, No. 15-cv-05761- 9 BLF, 2017 WL 566323, at *5 (N.D. Cal. Feb. 13, 2017) (plaintiff failed to establish purposeful 10 direction where he did not allege any of the defendant’s actions caused him harm). Plaintiffs do 11 not connect Ledger’s alleged forum-specific intentional act of selling hardware wallets in 12 California to their alleged harms stemming from a data breach. The injury was caused by the data 13 breach, not the sales. To get around this deficiency in its pleadings, Plaintiffs’ opposition brief 14 attempts to tether Shopify’s alleged California-specific activity that gave rise to the alleged data 15 breach to Ledger, by contending that “Ledger permitted Plaintiffs’ data—and other California 16 class members’ data—to be possessed by TaskUs, Inc. located [in] . . . South, Santa Monica, 17 California and the data breach then arose with TaskUs, Inc.” Opposition at 17 (citing McIntomny 18 Decl. ¶¶ 10-11). Not only does this allegation not appear in Plaintiffs’ complaint, see Tietsworth 19 v. Sears, Roebuck and Co., 720 F. Supp. 2d 1123, 1145 (N.D. Cal. 2010), but Plaintiffs’ theory 20 relies on the mistaken factual assertion discussed above – there is no evidence that any party took 21 any actions related to any Plaintiff or any other customer data in California. The data was 22 managed by TaskUs, Inc., in the Philippines. See supra Discussion § I(B)(1). 23 Furthermore, as discussed below, the alleged wrongful act of Ledger permitting the data to 24 be breached could not have occurred in California, where Leger had no office or employees. 25 Thus, because Plaintiffs cannot satisfy the second and third prongs of the purposeful 26 direction test—that Ledger expressly aimed an intentional act at California and that intentional act 27 caused harm that Ledger knew was likely to be suffered in the forum state—Plaintiffs fail to 28 demonstrate that Ledger purposefully directed its activities in California to give rise to the Court’s 18 1 2 United States District Court Northern District of California 3 specific jurisdiction over Ledger. i. Plaintiffs’ Claims Do Not “Arise Out Of” Ledger’s CaliforniaRelated Activities 4 Even if Plaintiffs had demonstrated that Ledger purposefully directed its sale activities to 5 California, they fail to satisfy the second prong to the specific jurisdiction analysis: to show that 6 their claims “arise out of” Ledger’s forum-related activities. See Morrill, 873 F.3d at 1142. “Or 7 put just a bit differently, ‘there must be an affiliation between the forum and the underlying 8 controversy, principally, [an] activity or an occurrence that takes place in the forum State and is 9 therefore subject to the State's regulation.’” Ford Motor Co., 141 S. Ct. at 1025 (citation omitted). 10 Plaintiffs’ complaint on this prong is deficient for the same reasons it was unable to 11 adequately alleges that Ledger caused harm in California nor harm that Ledger knew was likely to 12 be suffered there under the purposeful direction analysis. Plaintiffs allege no facts to connect 13 Ledger’s activity with regards to the data breach to California. See Caces-Tiamson, 2020 WL 14 1322889, at *3 (“A plaintiff's residency in the forum state is not the sine qua non of specific 15 jurisdiction. Neither is where the Plaintiff experienced her injury. Rather, the Supreme Court has 16 instructed [in Walden] that [t]he proper question is not where the plaintiff experienced a particular 17 injury or effect but whether the defendant's conduct connects him to the forum in a meaningful 18 way.”) (quotation marks and citations omitted) (emphasis added). 19 Plaintiffs further contend that after the breach occurred Ledger “failed to warn or 20 adequately assist those individuals in California to protect against hacking attacks arising from the 21 breach.” Opposition at 18; FAC ¶¶ 82-137. But, again, this theory fails to connect any of 22 Ledger’s actions (or allegedly deliberate inaction) to California. Ledger submitted uncontroverted 23 evidence that it is incorporated and has its principal place of business in Paris, France, that it does 24 not have any offices in California or anywhere else in the United States, that it does not any 25 employees or officers located in the United States, and that it is not registered to do business in 26 California. Docket No. 59 (“Ricomard Decl.”) ¶¶ 6-9. In light of these facts, any decisions 27 Ledger made regarding its actions or inaction with regard to the data breaches and how to proceed 28 can reasonably be inferred to have been made at its principal place of business in Paris, France. 19 1 Or, at the very least, there is no basis for the Court to infer that any of those decision were made in 2 California, where Ledger does not have a single employee. Cf. Caces-Tiamson, 2020 WL 3 1322889, at *3 (“[Plaintiff] cannot establish even a prima facie case of specific jurisdiction 4 because, as Equifax argues, “any and all actions which Equifax did or allegedly did not take with 5 respect to its data security systems” would presumably have occurred in Georgia, where Equifax 6 has its principal place of business. The fact that Ms. Caces-Tiamson suffered injury in California 7 (i.e., where she resides) as a result of Equifax's actions or omissions is not enough to support 8 specific jurisdiction.”) (citations omitted). Thus, because Plaintiffs fail to satisfy their burden to demonstrate that Ledger United States District Court Northern District of California 9 10 “purposefully directed” its activity at California, and that Plaintiffs’ claims “arise out of” Ledger’s 11 California-related activities, Picot, 780 F.3d at 1214, the Court concludes that it lacks specific 12 jurisdiction over Ledger. Thus, Defendant Ledger is dismissed from this action. 13 C. Jurisdictional Discovery 14 Having concluded that the Court lacks personal jurisdiction over any of the three 15 Defendants in this case, the Court turns to Plaintiffs’ request for leave to conduct jurisdictional 16 discovery. Opposition at 24-25. The decision whether to grant jurisdictional discovery is 17 typically within the discretion of the district court. Wells Fargo & Co. v. Wells Fargo Exp. Co., 18 556 F.2d 406, 430 n.24 (9th Cir. 1977). “[W]here pertinent facts bearing on the question of 19 jurisdiction are in dispute, discovery should be allowed.” American West Airlines, Inc. v. GPA 20 Group, Ltd., 877 F.2d 793, 801 (9th Cir. 1989). However, “where a plaintiff's claim of personal 21 jurisdiction appears to be both attenuated and based on bare allegations in the face of specific 22 denials made by the defendants, the Court need not permit even limited discovery.” Pebble Beach 23 Co. v. Caddy, 453 F.3d 1151, 1160 (9th Cir. 2006) (quoting Terracom v. Valley Nat. Bank, 49 24 F.3d 555, 562 (9th Cir. 1995)). 25 Plaintiffs’ request for jurisdictional discovery articulates six issues pertaining to the 26 Shopify Defendants and three issues pertaining to Ledger that they would seek to investigate. 27 Economides Decl. ¶¶ 6-7. The court need not grant jurisdictional discovery, however, where 28 Plaintiffs’ requests are “purely speculative allegations of attenuated jurisdictional contacts.” Getz 20 1 v. Boeing Co., 654 F.3d 852, 860 (9th Cir. 2011). Moreover, where a defendant has already 2 provided evidence establishing that personal jurisdiction does not exist, jurisdictional discovery is 3 unwarranted. Frank Valli & The Four Seasons v. EMI, Music Publ’g Ltd., No. CV 17-7831-MWF 4 (JCx), 2018 WL 6136818, *8 (C.D. Cal. May 22, 2018) (denying jurisdictional discovery where 5 the “evidence already before the court demonstrates” that the personal jurisdiction does not exist). 6 7 8 9 10 United States District Court Northern District of California 11 Accordingly, the Court reviews each of Plaintiffs’ requests for jurisdictional discovery: Information Plaintiffs Propose to Seek from Shopify Defendants “The role and responsibilities of Vivek Narayandas, an attorney employed at Shopify (USA) who advises Shopify Inc. as its Data Protection Officer.” (Economides Decl. ¶ 6(a)) 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 “What employees were involved in working with or overseeing the work done by TaskUs (the Shopify vendor that Shopify states was responsible for the breach), where do they work, and which entity did they work for.” (Economides Decl. ¶ 6(b)) Analysis This request is based on “purely speculative allegations of attenuated jurisdictional contacts.” Getz, 654 F.3d at 860. This request would only be meaningful to establish the Court’s specific jurisdiction over Shopify USA, however, Plaintiffs makes no allegations regarding any of Shopify USA’s forum-specific activities. Instead, their theory of specific jurisdiction over Shopify USA is derivative of their theory of specific jurisdiction over Shopify, Inc. Opposition at 14 n.8. There is no basis for the Court to allow Plaintiffs to explore a theory regarding Shopify USA’s forum-related conduct that it presents for the first time in its request for discovery. This request is based on “purely speculative allegations of attenuated jurisdictional contacts.” Getz, 654 F.3d at 860. In light of evidence showing that the data breach by TaskUs did not occur in California, Plaintiffs advance, for the first time, an unsupported theory that Shopify may have had employees in California who supervised TaskUs. There is no basis for this speculative request because evidence already in the record shows that “TaskUs, Inc. contracted with Shopify International Limited to provide all of its services, including services involving any Shopify Inc. data, and to remotely access any data necessary for provision of those services, only from sites outside of the United States.” (Routledge Decl. ¶ 2). Moreover, Shopify International Limited, an Irish company, is neither a party to this case, nor is there any 21 1 2 3 4 5 6 7 8 9 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Information Plaintiffs Propose to Seek from Shopify Defendants Analysis indication or any allegations they have any employees in California. (McIntomny Decl. ¶ 11). “Which employees reported to Roy Sunstrum, This request is based on “purely speculative the signatory to Shopify’s contract with allegations of attenuated jurisdictional TaskUs, where do they work, and which contacts.” Getz, 654 F.3d at 860. In light of entity did they work for.” (Economides Decl. evidence showing that the data breach by ¶ 6(c)) TaskUs did not occur in California, Plaintiffs seem to advance, for the first time, an unsupported theory that Shopify may have had employees in California who supervised TaskUs and that their supervisory misconduct caused Plaintiffs’ harm. There is no basis for this speculative request. “Which employees were involved in Dispositive evidence already provided: implementing and overseeing Shopify’s “Shopify, Inc. is not registered to do business specific data security practices alleged to be in California . . . and does not have an office insufficient in the First Amended Complaint, in California. . . Shopify, Inc. has no where do they work, and which entity did employees in California.” (McIntomny Decl. they work for.” (Economides Decl. ¶ 6(d)) ¶ 5). “Which employees were involved Dispositive evidence already provided: investigating the breach and determining its “Shopify, Inc. is not registered to do business impact, size, and scope, and where do they in California . . . and does not have an office work, and which entity did they work for.” in California. . . Shopify, Inc. has no (Economides Decl. ¶ 6(e)) employees in California.” (McIntomny Decl. ¶ 5). “Which employees were involved in Dispositive evidence already provided: Shopify’s response and notification process, “Shopify, Inc. is not registered to do business where do they work, and which entity did in California . . . and does not have an office they work for.” (Economides Decl. ¶ 6(f)) in California. . . Shopify, Inc. has no employees in California.” (McIntomny Decl. ¶ 5). Information Plaintiffs Propose to Seek from Ledger “Advertisements, sales, and/or business strategies involving the California market and/or California consumers.” (Economides Decl. ¶ 7(a)) “Practices for obtaining, storing, transmitting, and/or protecting the personal information of California consumers.” (Economides Decl. ¶ 7(b)) Analysis Dispositive evidence already provided: “Ledger SAS does not specifically direct any of its business or advertising at California. Its business activities, including advertising, have no particular focus on any specific state in the United States.” (Ricomard Decl. ¶ 11.) Dispositive evidence already provided: When consumers make purchases through ledger.com, they provide certain contact information to Ledger SAS. Ledger SAS maintains this information in its e-commerce 22 1 Information Plaintiffs Propose to Seek from Ledger 2 3 4 5 “California-based companies, employees, independent contractors, or other agents relating to Ledger SAS’s data storage and protection.” (Economides Decl. ¶ 7(c)) 6 7 8 United States District Court Northern District of California 9 Analysis and marketing database. Ledger does not have any unique practices for California consumers. (Ricomard Decl. ¶¶ 5, 11.) Dispositive evidence already provided: “Ledger SAS does not have any offices in California or anywhere else in the United States. It also does not have any employees or officers located in the United States. All of Ledger SAS’s employees and officers are located in France and Switzerland.” (Ricomard Decl. ¶ 7.) Plaintiffs’ requested discovery is not based on any prima facie evidence that the 10 undisputed evidence presented by Defendants are false or inaccurate. Accordingly, the Court 11 concludes jurisdictional discovery is based on speculation and is therefore unwarranted. The 12 Court denies Plaintiffs’ request. In light of the Court’s finding that jurisdictional discovery is 13 unwarranted, the Court concludes that it would be futile for Plaintiffs to attempt to amend their 14 complaint to assert personal jurisdiction over any of the three Defendants. 15 V. 16 CONCLUSION The Court lacks personal jurisdiction over Defendants Shopify USA, Shopify, Inc., and 17 Ledger. Accordingly, the Court GRANTS each Defendant’s respective motion to dismiss. 18 Docket Nos. 55, 56, and 58. The Court, further, concludes that jurisdictional discovery is 19 unwarranted and thus DENIES Plaintiffs’ request for jurisdictional discovery. For the reasons 20 explained above, the Court finds that it would be futile for Plaintiffs to amend their complaint to 21 attempt to assert personal jurisdiction over Defendants. Thus, the case is dismissed with 22 prejudice. 23 24 25 26 27 28 This order disposes of Docket Nos. 55, 56, and 58. The Clerk of the Court is directed to enter judgment and close the case. IT IS SO ORDERED. Dated: November 9, 2021 ______________________________________ EDWARD M. CHEN United States District Judge 23
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
