Huynh v. Quora, Inc., a Delaware corporation, No. 5:2018cv07597 - Document 210 (N.D. Cal. 2020)
Court Description: ORDER GRANTING IN PART AND DENYING IN PART 140 DEFENDANTS MOTION FOR SUMMARY JUDGMENT. Signed by Judge Beth Labson Freeman on 12/21/2020. (blflc2S, COURT STAFF) (Filed on 12/21/2020)
Download PDF
<![CDATA[
Huynh v. Quora, Inc., a Delaware corporation Doc. 210 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 1 of 35 1 2 3 UNITED STATES DISTRICT COURT 4 NORTHERN DISTRICT OF CALIFORNIA 5 SAN JOSE DIVISION 6 7 ALEXANDER HUYNH, et al., Plaintiffs, 8 v. 9 10 QUORA, INC., Defendant. United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 Case No. 5:18-cv-07597-BLF ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT’S MOTION FOR SUMMARY JUDGMENT [Re: ECF 140] In this putative class action, Plaintiff Jeri Connor (“Plaintiff”) alleges that Defendant Quora, Inc. (“Defendant”) failed to safeguard its users’ personal identifying information (“PII”) from a data breach of their platform. Before the Court is Defendant’s Motion for Summary Judgment on the remaining claims for (1) negligence and (2) California’s Unfair Competition Law (the “UCL”). Mot. for Summary J. (“Mot.”), ECF 140. Having considered the parties’ briefing, oral arguments on October 29, 2020, and the applicable law, the Court GRANTS IN PART and DENIES IN PART Defendant’s Motion. I. BACKGROUND 20 A. The Undisputed Facts of the Data Breach1 21 22 23 24 25 26 Defendant Quora is a question-and-answer social media platform. Decl. of Paula Griffin (“Griffin Decl.”) ¶ 3, ECF 140-1; Decl. of Zhe Fu (“Fu Decl.”) ¶ 3, ECF 140-2. To become one of its users, a person must create an account and provide Defendant certain PII, which the company collects and maintains under its Privacy Policy. See Griffin Decl. ¶ 4; Decl. of Steven R. Weinmann (“Weinmann Decl.”) Ex. C (“Terms of Service”), ECF 151-1, and Ex. F (“Privacy 27 28 1 The facts set forth in this section are undisputed unless otherwise noted. For the purposes of this Motion only, Defendant concedes that all the data Plaintiff claims was stolen was, in fact, stolen. Dockets.Justia.com Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 2 of 35 1 Policy”), ECF 151-4. Defendant also provides users the ability to link their accounts with other 2 social media accounts such as Facebook and LinkedIn. See Weinmann Decl. Ex. B, at 20:6-9, 3 ECF 152-1, and Decl. of Rebekah S. Guyon (“Guyon Decl.”) Ex. 13, ECF 140-4 (collectively 4 “Connor Tr.”); see also Guyon Decl. Ex. 11 (“Disclosure Email”), ECF 140-4. On November 30, 2018, Defendant learned that a third-party had breached its platform United States District Court Northern District of California 5 6 approximately six months earlier (the “Data Breach”). Fu Decl. ¶ 4; Weinmann Decl. Ex. D 7 (“Griffin Tr.”), at 41:13-19, ECF 151-2; Decl. of Paul R. Wood (“Wood Decl.”) Ex. 2 (“Quora 8 Blog Post”), ECF 150-4. Days later on December 3, 2018, Defendant disclosed the Data Breach 9 via email to its affected users, including Plaintiff Jeri Connor. See Disclosure Email. One month 10 later in January 2019, Plaintiff purchased premium credit monitoring from ClickFreeScore for five 11 months, costing $39.90 per month.2 See Guyon Decl. Ex. 12 (“Purchase Receipt”) and Ex. 17 12 (“Cancellation Receipt”), ECF 140-4; Connor Tr. 197:1-198:11. Since she received notice of the 13 Data Breach, Plaintiff says she has spent approximately one hour per day monitoring her accounts. 14 Connor Tr. 242:16-24. While Plaintiff has been the victim of numerous other data breaches and 15 feels she has been put at risk for identity theft, she does not allege that she has yet suffered actual 16 identity theft or fraud since the Data Breach. Connor Tr. 10:5-11:13, 16:18-23, 17:5-15, 39:6-10, 17 44:4-9. 18 B. Procedural History 19 Plaintiff Alexander Huynh commenced this action on December 18, 2018. Compl., ECF 1. 20 After several other cases were consolidated into this one, Plaintiffs filed the Second Amended 21 Complaint on April 25, 2019. See Order, ECF 17; Order, ECF 19; Order, ECF 45; Second Am. 22 Compl. (“SAC”), ECF 55. On December 19, 2019, the Court granted in part and denied in part 23 Defendant’s motion to dismiss the Second Amended Complaint. Order (“Prior Order I”), ECF 72. 24 On February 25, 2020, Plaintiffs filed the Third Amended Complaint, alleging four causes 25 26 27 28 2 Plaintiff states that she spent $39.95 per month on ClickFreeScore while Defendant states that she spent $19.95 per month. Opp’n 6; Mot. 7. The transcript evidence cited by either party does not provide a sum certain amount. See Connor Tr. 33, 197-198. It appears, based on the submitted receipt reflecting the purchase, that Plaintiff was to be charged $39.90 per month after being charged a $1 refundable processing fee to create her account. See Purchase Receipt. 2 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 3 of 35 1 of action: (1) violation of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code 2 § 17200 et seq.; (2) negligence; (3) breach of confidence; and (4) breach of contract.3 See Consol. 3 Third Am. Class Action Compl. (“TAC”) ¶¶ 68-115, ECF 85. On February 28, 2020, Defendant 4 moved to dismiss the Third Amended Complaint. Mot., ECF 88. On June 1, 2020, the Court 5 granted in part and denied in part Defendant’s motion to dismiss, allowing Plaintiffs’ negligence 6 and UCL claims to proceed. Order (“Prior Order II”), ECF 116. Defendant filed this Motion for Summary Judgment on September 4, 2020. See generally 7 8 Mot. Plaintiff timely filed the Opposition on October 5, 2020. See generally Opp’n, ECF 154. 9 Defendant filed the Reply on October 15, 2020. See generally Reply, ECF 161. 10 II. “A party is entitled to summary judgment if the ‘movant shows that there is no genuine 11 United States District Court Northern District of California RULE 56 SUMMARY JUDGMENT LEGAL STANDARD 12 dispute as to any material fact and the movant is entitled to judgment as a matter of law.’” City of 13 Pomona v. SQM N. Am. Corp., 750 F.3d 1036, 1049 (9th Cir. 2014) (quoting Fed. R. Civ. P. 14 56(a)). A fact is “material” if it “might affect the outcome of the suit under the governing law.” 15 Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). A dispute as to a material fact is 16 “genuine” if there is sufficient evidence for a reasonable trier of fact to decide in favor of the 17 nonmoving party. Id. The party moving for summary judgment bears the initial burden of informing the Court of 18 19 the basis for the motion and identifying portions of the pleadings, depositions, answers to 20 interrogatories, admissions, or affidavits that demonstrate the absence of a triable issue of material 21 fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). To meet its burden, “the moving party 22 must either produce evidence negating an essential element of the nonmoving party’s claim or 23 defense or show that the nonmoving party does not have enough evidence of an essential element 24 to carry its ultimate burden of persuasion at trial.” Nissan Fire & Marine Ins. Co. v. Fritz Cos., 25 Inc., 210 F.3d 1099, 1102 (9th Cir. 2000). In judging evidence at the summary judgment stage, 26 27 28 3 After the filing of the Third Amended Complaint, this Court granted the voluntary dismissal of Plaintiffs Alexander Huynh, Rick Musgrave, Erica Cooper. See Order, ECF 96; Order, ECF 138; Order, ECF 139. 3 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 4 of 35 1 the Court “does not assess credibility or weigh the evidence, but simply determines whether there 2 is a genuine factual issue for trial.” House v. Bell, 547 U.S. 518, 559-60 (2006). Where the 3 moving party will have the burden of proof on an issue at trial, it must affirmatively demonstrate 4 that no reasonable trier of fact could find other than for the moving party. Celotex, 477 U.S. at 5 325; Soremekun v. Thrifty Payless, Inc., 509 F.3d 978, 984 (9th Cir. 2007). If the moving party meets its initial burden, the burden shifts to the nonmoving party to United States District Court Northern District of California 6 7 produce evidence supporting its claims or defenses. Nissan Fire, 210 F.3d at 1103. If the 8 nonmoving party does not produce evidence to show a genuine issue of material fact, the moving 9 party is entitled to summary judgment. Celotex, 477 U.S. at 323. “The court must view the 10 evidence in the light most favorable to the nonmovant and draw all reasonable inferences in the 11 nonmovant’s favor.” City of Pomona, 750 F.3d at 1049. “[T]he ‘mere existence of a scintilla of 12 evidence in support of the [nonmovant’s] position’” is insufficient to defeat a motion for summary 13 judgment. First Pac. Networks, Inc. v. Atl. Mut. Ins. Co., 891 F. Supp. 510, 513-14 (N.D. Cal. 14 1995) (quoting Anderson, 477 U.S. at 252). “‘Where the record taken as a whole could not lead a 15 rational trier of fact to find for the nonmoving party, there is no genuine issue for trial.’” First 16 Pac. Networks, 891 F. Supp. at 514 (quoting Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 17 475 U.S. 574, 587 (1986)). 18 19 III. RULE 56(D) MOTION TO DELAY OR DENY SUMMARY JUDGMENT Plaintiff alleges that Defendant has obfuscated the nature and details of the Data Breach, 20 undermining her ability to determine whether any compromised information can be used to 21 perpetrate fraud or identity theft. Opp’n 4. Plaintiff therefore moves to delay or deny Defendant’s 22 Motion for Summary Judgment pursuant to Rule 56(d) so that she can develop facts regarding the 23 scope of the Data Breach. Opp’n 4, 6-7. Plaintiff’s request is DENIED. 24 Federal Rule of Civil Procedure 56(d) is “a device for litigants to avoid summary judgment 25 when they have not had sufficient time to develop affirmative evidence.” U.S. v. Kitsap 26 Physicians Serv., 314 F.3d 995, 1000 (9th Cir. 2002). Rule 56(d) states: 27 28 If a nonmovant shows by affidavit or declaration that, for specified reasons, it cannot present facts essential to justify its opposition, the court may: 4 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 5 of 35 2 (1) defer considering the motion or deny it; (2) allow time to obtain affidavits or declarations or to take discovery; or (3) issue any other appropriate order. 3 To prevail on a Rule 56(d) request, the party seeking relief must show that “(1) it has set 1 4 forth in affidavit form the specific facts it hopes to elicit from further discovery; (2) the facts 5 sought exist; and (3) the sought-after facts are essential to oppose summary judgment.” Family 6 Home & Fin. Ctr., Inc. v. Fed. Home Loan Mortg. Corp., 525 F.3d 822, 827 (9th Cir. 2008). The 7 party must also show that he or she has pursued discovery diligently in the past and that additional 8 discovery would prevent summary judgment. Iglesia Ni Cristo v. Cayabyab, Case No. 18-cv- 9 00561-BLF, 2020 WL 1531349, at *6 (N.D. Cal. Mar. 31, 2020) (citing Chance v. Pac-Tel 10 United States District Court Northern District of California 11 Teletrac Inc., 242 F.3d 1151, 1161 n.6 (9th Cir. 2001)). Here, Plaintiff sets forth the discovery sought in the Declaration of Paul R. Wood and in 12 the Opposition. Plaintiff seeks further discovery to determine “whether Quora’s conclusory ‘facts’ 13 regarding the breach and the extent of the data compromised are supported or accurate.” Opp’n 7; 14 see also Wood Decl. ¶¶ 3-8. With the discovery of these facts, she aims to rebut the facts in 15 Defendant’s declarations “regarding (1) when the breach occurred; (2) the Quora databases that 16 were compromised; (3) the storage and characteristics of the Quora access tokens; and (4) whether 17 the searches run by Griffin in the backup data base captured all data related to Plaintiff.” Opp’n 7. 18 Plaintiff also requests more time to depose Defendant’s witnesses. Opp’n 7; Wood Decl. ¶¶ 5-7. 19 In response, Defendant argues that “(1) the discovery [Plaintiff] seeks . . . is not essential; (2) she 20 has identified no facts that actually exist that would refute summary judgment (which is premised 21 on her own lack of causation or harm); and (3) she delayed discovery without excuse.” Reply 3. 22 This Court agrees that Plaintiff does not explain how the information that she seeks to 23 discover is “essential” to justifying her Opposition. See Fed. R. Civ. P. 56(d). Neither the 24 Opposition nor the Declaration of Paul R. Wood explains how a continuance or denial would 25 allow Plaintiff to develop the factual issues surrounding actionable causation or damages, the 26 bases for Defendant’s Motion as to Plaintiff’s negligence claim. See Mot. 9-20; see also Tatum v. 27 City & Cnty. of San Francisco, 441 F.3d 1090, 1100-01 (9th Cir. 2006) (finding no abuse of 28 discretion in denying a continuance where the plaintiff’s declaration did not explain how a 5 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 6 of 35 1 continuance would allow the plaintiff to produce evidence creating a factual issue regarding 2 probable cause); Amagen Inc. v. Sandoz Inc., 295 F. Supp. 3d 1062, 1071 (9th Cir. 2017) (denying 3 a continuance where factual issues sought to be developed were not material to the finding of 4 noninfringement). Developing facts as to the nature and scope of the Data Breach will not answer 5 whether the nature of the alleged harm—that Plaintiff spent time and money dealing with the Data 6 Breach—is actionable. See Connor Tr. 10:5-13, 242:15-18; Sun Decl. ¶ 18(e). And learning more 7 about the scope of the Data Breach does not resolve whether Plaintiff’s purchased credit 8 monitoring service was the “same” as the other free credit monitoring services available to her at 9 the time. Mot. 4, 11-12; see also Connor Tr. 34:9-23. Finally, as to the UCL claim, the scope of 10 the Data Breach is irrelevant to the issue of whether injunctive relief is available where there is an 11 adequate remedy at law. See Mot. 23-25; Opp’n 25; Reply 15. 12 In sum, there “is a proper ground for denying discovery and proceeding to summary 13 judgment.” Brae Transp., Inc. v. Coopers & Lybrand, 790 F.2d 1439, 1443 (9th Cir. 1986). Thus, 14 Plaintiff’s request for a continuance or denial pursuant to Rule 56(d) is DENIED. 15 16 IV. RULE 56(C) EVIDENTIARY OBJECTIONS Under Federal Rule of Civil Procedure 56(c)(2), a party can object to an opposing party’s 17 declarations and evidentiary material if it “cannot be presented in a form that would be admissible 18 in evidence.” Fed. R. Civ. P. 56(c). Defendant objects to one statement in the Connor Transcript 19 and several assertions in the Declaration of David Sun, including the declaration in its entirety 20 based on Sun’s alleged lack of expertise. See Connor Tr. 242:15-18; Decl. of David Sun (“Sun 21 Decl.”), ECF 150-1. The Court discusses and OVERRULES each objection. 22 A. Connor Tr. 242:15-18: Response to Allegedly Leading Question on Redirect 23 Plaintiff testified to the following at her deposition: 24 25 26 Q. And in addition to purchasing credit monitoring through ClickFreeScore.com from January to June, did you also . . . monitor your credit during that period? A. Yes. Q. And did you monitor it more than you did prior to the Quora Breach? 27 MR. BALLON: Objection to form; more than? Vague and ambiguous. 28 Q. Excuse me. Let me rephrase it. Did the level of your monitoring increase after the 6 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 7 of 35 1 2 3 4 5 Q. And . . . how frequently would you monitor your credit after the Quora breach? A. Daily. Q. And approximately how much time would you spend monitoring your credit after the Quora breach? A. Depending on the day, but typically an hour. 6 Connor Tr. 242:2-24. Defendant objects to the assertion that Connor spent more time monitoring 7 her credit after learning of the Data Breach because it was given in response to a leading question 8 on re-direct. Reply 6; Connor Tr. 242:15-18. 9 United States District Court Northern District of California Quora breach? A. Yes. Ruling: OVERRULED. “A leading question is a question that suggests the answer to the 10 person being interrogated.” Ochave v. I.N.S., 254 F.3d 859, 871 n.4 (9th Cir. 2001) (Pregerson, J., 11 dissenting) (internal quotation marks and modifications omitted). Under Federal Rule of Evidence 12 611(c), “[l]eading questions should not be used on direct examination except as necessary to 13 develop the witness’s testimony. Ordinarily, the court should allow leading questions: (1) on 14 cross-examination; and (2) when a party calls a hostile witness, an adverse party, or a witness 15 identified with an adverse party.” Fed. R. Evid. 611(c). 16 But there is no absolute prohibition on leading questions. The language of Rule 611(c) is 17 permissive, vesting, “broad discretion in trial courts.” Miller v. Fairchild Industries, Inc., 885 18 F.2d 498, 514 (9th Cir. 1989); see also Morgan v. Bill Vann Co., Inc., 969 F. Supp. 2d 1358, 1361 19 n.6 (S.D. Ala. 2013) (citing cases). Indeed, a trial court will be reversed for allowing testimony 20 elicited by an improper leading question only if “the judge’s action . . . amounted to, or 21 contributed to, the denial of a fair trial.” Miller, 885 F.2d at 514 (internal quotation marks and 22 footnote omitted)); see also U.S. v. DeFiore, 720 F.2d 757, 764 (2d Cir. 1983) (explaining that the 23 Advisory Committee’s Note to Rule 611(c) indicates that appellate courts have manifested “[a]n 24 almost total unwillingness to reverse for infractions”). 25 Here, “[t]he facts elicited by the leading question are evidence that would be admissible at 26 trial, and the Court shall consider those facts.” Anderson v. SeaWorld Parks and Entm’t, Inc., No. 27 15-cv-02172-JSW, 2018 WL 1981396, at *4 n.3 (N.D. Cal. Feb. 20, 2018) (admitting testimony 28 elicited by a leading question on a motion for summary judgment); see also Celotex Corp., 477 7 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 8 of 35 1 U.S. at 324 (explaining that on summary judgment, the nonmoving party need not “produce 2 evidence in a form that would be admissible at trial in order to avoid summary judgment”); but see 3 Wilson v. Frito-Lay N. Am., Inc., 260 F. Supp. 3d 1202, 1210 (N.D. Cal. 2017) (excluding answers 4 to “improper leading questions of a non-hostile witness” from consideration on a motion for 5 summary judgment). Exercising its discretion, this Court will consider Plaintiff’s deposition 6 testimony for the purpose of this early Motion. Thus, Defendant’s objection is OVERRULED. 7 B. Rule 702 Objections 8 Defendant moves to exclude both Sun as an expert and statements from his declaration 9 under Federal Rule of Evidence 702 and Daubert v. Merrell Down Pharm., Inc., 509 U.S. 579, 10 United States District Court Northern District of California 11 12 589 (1993). Plaintiff relies on Sun’s opinions in opposing this Motion. 1. Legal Standard Federal Rule of Evidence 702 provides that an expert must be qualified to testify by 13 “knowledge, skill, experience, training, or education.” Fed. R. Evid. 702. As such, a qualified 14 expert may testify if 15 16 17 18 19 (a) the expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; (b) the testimony is based on sufficient facts or data; (c) the testimony is the product of reliable principles and methods; and (d) the expert has reliably applied the principles and methods to the facts of the case. 20 Id. The district court acts as the gatekeeper to “ensure that any and all scientific testimony or 21 evidence admitted is not only relevant, but reliable.” Daubert, 509 U.S. at 589; Primiano v. Cook, 22 598 F.3d 558, 567-68 (9th Cir. 2010). These standards apply for a challenge brought during 23 summary judgment. See In re Ford Tailgate Litig., No. 11-cv-02953-RS, 2015 WL 7571772, at 24 *5 n.3 (N.D. Cal. Nov. 25, 2015) (“Daubert dictates the analysis necessary for a motion to exclude 25 expert testimony in the context of a motion for summary judgment.”); but see Daniel v. Ford 26 Motor Co., No. CIV. 2:11-02890 WBS EFB, 2013 WL 2474934, at *2 (E.D. Cal. June 7, 2013) 27 (explaining that a full Daubert analysis is less pressing at summary judgment, where “the court 28 sits as both a modified fact finder seeking to determine whether a genuine issue of material exists 8 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 9 of 35 1 and as the Daubert gatekeeper”), reversed on other grounds, 806 F.3d 1217 (9th Cir. 2015); 2 Darensburg v. Metro Transp. Comm’n, No. C-05-01597 EDL, 2008 WL 4277656, at *1 (N.D. 3 Cal. Sept. 15, 2008) (“There is less need for the gatekeeper to keep the gate when the gatekeeper is 4 keeping the gate only for himself.”). The Court has broad discretion concerning the admissibility 5 or exclusion of expert testimony. Wood v. Stihl, Inc., 705 F.2d 1101, 1104 (9th Cir. 1983). United States District Court Northern District of California 6 Daubert explains that evidence is relevant if it will “assist the trier of fact to understand the 7 evidence or to determine a fact in issue.” 509 U.S. at 591 (quoting Fed. R. Evid. 702) (internal 8 quotation marks omitted). “Expert testimony which does not relate to any issue in the case is not 9 relevant and, ergo, non-helpful.” Id. (internal quotation marks and citation omitted). This 10 consideration is described as one of “fit,” i.e., “whether expert testimony proffered in the case is 11 sufficiently tied to the facts of the case that it will aid the jury in resolving a factual dispute.” Id. 12 The reliability of expert testimony turns on four factors: “(1) whether a theory or technique 13 can be tested; (2) whether it has been subjected to peer review and publication; (3) the known or 14 potential error rate of the theory or technique; and (4) whether the theory or technique enjoys 15 general acceptance within the relevant scientific community.” Estate of Barabin v. AstenJohnson, 16 Inc., 740 F.3d 457, 463 (9th Cir. 2014) (citing Daubert, 509 U.S. at 592-94), overruled on other 17 grounds by U.S. v. Bacon, 979 F.3d 766 (9th Cir. 2020). And in the Ninth Circuit, another 18 significant factor is “whether the experts are proposing to testify about matters growing naturally 19 and directly out of research they have conducted independent of the litigation, or whether they 20 have developed their opinions expressly for purposes of testifying.” Daubert v. Merrell Dow 21 Pharm., Inc., 43 F.3d 1311, 1317 (9th Cir. 1995). 22 The “basic gatekeeping obligation” articulated in Daubert applies not only to scientific 23 testimony but to all expert testimony. Kumho Tire Co., Ltd. v. Carmichael, 526 U.S. 137, 147 24 (1999). Furthermore, the factors of reliability “do not constitute a definitive checklist or test.” Id. 25 at 150 (emphasis in original). The reliability inquiry is flexible, and “whether Daubert’s specific 26 factors are, or are not, reasonable measures of reliability in a particular case is a matter that the law 27 grants the trial judge broad latitude to determine.” Kumho Tire, 526 U.S. at 153. 28 Keeping this framework in mind, the Court turns to Defendant’s evidentiary objections 9 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 10 of 35 1 2 2. Sun Decl. ¶¶ 3-6: Sun’s Qualifications 3 Plaintiff submits the Declaration of David Sun in support of her Opposition to offer 4 testimony regarding the nature and scope of the Data Breach and the distinction among the various 5 credit monitoring services at issue. See generally Sun Decl. Defendant objects to the admission 6 of the entire declaration because Sun does not claim expertise in identity theft or fraud. Reply 8. 7 United States District Court Northern District of California regarding Plaintiff’s main expert witness, David Sun. Ruling: OVERRULED. Here, Sun bases his qualifications on his experience dealing with 8 cyber security and computer forensics. Sun Decl. ¶¶ 3-6. He is a partner in charge of the cyber 9 security and forensics practice at his firm and previously owned a consulting firm specializing in 10 these areas. Id. ¶ 3. Sun is also a Certified Information Systems Security Professional, a Certified 11 Computer Examiner, and an EnCase Certified Examiner with a master’s degree in electrical 12 engineering. Id. ¶ 5. Finally, he has prior experience testifying in litigation matters regarding 13 “cyber security incidents, computer forensic examinations and cyber-intrusion and breach 14 investigations.” Id. ¶ 6. While he does not premise his expertise in knowledge of identity theft or 15 financial fraud, his background qualifies him to opine on the nature, scope, and impact of the Data 16 Breach. Thus, Defendant’s objection is overruled without prejudice for the purpose of this 17 Motion. However, because this ruling is without prejudice, it does not preclude Defendant from 18 seeking to exclude Sun’s testimony later on these same grounds. 19 3. Sun Decl. ¶¶ 14-16: Sun’s Review of Plaintiff’s Compromised Data 20 Plaintiff submits Sun’s expert testimony that combining certain compromised information 21 such as IP addresses, browser information, and the type of device associated with Plaintiff’s 22 account enables a third party to “piece together a pattern of the Plaintiff’s location and cell phone 23 ownership history.” Sun Decl. ¶ 14. He states that such information is unavailable to the public 24 and could allow a hacker to pose as Plaintiff. Id. ¶ 14. Additionally, Sun proposes, based on his 25 prior experience with other telecommunication carriers, that combining general nonpublic 26 information about a person with past cell phone ownership on their account “could satisfy the 27 criteria for some level of account authorization.” Id. ¶ 16. Defendant objects to this testimony on 28 the grounds that it is highly speculative and is based on an assessment of Sprint, whereas 10 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 11 of 35 1 Plaintiff’s mobile carrier was Boost Mobile. Reply 8; see also Connor Tr. 172:17-20. As such, 2 Defendant argues that Sun’s opinion is unreliable and irrelevant, making it unhelpful. Reply 8. 3 Ruling: OVERRULED. Here, Sun bases his conclusions on an assessment of the 4 Declaration of Paula Griffin, which describes the data elements included in the compromise. Sun 5 Decl. ¶ 14; see also Griffin Decl. ¶¶ 15-18. Relying on his prior experience, he was able to 6 uncover the personal information regarding Connor’s location and cell phone ownership history. 7 Sun Decl. ¶ 14. The times of the phone records acquired by Sun in his review range from October 8 2016 to June 2018. Id. His review identifies the mobile carrier as “Boost Mobile/Virgin (Sprint).” 9 Id. On the dates in question, Boost Mobile was Sprint’s for-pay service. Mot. Hr’g Tr. 36:5-12, 10 ECF 200. Thus, such information is both (1) reliable in that Sun explains how he can uncover 11 nonpublic information from the compromised data that could be used for some level of account 12 authorization, and (2) relevant in that it could help the factfinder determine whether the 13 compromised information puts Plaintiff at risk for identity theft and financial fraud. See Daubert, 14 509 U.S. at 591; Fed. R. Evid. 702. 15 16 4. Sun Decl. ¶¶ 19-20: Sun’s Review of Plaintiff’s Credit Monitoring Services Plaintiff submits Sun’s review of the various credit monitoring services in which she was 17 enrolled to explain why it was reasonable to purchase ClickFreeScore when she had other free 18 services available to her. Sun Decl. ¶¶ 19-20. He examined each provider’s prices and coverage 19 of the three main credit reporting bureaus, concluding that “[o]nly the ClickFreeScore.com 20 Platinum service provides coverage of all three bureaus, providing access to the actual credit 21 reports and scores from all of them.” Id. ¶ 20. Defendant objects to this testimony on the grounds 22 that Sun claims no credit monitoring expertise and that he does not “bring any special expertise in 23 analyzing [Plaintiff’s] many credit monitoring services.” Reply 11. Defendant argues that 24 “[b]ecause Sun’s entire knowledge on this subject comes from ‘little more than a quick internet 25 search,’ it does not qualify him as an expert under Rule 702 and is inadmissible.” Reply 11-12 26 (quoting Samuels v. Holland Am. Line-USA, Inc., 656 F.3d 948, 953 (9th Cir. 2011)). Relying on 27 Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664, 667 (9th Cir. 2007), Defendant 28 contends that Sun does not address why it is necessary to access all the services and a raw credit 11 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 12 of 35 1 score in the same place when Plaintiff could place fraud alerts with the major credit agencies and 2 receive copies of her credit reports free of charge. Reply 12. 3 Ruling: OVERRULED. Here, Sun does not explicitly claim qualifications in credit 4 monitoring, but he does claim an extensive background in technology consulting and has authored 5 technical publications covering telecommunications. Sun Decl. ¶ 4-5. He has also testified in 6 numerous litigations regarding computer breach investigations. Id. ¶ 6. Therefore, he is qualified 7 to help the jury understand how victims may use commonly offered tools like credit monitoring 8 services to deal with compromised data. See Fed. R. Evid. 702(a). Furthermore, his testimony 9 can help explain the rationale behind purchasing a premium credit monitoring service when other 10 free services are available. See Mot. 9-15; Opp’n 8-17; Reply 6-10. And the facts in Stollenwerk 11 are not analogous to the facts here. In Stollenwerk, the expert evidence at issue “did not mention 12 or account for the availability of free services,” causing the court to conclude that the report was 13 “entirely too conclusory to establish that a reasonable person faced with Stollenwerk’s level of risk 14 of identity theft would incur significant monitoring costs rather than take advantage of these 15 services.” Stollenwerk, 254 Fed. Appx. at 667. But Sun goes beyond mere conclusory statements 16 to explain why ClickFreeScore’s single premium service is preferable to multiple free services— 17 that the premium service provides greater coverage of the credit reporting bureaus and access to 18 full credit reports. Sun Decl. ¶ 20. Thus, this Court will consider Sun’s analysis of the various 19 credit monitoring services on this Motion. 20 5. Sun Decl. ¶¶ 8-11: Sun’s Assessment of the Declaration of Zhe Fu 21 Sun analyzes the Declaration of Zhe Fu, who provides testimony regarding Defendant’s 22 platform infrastructure and the scope of the Data Breach. See Sun Decl. ¶¶ 8-11; Fu Decl. ¶¶ 5-7. 23 Sun posits that because Fu bases his findings of significant data transfers on billing records, Fu’s 24 analysis is insufficiently thorough to determine the scope of the Data Breach. See Sun Decl. ¶¶ 8- 25 9. He explains that Fu references “significant data transfers” in his analysis but “does not provide 26 any details beyond the graph to determine if [Fu] examined smaller, protracted transfers that 27 would not be noticeable in the graph.” Id. ¶ 8. Furthermore, Sun declares that “assurances by Fu 28 of what data was stored in AWS S3 and subject to the security incident is not corroborated by any 12 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 13 of 35 1 information available.” Id. ¶ 10. Defendant contends that Sun’s assertions are speculative and 2 “based on a misreading of ‘significant’ in the Fu Declaration and lifting words out of context, not 3 a material dispute.” Reply 9. Ruling: OVERRULED. Here, it is unclear how Sun misreads the Declaration of Zhe Fu or United States District Court Northern District of California 4 5 lifts words out of context. See Reply 9. Sun explains that more information is required to 6 determine if “a small, imperceptible increase in transfer volume over a 6-month period” occurred, 7 which he asserts could result in a significant amount of data. Sun Decl. ¶ 8. Sun does not 8 speculate to draw conclusions about the Data Breach itself; rather, he uses his background to posit 9 that more information is required to assess the scope of the Data Breach. See Id. ¶¶ 8-10. Such 10 information is helpful to determine the risk to Plaintiff. See Daubert, 509 U.S. at 591; Fed. R. 11 Evid. 702(a). Thus, the Court will consider this evidence. 12 C. Opp’n 4-5: Statements About Quora’s Business Model 13 Plaintiff submits that Defendant is in the “business of selling data” and that as a result 14 there is a “cost” to Defendant’s users. Opp’n 4-5. Defendant objects to such assertions as 15 inadmissible on the grounds that (1) Plaintiff provides no evidence and (2) they are irrelevant 16 since Plaintiff cannot claim Defendant’s profits. Reply 15. Ruling: OVERRULED. Here, Plaintiff submits Defendant’s Terms of Service and Privacy 17 18 Policy as evidence to support her assertions in the Opposition. See Terms of Service; Privacy 19 Policy; see also Opp’n 5. And while Plaintiff cannot claim Defendant’s profits, such background 20 information is relevant to establishing context regarding the nature of the relationship between 21 Defendant and Plaintiff. Thus, this Court will not strike the material. 22 V. DISCUSSION4 23 24 25 26 27 28 4 Defendant requests judicial notice of two documents. Mot. 6 n.2. Courts may take judicial notice of matters either that are “generally known within the trial court’s territorial jurisdiction” or that “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). “Specifically, a court may take judicial notice: (1) of matters of public record, (2) that the market was aware of information contained in news articles, and (3) publicly accessible websites whose accuracy and authenticity is not subject to dispute.” In re Facebook, Inc. Sec. Litig., 405 F. Supp. 3d 809, 827 (N.D. Cal. 2019) (internal citations and quotation marks omitted). Here, the Court grants Defendant’s request and takes judicial notice of (1) Verizon Communication, Inc. Current Report (Form 8-K) at Guyon Decl. Ex. 15, ECF 140-4, and (2) Yahoo 2013 Account Security Update FAQs at Guyon Decl. Ex. 16, ECF 140-4. See 13 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 14 of 35 United States District Court Northern District of California 1 Defendant brings this Motion seeking summary adjudication of Plaintiff’s remaining 2 claims for (1) negligence and (2) violation of the UCL. See generally Mot. Defendant’s 3 arguments generally focus on the nature of Plaintiff’s asserted harms and remedies as well as an 4 alleged lack of causation. See Mot. 9, 20-22. Plaintiff maintains that there are genuine disputes of 5 material fact sufficient to withstand granting this Motion. See Opp’n 3-4. Viewing all evidence in 6 the light most favorable to Plaintiff, the Court DENIES summary judgment as to the negligence 7 claim and GRANTS summary judgment as to the UCL claim. 8 A. Negligence 9 Plaintiff’s negligence cause of action is based on Defendant’s alleged failure to adequately 10 protect her PII, causing her to spend time and money monitoring her credit after the Data Breach. 11 See TAC ¶¶ 82-89. To prevail on a negligence claim in California, a plaintiff must allege facts to 12 satisfy these elements: “(1) the existence of a duty to exercise due care; (2) breach of that duty; 13 (3) causation; and (4) damages.” In re Sony Gaming Networks & Customer Data Sec. Breach 14 Litig. (Sony Gaming I), 903 F. Supp. 2d 942, 959-60 (S.D. Cal. 2012) (citing Paz v. State of Cal., 15 22 Cal. 4th 550, 558-59 (2000)). Defendant argues that Plaintiff’s negligence claim fails for three 16 reasons: (1) Plaintiff cannot prove cognizable injury; (2) Plaintiff cannot prove causation; and 17 (3) the economic loss rule bars Plaintiff’s claim. Mot. 9. Each is discussed in turn. 18 1. Cognizable Injury 19 “Under California law, appreciable, nonspeculative, present harm is an essential element of 20 a negligence cause of action.” Sony Gaming I, 903 F. Supp. 2d at 959-60 (citing Aas v. Super. Ct., 21 24 Cal. 4th 627, 646 (2000), superseded by statute on other grounds, Cal. Civ. Code § 895 et seq., 22 as recognized in S. Cal. Gas Leak Cases, 7 Cal. 5th 391, 412 (2019)). Defendant argues that Aas 23 is instructive on Plaintiff’s asserted harm. Mot. 10. In Aas, the California Supreme Court held 24 that homeowners could not recover damages in negligence from their home builders for 25 construction defects that have not caused property damage. 24 Cal. 4th at 632. The court 26 27 28 McManus v. McManus Fin. Consultants, Inc., 552 Fed. Appx. 713, 714 (9th Cir. 2014) (taking judicial notice of Form 8-K, a public filing); Loomis Slendertone Distrib., Inc., 420 F. Supp. 3d 1046, 1063 (S.D. Cal. 2019) (taking judicial notice of printouts from the defendant’s publicly available website). 14 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 15 of 35 1 explained that “[c]onstruction defects that have not ripened into property damage, or at least into 2 involuntary out-of-pocket losses, do not comfortably fit the definition of ‘appreciable harm’—an 3 essential element of a negligence claim.” Id. at 646 (citing Davies v. Krasna, 14 Cal. 3d 502, 513 4 (1975)). 5 Relying on Aas, Defendant moves for summary judgment based on Plaintiff’s failure to 6 show “appreciable, nonspeculative, present harm.” Mot. 9. Defendant bases its Motion on the 7 fact that Plaintiff has not suffered identity theft and asserts that she has voluntarily attempted to 8 repair any hypothetical threat of future harm by temporarily purchasing credit monitoring services 9 and monitoring her accounts. Mot. 10-11. Plaintiff contends that Aas is factually distinct “from a 10 data breach where the harm is from the theft of PII, some of which is just now being revealed to 11 Plaintiff.” Opp’n 9. 12 It appears that California courts have not considered whether time and money lost to credit 13 monitoring from the future threat posed by compromised PII are damages to support a negligence 14 claim. Ruiz v. Gap, Inc., 380 Fed. Appx. 689, 691 (9th Cir. 2010); see also Adkins v. Facebook, 15 Inc., 424 F. Supp. 3d 686, 695 (N.D. Cal. Nov. 26, 2019) (“No binding decision has ever decided 16 whether or not future harms from a data breach can anchor a claim for negligence.”). Early 17 federal cases answering this question in the negative confronted situations in which physical 18 hardware was stolen from an office, making it difficult to prove the severity of the risk. See, e.g., 19 Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 910-11, 14-15 (N.D. Cal. 2009) (granting summary 20 judgment for lack of cognizable harm where thieves stole laptops with PII from the defendant’s 21 office), aff’d, 380 Fed. Appx. 689, 691 (9th Cir. 2010); Gardner v. Health Net, Inc. (Gardner II), 22 No. CV 10-2140 PA (CWx), 2010 WL 11571242, at *2-3 (C.D. Cal. Nov. 29, 2010) (dismissing 23 where the plaintiff failed to allege actual exposure of his information caused by the theft of a disk 24 drive from the defendant’s offices). Courts dealing with data breach cases involving hacking have 25 since recognized that such situations are distinct because the thieves are more electronically 26 sophisticated and engage in hacking to target users’ PII directly. See Anderson v. Hannaford 27 Bros. Co., 659 F.3d 151, 165-66 (1st Cir. 2011). 28 Furthermore, California does carve out an exception to the present harm requirement for 15 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 16 of 35 1 medical monitoring cases in which victims were exposed to toxic chemicals. See Potter v. 2 Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1009 (1993) (holding that “the cost of medical 3 monitoring is a compensable item of damage” pursuant to a five-factor test of whether such a cost 4 is reasonable and necessary). And courts confronting the issue in this Circuit have extended the 5 toxic tort exception to data breach cases in which PII is compromised. See, e.g., Corona v. Sony 6 Pictures Entm’t, Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *4 (C.D. Cal. June 15, 7 2015) (adapting the Potter medical monitoring test to determine the need for future credit 8 monitoring); Castillo v. Seagate Tech., LLC, No. 16-cv-01958-RS, 2016 WL 9280242, at *4 (N.D. 9 Cal. Sept. 14, 2016) (following Corona). Furthermore, courts have found that “injury by way of 10 costs relating to credit monitoring, identity theft protection, and penalties” can “sufficiently 11 support a negligence claim.” Corona, 2015 WL 3916744, at *4-5; see also Stasi v. Inmediata 12 Health Grp. Corp., No. 19cv2353 JM (LL), 2020 WL 6799437, at *9-11 (S.D. Cal. Nov. 19, 13 2020) (finding cognizable harm where the plaintiffs alleged lost time and money to deal with a 14 data breach); In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-cv- 15 2284-H-KSC, 2020 WL 2214152, at *4 (S.D. Cal. May 7, 2020) (finding that allegations of 16 “[i]ncreased time spent monitoring one’s credit and other tasks associated with responding to a 17 data breach” were sufficiently “specific, concrete, and non-speculative”); Castillo, 2016 WL 18 9280242, at *4 (holding that those who incurred out-of-pocket expenses on additional identity 19 protection and restoration services had pleaded cognizable injuries, whereas those who were 20 merely considering the purchase of such services had not). 21 Here, this Court agrees with Plaintiff that the time and money she spent on credit 22 monitoring in response to the Data Breach is cognizable harm to support her negligence claim. 23 See Opp’n 9. Like several victims in Castillo, Plaintiff spent money purchasing a premium 24 version of an identity-protection service. See Connor Tr. 32:4-34:23, 94:2-17; Purchase Receipt; 25 Cancellation Receipt; Sun Decl. ¶¶ 19-20; see also Castillo, 2016 WL 9280242, at *4 (finding 26 cognizable injury where some plaintiffs bought a subscription to an identity protection service 27 “because they wanted greater protection than that offered” by the defendant). And Plaintiff has 28 testified that she spent more time monitoring her credit as a result of the Data Breach. Connor Tr. 16 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 17 of 35 1 242:16-24. Her testimony that she spent “typically an hour” per day after the Data Breach is 2 sufficiently specific to constitute cognizable injury. Connor Tr. 242:19-24; compare Corona, 3 2015 WL 3916744, at *4 (finding that “general allegations of lost time are too speculative to 4 constitute cognizable injuries” (emphasis added)), with Solara, 2020 WL 2214152, at *1, *4 5 (finding that more specific allegations of the amount of time spent responding to the threat were 6 sufficient to allege cognizable harm). 7 8 United States District Court Northern District of California 9 Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the claim that Plaintiff cannot produce sufficient evidence supporting cognizable harm in negligence. 2. Causation 10 “Causation is generally a question of fact for the jury unless ‘the proof is insufficient to 11 raise a reasonable inference that the act complained of was the proximate cause of the injury.’” 12 Lies v. Farrell Lines, Inc., 641 F.2d 765, 770 (9th Cir. 1981) (quoting Leaf v. U.S., 588 F.2d 733, 13 736 (9th Cir. 1978)). In California, “[t]o demonstrate actual or legal causation, the plaintiff must 14 show that the defendant’s act or omission was a ‘substantial factor’ in bringing about the injury.” 15 Gardner v. Health Net, Inc. (Gardner I), No. CV 10-2140 PA (CWx), 2010 WL 11597979, at *4 16 (C.D. Cal. Aug. 12, 2010) (quoting Saelzler v. Advanced Grp. 400, 25 Cal. 4th 763, 778 (2001)) 17 (internal quotation marks omitted); see also Viner v. Sweet, 30 Cal. 4th 1232, 1239 (2003) 18 (explaining that the substantial factor test, which California has definitively adopted for cause-in- 19 fact determinations, subsumes the but-for test). As such, “the plaintiff must show ‘some 20 substantial link or nexus’ between the act and the injury.” Gardner I, 2010 WL 11597979, at *4 21 (quoting Saelzler, 25 Cal. 4th at 778). “[T]he actor’s negligent conduct is not a substantial factor 22 in bringing about harm to another if the harm would have been sustained even if the actor had not 23 been negligent.” Viner, 30 Cal. 4th at 1240 (emphasis in original deleted) (quoting Restatement 24 (Second) of Torts § 432(1) (Am. L. Inst. 1965)). But if “two forces are actively operating . . . and 25 each of itself is sufficient to bring about harm to another, the actor’s negligence may be found to 26 be a substantial factor in bringing it about.” Viner, 30 Cal. 4th at 1240 (quoting Restatement 27 (Second) of Torts § 432(2)). 28 Here, Defendant first argues that Plaintiff cannot prove causation because she has been the 17 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 18 of 35 1 victim of numerous other data breaches in which her compromised information could have been 2 used to commit fraud. Mot. 11-13; see also Decl. of Anthony J. Ferrante (“Ferrante Decl.”) ¶¶ 21- 3 31, ECF 140-5. But the mere fact that Plaintiff has been a victim of other more serious breaches 4 in the past does not mean a substantial connection between this breach and her decision to monitor 5 her credit more closely is lacking. See Gardner I, 2010 WL 11597979, at *4 (quoting Saelzler, 25 6 Cal. 4th at 778). Defendant does not get a free pass on this basis. Defendant relies on cases 7 outside this Circuit that have granted summary judgment for failing to present sufficient evidence 8 of causation where the victims’ PII had been compromised in prior breaches. Mot. 12-13. In 9 those cases, however, the plaintiffs presented insufficient evidence linking the compromised PII to 10 identity theft, not to lost time and money spent dealing with the breach. See Jianjun Fu v. Wells 11 Fargo Home Mortg., No. 2:13-cv-01271-AKK, 2014 WL 4681543, at *4-5 (N.D. Ala. Sept. 12, 12 2014) (granting summary judgment where the plaintiffs did not provide evidence indicating that 13 the unsecured email at issue was the cause of their claims of actual identity theft); Jones v. 14 Commerce Bank, N.A., No. 06 Civ. 835(HB), 2007 WL 672091, at *3-4 (S.D.N.Y. Mar. 6, 2007) 15 (granting summary judgment where the plaintiff essentially relied on a theory of res ipsa loquitor 16 to prove causation of identity theft). 17 In this case, Defendant informed Plaintiff in December 2018 that her PII was compromised 18 as a result of the Data Breach. See Disclosure Email. Plaintiff claims and provides testimony that, 19 in response, she spent more time and money monitoring her credit, not that her identity was stolen. 20 TAC ¶ 19; Connor Tr. 242:6-24; see also Stasi, 2020 WL 6799437, at *9 (finding that causation 21 for negligence can be sustained by allegations that lost time and an increase in spam/phishing were 22 the result of defendant’s duty to protect the plaintiff’s PII). She also testifies that the Data Breach 23 was the last straw in a string of breaches and that she could not be sure whether more sensitive 24 financial information was disclosed previously. See Connor Tr. 251:17-252:15. Indeed, in 25 January 2019—only a month after the disclosure—Plaintiff purchased enhanced credit monitoring. 26 See Purchase Receipt; Cancellation Receipt; Opp’n 6, 15; cf. In re Sony Gaming Networks & 27 Customer Data Sec. Breach Litig. (Sony Gaming II), 996 F. Supp. 2d 942, 970 (S.D. Cal. 2014) 28 (explaining that a plaintiff must “plead both a logical and temporal connection between the 18 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 19 of 35 1 decision to purchase credit monitoring services and the defendant’s alleged breach” and finding 2 the “high burden” was not met where the plaintiff failed to allege when or why he closed his 3 accounts). This evidence is sufficient to raise a reasonable inference that the Data Breach was a 4 substantial factor in causing Plaintiff to purchase enhanced credit monitoring and to increase the 5 time she spent monitoring her credit. See Lies, 641 F.2d at 770 (explaining that causation is 6 generally a fact for the jury where the evidence creates a reasonable inference that the tortious act 7 proximately caused the injury). While Defendant may challenge the authenticity of Plaintiff’s 8 claimed reasons for more carefully monitoring her credit, such a dispute is not for this Court to 9 decide summarily. See Mot. 7-8; see also Abarca v. Franklin County Water Dist., 761 F. Supp. 2d 10 1007, 1064 (E.D. Cal. 2011) (“Assessing the credibility of a witness is properly left to the jury.”); 11 Erhart v. Bofl Holding, Inc., No. 15-cv-02287-BAS-NLS, 2020 WL 1550207, at *39 (S.D. Cal. 12 Mar. 31, 2020) (denying summary judgment where a jury could find that money spent 13 investigating an internal auditor’s mishandling of employees’ nonpublic personal information was 14 sufficient to cause damage). 15 Additionally, Defendant argues that Plaintiff cannot prove causation because there is no 16 evidence that the information compromised in the Data Breach could be used to commit identity 17 theft and therefore put her identity at risk. Mot. 12; Ferrante Decl. ¶ 16. But Plaintiff counters 18 that, while a malicious third party may be unable to use the compromised information to perpetrate 19 fraud directly, it could be combined with other data to uncover private information that may be 20 used against her, such as learning her location at various times. Opp’n 13; Sun Decl. ¶¶ 13-17. 21 This conflicting testimony creates another genuine dispute of material fact. 22 Defendant next argues that Plaintiff’s decision to purchase ClickFreeScore and mitigate 23 any risk of harm was neither reasonable nor necessary. Mot. 13. In support of this argument, 24 Defendant cites several cases that predate more recent data breach litigation cases, most of which 25 are factually distinct because they involve the theft of actual hardware, as opposed to a hack into a 26 company’s systems. Compare Ruiz, 622 F. Supp. 2d at 910-11 (theft of laptops), Gardner I, 2010 27 WL 11597979, at *4 (theft of a disk drive), and Stollenwerk, 254 Fed. Appx. at 665 (theft of 28 computer servers with hard drives), with Anderson, 659 F.3d at 165-66 (theft based on “a 19 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 20 of 35 1 sophisticated breach of electronic data”); but see Sony Gaming II, 996 F. Supp. 2d at 970 (relying 2 on Stollenwerk and other cases outside this Circuit to conclude that the plaintiff had not met the 3 high burden of showing that credit monitoring services were reasonably necessary in an electronic 4 data breach). More recent cases have found that that such prophylactic actions were reasonable 5 and necessary. See, e.g., Stasi, 2020 WL 6799437, at *9-11 (finding that credit monitoring was 6 warranted where the information involved was not the type courts have recognized as enabling 7 identity theft, such as financial information or Social Security numbers); Solara, 2020 WL 8 2214152, at *4 (finding that credit monitoring was reasonable where PII was stolen); Castillo, 9 2016 WL 9280242, at *4 (finding that purchase of a subscription to a premium credit monitoring 10 service was warranted); Corona, 2015 WL 3916744, at *4-5 (applying California’s medical 11 monitoring test in Potter to conclude that the theft of employees’ PII warranted credit monitoring). 12 Here, in December 2018, Defendant informed Plaintiff that her PII may have been 13 compromised, including account and user information such as “email, IP, user ID, encrypted 14 password, user account settings, [and] personalization data.” Disclosure Email. The email 15 notification explained that Defendant, exercising an abundance of caution, was logging out all 16 users who may have been affected by the hack and was invalidating any passwords used for 17 authentication. Disclosure Email. Defendant also stated that the company “believe[d]” it had 18 identified the root cause of the breach but that the investigation was “ongoing” and that the 19 company was continuing to work “to gain a full understanding of what happened.” Disclosure 20 Email. Finally, it recommended that users change passwords if they were using the same ones 21 across multiple websites. Disclosure Email. From these statements, a Quora user like Plaintiff 22 could reasonably conclude that the severity of the Data Breach, and therefore the threat of identity 23 theft or fraud, was still unknown. See Corona, 2015 WL 3916744, at *4 (“It is commonly known 24 that the consequences resulting from identity theft can be both serious and long-lasting.”). As 25 such, a jury could find it reasonable for Plaintiff to believe “that credit monitoring was needed in 26 the wake of the Quora breach.” Opp’n 13. Furthermore, Plaintiff provides that the compromised 27 information could be used in combination with other pieces of information to commit fraud. Sun 28 Decl. ¶¶ 13-17. Hence, this Court cannot find as a matter of law that it was not reasonable and 20 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 21 of 35 United States District Court Northern District of California 1 necessary for Plaintiff to take prophylactic steps to prevent misuse of her information. 2 Finally, the parties dispute whether it was reasonable and necessary for Plaintiff to 3 purchase a premium version of ClickFreeScore. Mot. 14-15; Opp’n 14-16. It is undisputed that 4 Plaintiff had other free credit monitoring services available to her to mitigate prior data breaches. 5 See Mot. 14-15; Opp’n 15; Sun. Decl. 19-20. Defendant offers Plaintiff’s deposition testimony 6 that ClickFreeScore’s paid service provided “pretty much the same services” as Credit Karma’s 7 free services, causing her to downgrade to the “basic package.” Connor Tr. 33:9-34:23. 8 Defendant argues that these statements show Plaintiff knew she had the same services for free that 9 ClickFreeScore offered for a fee. See Mot. 14; Reply 11; Connor Tr. 76-79, 99. Plaintiff, 10 however, presents evidence elaborating on her initial statements, explaining that she downgraded 11 to the basic package, not because she did not feel the need for additional services, but because the 12 subscription cost money that she would rather spend on her four children, as opposed to 13 “something that should have already been protected in the first place.” Connor Tr. 34:25-35:10. 14 She further testified that ClickFreeScore’s premium service offered additional protections such as 15 $1 million in fraud protection against which ClickFreeScore would insure. Connor Tr. 35:12-24. 16 And Plaintiff presents evidence that “only the ClickFreeScore.com Platinum service provides 17 coverage of all three [credit reporting] bureaus, providing access to the actual credit reports and 18 scores from all of them.” Sun Decl. ¶ 20. Hence, this Court finds that there remains a genuine 19 dispute of material fact over whether ClickFreeScore’s premium services offered the “same” 20 services that Plaintiff could already use for free. 21 In sum, the evidence demonstrates genuine disputes of material fact regarding whether the 22 Data Breach caused Plaintiff to spend time and money monitoring her credit and whether 23 Plaintiff’s decision to purchase enhanced credit monitoring was reasonable and necessary. 24 Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the claim 25 that Plaintiff cannot produce sufficient evidence supporting causation in negligence. 26 3. The Economic Loss Rule 27 Defendant argues that the economic loss rule bars recovery for Plaintiff’s asserted harms. 28 Mot. 15. Specifically, Defendant contends that all Plaintiff’s asserted harms are purely economic 21 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 22 of 35 1 and that no exception to the economic loss rule applies because the parties do not have a special 2 relationship. Mot. 16-17. The Court disagrees for the reasons discussed below. 3 “[T]he economic loss rule prevents the law of contract and the law of tort from dissolving 4 into one another” and “requires a [plaintiff] to recover in contract for purely economic loss due to 5 disappointed expectations, unless he can demonstrate harm above and beyond a broken contractual 6 promise.” Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004) (brackets and 7 internal quotation marks omitted). Hence, to recover for purely economic loss, a plaintiff must 8 demonstrate that one of these exceptions to the economic loss rule applies: “(1) personal injury, 9 (2) physical damage to property, (3) a special relationship existing between the parties, or 10 (4) some other common law exception to the rule.” Kalitta Air, L.L.C. v. Cent. Texas Airborne 11 Sys., Inc., 315 Fed. Appx. 603, 605 (9th Cir. 2008) (internal quotation marks omitted). 12 This Court previously held that the economic loss rule did not bar Plaintiff’s negligence 13 claim because she alleged loss of time as a harm, meaning she had not alleged pure economic loss. 14 See Prior Order I 13. And this Court later found that, regardless of whether loss of time is a pure 15 economic loss, there is a special relationship between the parties. See Prior Order II 12-16. 16 Defendant urges this Court to revisit these rulings on the grounds that (1) the recovery Plaintiff 17 seeks is a pure economic harm, and (2) the undisputed facts show there is no special relationship 18 between the parties. Mot. 15-16. 19 This Court does not disturb its prior ruling that Plaintiff alleged sufficient facts to show 20 that the parties have a special relationship, which is an exception to the economic loss doctrine. 21 And Plaintiff has now offered sufficient evidence to defeat summary judgment on that claim. 22 Whether there is a special relationship under J’Aire presents a question of law for the court. 23 Greystone Homes, Inc. v. Midtec, Inc., 168 Cal. App. 4th 1194, 1228 (Cal. App. Ct. 2008); see 24 also Lichtman v. Siemens Industry Inc., 16 Cal. App. 5th 914, 924 (Cal. Ct. App. 2017) 25 (examining Biakanja/J’Aire factors “to determine whether defendant established as a matter of law 26 that it owed no duty to plaintiffs”). To determine the existence of a special relationship, the Court 27 examines six factors: 28 22 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 23 of 35 1 2 3 4 United States District Court Northern District of California 5 (1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant’s conduct and the injury suffered, (5) the moral blame attached to the defendant’s conduct and (6) the policy of preventing future harm. 6 J’Aire Corp. v. Gregory, 24 Cal. 3d 799, 804 (1979). “All six factors must be considered by the 7 court and the presence or absence of one factor is not decisive.” Sony Gaming II, 996 F. Supp. 2d 8 at 968 (citing Kalitta Air, L.L.C. v. Cent. Tex. Airborne Sys., Inc., 315 Fed. Appx. 603, 605-06 (9th 9 Cir. 2008)). “[T]he inquiry hinges not on mere rote application of these . . . factors, but instead on 10 a comprehensive look at the . . . sum total of the policy considerations at play in the context before 11 us.” S. Cal. Gas Leak, 7 Cal. 5th at 399 (internal quotation marks omitted). 12 The first factor is “the extent to which the transaction was intended to affect the 13 plaintiff.” J’Aire, 24 Cal. 3d at 804. At the pleading stage, this Court, relying on Sony Gaming 14 II, previously found that as pled this factor favored Defendant. Prior Order II 12-13. Defendant, 15 arguing that no California court has found a special relationship in the absence of the first factor, 16 now asserts that the first factor is a requirement that, if found lacking, precludes a special 17 relationship. Mot. 17; see S. Cal. Gas Leak, 7 Cal. 5th at 401-02 (“What we mean by special 18 relationship is that the plaintiff was an intended beneficiary of a particular transaction but was 19 harmed by the defendant’s negligence in carrying it out.”); see also Andrews v. Plains All Am. 20 Pipeline, L.P., No. CV-154113 PSG (JEMx), 2019 WL 6647930, at *4 (C.D. Cal. Nov. 20, 2019) 21 (finding that the most natural reading of the California Supreme Court’s opinion in S. Cal. Gas 22 Leak, 7 Cal. 5th at 401-402, “is that a transaction involving defendant intending to affect the 23 plaintiff is necessary to establish a special relationship, but may not be sufficient on its own, 24 without a subtler inquiry”). Plaintiffs respond that cases postdating Sony Gaming II have found 25 that the first factor favors the plaintiffs in similar data sharing situations. Opp’n 21-22. Although 26 the Ninth Circuit has held that the presence or absence of any one factor is not decisive, Sony 27 Gaming II, 996 F. Supp. 2d at 968, this Court, applying California law, revisits its prior conclusion 28 23 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 24 of 35 1 United States District Court Northern District of California 2 based on the evidence submitted. With Defendants’ new arguments, the Court has reassessed this first factor. Cases decided 3 after Sony Gaming II have found that the first factor is met when plaintiffs share personal data 4 with a company with the understanding that the company will protect that data. See e.g., Terpin v. 5 AT&T Mobility, LLC, No. 2:18-CV-06975-ODW (KSx), 2020 WL 883221 (C.D. Cal. Feb. 24, 6 2020); In re Yahoo! Inc. Customer Data Sec. Litig., 313 F. Supp. 3d 1113 (N.D. Cal. 2018); 7 Corona, 2015 WL 3916744. In Terpin, the plaintiff entered into a basic contract for mobile 8 telephone services with AT&T. 2020 WL 883221 at *4. Because of AT&T’s inadequate security 9 policies, hackers were able to use his telephone number to commit identity theft and financial 10 fraud. Id. at *1, *4. The Court found that the first factor was met where the plaintiff “was 11 required to share his personal information with AT&T with the understanding that AT&T would 12 adequately protect it.” Id. at *4. In Yahoo!, which involved free email accounts, the Court found 13 the first factor met because “Plaintiffs were required to turn over their PII to Defendants and did 14 so with the understanding that Defendants would adequately protect Plaintiffs’ PII and inform 15 Plaintiffs of breaches.” 313 F. Supp. 3d at 1132. Finally, in Corona, the plaintiffs were required 16 to provide their PII as a condition of their employment, and the PII was later exposed because of a 17 data breach. 2015 WL 3916744, at *5. The court found that, “[b]ased on these allegations, there 18 is no doubt that this ‘transaction’ was intended to affect Plaintiffs.” Id. 19 Here, it is undisputed that as part of Defendant’s Terms of Service, Plaintiff was required 20 to provide certain information upon creating an account. See Terms of Service 1. Contained 21 within the Terms of Service was a privacy promise, described in Defendant’s Privacy Policy. 22 Terms of Service 7. The Privacy Policy explained Defendant’s “policies and procedures on the 23 collection, use, disclosure, and sharing of [users’] personal information or personal data when 24 [users] use the Quora Platform.” Privacy Policy 1. Emphasizing the importance of users’ privacy 25 and the security of their information, the Privacy Policy assured users that Defendant implemented 26 safeguards to protect their information. Privacy Policy 1, 6. And the Privacy Policy clarified to 27 the user: “You may, of course, decline to submit information through the Quora Platform, in 28 which case we [Defendant] may not be able to provide certain services to you.” Privacy Policy 6. 24 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 25 of 35 1 Such a transaction mirrors that of Terpin, Yahoo!, and Corona; Plaintiff was required to provide 2 her personal information as a condition of using Defendant’s services, with the expectation that 3 Defendant would take reasonable steps to safeguard against misuse of that information. United States District Court Northern District of California 4 After reviewing the applicable law, the Court is no longer persuaded by Defendant’s 5 argument that Plaintiff cannot establish the first factor because she provides no evidence that she 6 herself intended to use the platform in a manner that varied from that of Defendant’s other 7 millions of users. Mot. 17-18; Reply 13; see also Prior Order II 13. This Court now concludes 8 that Plaintiff need only demonstrate she is a member of a class of people intended to be affected, 9 not that she alone was in that position. See Centinela Freeman Emergency Med. Assoc. v. Health 10 Net of Cal., Inc., 1 Cal. 5th 994, 1014 n.10 (2016) (explaining that “liability for negligent conduct 11 may be imposed ‘where there is a duty of care owed by the defendant to the plaintiff or to a class 12 of which the plaintiff is a member’” and disapproving cases analyzing the first factor as too 13 restrictive for reasoning that alleged negligent conduct must be “intended to affect that particular 14 plaintiff, rather than just a class of persons to whom the plaintiff happens to belong” (emphasis in 15 original) (quoting J’Aire, 24 Cal. 3d at 803)). Plaintiff has shown that she is a member of a 16 distinct class of people—Defendant’s account users—who specifically provided Defendant certain 17 personal information with the expectation that Defendant would take reasonable steps to secure it. 18 See Terms of Service 1; Privacy Policy 1, 6; see, e.g., Potter v. Chevron Prod. Co., No. 17-cv- 19 06689-PJH, 2018 WL 4053448, at *8 (N.D. Cal. Aug. 24, 2018) (finding that the first factor 20 favored the plaintiff, who was a member of a class of third-party oil-change consumers that the 21 agreements at issue were intended to affect). Such a transaction was intended to affect Plaintiff 22 and others in the class by assuring them that they could use the platform while knowing their 23 personal information would be reasonably protected. Any dispute regarding the precise nature of 24 the hacked information will be resolved by the jury, but Plaintiff submits sufficient evidence to 25 support this J’Aire factor for purposes of summary judgment. 26 Privacy law is a rapidly evolving area, and the Court finds from Corona, as well as Terpin 27 and Yahoo!, that entrusting PII to a company establishes a “transaction intended to affect the 28 plaintiff.” J’Aire, 24 Cal. 3d at 804. Consequently, the Court concludes now, on a more 25 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 26 of 35 1 developed record, that there is evidence to support a transaction intended to affect Plaintiff. The second factor is the “foreseeability of harm to the plaintiff.” Id. Courts “determine United States District Court Northern District of California 2 3 foreseeability not by reference to specific parties but instead based on the general sort of conduct 4 at issue.” S. Cal. Gas Leak, 7 Cal. 5th at 401 n.5. Here, Plaintiff has offered evidence that when 5 she became a Quora user, she provided personal information that was later compromised, such as 6 her account and user information (e.g., name, email, user ID, and encrypted password) as well as 7 data imported from other linked networks (e.g., contacts, demographic information, interests, and 8 access tokens). See Disclosure Email. Plaintiff further shows that she spent time and money 9 responding to the Data Breach after learning about it in December 2018. See Disclosure Email; 10 Purchase Receipt; Connor Tr. 242:6-24. This Court has already determined that such alleged 11 harms are cognizable and that there is a genuine dispute of material fact whether such action was 12 reasonable and necessary. See supra § V.A.1.-2. It was foreseeable that Plaintiff would incur 13 time and money working to secure that information when Defendant did not adequately protect it. 14 See Yahoo!, 313 F. Supp. 3d at 1132 (“[I]t was plainly foreseeable that Plaintiffs would suffer 15 injury if Defendants did not adequately protect the PII,” which “includes the user’s name, email 16 address, birth date, gender, ZIP code, occupation, industry, and personal interests”); Terpin v. 17 AT&T Mobility, LLC, 399 F. Supp. 3d 1035, 1120, 1049 (C.D. Cal. 2019) (finding it foreseeable 18 that the plaintiff would suffer injury if the defendant failed to adequately protect the plaintiff’s 19 PII). Thus, Plaintiff provides evidence sufficient to withstand summary judgment as to the second 20 factor. 21 The third factor is “the degree of certainty that the plaintiff suffered injury.” J’Aire, 24 22 Cal. 3d at 804. Here, Plaintiff provides evidence that she spent money on credit monitoring 23 amounting to $39.90 per month for five months and an average of one hour per day in time lost 24 responding to the Data Breach. See Purchase Receipt. Such evidence shows that Plaintiff has 25 suffered harm. See, e.g., Stasi, 2020 WL 6799437, at *9-11 (finding harm in the form of lost time 26 and money dealing with the data breach); Solara, 2020 WL 2214152, at *4 (same); Castillo, 2016 27 WL 9280242, at *4 (finding harm in the form of purchasing a premium credit monitoring service); 28 Corona, 2015 WL 3916744, at *5 (finding harm in the form of “costs relating to credit 26 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 27 of 35 1 monitoring, identity theft protection, and penalties”). This Court already found that such harm is 2 cognizable and that there is a triable issue whether Plaintiff’s actions were reasonable and 3 necessary. See supra § V.A.1.-2. Thus, contrary to Defendant’s assertions, Plaintiff can present 4 evidence showing the third factor favors her position. United States District Court Northern District of California 5 The fourth factor is “the closeness of the connection between the defendant’s conduct and 6 the injury suffered.” J’Aire, 24 Cal. 3d at 804. Here, Plaintiff shows that she purchased 7 ClickFreeScore approximately one month after Defendant sent her an email notification that her 8 PII may have been compromised as a result of the Data Breach. See Disclosure Email; Purchase 9 Receipt. She also testified that it was the last straw in a string of data breaches, prompting her to 10 purchase enhanced credit monitoring. Connor Tr. 251:20. These facts sufficiently demonstrate a 11 close connection between Defendant’s failure to safeguard her PII adequately and Plaintiff’s 12 decision to spend more time and money monitoring her credit. See Corona, 2015 WL 3916744, at 13 *4-5 (finding a sufficient connection where the defendant failed to maintain adequate security, 14 causing the plaintiffs to incur expenses related to credit monitoring to deal with the data breach). 15 Thus, Plaintiff provides enough evidence to withstand summary judgment as to the fourth factor. 16 The fifth factor is “the moral blame attached to the defendant’s conduct.” J’Aire, 24 Cal. 17 3d at 804. In its Privacy Policy, Defendant assured its users that their privacy is “very important” 18 and that Defendant takes users’ privacy “very seriously.” Privacy Policy 1. In response to the 19 Data Breach, Defendant acknowledged its responsibility to safeguard against this type of invasion 20 and its failure to meet this responsibility. See Disclosure Email. While Defendant did issue an 21 apology within days of learning about the Data Breach, evidence suggests the breach went 22 undetected for months before Defendant became aware of it. See Griffin Tr. 41:13-19, 48:5-8. In 23 other words, Plaintiff can demonstrate that Defendant became morally blameworthy by the 24 standards set forth in J’Aire when it failed to adequately protect her PII despite acknowledging 25 that it had a responsibility to do so. See, e.g., Terpin, 2020 WL 883221, at *4 (finding the 26 defendant was morally culpable for being aware that allowing SIM swapping made its customers’ 27 PII more vulnerable yet doing nothing to prevent the practice); Corona, 2015 WL 3916744, at *4- 28 5 (finding a special relationship where the defendant knew it had inadequate security but opted to 27 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 28 of 35 1 accept the risk of a breach); Sony Gaming II, 996 F. Supp. 2d at 973 (finding moral blame where 2 the defendant knew about its security vulnerabilities); Gardner II, 2010 WL 11571242, at *3 3 (“[T]he moral blame attached to Defendant’s conduct is high, given Plaintiffs’ allegations that 4 Defendant failed to take the appropriate measures to protect Plaintiffs’ information.”). Thus, 5 Plaintiff offers evidence sufficient to rebut Defendant’s claim that its conduct was not morally 6 blameworthy. United States District Court Northern District of California 7 The sixth factor is “the policy of preventing future harm.” J’Aire, 24 Cal. 3d at 804. This 8 Court agrees with Plaintiff that imposing “liability for negligence—which is not contested in the 9 [Motion]—would encourage companies such as [Defendant] to take better care to safeguard their 10 users’ PII.” Opp’n 23; see also Prior Order II 15. Furthermore, failing to adequately safeguard 11 users’ PII “implicates consumer protection concerns expressed in California and federal statutes.” 12 Prior Order II 15; see, e.g., Terpin, 2020 WL 883221, at *4 (“AT&T’s failure to adequately 13 protect [plaintiff’s] personal information implicates the consumer data protection concerns 14 expressed in federal statutes, such as Section 222 of the Federal Communications Act.”); Yahoo!, 15 313 F. Supp. 3d at 1131-32 (explaining that the defendant’s negligent protection of the plaintiffs’ 16 PII “implicates the consumer data protection concerns expressed in California statutes, such as the 17 CRA and CLRA”); Sony Gaming II, 996 F. Supp. 2d at 973 (finding that “imposing liability might 18 influence other businesses to take the necessary precautions”); Gardner II, 2010 WL 11571242, at 19 *3 (finding that “the policy of preventing future harm” supported the availability of damages, 20 “given the prevalence of identity theft and the need to protect consumers’ confidential 21 information”). Thus, Plaintiff can show that the sixth factor favors her position. 22 In sum, Plaintiff has offered evidence sufficient to show that all six J’Aire factors weigh in 23 her favor. Therefore, summary judgment based on Defendant’s contention that the facts do not 24 support the special relationship exception to the economic loss rule is not appropriate. 25 Accordingly, this Court DENIES Defendant’s Motion for Summary Judgment based on the 26 argument that the economic loss rule bars Plaintiff’s negligence claim. 27 28 4. Conclusion Plaintiff has presented evidence sufficient to demonstrate that (1) the harm alleged is 28 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 29 of 35 1 cognizable, (2) there is a genuine dispute of material fact as to causation, and (3) the special 2 relationship exception to the economic loss rule applies. Thus, Defendants’ Motion for Summary 3 Judgment is DENIED as to the negligence claim. 4 B. California’s Unfair Competition Law (“UCL”) 5 Plaintiff’s UCL cause of action is based on Defendant’s alleged representations and 6 omissions surrounding its failure to adequately protect Plaintiff’s PII and disclose the details of the 7 Data Breach. See TAC ¶¶ 68-81. Plaintiff seeks an injunction requiring Defendant (1) to provide 8 updated information about exactly what was exposed and (2) to institute industry-standard 9 practices to protect its users’ data.5 Opp’n 25. Defendant moves for summary judgment on the 10 UCL claim based on two grounds. Mot. 20-25. First, Defendant argues that because the Data 11 Breach did not cause Plaintiff to lose money, she lacks statutory standing to bring a UCL claim. 12 Mot. 20-22. Second, Defendant argues that because Plaintiff has an adequate remedy at law, she 13 cannot claim injunctive relief under the UCL. Mot. 23-25. Each ground is discussed in turn. 14 1. Statutory Standing The UCL provides a cause of action for business practices that are (1) unlawful, (2) unfair, 15 16 or (3) fraudulent. Cal. Bus. & Prof. Code § 17200. But whether a UCL claim is actionable turns 17 first on a plaintiff’s standing to bring it. In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 18 953, 985 (2016). To establish standing for a UCL claim, a plaintiff must demonstrate that the 19 alleged unfair competition caused him or her to personally lose money or property, i.e., suffer 20 economic injury-in-fact. Yahoo!, 313 F. Supp. 3d at 1129; Cal. Bus. & Prof. Code § 17204; 21 Kwikset Corp. v. Super. Ct., 51 Cal. 4th 310, 322-27 (2011). Causation requires showing either a 22 causal connection to or reliance on the alleged unfair business practice. Kwikset, 51 Cal. 4th at 23 326. Economic injury-in-fact can occur where a defendant’s wrongful conduct requires the 24 plaintiff to “enter into a transaction, costing money or property, that would otherwise have been 25 unnecessary.” Id. at 323. To have standing, such costs need not be restitution, which is the only 26 monetary remedy available under the UCL. See Sony Gaming II, 996 F. Supp. 2d at 986 (citing 27 28 5 Plaintiff originally requested restitution under the UCL claim. TAC ¶ 81. Now conceding that she cannot obtain restitution, she requests only injunctive relief. Opp’n 25. 29 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 30 of 35 1 2 Here, Plaintiff presents evidence that Defendant’s unfair business practices compelled her 3 to spend money on enhanced credit monitoring protection in January 2019. Opp’n 24-25; 4 Disclosure Email; Purchase Receipt. Defendant argues that its alleged unfair competition did not 5 cause Plaintiff to purchase the enhanced credit monitoring, since she already had other free 6 services available and bought the services after filing this action. Mot. 21; Reply 14-15. 7 United States District Court Northern District of California Kwikset, 51 Cal. 4th at 335-37). To support its argument, Defendant first asserts that the Data Breach did not cause Plaintiff 8 to lose money because she purchased ClickFreeScore “after seeing a pop-up ad for the service in 9 January 2019, not in response to learning of the [Data Breach] in December 2018.” Mot. 21; see 10 also Reply 14-15; Connor Tr. 94:2-13. The Court finds that this argument lacks merit. It is 11 reasonable to infer that Plaintiff, after learning of the Data Breach only one month earlier, 12 responded to the ClickFreeScore advertisement because she saw benefit in greater protection 13 against her increased risk of identity theft and fraud. It is likewise reasonable to infer that, had the 14 Data Breach not recently occurred, Plaintiff would have ignored the advertisement. The pop-up ad 15 informed Plaintiff of an available service to help her deal with an already existing problem; it did 16 not destroy the required “causal connection.” Kwikset, 51 Cal. 4th at 326. 17 Defendant next attacks Plaintiff’s deposition testimony explaining why she spent more 18 time monitoring her credit after this Data Breach as opposed to other breaches involving her PII: 19 Q. Okay. Can you explain what it is about the Quora credit breach that caused you to spend more time than you were spending before, given that your information was also exposed— given that more sensitive information was exposed in the Experian and TaskRabbit credit breaches? 20 21 22 23 24 25 26 27 28 MR. WOOD: Objection; form. A. I have no idea. Q. (By Mr. Ballon) What was it that’s different about the Quora credit breach except that you have sued over this one? A. Maybe the straw that kind of broke the camel’s back. Q. But you do agree that you had more sensitive information exposed previously in the TaskRabbit security breach, correct? A. I don’t know that for sure. Q. Well, based on the notices you got, at least you were told that you had more sensitive information disclosed, correct? 30 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 31 of 35 1 2 3 4 5 6 United States District Court Northern District of California 7 A. Probably, yes. Q. And you had more sensitive financial information disclosed in the [Equifax] breach, correct? [] A. I’m not—I don’t know for sure. Q. But at least you were told that more sensitive financial information was exposed in the Equifax breach than in the Quora breach? A. Possibly. Q. But your testimony is the reason you spent more time as a result of the Quora breach is that it was the straw that broke the camel’s back; is that correct? A. Pretty much, yes, sir. 8 Connor Tr. 251:10-252:15. Defendant urges this Court to focus on Plaintiff’s answer that she had 9 “no idea” why she spent more time monitoring her credit after this Data Breach as opposed to the 10 other data breaches. Mot. 21. But such a reading takes Plaintiff’s deposition testimony out of 11 context. Read as a whole, Plaintiff’s deposition testimony suggests that she may have been 12 confused by the wording of the original question and that her motivations in purchasing enhanced 13 credit monitoring stem not from the seriousness of the compromised data, but from the Data 14 Breach itself as the last straw in a history of data breaches. See Connor Tr. 251:20. At a 15 minimum, the evidence creates a genuine dispute of material fact as to whether this Data Breach 16 caused her to purchase ClickFreeScore. See Troyk v. Famers Grp. Inc., 171 Cal. App. 4th 1305, 17 1350-51 (Cal. Ct. App. 2009) (denying summary judgment where the movant failed to show no 18 triable issue of fact as to causation for UCL standing); Chowning v. Kohl’s Dep’t Stores, Inc., No. 19 CV 15-08673 RGK (SPx), 2016 WL 1072129, at *2-4 (C.D. Cal. Mar. 15, 2016) (denying 20 summary judgment as to causation for UCL standing because there was a triable issue of fact as to 21 reliance on the alleged misrepresentations). 22 Defendant further posits that Plaintiff has not suffered a cognizable loss as a result of the 23 Data Breach because she could use other free services to monitor her credit. Mot. 21. To support 24 its argument, Defendant relies on Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 WL 250481, at *3 25 (N.D. Cal. Feb. 3, 2009), where the court found that the plaintiff failed to allege a “loss of money” 26 because victims of the data breach could obtain reimbursement for payment made toward 27 enhanced credit monitoring. Mot. 21-22. But payments toward enhanced credit monitoring that 28 arise from a data breach and that are not reimbursed do “constitute economic injury, sufficient to 31 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 32 of 35 1 confer UCL standing.” In re Capital One Consumer Data Sec. Breach Litig., MDL No. 2 1:19md2915 (AJT/JFA), 2020 WL 5629790, at *27 (E.D. Va. Sept. 18, 2020); see also In re 3 Yahoo! Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, *21-22 4 (N.D. Cal. Aug. 30, 2017) (finding that plaintiffs were “required to enter into a transaction, costing 5 money or property, that would otherwise have been unnecessary” after incurring out-of-pocket 6 expenses on credit monitoring to deal with the data breach); Anthem, 162 F. Supp. 3d at 986-87 7 (noting that the language in Kwikset favors the argument that money spent on credit monitoring to 8 prevent fraud is sufficient to assert statutory standing under the UCL); Corona, 2015 WL 9 3916744, at *5, *8 (finding standing based on prior finding of cognizable injury in negligence “by 10 way of costs relating to credit monitoring, identity theft protection, and penalties”); Witriol v. 11 LexisNexis Grp., No. C05-02392 MJJ, 2006 WL 4725713, *6 (N.D. Cal. Feb. 10, 2006) (finding 12 that “costs associated with monitoring and repairing credit impaired by the unauthorized release of 13 private information” constituted “monetary loss as a result of Defendants’ actions”). 14 Here, no evidence suggests that Plaintiff could seek reimbursement for her purchase of 15 ClickFreeScore. See Opp’n 25. And there is a genuine dispute of material fact over whether 16 ClickFreeScore’s premium services offered the same services that Plaintiff could already use for 17 free, since “only the ClickFreeScore.com Platinum service provides coverage of all three [credit 18 reporting] bureaus, providing access to the actual credit reports and scores from all of them.” Sun 19 Decl. ¶ 20; see also Mot. 21-22; Opp’n 3. 20 21 22 Thus, this Court finds that Plaintiff has provided evidence sufficient to raise a genuine dispute of material fact as to statutory standing under the UCL. 2. Injunctive Relief 23 “The UCL’s coverage is sweeping, and its standard for wrongful business conduct 24 intentionally broad.” Moore v. Apple, Inc., 73 F. Supp. 3d 1191, 1204 (N.D. Cal. 2014) (internal 25 quotation marks omitted). But because a UCL action is equitable in nature, its remedies for 26 private individuals “are limited to restitution and injunctive relief.” Pom Wonderful LLC v. Welch 27 Foods, Inc., No. CV 09-567 AHM (AGRx), 2009 WL 5184422, *2 (C.D. Cal. Dec. 21, 2009). 28 In Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020), the Ninth Circuit 32 United States District Court Northern District of California Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 33 of 35 1 held that “the traditional principles governing equitable remedies in federal courts, including the 2 requisite inadequacy of legal remedies, apply when a party requests restitution under the UCL and 3 CLRA in a diversity action.” Cases in this Circuit have held that Sonner extends to claims for 4 injunctive relief. See, e.g., Zaback v. Kellogg Sales Co., No. 3:20-cv-00268-BEN-MSB, 2020 WL 5 6381987, *4 (S.D. Cal. Oct. 29, 2020) (dismissing a UCL claim for injunctive relief because the 6 plaintiff failed to allege that there was no adequate remedy at law); In re Macbook Keyboard 7 Litig., No. 5:18-cv-02813-EJD, 2020 WL 6047253, at *2-3 (N.D. Cal. Oct. 13, 2020) (finding that 8 Sonner extends to preclude claims for injunctive relief); Gibson v. Jaguar Land Rover N. Am., 9 LLC, No. CV 20-00769 CJC (GJSx), 2020 WL 5492990, at *3-4 (C.D. Cal. Sept.9, 2020) 10 (dismissing UCL claims for injunction and restitution based on Sonner); Teresa Adams v. Cole 11 Haan, LLC, No. Sacv 20-913 JVS (DFMx), 2020 WL 5648605, at *2 (C.D. Cal. Sept. 3, 2020) 12 (finding, under the reasoning of Sonner, that there is no “exception for injunctions as opposed to 13 other forms of equitable relief”); Schertz v. Ford Motor Co., No. CV 20-03221 TJH (PVCx), 2020 14 WL 5919731, at *2 (C.D. Cal. July 27, 2020) (dismissing UCL claims for injunction and 15 restitution where the plaintiff failed to allege that there was no adequate remedy at law). 16 Here, Plaintiff concedes she has no claim for restitution under the UCL and instead seeks 17 only injunctive relief. Opp’n 25. Most importantly, she fails to allege or demonstrate that any 18 remedy at law is inadequate, and in fact she even seeks a remedy at law through her negligence 19 claim, which is based on the same alleged conduct as her equitable claim. See TAC ¶¶ 10, 33, 84, 20 86; Opp’n 24-25. Plaintiff requests an injunction mandating that Defendant both (1) provide 21 updated information about exactly what was exposed and (2) institute industry-standard practices 22 for protection of its users’ data. Opp’n 25. But the potential harm caused by both actions may be 23 remedied by money damages, and “[w]here the claims pleaded by a plaintiff may entitle her to an 24 adequate remedy at law, equitable relief is unavailable.” Rhynes v. Stryker Corp., No. 10-5619 25 SC, 2011 WL 2149095, at *4 (N.D. Cal. May 31, 2011); see, e.g., Mullins v. Premier Nutrition 26 Corp., No. 13-cv-01271-RS, 2018 WL 510139, at *2, *4 (N.D. Cal. Jan. 23, 2018) (dismissing the 27 claims for equitable restitution under the UCL because the plaintiff failed to demonstrate that she 28 lacked an adequate legal remedy, especially given that she had an available legal remedy under her 33 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 34 of 35 1 CLRA claim), aff’d, Sonner, 971 F.3d at 845; Munning v. Gap, Inc., 238 F. Supp. 3d 1195, 1203- 2 04 (N.D. Cal. 2017) (dismissing the UCL claim with prejudice because there was an adequate 3 remedy at law under the plaintiff’s breach of contract and breach of express warranty claims); 4 Zapata Fonseca v. Goya Foods Inc., No. 16-cv-02559-LHK, 2016 WL 4698942, at *7 (N.D. Cal. 5 Sept. 8, 2016) (dismissing claims for equitable relief under the UCL because the plaintiff pled 6 other claims, including negligent misrepresentation, providing for an adequate remedy at law). Furthermore, Defendant has met its burden of showing that Plaintiff has an adequate United States District Court Northern District of California 7 8 remedy at law. See Mot. 23-25; Reply 15. But Plaintiff does not produce evidence rebutting 9 Defendant’s assertions. See Opp’n 25. The Declaration of David Sun, which Plaintiff cites in the 10 Opposition but does not explain, offers expert testimony that Defendant should have relied on 11 more sophisticated information and tools to assess the Data Breach. Opp’n 25; Sun Decl. ¶ 9. It 12 does not, however, provide evidence demonstrating that Defendant’s failure to change its practices 13 or provide timely updates could produce harm for which legal relief is inadequate. See id. As 14 such, even if it were possible for Plaintiff to demonstrate she has no adequate remedy at law, she 15 has failed to meet her burden of production to offer contradictory evidence that one exists. See 16 Nissan Fire, 210 F.3d at 1103 (explaining that “if . . . a moving party carries its burden of 17 production, the nonmoving party must produce evidence to support its claim or defense” to 18 withstand summary judgment). Accordingly, summary judgment as to the UCL claim is warranted. 19 20 3. Conclusion Defendant has demonstrated that there is an adequate remedy at law for the conduct 21 22 described in the injunction Plaintiff seeks. But Plaintiff does not produce, and this Court cannot 23 find, any evidence that meaningfully rebuts the evidence offered by Defendant. Thus, the Court 24 GRANTS summary judgment on the UCL claim. 25 26 27 VI. ORDER For the foregoing reasons, IT IS HEREBY ORDERED that Defendants’ Motion for Summary Judgment is DENIED as to the negligence claim and GRANTED as to the UCL claim. 28 34 Case 5:18-cv-07597-BLF Document 210 Filed 12/21/20 Page 35 of 35 1 2 3 Dated: December 21, 2020 ______________________________________ BETH LABSON FREEMAN United States District Judge 4 5 6 7 8 9 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 35
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
