In re Accellion, Inc. Data Breach Litigation, No. 5:2021cv01155 - Document 217 (N.D. Cal. 2024)

Court Description: ORDER GRANTING IN PART AND DENYING IN PART 174 MOTION TO DISMISS. Signed by Judge Edward J. Davila on 1/29/2024. (ejdlc1, COURT STAFF) (Filed on 1/29/2024)

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

IN RE ACCELLION, INC. DATA BREACH LITIGATION

Case No. 5:21-cv-01155-EJD

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

Re: ECF No. 174

This action arises from two data breaches in December 2020 and January 2021 of Defendant Accellion, Inc., a cloud software company whose file transfer software was widely used by governmental entities, hospitals, universities, law firms, financial institutions, and private companies. Beginning in February 2021, several individual lawsuits were filed against Accellion and its clients that used the vulnerable software at issue, many of which were transferred to and consolidated in this district. Following consolidation and the Court’s appointment of interim lead counsel, Accellion filed the present motion to dismiss the consolidated complaint. ECF No. 174 (“Mot.”). The Court also heard oral arguments on October 19, 2023.

Based on the parties’ written submission and oral arguments, the Court GRANTS IN PART and DENIES IN PART Accellion’s motion to dismiss the consolidated complaint.

I. FACTUAL BACKGROUND

A. Accellion and FTA

Accellion, Inc. is a cloud-based software company that provides an enterprise content firewall that allegedly “prevents data breaches and compliance violations from third party cyber risk.” Consolidated Class Action Compl. (“Compl.”) ¶ 24. In the early 2000s, Accellion developed a file sharing transfer software called File Transfer Appliance (“FTA”), which was intended to “facilitate secure, encrypted file sharing that exceeded limits imposed on the size of email attachments.” Id. ¶ 25.
Accellion’s file transfer services were used by hundreds of companies, private organizations, and government entities. Id. ¶ 29. When individuals transact with such entities that use Accellion’s FTA software, they are typically required to provide their private identifying information (“PII”), which is then transferred by Accellion. Id. ¶ 30. Accellion’s services are used to securely transfer files containing PII. Id. ¶ 31.

In the years preceding December 2020, Accellion allegedly became aware that the FTA product was “nearing the end of its life” and encouraged its customers to switch to a new product, called Kiteworks. Id. ¶ 32.

B. The Data Breaches

On December 16, 2020, an Accellion customer was alerted by the FTA’s anomaly detector that unauthorized third parties had exploited the FTA. Compl. ¶ 42. Upon investigation, Accellion confirmed that the FTA software contained two security vulnerabilities, described as SQL Injection and OS Command Execution. Id. Between December 16 and December 23, Accellion released two patches to address the vulnerabilities and notified its clients between December 2020 and January 2021. Id. ¶ 43.

On January 20, 2021, a second attack occurred, involving two vulnerabilities described as Server-Side Request Forgery and OS Command Execution. Compl. ¶ 47. At this point, Accellion advised its clients to shut down their FTA systems. Id.

Plaintiffs allege that these data breaches were the largest breach in 2021 and one of the largest breaches during the last five years. Compl. ¶ 49. The Complaint lists over sixty (60) entities that had used the FTA product and were impacted by the data breaches, which include several state and governmental agencies, hospitals, universities, law firms, financial institutions, and private companies. Id. ¶ 59.
Over the course of these two attacks, unauthorized actors gained access to significant quantities of personally identifiable information (“PII”), personal health information (“PHI”), and other information from these entities. Compl. ¶ 49.

Plaintiffs are individuals whose private details were exposed to unauthorized actors as a result of these data breaches. Compl. ¶ 1. The information exposed included “names, dates of birth, Social Security numbers, driver’s license numbers and/or state identification numbers, bank account information, employment information, and personal health information,” collectively referred to as Plaintiff’s “personally identifiable information” (“PII”). Id. Plaintiffs allege that they have experienced identity theft, fraudulent charges on their bank and credit accounts, temporary bank freezes, and out-of-pocket losses, such as overdraft fees, credit monitoring costs, and credit card reissuance fees. Id. ¶¶ 4–15.

C. Procedural History

On February 17, 2021, the earliest filed complaint in this district was filed by Madalyn Brown against Accellion, Inc., asserting one claim of negligence and one claim for violation of the WCPA. ECF No. 1. Since then, several other complaints were filed in this district and others across the country against Accellion, as well as several of its customers including Health Net, Flagstar Bank, and Kroger.

On January 12, 2022, one group of plaintiffs filed a motion for preliminary approval of class-wide settlement in one of the actions in this district. See Stobbe v. Accellion, Case No. 5:21-cv-01353-EJD. However, before the motion could be resolved, this Court consolidated nearly all of the related Accellion actions under the present earliest opened docket. ECF No. 83.
On February 10, 2023, the Court appointed interim co-lead class counsel, which did not include the plaintiff group that reached class-wide settlement. ECF No. 143. Following a subsequent investigation, interim class counsel declined to proceed with the class-wide settlement as to Accellion and filed a consolidated complaint. See ECF Nos. 167, 170. Accellion filed the present motion to dismiss all claims asserted against them, which has been fully briefed. ECF Nos. 174 (“Mot.”); 181 (“Opp.”); 187 (“Reply”). On December 19, 2023, the Court heard oral arguments from the parties.

II. LEGAL STANDARD

A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of the claims alleged in the complaint. Ileto v. Glock, 349 F.3d 1191, 1199–1200 (9th Cir. 2003). Under Federal Rule of Civil Procedure 8, a complaint must include a “short and plain statement of the claim showing that the pleader is entitled to relief,” and may be dismissed under Rule 12(b)(6) if the plaintiff fails to state a cognizable legal theory or has not alleged sufficient facts to support such a theory. Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013). When deciding whether to grant a motion to dismiss, the court must generally accept as true all “well-pleaded factual allegations.” Ashcroft v. Iqbal, 556 U.S. 662, 664 (2009). The court must also construe the alleged facts in the light most favorable to the plaintiff. See Retail Prop. Trust v. United Bd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014) (“[The court] must accept as true all factual allegations in the complaint and draw all reasonable inferences in favor of the nonmoving party.”).
However, “courts are not bound to accept as true a legal conclusion couched as a factual allegation.” Iqbal, 556 U.S. at 678.

The court usually does not consider material beyond the pleadings for a Rule 12(b)(6) motion. Hal Roach Studios, Inc. v. Richard Feiner & Co., 896 F.2d 1542, 1555 n. 19 (9th Cir. 1989). Exceptions include material incorporated by reference in the complaint and material subject to judicial notice. See Lee v. City of Los Angeles, 250 F.3d 668, 688–69 (9th Cir. 2001).

III. DISCUSSION

Plaintiffs assert eleven claims against Accellion: (1) negligence; (2) negligence per se; (3) violation of the California Consumer Privacy Act; (4) violation of the Confidentiality of Medical Information Act; (5) violation of the California Customer Records Act; (6) intrusion upon seclusion; (7) breach of contract; (8) unjust enrichment; (9) violation of the California Constitution right to privacy; (10) violation of the Washington Consumer Protection Act; and (11) violation of the Michigan Consumer Protection Act (“MCPA”).1 See Compl., ECF No. 170.

1 Plaintiffs do not oppose dismissal of their MCPA claim. Opp. 2 n.1.

As an initial point, Accellion first argues for dismissal due to impermissible group pleading. Mot. 5. However, any ambiguity as to the group references to “Defendants” has largely been resolved by the subsequent severance and transfer of all claims against Flagstar to the Eastern District of Michigan, which is the only remaining non-Accellion defendant in this consolidated action. ECF No. 182. Because the Complaint expressly defines “Defendants” as referring to Accellion and the Flagstar entities (Compl. at 1), the Court will evaluate the Complaint’s references to “Defendants” in the complaint as references to Accellion only.

A. Negligence

“To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an ‘obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks,’ (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff’s injuries, and (4) damages.” Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038–39 (N.D. Cal. 2019).

Accellion moves to dismiss Plaintiffs’ negligence claim for failure to allege facts giving rise to a duty of care, breach of any such duty, and cognizable damages. Mot. 5–10. The Complaint alleges that Accellion owed Plaintiffs a duty of reasonable care to preserve and protect the confidentiality of the PII collected, which included maintaining and testing its security systems and taking reasonable security measures to safeguard the PII. Compl. ¶ 116. Plaintiffs allege this duty arose from Accellion’s commitments to its clients (id. ¶¶ 65, 116); its role as the “purported expert guardians and gatekeepers of data” (id. ¶ 116); its “responsibility to provide data security consistent with industry standards,” such as those under the CCRA, the FTC Act, HIPAA, and COPPA (id. ¶¶ 118, 122); the special relationship between Accellion and the end users of the services it provided to its immediate clients (id. ¶¶ 119, 120, 140); as well as Accellion’s common law duty to prevent foreseeable harm to others (id. ¶ 121).

1. Duty to Protect

Accellion first contends that California law does not impose a general duty on companies to protect against even foreseeable harm by third parties. Mot. 6. Citing Doe v. Uber Techs., 79 Cal. App. 5th 410 (2022), Accellion argues that Plaintiffs do not allege misfeasance, nor does it have a “special relationship” with the Plaintiffs that would permit liability for nonfeasance. Id.
Under California law, each person has a general duty ‘to exercise, in his or her activities, reasonable care for the safety of others.’” Brown v. USA Taekwondo (“USAT”), 11 Cal. 5th 204, 214 (2021), reh’g denied (May 12, 2021); see also Cal. Civ. Code § 1714(a). However, “one owes no duty to control the conduct of another, nor to warn those endangered by such conduct.” Regents of Univ. of California v. Superior Ct., 4 Cal. 5th 607, 619 (2018). This “no-duty-to-protect rule is not absolute, however. . . . In a case involving harm caused by a third party, a person may have an affirmative duty to protect the victim of another’s harm if that person is in what the law calls a ‘special relationship’ with either the victim or the person who created the harm.” USAT, 11 Cal. 5th at 215.

The California Supreme Court has set forth a two-step inquiry in determining whether to recognize a duty to protect: “First, the court must determine whether there exists a special relationship between the parties or some other set of circumstances giving rise to an affirmative duty to protect. Second, if so, the court must consult the factors described in Rowland to determine whether relevant policy considerations counsel limiting that duty.” USAT, 11 Cal. 5th at 209 (citing Rowland v. Christian, 69 Cal. 2d 108, 113 (1968)).

a. Special Relationship

With respect to the first step of the USAT two-step inquiry, the Court finds that there exists a special relationship between a file transfer company and the individuals whose information is being transferred.

In Regents of Univ. of California v. Superior Ct., 4 Cal.
5th 607 (2018), the California Supreme Court described the features of a special relationship that would permit the law to impose a duty to protect on one of the parties to the relationship. The state high court specifically identified at least four features that are common to many recognized special relationships:

1. Dependency: “Generally, the relationship has an aspect of dependency in which one party relies to some degree on the other for protection.” Id. at 620.
2. Control: “Whereas one party is dependent, the other has superior control over the means of protection.” Id. at 621.
3. Limited Communities: “[Special relationships] create a duty of care owed to a limited community, not the public at large.” Id.
4. Beneficial to the duty-holder: “[A]lthough relationships often have advantages for both participants, many special relationships especially benefit the party charged with a duty of care.” Id. at 621.

The relationship here between Plaintiffs and Accellion exhibits all four features identified in Regents. First, Plaintiffs have demonstrated that they relied on Accellion to safeguard the PII that it transferred. The Complaint alleges that “[i]n the ordinary course of doing business with entities that use Accellion’s FTA, individuals are typically required to provide PII that is then transferred by Accellion,” and “when electronic files containing such information are transferred, the transfer must be secure.” Compl. ¶¶ 30–31 (emphasis added). This reliance is all the more heightened by the high value of PII and its frequent targeting by hackers and cybercriminals. Compl. ¶¶ 63–64. Conversely, there is no reason to believe that Plaintiffs could have secured their PII themselves when it was sent using Accellion’s FTA software.
Second, Plaintiffs have also alleged that Accellion has “superior control over the means of protection.” Regents, 4 Cal. 5th at 621. The Complaint directly alleges that Accellion was “in the position to ensure that its systems were sufficient to protect against the foreseeable risk of harm to Plaintiffs and Class members from a resulting data breach.” Compl. ¶ 120; see also id. ¶ 140. Indeed, Accellion demonstrated this control when it released patches for the vulnerabilities within days after they were exploited. Compl. ¶¶ 43, 46.

Third, consistent with Regents, this “relationship is limited to specific individuals” and does not run to “the public at large.” 4 Cal. 5th at 621. As defined by the Complaint, the special relationship in this case extends to “the end users of the services Accellion and Flagstar provided to their clients,” i.e., “those to whom the data belonged.” Compl. ¶¶ 119–120. Accellion objects that imposing a duty in this instance would “expose [software] manufacturers to unmanageable litigation risk.” Mot. 8; see also 10/19/23 Hr’g Tr. 10:11–18 (“Plaintiffs are essentially alleging that Accellion had a special relationship with the public at large [] because anyone’s data could be stored or transferred on Accellion’s software.”). However, the fact that the special relationship could extend to any particular person in the public does not mean that the relationship is with the public at large. If so, the “classic examples” of special relationships recognized at common law—e.g., the common carrier-passenger and innkeeper-guest relationships—would fall out of this definition, given that any member of the public can conceivably board a public bus or book a room at an inn. See Regents, 4 Cal. 5th at 620.
Here, the special relationship exists only between Accellion and those specific individuals whose information the FTA software ferries.

Finally, the Complaint alleges that Accellion is a benefactor of this special relationship, given that “[t]his business model proved successful for Accellion for many years.” Compl. ¶¶ 29, 31. Indeed, “Accellion’s entire business model was built on promising its clients that it provided a platform to securely transfer files that contained sensitive data.” Id. ¶ 120. In much the same way that “[r]etail stores or hotels could not successfully operate [] without visits from their customers and guests,” Regents, 4 Cal. 5th at 621, Accellion could not successfully operate without the need for secure transfers of Plaintiffs’ sensitive data. See Compl. ¶¶ 30–31. Accordingly, all four Regent features the existence of a special relationship between Accellion and Plaintiffs.

The Court’s finding of a “special relationship” between data companies and the owners of the data is also consistent with the holdings that many courts have reached prior to the framework established by Regents and USAT. Specifically, there is abundant authority that California law recognizes a duty on companies to take reasonable steps to protect all sensitive information it obtains from individuals. See, e.g., Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 915 (S.D. Cal. 2020) (finding “no support [] for [defendant’s] argument that no special relationship exists between a company that possesses peoples’ personal and medical information and those people”); Castillo v. Seagate Tech., LLC, 2016 WL 9280242, at *3 (N.D. Cal. Sept.
14, 2016) (“[T]he Rowland factors compel the conclusion [defendant] was duty-bound to take reasonable steps to protect all personal identifying information it obtained from its employees, including information pertaining to employees’ spouses and dependents.”); In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 799 (N.D. Cal. 2019) (“Facebook had a responsibility to handle its users’ sensitive information with care.”); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1039 (N.D. Cal. 2019) (finding that a Facebook user had “met his obligation to plausibly plead duty of care” against Facebook “in the handling of personal information”).

Accellion argues that they had no relationship at all with Plaintiffs, contending that it lacks contractual privity with Plaintiffs and played no role in how Plaintiffs’ information was provided or used by its clients. Mot. 6. Regents, however, did not identify “privity of contract” or “direct correspondence” as common features of special relationships, even though both features were evidently present in the college-student relationship in Regents. 4 Cal. 5th at 622. Moreover, federal courts applying California law have not hesitated to extend a data company’s duty of care beyond those with whom it shares privity or exceeds some threshold level of interactions. See Stasi, 501 F. Supp.
3d at 915 (finding that defendant healthcare software company “owed a duty to protect Plaintiffs’ information despite the fact that Plaintiffs were not [defendant’s] customers or otherwise in privity with [defendant]”); Castillo, 2016 WL 9280242, at *3 (finding that defendant was “duty-bound to take reasonable steps to protect all personal identifying information it obtained from its employees, including information pertaining to employees’ spouses and dependents.”) (emphasis added).

Accellion correctly points out that many of the decisions Plaintiffs rely on were decided prior to the California Supreme Court’s clarification of the “duty to protect” in USAT. Reply 3 n.2, 4. On the other hand, however, Accellion also has not cited any California law authority—either before or after USAT—to support its proposition that no “special relationship” exists between a data transfer company and the owners of the data being transferred. See Stasi, 501 F. Supp. 3d at 914 (finding there to be “no support, however, for [defendant’s] argument that no special relationship exists between a company that possesses peoples’ personal and medical information and those people”). In any event, the Court’s standalone “special relationship” analysis above comports with the USAT framework.

Accellion also relies heavily on Doe v. Uber Techs., Inc., 79 Cal. App. 5th 410 (2022), for the proposition that a general public statement advertising “safe pickups” for customers did not create a special relationship between Uber and the victim plaintiffs. Mot. 6–7. However, the California Court of Appeal’s analysis in Uber did not turn on the type of special relationship in this case (i.e., between a file transfer company and the owners of the information it shared).
Rather, Uber only analyzed whether a special relationship existed based upon a “common carrier-passenger” basis and on a contractual basis. 79 Cal. App. 5th at 420–24. Accordingly, Uber’s “special relationship” analysis provides limited insight into whether a special relationship exists between a file transfer software company and the owners of the data.

In sum, the Court finds that Plaintiffs have alleged the existence of a special relationship between themselves and Defendant Accellion, satisfying the first step of USAT’s two-step inquiry for duties to protect.

b. Rowland Factors

The Court turns next to consider whether any of the factors identified in Rowland v. Christian, 69 Cal. 2d 108 (1968), would limit the duty that Accellion owed on account of this special relationship. See USAT, 11 Cal. 5th at 209. These factors include: “the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant’s conduct and the injury suffered, the moral blame attached to the defendant’s conduct, the policy of preventing future harm, the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.” Rowland, 69 Cal. 2d at 113.

The Court finds that the Complaint’s allegations track these factors and plead appropriate and specific facts regarding the foreseeability of harm from Accellion’s conduct, Plaintiffs’ injuries, the nexus between Accellion’s failure to employ reasonable security protections and Plaintiffs’ injuries, and the policy of preventing future harm. Compl. ¶¶ 137–141.
The only factor advanced by Accellion to limit the duty is the public policy argument that “[p]ermitting the customers of a software company’s customers to sue the company directly would negate its ability to contractually manage its own risk, by exposing it to limitless and unforeseeable liability.” Reply 3 (emphasis in original). At the hearing, Accellion analogized this duty to Microsoft Outlook or Amazon Web Services owing a duty to anyone whose information passes through their services. 10/19/23 Hr’g Tr. 5:5–16. Accellion, however, does not explain how this policy would narrow the duty imposed. Additionally, the only support cited for this policy argument is a 1986 U.S. Supreme Court opinion standing for the general proposition that it would be “difficult for a manufacturer to take into account the expectations of persons downstream who may encounter its product,” which is too thin a reed and too general a premise for the Court to accord meaningful weight. Reply 3–4 (citing E. River S.S. Corp. v. Transamerica Delaval, Inc., 476 U.S. 858 (1986)). Accellion also does not make any effort to reconcile this public policy with existing statutory duties. Indeed, as noted in Stasi, “the burden of imposing a common law duty to protect [] personal information is not likely high given that both state and federal law already require such protection, and, in the case of state law, already allows for a private right of action.” 501 F. Supp. 3d at 915.
In any event, courts analyzing duties to protect data under Rowland have typically found that, “[f]rom a policy standpoint, to hold that [the company] has no duty of care here ‘would create perverse incentives for businesses who profit off the use of consumers’ personal data to turn a blind eye and ignore known security risks.’” Bass, 394 F. Supp. 3d at 1039 (citing In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1325 (N.D. Ga. 2019)).

It is also worth reiterating that, prior to the 2021 decision in Brown v. USAT, California courts were using the Rowland factors to find that data companies owed duties of care in handling the personal information they received. See, e.g., Bass, 394 F. Supp. 3d 1039 (finding a duty of “reasonable care in the handling of personal information” after analyzing Rowland factors); Stasi, 501 F. Supp. 3d 915 (“Applied here, [the Rowland] factors weigh in favor of the plausibility that [defendant] owed a duty to protect Plaintiffs’ information despite the fact that Plaintiffs were not [defendant’s] customers or otherwise in privity with [defendant].”); Castillo, 2016 WL 9280242, at *3 (“[T]he Rowland factors compel the conclusion [defendant] was duty-bound to take reasonable steps to protect all personal identifying information it obtained from its employees, including information pertaining to employees’ spouses and dependents.”).

Given the Complaint’s allegations and the overall weight of Rowland analyses in data protection cases, the Court finds that the Rowland factors do not warrant any further limitation of the duty imposed by the “special relationship” found above.
***

In summary, the Court finds that Plaintiffs have alleged that there exists a “special relationship” between Accellion and the Plaintiffs who own the PII that Accellion handled, giving rise to a duty of reasonable care to protect Plaintiffs’ PII.

2. Breach

The Complaint alleges that Accellion breached its duties by failing to (1) adopt, implement, and maintain adequate security measures to safeguard Plaintiffs and Class members’ PII; (2) adequately monitor the security of its networks and systems; (3) provide timely notice that Plaintiffs and Class members’ PII had been compromised so those at risk could take timely and appropriate steps to mitigate the potential for identity theft and other damages; and (4) ensure that clients were timely notified about the FTA security vulnerabilities. Compl. ¶¶ 133–34. The Complaint also incorporates by reference a March 2021 security assessment report issued by the cybersecurity firm Mandiant (“Mandiant Report”), which found that the two vulnerabilities exploited during the data breaches were of “critical severity.” Compl. ¶ 48 n.13. In addition to those “critical” vulnerabilities, the Mandiant Report also identified two other vulnerabilities that were of “high severity” and “medium severity.” Id.

As a preliminary matter, there is some support for the proposition that, where a data breach has occurred, the breach itself is sufficient to allege a breach of duty for Rule 12(b)(6) purposes. In Flores-Mendez v. Zoosk, Inc., Judge Alsup invoked the common law doctrine of res ipsa loquitur (“the thing speaks for itself”) to hold, “when a breach occurs, the thing speaks for itself. The breach would not have occurred but for inadequate security measures, or so it can be reasonably inferred at the pleadings stage.” 2021 WL 308543, at *4 (N.D. Cal. Jan. 30, 2021).
This reasoning was motivated in part by Judge Alsup’s observation that, in data breach cases, it would be “unreasonable for defendant to insist that the details be laid out in the initial complaint,” because the “ordinary consumer [] has no clue what internet companies’ security steps are.” Id. The Court agrees that this reasoning has some currency, though it need not fully embrace the analysis here, given that Plaintiffs have alleged deficiencies in Accellion’s security measures.

In this case, the Court finds that the findings published in the Mandiant Report and incorporated by reference into the Complaint are sufficient to allege breach for negligence purposes. Neither party attempts to assail Mandiant’s reputability, and both parties have agreed the Court may place great reliance on the Report’s findings. 10/19/23 Hr’g Tr. 17:23–18:2, 25:1–12. To that end, the Court finds that the Mandiant Report provides great detail into the vulnerabilities exploited by the two data breaches in this case, which included SQL injection, server-side request forgery, and remote command execution. Mandiant Report 6–7. The existences of these “critical severity” vulnerabilities, in addition to two other “high” and “medium” level vulnerabilities, are sufficient for Plaintiffs to plausibly allege that Accellion breached its duty of reasonable care to protect their PII. These vulnerabilities and breach allegations do not turn on the allegations that Accellion failed to retire the FTA product as it neared its end-of-life, contrary to Accellion’s suggestion. Reply 8–9.

Accordingly, the Court finds that the Complaint has sufficiently plead breach with regards to Plaintiffs’ negligence claim.

3. Damages

“Under California law, appreciable, nonspeculative, present harm is an essential element of a negligence cause of action.” Huynh v. Quora, Inc., 508 F. Supp. 3d 633, 649 (N.D. Cal. 2020).

With respect to damages, the Complaint alleges that Plaintiffs have experienced the loss of their ability to control how their personal information is used; increased risk of future identity theft; costs associated with credit and asset freezes due to credit misuse; out-of-pocket expenses associated with preventing, detecting, and recovering from identity theft; and diminution in value of their personal information. Compl. ¶ 143.

Accellion argues that these injuries are not cognizable and also that the economic loss rule bars Plaintiffs’ recovery. Mot. 9–11. The Court addresses each in turn.

With respect to Accellion’s first argument, the Court finds that the Complaint has sufficiently alleged injury for Plaintiffs’ negligence claim. Plaintiffs here have already experienced identity theft in the form of unauthorized charges appearing on their bank and credit accounts, Compl. ¶¶ 5–15, rendering the risk of future identity theft sufficiently non-speculative. Additionally, a “growing number of federal courts have now recognized Loss of Value of PII as a viable damages theory. And a growing number of courts now recognize that individuals may be able to recover Consequential Out of Pocket Expenses that are incurred because of a data breach, including for time spent reviewing one’s credit accounts.” In re Experian Data Breach Litig., 2016 WL 7973595, at *5 (C.D. Cal. Dec. 29, 2016) (internal brackets and quotation marks omitted). Courts have also recognized “time spent responding to a data breach” as a non-economic injury. Stasi, 501 F. Supp. 3d at 913.
These are all cognizable categories of damages for a negligence cause of action under California law.

Turning next to Accellion’s argument as to the economic loss rule, the Court also finds that the injuries alleged in the Complaint constitute non-economic injuries that do not implicate the economic loss rule. For instance, “time spent responding to a data breach is a non-economic injury, that when alleged to support a negligence claim, defeats an economic loss doctrine argument.” Stasi, 501 F. Supp. 3d at 913 (citing In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1295 (S.D. Cal. 2020); see also Schmitt v. SN Servicing Corp., 2021 WL 3493754, at *6 (N.D. Cal. Aug. 9, 2021) (collecting cases in this district that “have found that the economic loss doctrine does not apply where loss of time is alleged”). Additionally, California law carves out an exception to the economic loss rule where a “special relationship” exists between the parties, which the Court has already found the Complaint to have alleged. See supra Section III(A)(1)(a); J’Aire Corp. v. Gregory, 24 Cal. 3d 799, 804 (1979) (“Where a special relationship exists between the parties, a plaintiff may recover for loss of expected economic advantage through the negligent performance of a contract although the parties were not in contractual privity.”). Each of these bases is an independent reason that prevents Plaintiffs’ negligence claim from being dismissed under the economic loss rule.

At the hearing (but not in its briefs), Accellion emphatically commended the 1965 California Supreme Court decision of Seely v. White Motor Co., 63 Cal. 2d 9 (1965), to the Court in support of its economic loss rule argument.
However, Seely is not the panacea Accellion presents it as. Seely was a warranty case relating to defendant manufacturer’s failure to repair plaintiff’s truck and did not involve a negligence claim for tort recovery. 63 Cal. 2d at 13 (affirming judgment against defendant because the “award was proper on the basis of a breach of express warranty”) (emphasis added). Moreover, Seely did not analyze whether a “special relationship” exists between a truck manufacturer and the truck end user—it primarily engaged in a discourse regarding the differences between tort and warranty liability. Id. at 15–19. To the extent that Accellion relies on Seely’s singular statement that, “[e]ven in actions for negligence, a manufacturer’s liability is limited to damages for physical injuries and there is no recovery for economic loss alone,” id. at 18, this merely restates the general economic loss rule. Contrary to Accellion’s insistence, this does not bear upon the question of whether a manufacturer has a “special relationship” to downstream persons affected by the product. See 10/19/23 Hr’g Tr. 43:1–17. Notwithstanding Justice Traynor’s well-reasoned decision, the duties, alleged injuries, and relationship between the Seely parties bear little resemblance or application to the case at bar, which involves the relationship between a file transfer software company and the individuals whose PII was compromised relating to a data breach.

Accordingly, the Court finds that Plaintiffs have sufficiently alleged damages for their negligence claim that are cognizable and not barred by the economic loss rule.

***

Because the Court finds that a special relationship exists between the parties that give rise to a duty of care, that Accellion breached its duty, and Plaintiffs have alleged cognizable damages, the Court DENIES Accellion’s motion to dismiss Plaintiffs’ First Claim for negligence.

B. Negligence Per Se

Accellion also moves to dismiss the Complaint’s second claim, which Plaintiffs style as “negligence per se.” Mot. 11. This claim alleges that Accellion’s conduct breached the duty imposed under various statutory regimes, including the FTC Act, HIPAA, the California Customer Records Act (“CCRA”), and the Children’s Online Privacy Protection Act (“COPPA”). Compl. ¶ 145. Accellion contends that this claim is improper because “negligence per se” is not an independent claim for relief under California law and, even properly wielded as an evidentiary doctrine, Plaintiffs may not rely on the specific statutes to establish a standard of care. Mot. 11.

Under California law, a “claim” for negligence per se requires four showings: “(1) a defendant violated a statute, ordinance, or regulation; (2) the violation proximately caused injury; (3) the injury resulted from an occurrence that the enactment of the law was designed to prevent; and (4) the plaintiff was a member of the class of persons the statute was intended to protect.” Kirsten v. California Pizza Kitchen, Inc., 2022 WL 16894503, at *8 (C.D. Cal. July 29, 2022) (citing Safari Club Int’l v. Rudolph, 862 F. 3d 1113, 1126 (9th Cir. 2017)). “If all four requirements are satisfied, the plaintiff is entitled to a presumption that the defendant failed to exercise due care; however, the plaintiff still must plead an underlying negligence claim for which the presumption is to apply.” Kilmer v. Medtronic, Inc., 2021 WL 1405198, at *7 n.5 (E.D. Cal. Apr. 13, 2021).

The Court agrees with Accellion to the extent that Plaintiffs may not maintain “negligence per se” as a standalone claim alongside their negligence claim, which Plaintiffs themselves do not appear to contest. Opp.
13 (recognizing that negligence per se is “not an independent cause of action”); see, e.g., Jones v. Awad, 39 Cal. App. 5th 1200, 1210 (2019) (“Negligence per se is an evidentiary doctrine, rather than an independent cause of action.”). On this point, the Court finds that the Complaint does not state an independent claim for relief labeled “negligence per se,” which is therefore subject to dismissal as a matter of law.

Accellion’s secondary arguments—that Plaintiffs have failed to allege why they may use the statutory standards of care to establish their negligence claim—are less persuasive. First, Accellion contends that the Complaint has not alleged proximate injury to property. Mot. 11. This argument is unavailing given that, as highlighted above at Section III.A.3, the Complaint has alleged a wide variety of injuries Plaintiffs have sustained from the data breaches. Second, Accellion submits that plaintiffs may only rely on a statute’s duty if the statute in question prescribed a “particular course of conduct,” citing Ramirez v. Nelson, 44 Cal. 4th 908, 919 (2008). Ramirez, however, does not require that the statute lay out specific conduct before it can be referenced under negligence per se. Rather, the Supreme Court of California’s holding turned on a nexus requirement between the transgressed statute and the injury sustained by the plaintiff asserting negligence per se. Id. at 918 (2008) (“[I]f one is not within the protected class or the injury did not result from an occurrence of the nature which the transgressed statute was designed to prevent, [negligence per se] has no application.”); see also Jones, 39 Cal. App.
5th at 1210 (“[Negligence per se] can be applied generally to establish a breach of due care under any negligence-related cause of action.”) (emphasis added).

Federal courts applying California law on negligence per se in data breach cases have also turned to FTC Act and HIPAA provisions to supply the standard of care element for a standalone negligence claim. See, e.g., Kirsten, 2022 WL 16894503, at *9 (allowing reference to FTC Act Section 5 for “unfair . . . practices in or affecting commerce”); In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1142 (C.D. Cal. 2021) (allowing reference to FTC Act and HIPAA for breach of medical information). Here, although the Court does not find that Plaintiffs can maintain their negligence per se claim as a standalone cause of action, the Court also will not preclude Plaintiffs from relying on the provisions of the FTC Act, HIPAA, CCRA, or COPPA in support of the elements in their negligence claim, provided they can also meet the other requirements for negligence per se noted above.

Accordingly, the Court GRANTS Accellion’s motion and DISMISSES WITHOUT LEAVE TO AMEND the Complaint’s second claim for negligence per se. This dismissal, however, shall be WITHOUT PREJUDICE to Plaintiffs’ alleging the underlying statutes under their negligence claim to establish the applicable standards and duties of care.

C. California Consumer Privacy Act (“CCPA”)

Accellion moves to dismiss Plaintiffs’ CCPA claim on two grounds: (1) Accellion is not a “business” within the meaning of the statute; and (2) the Complaint does not allege a specific non-conclusory failure to implement reasonable security measures. Mot. 14.
Because Accellion is not a “business” under the CCPA, the Court need not and will not address Accellion’s arguments as to its reasonable security measures.

The CCPA provides a limited civil cause of action for “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). The CCPA defines “business,” in relevant part², as follows:

[A] legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information. . . .

Id. § 1798.140(d)(1) (emphasis added). Accordingly, to qualify as a “business” under the CCPA, the entity must both (1) collect PII and (2) determine why and how (“the purposes and means”) the PII should be processed. See Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021). The CCPA further defines “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means”; and defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information.” Cal. Civ. Code § 1798.140(f), (y).

As to the first requirement, the Complaint contains several allegations of Accellion collecting consumers’ PII. See, e.g., Compl. ¶¶ 2 (“Entities . . .
hired Accellion—a cloud solutions company—to collect and securely transfer sensitive Personally Identifiable Information.”), 158 (“Defendants collect personal information from, among other sources, consumers who request information from them, consumers who use their services, including users of their mobile applications, and consumers who submit customer support requests.”). The CCPA also adopts a broad understanding of “collects,” defining it to mean “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Cal. Civ. Code § 1798.140(f) (emphasis added). On a Rule 12(b)(6) motion, the Complaint’s allegations are sufficient (though barely) to state that Accellion “collects consumers’ personal information” under the CCPA’s broad definition.

² Accellion does not dispute the other threshold revenue requirements set forth at Cal. Civ. Code § 1798.140(d)(A)–(C).

The second half of the “business” definition, however, entails a more nuanced analysis. The Complaint alleges that Accellion was hired by various companies to “securely transfer” and to “facilitate secure, encrypted file sharing that exceeded limits imposed on the size of emails attachments.” Compl. ¶¶ 2, 25 (“Instead of transferring documents by email, the intended recipient would receive a link to files, hosted on Accellion’s FTA, which could then be viewed or downloaded.”). Therefore, the relevant inquiry is whether, by enabling the secure transfer of files by hosting them on FTA, Accellion determined why and how consumers’ PII was processed.

So alleged, the Court finds that Accellion did not.
Critically, the Complaint lacks any allegations regarding the “determinations” Accellion made with respect to why and how Plaintiffs’ PII was processed. The allegation that Accellion “developed, marketed, and sold a file sharing transfer software product” (Compl. ¶ 25) does not indicate that Accellion would be making decisions about the data its software would transfer after the software was licensed or made available to a customer. Nor does the Complaint allege that Accellion decides or “determines” anything about PII processing whenever one of its customers uses the FTA product to send files. To the contrary, the Complaint contains statements indicating that it is Accellion’s customer who makes the decision for each file transfer. Compl. ¶¶ 2, 28 (alleging that Accellion “enables millions. . . from every walk of life to do their jobs without putting their organization at risk. When they click the Accellion button, they know it’s the safe and secure way to share information with the outside world”) (emphasis added). The relevant CCPA inquiry is not whether Accellion simply enabled or was involved in transmitting Plaintiffs’ PII; rather, the Court must ask whether Accellion determined how and why Plaintiffs’ PII was transmitted. Without any allegations as to what Accellion decides or “determines” with respect to processing Plaintiffs’ PII, the Court cannot find that the Complaint has alleged that Accellion is a “business” for the purposes of the CCPA.

Accellion’s involvement (or lack thereof) with respect to determining how a consumer’s PII is processed also distinguishes it from other companies that courts have found to be “businesses” under the CCPA. In Karter v.
Epiq Systems, Inc., the complaint had specifically alleged that the defendant (a class action settlement administrator) “work[ed] with its clients to determine how it will use consumers’ personal information to provide notice and manage claims and opt-outs.” 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021). Unlike Accellion, the Epiq defendant was alleged to have directly and affirmatively participated in determining how a consumer’s PII would be used. Similarly, in Blackbaud, the court found that a company that provided software for “administration, fundraising, marketing, and analytics to social good entities” was a “business” under the CCPA. In re Blackbaud, Inc., Customer Data Breach Litig., 2021 WL 3568394 (D.S.C. Aug. 12, 2021). There as well, the defendant was alleged to have actively interacted with and analyzed the data at issue: “Blackbaud uses consumers’ personal data to provide services at customers’ requests, as well as to develop, improve, and test Blackbaud’s services,” that “Blackbaud develops software solutions to process its customers’ patrons’ personal information,” and that “Blackbaud offers ‘professional and managed services in which its expert consultants provide data conversion, implementation, and customization services for each of its software solutions.’” Id. at *5 (emphasis added). In both Epiq and Blackbaud, the defendants played much more integral roles in determining how to process consumer PII—they were involved in, analyzed, and even consulted on how consumers’ personal information would be used. Accellion did not.

Plaintiffs argue that “[b]y facilitating the transfer of personal information, Accellion enabled the use of consumers’ PII and determined the means of processing it.” Opp. 15.
At oral arguments, Plaintiffs’ counsel expanded on this argument, submitting that the “purpose” of the FTA product was to “put files up on the cloud and transfer them” and the “means is just the proprietary technology.” 10/19/23 Hr’g Tr. 36:10–24. This, however, conflates the “purposes and means” of the FTA software with the “purposes and means of the processing of consumers’ personal information,” a construction that is not supported by the CCPA or the Complaint. The CCPA specifically defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information.”³ Cal. Civ. Code § 1798.140(y) (emphasis added). The Complaint, however, does not allege that the FTA software performs any operation on the information that it transfers, only that it “facilitate[s] secure, encrypted file sharing.” Compl. ¶ 25. Accordingly, the Court will decline Plaintiffs’ invitation to find that Accellion “determine[d] the purposes and means of the processing of consumers’ personal information” by simply developing and marketing a file sharing software.

Additionally, Plaintiffs rely on statements Accellion made in its privacy policy that it controls information provided directly to it. Compl. ¶ 28. However, the information referenced by this privacy policy appears to relate only to Accellion’s interactions with its direct clients (e.g., Flagstar), as opposed to information transmitted between Accellion’s clients and the Plaintiffs. See Accellion Privacy Policy, Kiteworks, https://www.kiteworks.com/privacy-policy/ (“We respectfully use appropriate personal information in order to market, sell, deliver, and support the solutions that we offer.
We do not collect personal information that is not necessary for the marketing, selling, delivery, and support of our solutions, such as demographic, biometric, medical, social information. . . . Our systems, employees, contractors, and affiliates can not access personal information collected by our customers even when that information may be contained in customer applications which use the Accellion Services under the control of customers.”). Plaintiffs contend that the CCPA does not require that the information involved in a breach be the same type of information a business collects or processes. Opp. 15–16. However, even if Accellion may be a “business” with respect to data it collects from its website, the CCPA expressly provides that the duty of “reasonable security procedures and practices” imposed on businesses only runs to the personal information that the business collects. Cal. Civ. Code § 1798.100(e). On that point, the Complaint asserts no CCPA claim against the security measures protecting the personal information collected pursuant to Accellion’s privacy policy.

³ Notably, the CCPA did not include “sharing” or “transferring” personal information within the definition for “processing,” even though the statute evidently contemplated sharing consumers’ personal information. See Cal. Civ. Code § 1798.140 (ah)(1) (defining “sharing” as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party”).

Because the Complaint fails to allege that Accellion is a “business” under the CCPA with respect to Plaintiffs’ PII, Plaintiffs cannot maintain their CCPA claim against Accellion, and the Court need not address Accellion’s other CCPA arguments. Accellion’s motion to dismiss the CCPA claim is GRANTED. Because the Court cannot conclude that Plaintiffs would be unable to resolve these deficiencies with further factual amendment regarding the FTA product’s operation on their PII, the Third Claim is DISMISSED WITH LEAVE TO AMEND.

D. Confidentiality of Medical Information Act (“CMIA”)

Plaintiffs also allege that Accellion violated its obligations under the expanded CMIA definitions for businesses deemed to be a “provider of health care.” Specifically, the Complaint alleges that, under Cal. Civ. Code § 56.06(a), Accellion is “organized in part for the purpose of maintaining medical information to make it available . . . for purposes of information management, diagnosis, or treatment.” Compl. ¶ 167; see also Cal. Civ. Code § 56.06(a). The Complaint also alleges that Accellion falls under the definition at § 56.06(b) as a business offering “software that is designed to maintain medical information.” Compl. ¶ 167; see also Cal. Civ. Code § 56.06(b).

Accellion argues that the CMIA claim is deficient because (1) Accellion is not an entity regulated by the CMIA; (2) Plaintiffs fail to allege that their medical information was affected by the data breaches; and (3) Plaintiffs failed to allege negligence. Mot. 15–17.

The Court agrees with Accellion that it does not fall within the expanded § 56.06 definitions of a “provider of health care.” First, under § 56.06(a), Plaintiffs have failed to sufficiently allege that Accellion is a “business organized for the purpose of maintaining medical information.” Cal. Civ. Code § 56.06(a). In their opposition, Plaintiffs refer to their allegation at ¶ 167 that “Accellion is organized in part for the purpose of maintaining medical information” (Opp.
18); however, conclusory recitations of the requisite statutory showing are not enough to state a claim. See, e.g., Iqbal, 556 U.S. at 678. The only non-conclusory allegation in the Complaint states that Accellion “provides secure file-sharing services for hospitals and other medical professionals to facilitate ‘patient care’ through the sharing of patient’s medical records.” Compl. ¶ 167. However, § 56.06(a) requires more than an allegation that Accellion maintained or even presently maintains medical information; Accellion must have been “organized for the purpose of maintaining medical information.” Here, the Court cannot infer from a single website statement advertising its breadth of clients that Accellion is a company organized for the purpose of maintaining medical information.

Second, under § 56.06(b), the Court also finds that Plaintiffs have failed to allege that Accellion is a business that offered “software or hardware to consumers . . . that is designed to maintain medical information.” As a preliminary matter, both parties appear to agree that Accellion’s software was not offered directly to individual consumers. See Mot. 16; Opp. 17–18. However, Plaintiffs contend that Accellion nonetheless falls within this category because its institutional customers (e.g., “government agencies, private business, and universities,” Compl. ¶ 2) should also be considered “consumers” as purchasers of Accellion’s software. See Opp. 19 (citing Blackbaud, 2021 WL 3568394, at *7 (interpreting “consumers” as encompassing more than just “individuals”).

This is a tenuous interpretation that threatens to read the “consumers” language out of the statute.
Plaintiffs’ overly generalized definition of a consumer as “one that utilizes economic goods” would be redundant and duplicative with the immediately preceding language referring to a “business that offers software or hardware to consumers.” Cal. Civ. Code § 56.06(b). Who else would a business “offer” software to, if not “one that utilizes” the software? Additionally, Plaintiffs’ expansion of “consumers” to include business entities would be inconsistent with the CMIA’s usage of “consumers” in other contexts, which often concern the consumer’s “diagnosed mental health or substance use disorder” or “mental health application information” collected from a consumer. See Cal. Civ. Code § 56.05(j), (k). Accordingly, the Court declines to adopt Plaintiffs’ and Blackbaud’s interpretation of “consumers” as “one that utilizes economic goods.” Additionally, the Court also finds that Accellion would not fall under the § 56.06(b) category for the separate reason that its FTA software was not “designed to maintain medical information.” Much like the analysis under § 56.06(a), the fact that the FTA may have been used to transfer or maintain medical information does not mean it was designed to do so.

At the hearing, Plaintiffs directed the Court to Prutsman v. Nonstop Admin. & Ins. Servs., Inc., 2023 WL 5257696 (N.D. Cal. Aug. 16, 2023) in support of their overall position.⁴ Although Prutsman declined to dismiss the CMIA claim, the parties there did not dispute whether the defendant or its software was intended to “maintain medical information”; indeed, the defendant had admitted that it was an “employee health insurance and benefits broker” that provided “healthcare insurance solutions.” Consolidated Am. Compl. ¶¶ 48–49, Prutsman v. Nonstop Admin. & Ins. Servs., Inc., No.
23-CV-01131-VC (N.D. Cal. May 25, 2023), ECF No. 38. This case, therefore, offers limited persuasive weight here. Accellion and its file transfer software are much farther removed from medical information than a health insurance broker would be.

⁴ Plaintiffs originally cited Prutsman in support of their CCPA claim. 10/19/23 Hr’g Tr. 40:20–24. However, Prutsman only committed two sentences to discussing whether the defendant was a “business” under the CCPA without any analysis for the Court to follow.

Because the Complaint lacks facts from which the Court could reasonably infer that Accellion was “organized for the purpose of maintaining medical information” or offered software to consumers that is “designed to maintain medical information,” Plaintiffs have failed to allege that Accellion is subject to CMIA obligations. Although the Court believes it unlikely that Plaintiffs could discover and allege facts indicating that Accellion was designed to “maintain medical information,” the Court cannot conclude that it would be futile. Accordingly, the Court GRANTS Accellion’s motion and DISMISSES the CMIA claim WITH LEAVE TO AMEND.

E. California Customer Records Act (“CCRA”)

The Complaint asserts a CCRA claim against Accellion, alleging that Accellion’s failure to promptly notify Plaintiffs violated its obligations under the CCRA. Compl. ¶¶ 183–84. Accellion moves to dismiss this claim, arguing that (1) Plaintiffs are not Accellion’s “customers” and therefore may not initiate a civil action against it; (2) any obligation to notify Plaintiffs belonged to Accellion’s FTA customers, not Accellion; and (3) Plaintiffs’ allegations of actions they could have taken with timely disclosure are not cognizable injuries under the CCRA. Mot. 17–19.

The CCRA limits civil actions to “any customer injured by a violation of this title,” Cal. Civ. Code § 1798.84(b), which is defined as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Id. § 1798.80(c).

The Complaint alleges that Plaintiffs “provided personal information to Defendants for the purpose of obtaining services from Defendants” and, therefore, fall within the CCRA’s definition of “customer.” Compl. ¶ 179. Although this conclusion may be supported with respect to Accellion’s clients such as Flagstar Bank, it is not supported as to Accellion to the extent that Plaintiffs had sought to obtain services from—i.e., were customers of—Accellion. The Complaint’s allegations indicate that Plaintiffs are customers or employees of Flagstar (id. ¶¶ 5, 8, 10), employees or customers of Kroger (id. ¶¶ 6, 7, 13, 14), recipients of health care services (id. ¶¶ 9, 12), or recipients of Washington unemployment benefits (id. ¶¶ 11, 15). There are no allegations that Plaintiffs had paid money to or obtained any service from Defendant Accellion.

Plaintiffs contend that “individuals do not have to provide their information directly to a business to be ‘customers’ under the CCRA.” Opp. 20–21. Even if the Court accepts this base proposition,⁵ Plaintiffs do not address the express requirement in the CCRA that the information be provided “for the purpose of . . . obtaining a service from the business.” Cal. Civ. Code § 1798.80(c). The Complaint contains no allegation that Plaintiffs intended to obtain any services from Accellion. Plaintiffs’ interpretation of “customers” under the CCRA is untenable given the unambiguous language in the statute.
[5] To be clear, even this contention is on uncertain footing. Plaintiffs rely on a 2016 opinion that has been described more recently as an “outlier among courts considering this question [of whether the CCRA applies to non-customer information].” Kirsten v. California Pizza Kitchen, Inc., 2022 WL 16894503, at *6 (C.D. Cal. July 29, 2022) (referring to Castillo, 2016 WL 9280242, at *7).

Because Plaintiffs are not “customers” of Accellion within the meaning of the CCRA, the Court finds that they may not maintain their CCRA claim against Accellion. Accellion’s motion is GRANTED. Although the Court is not persuaded by Plaintiffs’ interpretation of the CCRA, it cannot conclude that Plaintiffs cannot plead facts that bring themselves within the definition of a “customer” and, therefore, the CCRA claim is DISMISSED WITH LEAVE TO AMEND.

F. Privacy Claims

Plaintiffs also bring two privacy claims against Accellion: the intentional tort of intrusion upon seclusion (Sixth Claim) and violation of the California Constitution’s right to privacy (Tenth Claim). Accellion moves to dismiss these claims on identical grounds, asserting that the Complaint contains no allegations of Accellion’s culpable state of mind for these intentional torts. Mot. 19–20. Plaintiffs respond that Accellion’s intent may be inferred from its “reckless disregard,” which purportedly suffices to establish intent for their privacy claims. Opp. 22.

“To state a claim for intrusion upon seclusion under California common law, a plaintiff must plead that (1) a defendant intentionally intruded into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy,” and (2) the intrusion “occurred in a manner highly offensive to a reasonable person.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (internal brackets and quotation marks omitted) (citing Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 286 (2009)). A claim for invasion of privacy under the California constitution requires Plaintiffs to show: “(1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is ‘so serious . . . as to constitute an egregious breach of the social norms’ such that the breach is ‘highly offensive.’” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 601.

With respect to the intrusion upon seclusion claim, the Court finds that the Complaint has failed to allege that Accellion had acted intentionally with respect to the data breach. The Complaint only alleges that Accellion had “acted knowingly and in reckless disregard” of Plaintiffs’ privacy rights. Compl. ¶ 190. However, as courts in this district have found, there is “no authority that suggests that failure to take adequate measures to protect against the intentional intrusion of a third party satisfies the first element of a claim for intrusion on seclusion.” Damner v. Facebook Inc., 2020 WL 7862706, at *6 (N.D. Cal. Dec. 31, 2020). Plaintiffs cite Kentucky and Nevada opinions for the proposition that “reckless disregard” is sufficient to establish intent for an invasion of privacy claim. See Opp. 22 (citing Smith v. Bob Smith Chevrolet, Inc., 275 F. Supp. 2d 808 (W.D. Ky. 2003); Dobson v. Sprint Nextel Corp., 2014 WL 553314 (D. Nev. Feb. 10, 2014)). However, both decisions only analyzed Kentucky and Nevada law, respectively, and provide no insight into the proper applications of the California tort asserted here. Plaintiffs also cite Katsaris v. Cook, 180 Cal. App. 3d 256 (1986), a 1986 California Court of Appeal decision to describe how “reckless disregard” may be proven. Katsaris was a tort action for intentional infliction of emotional distress (not intrusion upon seclusion) where the defendant had shot two of plaintiff’s dogs—it shares no overlap with privacy torts or data breaches. Id. at 261. Plaintiffs’ Sixth Claim for intrusion upon seclusion may be dismissed on this ground alone.

As to Plaintiffs’ invasion of privacy claim under the California Constitution, the Court also finds that Plaintiffs have not alleged that Accellion’s conduct was “highly offensive.” The Complaint alleges that Accellion’s “fail[ure] to protect [personal] information from unauthorized disclosure to third parties” was highly offensive. Compl. ¶¶ 189, 227. The weight of California authority, however, cuts against this conclusory allegation. “[T]he highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a matter of public policy.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 606. Notably, courts have declined to find “highly offensive” conduct or an “egregious breach of social norms” where only negligence is alleged with respect to a data breach, as opposed to intentional violations of privacy rights. See, e.g., Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016) (dismissing invasion of privacy constitutional claim because “Plaintiff fails . . . to allege any facts that would suggest that the data breach was an intentional violation of Plaintiff’s and other class members’ privacy, as opposed to merely a negligent one”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (“Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not ‘approach [the] standard’ of actionable conduct under the California Constitution and thus does not constitute a violation of Plaintiffs’ right to privacy.”); Ruiz v. Gap, Inc., 380 F. App’x 689, 693 (9th Cir. 2010) (noting that “California courts have yet to extend the [invasion of privacy] cause of action to include accidental or negligent conduct”); cf. Prutsman, 2023 WL 5257696 (dismissing claims for intrusion upon seclusion and California Constitution privacy rights because “[n]othing in the complaint suggests that Nonstop was anything but negligent and passive”). As a result, the Court does not find that Plaintiffs have alleged “highly offensive” conduct by Accellion, which is an element of both the intrusion upon seclusion and invasion of privacy claims.

Accordingly, because the Complaint has failed to allege that Accellion intentionally intruded or that the intrusion was highly offensive, Plaintiffs’ Sixth and Tenth Claims are DISMISSED WITH LEAVE TO AMEND.

G. Breach of Contract

Plaintiffs also bring a claim for breach of contract against Accellion as third-party beneficiaries. Compl. ¶ 198. Accellion moves to dismiss this claim because (1) it shares no privity of contract with any Plaintiff, and (2) the End User License Agreement (“EULA”) governing Accellion’s relationship with its clients contained an express clause disclaiming any third-party beneficiaries.[6] Mot. 20–21.

The Court agrees with Accellion that the third-party beneficiary disclaimer clause controls in this case and precludes Plaintiffs from recovery as intended third-party beneficiaries.
“For a third party to be able to recover on a contract, it must be able to show that the contract was made with the ‘express or implied intention of the parties to the contract to benefit the third party.’” Dollar Tree Stores Inc. v. Toyama Partners LLC, 2011 WL 872724, at *3 (N.D. Cal. Mar. 11, 2011). However, the Ninth Circuit has held that a “No Third Party Beneficiaries” clause “unambiguously manifests an intent not to create any obligations to third parties.” Balsam v. Tucows Inc., 627 F.3d 1158, 1163 (9th Cir. 2010). Plaintiffs’ sole response—that the EULA disclaimer “serves only as evidence of the parties’ intent, and there is no factual record demonstrating intent,” Opp. 23—does not impair the unambiguous intent expressed in the EULA’s disclaimer language. In any event, their argument does not satisfy their pleading obligations as to whether Accellion or its clients intended Plaintiffs to be third-party beneficiaries.

[6] The Court GRANTS Accellion’s request for judicial notice of the EULA, as Plaintiffs do not oppose taking notice. ECF No. 175; see also Opp. 23 n.8.

Because the Court finds that Plaintiffs have not alleged privity of contract with Accellion nor have they alleged facts that would support an intent to create third-party beneficiary obligations, the Court GRANTS Accellion’s motion to dismiss the breach of contract claim WITHOUT LEAVE TO AMEND.

H. Unjust Enrichment

Accellion moves to dismiss Plaintiffs’ unjust enrichment claim, arguing that the Complaint does not sufficiently allege (1) inadequacy of legal remedies, or (2) the elements for unjust enrichment. Mot. 22–23.

The remedy for an unjust enrichment claim is equitable restitution. Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 Cal. 4th 988, 998 (2015) (“An individual who has been unjustly enriched at the expense of another may be required to make restitution.”). Accordingly, Plaintiffs are required to allege that the Court has equitable jurisdiction over this claim, including a showing that they lack an adequate remedy at law. See Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020).

Here, the Complaint contains no allegations regarding the adequacy of Plaintiffs’ legal remedies. See generally Compl. ¶¶ 213–224. Plaintiffs respond that they have pled their unjust enrichment claim in the alternative to their claims at law, which they contend is sufficient to establish equitable jurisdiction. Opp. 24; see also Compl. ¶ 214. However, this response misses the mark. “The question is not whether or when Plaintiffs are required to choose between two available inconsistent remedies, it is whether equitable remedies are available to Plaintiffs at all,” specifically because of inadequate legal remedies. In re MacBook Keyboard Litig., 2020 WL 6047253, at *2 (N.D. Cal. Oct. 13, 2020); see also In re Apple Processor Litig., 2023 WL 5950622, at *2 (9th Cir. Sept. 13, 2023) (affirming dismissal under Sonner where “Plaintiffs were obligated to allege that they had no adequate legal remedy in order to state a claim for equitable relief, and they have ‘fail[ed] to explain’ how the money they seek through restitution is any different than the money they seek as damages”). Likewise, the Court here finds that simply asserting their equitable claim in the alternative does not satisfy Plaintiffs’ burden to allege that they lack an adequate remedy at law.
Because Plaintiffs have failed to allege facts supporting the Court’s equitable jurisdiction, Plaintiffs’ Ninth Claim for unjust enrichment is DISMISSED WITH LEAVE TO AMEND.

I. Washington Consumer Protection Act (“WCPA”)

Finally, Accellion moves to dismiss the WCPA claim because Plaintiffs failed to allege an “unfair or deceptive act or practice” with respect to Accellion’s data security practices. Mot. 25. Accellion first argues that the Complaint does not allege specific security practices that it failed to implement (id.), and in its reply, Accellion argues that Plaintiffs cannot maintain a WCPA claim where the data breach impacted the customers of Accellion’s customers (Reply 12–13).

“[T]o prevail in a private [WCPA] action and therefore be entitled to attorney fees, a plaintiff must establish five distinct elements: (1) unfair or deceptive act or practice; (2) occurring in trade or commerce; (3) public interest impact; (4) injury to plaintiff in his or her business or property; (5) causation.” Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wash. 2d 778, 780 (1986). “Because the [WCPA] does not define ‘unfair or deceptive,’ the Washington Supreme Court has allowed the definitions to evolve through a gradual process of judicial inclusion and exclusion.” Krefting v. Kaye-Smith Enterprises Inc., 2023 WL 4846850, at *8 (W.D. Wash. July 28, 2023). An “unfair act” is one that “(1) causes or is likely to cause substantial injury, which (2) consumers cannot avoid, and (3) is not ‘outweighed by countervailing benefits.’” Veridian Credit Union v. Eddie Bauer, LLC, 295 F. Supp. 3d 1140, 1161 (W.D. Wash. 2017).
With respect to Accellion’s argument that the Complaint does not allege specific security measures it failed to maintain, the Court has already found above that the Mandiant Report—incorporated by reference into the Complaint—describes in expert detail the “critical severity” vulnerabilities that were exploited by the data breaches. See supra Section III(A)(2).

Accellion also argues that it cannot be liable for an “unfair” act under the WCPA that caused injuries sustained by “downstream” parties, such as Plaintiffs. Reply 12. However, they cite no Washington authority for this proposition, instead only noting that all of Plaintiffs’ WCPA authorities involved data breaches where the defendant had directly collected and stored plaintiffs’ compromised data. Id. at 12 n.15. However, Accellion’s role in the data breaches here is analogous to the role of Amazon in the data breach of Capital One’s Amazon Web Services cloud environment where Capital One stored consumers’ confidential PII. See In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 388 (E.D. Va. 2020). In that case, even though the consumer plaintiffs were also “downstream” parties with respect to Amazon Web Services, the court nonetheless found the plaintiffs’ WCPA claim to be adequately pled with respect to both Capital One and Amazon. Id. at 428–29.

Furthermore, as a more general matter, federal courts applying Washington law have consistently found that a “failure to employ adequate data security measures” that “result[s] in harm to thousands of customers” is sufficient to constitute an “unfair” act under the WCPA. See, e.g., Veridian Credit Union v. Eddie Bauer, LLC, 295 F. Supp. 3d 1140, 1162 (W.D. Wash. 2017) (finding an “unfair act” under WCPA where “the key wrongdoing at issue in this litigation [was] Eddie Bauer’s alleged failure to employ adequate data security measures”) (internal brackets and quotation marks omitted); Krefting v. Kaye-Smith Enterprises Inc., 2023 WL 4846850, at *8 (W.D. Wash. July 28, 2023) (“Under similar circumstances, the Court has found that the failure to take proper measures to secure PII can constitute an unfair act under the [WCPA].”) (collecting cases); Guy v. Convergent Outsourcing, Inc., 2023 WL 4637318, at *8 (W.D. Wash. July 20, 2023) (“Plaintiffs’ allegations of [defendant’s] failure to secure their PII sufficiently identifies an unfair act that satisfies this element of the [WCPA].”); Buckley v. Santander Consumer USA, Inc., 2018 WL 1532671, at *4 (W.D. Wash. Mar. 29, 2018) (“[Defendant’s] alleged ‘failure to take reasonably adequate security measures constitutes an unfair act because it knowingly and foreseeably put [plaintiff] at a risk of harm from data theft and fraudulent . . . activity and this harm allegedly occurred.”).

Given how courts have interpreted and applied Washington law with respect to the WCPA, the Court finds that the Complaint sufficiently alleges an “unfair” act by Accellion in “failing to design, adopt, implement, control, direct, oversee, manage, monitor, and audit appropriate data security processes, controls, policies, procedures, protocols, and software and hardware systems to safeguard and protect Plaintiffs’ and Washington Subclass members’ PII.” Compl. ¶ 235. And because this was the only basis for Accellion’s motion to dismiss the WCPA claim, Accellion’s motion is DENIED with respect to Plaintiffs’ Eleventh Claim for violation of the WCPA.

IV. CONCLUSION

Based on the foregoing, the Court GRANTS IN PART and DENIES IN PART Defendant Accellion’s motion to dismiss, as follows:

1. Accellion’s motion is DENIED as to Plaintiffs’ First Claim for negligence and Eleventh Claim for violations of the WCPA;

2. The Second Claim for negligence per se, the Seventh Claim for breach of contract, and the Twelfth Claim for violations of the MCPA are DISMISSED WITHOUT LEAVE TO AMEND;

3. The Third Claim for violations of the CCPA, the Fourth Claim for violations of the CMIA, the Fifth Claim for violations of the CCRA, the Sixth Claim for intrusion upon seclusion, the Ninth Claim for unjust enrichment, and the Tenth Claim for violations of the California Constitution are DISMISSED WITH LEAVE TO AMEND.

IT IS SO ORDERED.

Dated: January 29, 2024

EDWARD J. DAVILA
United States District Judge
