Thomas et al v. Kimpton Hotel & Restaurant Group, LLC, No. 3:2019cv01860 - Document 142 (N.D. Cal. 2022)
Court Description: ORDER DENYING PLAINTIFFS' MOTION FOR CLASS CERTIFICATION; DENYING AS MOOT DEFENDANT'S MOTION TO EXCLUDE OPINIONS OF PLAINTIFFS' DAMAGES EXPERT. Signed by Judge Maxine M. Chesney on April 20, 2022. (mmclc1, COURT STAFF) (Filed on 4/20/2022)
Download PDF
<![CDATA[
1 2 3 IN THE UNITED STATES DISTRICT COURT 4 FOR THE NORTHERN DISTRICT OF CALIFORNIA 5 6 JAKE THOMAS, et al., Case No. 19-cv-01860-MMC Plaintiffs, 7 v. 8 9 KIMPTON HOTEL & RESTAURANT GROUP, LLC, 10 Defendant. ORDER DENYING PLAINTIFFS' MOTION FOR CLASS CERTIFICATION; DENYING AS MOOT DEFENDANT'S MOTION TO EXCLUDE OPINIONS OF PLAINTIFFS' DAMAGES EXPERT United States District Court Northern District of California 11 12 Before the Court are two motions: (1) plaintiffs Jake Thomas ("Thomas"), 13 Salvatore Galati ("Galati"), and Jonathan Martin's ("Martin") Motion for Class Certification, 14 filed September 21, 2021, and (2) defendant Kimpton Hotel & Restaurant Group, LLC's 15 ("Kimpton") Motion to Exclude the Opinions of Plaintiffs' Damages Expert, filed November 16 22, 2021. The motions have been fully briefed. Having read and considered the papers 17 filed in support of and in opposition to the motions, the Court rules as follows.1 18 19 BACKGROUND In the operative complaint, the Third Amended Complaint ("TAC"), plaintiffs allege 20 that Kimpton, an entity that "own[s] or manage[s]" hotels (see TAC ¶ 1), contracted with 21 Sabre Corporation ("Sabre") "to provide a reservation system" (see TAC ¶ 3).2 Plaintiffs 22 further allege they booked hotel reservations at Kimpton hotels (see TAC ¶ 2), and, in so 23 doing, provided "private identifiable information" ("PII") (see TAC ¶¶ 11, 13, 15), which PII 24 was subsequently "accessed by hackers" who "obtained credentials" for Sabre's "Central 25 Reservations system" and "used those credentials to access customer data" (see TAC 26 27 28 1 By order filed March 9, 2022, the Court took the motions under submission. 2 Sabre is not a party to the above-titled action. 1 ¶¶ 6, 12, 14, 16). According to plaintiffs, if Sabre had "employed multiple levels of 2 authentication," rather than "single factor authorization," the "hacker would not . . . have 3 been able to access the system." (See TAC ¶ 6.) Plaintiffs further allege that Sabre was 4 Kimpton's "agent" and thus that Kimpton is responsible for Sabre's conduct. (See, e.g., 5 TAC ¶ 23.) Based on the above allegations, plaintiffs, on their own behalf and on behalf 6 of a putative class, assert claims under state law. United States District Court Northern District of California 7 In an order filed June 30, 2020, the Court granted in part Kimpton's motion to 8 dismiss the TAC. In particular, the Court denied the motion as to three Claims, 9 specifically, the First Claim for Relief, the Third Claim for Relief, and a portion of the 10 Eighth Claim for Relief. As to those three Claims, plaintiffs, by the instant motion, now 11 seek to proceed on behalf of a certified class. 12 13 LEGAL STANDARD A district court may not certify a class unless the plaintiff has "establish[ed] the four 14 prerequisites of [Rule] 23(a)," see Valentino v. Carter–Wallace, Inc., 97 F.3d 1227, 1234 15 (9th Cir. 1996), namely: "(1) the class is so numerous that joinder of all members is 16 impracticable; (2) there are questions of law or fact common to the class; (3) the claims 17 or defenses of the representative parties are typical of the claims or defenses of the 18 class; and (4) the representative parties will fairly and adequately protect the interests of 19 the class," see Fed. R. Civ. P. 23(a). 20 Further, the plaintiff must establish "at least one of the alternative requirements of 21 [Rule] 23(b)." See Valentino, 97 F.3d at 1234. Rule 23(b)(3), upon which plaintiffs herein 22 rely, provides for certification of a class where "the court finds that the questions of law or 23 fact common to class members predominate over any questions affecting only individual 24 members, and that a class action is superior to other available methods for fairly and 25 efficiently adjudicating the controversy." See Fed. R. Civ. P. 23(b)(3). 26 27 28 DISCUSSION As noted, plaintiffs seek to proceed with their three remaining Claims on behalf of a class. The Court next considers the three Claims in turn. 2 1 A. First Claim for Relief: Breach of Contract In the First Claim for Relief, plaintiffs allege that the terms of a "Privacy Statement" 2 3 located on Kimpton's website were part of the contract formed when each plaintiff and 4 putative class member reserved a hotel room, in that each was "required to accept the 5 Privacy Statement" during the reservations process. (See TAC ¶ 68.) Plaintiffs also 6 allege that the "Privacy Statement" included a "promise to safeguard and protect the 7 [c]lass [m]embers' PII from disclosure to third parties" (see TAC ¶ 70), and that such 8 promise was breached by the "failure to safeguard and protect the PII" (see TAC ¶ 75). In support of their motion for class certification, plaintiffs offer copies of Kimpton's United States District Court Northern District of California 9 10 "Privacy Policy" in effect during the relevant time period,3 which Policy contains the 11 following language, on which plaintiffs base their breach of contract claim: 12 We work diligently to protect the security of your personal information, including credit card information, during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. Your data is kept in a highly secure environment protected from access by unauthorized parties. It is important for you to protect against unauthorized access to your password and to your customer profile by ensuring that you logoff when you have finished visiting our site. 13 14 15 16 (See Marquez Decl., filed September 21, 2021, Ex. 10 at 4, Ex. 11 at 4.) Additionally, plaintiffs state they are basing their breach of contract claim on the 17 18 following statement, which they assert was shown to them on the "payment page" when 19 they made their reservations: 20 We at Kimpton are committed to keeping your personal information safe. Our secure server software (SSL) is the industry standard and among the best software available today for secure commerce transactions. It encrypts all of your personal information, including payment card number, name, and address, so that it cannot be read as the information travels over the internet. 21 22 23 (See Pls.' Mot. at 11:24-12:2, Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 5; TAC 24 ¶ 27.) 25 26 27 28 3 Plaintiffs allege that the "unauthorized third party" who breached Sabre's system was able to access, "during the period between August 10, 2016[,] and March 9, 2017," the "data of customers that stayed at [Kimpton's] hotels." (See TAC ¶¶ 1, 6.) 3 United States District Court Northern District of California 1 As noted, plaintiffs do not allege hackers accessed PII located in Kimpton's 2 system, but, rather, PII located in Sabre's system. Nonetheless, plaintiffs assert, Kimpton 3 can be deemed to have failed to comply with the above-referenced language because it 4 is "liable for Sabre's misconduct on an ostensible agency theory." (See Pls.' Mot. at 5 8:10.) 6 Assuming, arguendo, plaintiffs can establish, with regard to their breach of 7 contract claim, the four prerequisites of Rule 23(a), the Court finds, as discussed below, 8 plaintiffs have not shown questions of law or fact common to class members predominate 9 over questions affecting individual class members, as required by Rule 23(b)(3). 10 Under California law, "[a]n agency is ostensible when the principal intentionally, or 11 by want of ordinary care, causes a third person to believe another to be his agent who is 12 not really employed by him." See Cal. Civ. Code § 2300. "Liability of the principal for the 13 acts of an ostensible agent rests on the doctrine of 'estoppel,' the essential elements of 14 which are representations made by the principal, justifiable reliance by a third party, and 15 a change of position from such reliance resulting in injury." Kaplan v. Coldwell Banker 16 Residential Affiliates, Inc., 59 Cal. App. 4th 741, 747 (1997) (internal quotation and 17 citation omitted). Put another way, "[t]he person dealing with the agent must do so with 18 belief in the agent's authority and this belief must be a reasonable one," the "belief must 19 be generated by some act or neglect of the principal sought to be charged," and the 20 plaintiff, "in relying [to his detriment] on the agent's apparent authority[,] must not be guilty 21 of negligence." See id. (internal quotation and citation omitted). 22 Here, in contending common questions of fact exist for purposes of determining 23 whether Sabre was the ostensible agent of Kimpton, plaintiffs assert that Kimpton's 24 website contains no language indicating that "a third party, Sabre, would be processing 25 the payment information." (See Pls. Mot. at 10:17-18.) Additionally, plaintiffs rely on the 26 experiences of the three named plaintiffs, which experiences, they argue, made it 27 reasonable for each of them to have erroneously believed Kimpton "controlled the data," 28 rather than Sabre. (See id. at 10:13-17.) Specifically, each named plaintiff states that 4 1 when he made a reservation, he went to Kimpton's website, where he clicked on a "Book 2 Now" button, which resulted in a "drop-down menu" on which he entered "travel 3 information to find an available hotel room," that he next was directed to a webpage on 4 which he selected a hotel room, after which he was directed to a webpage on which he 5 entered his credit card information, and lastly, that he was directed to a "confirmation 6 page." (See Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 4.) Each named plaintiff 7 further states that, during the reservations process, he "d[id] not recall leaving the 8 Kimpton website." (See Thomas Decl. ¶ 3, Galati Decl. ¶ 3; Martin Decl. ¶ 5.) United States District Court Northern District of California 9 As noted, to establish the existence of an ostensible agency, justifiable reliance 10 must be shown. Here, Kimpton argues such determination cannot be made without 11 consideration of each putative class member's individual experience, and, in support 12 thereof, relies on the following provision in its Privacy Policy: 13 14 15 16 17 18 19 20 Third party Internet sites available through advertising and other links on our site have separate privacy and data collection practices. If you click on a link found on our websites or on any other website, you should always look at the location bar within your browser to determine whether you have been linked to a different website. This Policy, and our responsibility, is limited to our own information collection practices. We are not responsible for, and cannot always ensure, the information collection practices or privacy policies of other websites maintained by third parties or our service providers where you submit your personal information directly to such websites. In addition, we cannot ensure the content of the websites maintained by these third parties or our service providers. (See Marquez Decl., filed September 21, 2021, Ex. 10 at 3, Ex. 11 at 3.)4 Additionally, Kimpton offers evidence, undisputed by plaintiffs, that, during the 21 relevant time period, when individuals made reservations by clicking the "Book Now" link 22 on Kimpton's website, they were taken to a website operated by Sabre's SynXis Central 23 Reservations system, and that the uniform resource locator ("URL") displayed on the 24 location bar was "synxis.com," either as "mobile.synxis.com" or "gc.synxis.com." (See 25 26 27 28 4 Contrary to plaintiffs' argument that the above-quoted provision in the Privacy Policy only applies to "third party advertising links," the provision, as noted, applies to both "advertising and other links on [Kimpton's] site," including links to websites maintained by Kimpton's "service providers." (See id. Ex. 10 at 3, Ex. 11 at 3.) 5 1 O'Grady Decl., filed December 9, 2021, ¶¶ 4, 7; Kardassakis Decl., filed November 19, 2 2021, Ex. 21 at 45:10:10-14, 58:3-7, 58:8-16.) 3 4 plaintiffs allege each putative class member did (see TAC ¶ 36 (alleging all putative class 5 members "read" the Privacy Policy "prior to reserving their hotel rooms")), were told that, 6 if they clicked on a link, they should look at the location bar to determine if they were on a 7 webpage maintained by another company, and that, if so, such other entity would have 8 its own information collection practices and privacy policies. Moreover, once the "Book 9 Now" link was clicked, the location bar, as noted, indicated the webpage was not a 10 11 United States District Court Northern District of California In sum, persons who visited Kimpton's website and read the Privacy Policy, as Kimpton webpage. Under such circumstances, the Court finds a determination of whether a putative 12 class member held a reasonable belief that he/she was at all times on a Kimpton.com 13 website presents individual issues that predominate over common issues. Stated 14 otherwise, plaintiffs have not shown the issue of whether Sabre acted as Kimpton's 15 ostensible agent can be determined other than by considering the individual experience 16 of each putative class member. In particular, plaintiffs have not shown every putative 17 class member necessarily would have believed, at the time PII was provided, he/she was 18 providing it to Kimpton under Kimpton's privacy policy, as opposed to Sabre under 19 Sabre's privacy policy. See, e.g., Salazar v. McDonald's Corp., 2017 WL 88999, at *3, *6 20 (N.D. Cal. January 5, 2017) (holding, where plaintiffs asserted defendant could be held 21 liable for state law violations committed by defendant's alleged ostensible agent, plaintiffs 22 failed to show reliance could be established on classwide basis, as "inquiry require[d] 23 proof of what each [putative class member] knew or should have known" and each had 24 varying "knowledge and expectations" about relationship between defendant and 25 ostensible agent) (internal quotation and citation omitted); see also In re Coordinated 26 Pretrial Proceedings in Petroleum Products Antitrust Litig., 691 F.2d 1335, 1342 (9th Cir. 27 1982) (holding court, in ruling on motion to certify class, "is required to consider the 28 nature and range of proof necessary to establish [the claims]"). 6 1 2 their breach of contract claim on behalf of a class, the motion will be denied. 3 B. Third Claim for Relief: Violation of California Civil Code § 1798.81.5 4 United States District Court Northern District of California Accordingly, to the extent plaintiffs seek an order allowing them to proceed with In the Third Claim for Relief, plaintiffs assert Kimpton violated section 1798.81.5 of 5 the California Civil Code. Although the Third Claim for Relief is titled "Violation of Cal. 6 Civil Code § 1798.81.5(c)," the supporting allegations pertain solely to California Civil 7 Code § 1798.85.5(b). Specifically, plaintiffs, in the TAC, quote subdivision (b), which 8 provides that "[a] business that owns, licenses, or maintains personal information about a 9 California resident shall implement and maintain reasonable security procedures and 10 practices appropriate to the nature of the information, to protect the personal information 11 from unauthorized access, destruction, use, modification, or disclosure" (see TAC ¶ 88 12 (quoting Cal. Civ. Code § 1798.81.5(b)), and allege as the factual basis for such violation 13 that Kimpton "employed single factor authorization and/or allowed its contractor to 14 employ single factor authorization in its reservation system" (see TAC ¶ 92). 15 In the instant motion, plaintiffs do not appear to seek certification of a class for 16 purposes of plaintiffs' pursuing a claim under § 1798.81.5(b). Rather, plaintiffs appear to 17 argue they are entitled to pursue, on behalf of a class, a claim under § 1798.81.5(c), 18 which provides that "[a] business that discloses personal information about a California 19 resident pursuant to a contract with a nonaffiliated third party that is not subject to 20 subdivision (b) shall require by contract that the third party implement and maintain 21 reasonable security procedures and practices appropriate to the nature of the 22 information, to protect the personal information from unauthorized access, destruction, 23 use, modification, or disclosure." See Cal. Civ. Code § 1798.81.5(c). 24 As Kimpton points out, however, subdivision (c) is not implicated by the allegations 25 made in the TAC. Rather, as noted, plaintiffs allege in the TAC that it was plaintiffs 26 themselves, as well as all members of the putative class, that provided their PII to Sabre, 27 whose system was compromised by an unknown hacker (see TAC ¶¶ 23, 28), and 28 confirm in their motion for class certification that their claims are based on such 7 1 allegations (see Pls.' Mot. for Class Cert. at 2:2-7, 10:13-18; Pls.' Reply at 7:12). 2 Plaintiffs do not allege that Kimpton "disclose[d] personal information about a California 3 resident pursuant to a contract with a nonaffiliated third party," see Cal. Civ. Code 4 § 1798.81.5(c), nor do they allege that Sabre, acting as Kimpton's agent, "disclose[d]" 5 such personal information pursuant to a contract Sabre had with a nonaffiliated third 6 party, see id. In the absence of any such allegation, § 1798.81.5(c) is inapplicable. 7 Further, to the extent plaintiffs seek to certify a class under 1798.81.5(b), plaintiffs 8 again must rely on a theory of ostensible agency, and, as discussed above with regard to 9 the First Claim for Relief, a determination as to that question requires an individualized 10 United States District Court Northern District of California 11 inquiry. Accordingly, to the extent plaintiffs seek an order allowing them to proceed with a 12 claim under § 1798.81.5 on behalf of a class, the motion will be denied. 13 C. Eighth Cause of Action: Violation of Texas Deceptive Trade Practices Act 14 In the Eighth Claim for Relief, titled "Violation of Texas' Deceptive Trade Practices 15 – Consumer Protection Act, Texas. Bus. & Com. Code § 17.41, et seq. ['DTPA']," 16 plaintiffs allege that Kimpton engaged in "misleading" and "deceptive" acts or practices. 17 (See TAC ¶ 140.) As explained in their motion, plaintiffs base this claim on the same two 18 representations by Kimpton as those on which plaintiffs base their breach of contract 19 claim. (See Pls.' Mot. at 18:4:6.) 5 According to plaintiffs, such representations were 20 "misleading and deceptive" in light of Sabre's "actual protective measures," which 21 measures did not "employ multi-layer authentication." (See Pls.' Mot. at 18:4-8.) 22 Misleading and deceptive business practices are unlawful under § 17.50(a)(1) of 23 24 25 26 27 28 5 By order filed June 30, 2020, the Court dismissed with leave to amend the Eighth Claim for Relief to the extent it was based on "Kimpton's having made false statements." (See Order, filed June 30, 2020, at 15:7-9.) Thereafter, no further amended complaint was filed. Rather, as to the remaining bases for such claim, plaintiffs state they seek to certify a class based solely on Kimpton's having made two "misleading" and "deceptive" statements and appear to distinguish between, on the one hand, a "false" statement, and, on the other hand, a "misleading" or "deceptive" statement. As Kimpton has not challenged plaintiffs' proceeding in such manner, the Court does not further consider the matter at this time. 8 1 DTPA. Specifically, § 17.50(a)(1) prohibits "the use or employment by any person of a 2 false, misleading, or deceptive act or practice that is: (A) specifically enumerated in a 3 subdivision of Subsection (b) of Section 17.46 of [the DTPA];6 and (B) relied on by a 4 consumer to the consumer's detriment." See Tex. Bus. & Com. Code § 17.50(a)(1). 5 Here, assuming, arguendo, plaintiffs can establish, with regard to their DTPA 6 claim, the four prerequisites of Rule 23(a), the Court finds, as discussed below, plaintiffs 7 have not shown questions of law or fact common to class members predominate over 8 questions affecting individual class members. United States District Court Northern District of California 9 As noted, § 17.50(a)(1) requires a plaintiff to prove he relied to his detriment on a 10 misleading or deceptive act. See Cruz v. Andrews Restoration, Inc., 364 S.W. 3d 817, 11 824 (Tex. 2012) (holding violation of § 17.50(a) "is not complete without a finding of 12 reliance"). Although plaintiffs fail to expressly assert how reliance can be established on 13 a classwide basis, plaintiffs impliedly argue reliance can be shown on behalf of the entire 14 class because Kimpton's representations were uniform. As the Texas Court of Appeals 15 has observed, however, receipt by class members of the same representation is 16 insufficient to establish reliance on a classwide basis, as reliance "can be shown only by 17 demonstrating [each] person's thought processes in reaching the decision," and, 18 consequently, even "under all the same facts and circumstances, one person may have 19 relied on the misrepresentation in reaching a decision while another did not rely on it in 20 reaching the same decision." See Fidelity & Guaranty Life Ins. Co., 165 S.W. 3d 416, 21 423 (Tex. App. 2005) (internal quotation and citation omitted). 22 23 Here, the question of whether a putative class member relied on any statement describing Kimpton's privacy policy is, in the first instance, dependent on whether such 24 25 26 27 28 6 Plaintiffs rely on three acts enumerated in § 17.46(b): "Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have," see Tex. Bus. & Com. Code § 17.46(b)(5); "Representing that goods or services are of a particular standard, quality, or grade . . . if they are of another," see Tex. Bus. & Com. Code § 17.45(b)(7); and "Advertising goods or services with intent not to sell them as advertised," see Tex. Bus. & Com. Code § 17.46(b)(9). (See TAC ¶ 140.) 9 1 individual believed he/she was providing PII to Kimpton or to Sabre, and, consequently, 2 cannot be resolved on a classwide basis. See id. (noting "[t]he [Supreme Court of Texas] 3 did not entirely preclude class actions in which reliance was an issue, but it did make 4 such cases a near-impossibility"). 5 6 Accordingly, to the extent plaintiffs seek an order allowing them to proceed with a claim under the DTPA on behalf of a class, the motion will be denied. CONCLUSION 7 8 For the reasons stated: 9 1. Plaintiffs motion for class certification is hereby DENIED. United States District Court Northern District of California 10 2. Kimpton's motion to exclude the opinions of plaintiffs' damages expert, which 11 opinions pertain exclusively to calculating damages on a classwide basis, is hereby 12 DENIED as moot. 13 IT IS SO ORDERED. 14 15 Dated: April 20, 2022 MAXINE M. CHESNEY United States District Judge 16 17 18 19 20 21 22 23 24 25 26 27 28 10
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
