Schmitt et al v. SN Servicing Corporation, an Alaska Corporation, No. 3:2021cv03355 - Document 40 (N.D. Cal. 2021)
Court Description: ORDER GRANTING IN PART AND DENYING IN PART 35 MOTION TO DISMISS by Judge William H. Orrick. (jmd, COURT STAFF) (Filed on 11/12/2021)
Download PDF
<![CDATA[
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 DESIREE SCHMITT, et al., Plaintiffs, 8 United States District Court Northern District of California 9 Case No. 21-cv-03355-WHO v. 10 SN SERVICING CORPORATION, AN ALASKA CORPORATION, 11 Defendant. ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS Re: Dkt. No. 35 12 13 Plaintiff Desiree Schmitt brings this lawsuit against defendant SN Servicing Corporation 14 (“SNSC”) on behalf of a nationwide class of impacted borrowers for claims arising out of a data 15 breach incident that occurred on SNSC’s system in late 2020, of which SNSC did not notify its 16 customers for three months. SNSC has filed a motion to dismiss Schmitt’s First Amended 17 Complaint (“FAC”), which is GRANTED in part and DENIED in part, with leave to amend. The 18 motion is GRANTED with prejudice on Schmitt’s invasion of privacy claim because she has not 19 adequately alleged egregious conduct by SNSC. The motion is also GRANTED on the claim 20 brought under the “unlawful” prong of the UCL, with leave to amend. Although the Ninth Circuit 21 permits the Federal Trade Commission (“FTC”) Act and Guides to serve as predicates for 22 unlawful UCL claims, Schmitt has not pleaded these violations with enough specificity. The 23 motion is DENIED on Schmitt’s claim brought under the “unfair” prong of the UCL as well as her 24 negligence claim, as she has sufficiently pleaded elements of both. 25 BACKGROUND 26 Schmitt was a customer of SNSC, a financial services corporation that specializes in 27 servicing residential, small balance commercial, consumer, and unsecured loans. FAC [Dkt. No. 28 34] ¶ 10. On or about October 15, 2020, a ransomware-threat group known as “Mount Locker” United States District Court Northern District of California 1 (the “Unauthorized Party”) deployed ransomware into SNSC’s system and successfully acquired a 2 number of digital files maintained by SNSC (known hereinafter as the “data breach”). Id. at ¶ 15. 3 She states that the personal and financial information of at least 170,426 people were stolen and 4 held for ransom. Id. at ¶ 18. She also alleges that despite learning of the data breach and alerting 5 the Federal Bureau of Investigation “almost immediately,” SNSC did not notify Schmitt or class 6 members of the breach until January 14, 2021. Id. at ¶ 19. 7 SNSC’s Notice of Data Breach (“Notice”) informed recipients that personal information 8 was acquired through a “ransomware” attack that “may include, but is potentially not limited to: 9 your name, address, loan numbers, balance information and billing information such as charges 10 assessed, owed and/or paid.” Id. at ¶ 20 (citing Ex. B). The letter also stated that SNSC was “still 11 in the process of conducting a comprehensive investigation of this incident” and that recipients 12 “will be notified in the event we discover that any additional nonpublic personal information 13 (‘NPI’) or personally identifiable information (‘PII’) pertaining to you was exposed.” Id. at ¶ 21 14 (citing Ex. B). The Notice encouraged recipients, “[o]ut of an abundance of caution,” to “remain 15 vigilant . . . review your account statements and immediately report any suspicious activity.” See 16 id. at ¶ 67; Ex. B. It also recommended that recipients “obtain credit reports from each nationwide 17 credit reporting agency.” Id. 18 Schmitt claims that she did just that, purchasing credit monitoring at an annual cost of 19 more than $200, along with a password manager (costing $3 per month) and password protection 20 (costing more than $90). FAC at ¶ 68. She also contends that she has spent and will continue to 21 spend “time and energy protecting and monitoring her identity and credit,” including at least four 22 hours reviewing bank accounts and statements and at least 10 hours changing “hundreds of 23 passwords related to her business and personal accounts.” Id. at ¶ 69. 24 This vigilance was warranted, Schmitt contends. She alleges that on or around July 16, 25 2021, SNSC provided a supplemental disclosure to some class members stating that names, 26 contact information, birthdates, Social Security numbers, and “loan/borrower information” had 27 also been stolen in the data breach. Id. at ¶ 30 (citing Ex. C). Schmitt concedes that she did not 28 receive the July 16 letter, but notes that she had already filed this lawsuit when it was distributed. 2 1 Id. at ¶ 66. Schmitt further argues that she had “no reason to doubt, and every reason to assume,” 2 that her Social Security number, birthdate, and “loan/borrower information” was “also stolen and 3 in the hands of criminals.” Id. Schmitt asserts that she and other class members “provided their 4 lenders, servicers, and SNSC with significant personal, income, and financial information that 5 SNSC was able to acquire and to supplement by obtaining credit reports and banking information 6 from third parties.” Id. at ¶ 63. This information, she contends, includes: full names, mailing 7 addresses, phone numbers, email addresses, loan identification numbers, tax information, and 8 Social Security numbers. See id. United States District Court Northern District of California 9 Schmitt contends that personal and financial information is “such a valuable commodity to 10 identity thieves that once information has been compromised, criminals often trade the 11 information on the ‘cyber black-market’ for years.” Id. at ¶ 53. As such, she argues, “there is a 12 strong probability that entire batches of stolen information have been dumped on the black market, 13 or are yet to be dumped on the black market,” placing her and other class members “at an 14 increased risk of fraud and identity theft for many years into the future.” Id. at ¶ 54. She also 15 alleges that after the data breach, she has experienced an “increase in spam, phishing attempts, and 16 social engineering,” including repeated robotexts to her cell phone. Id. at ¶ 70. 17 Schmitt blames SNSC for the data breach, arguing that its “failure to adhere to reasonable 18 and necessary industry standards . . . resulted in the Data Breach and exacerbated its scope and 19 impact.” Id. at ¶ 32. She claims that SNSC undertook “basic steps recognized in the industry” to 20 protect her and other class members’ personal and financial information only after the breach. Id. 21 at ¶ 35. According to Schmitt, these steps included “replacing email filtering tools, malware 22 software, and Internet monitoring tools with more robust solutions that utilize artificial 23 intelligence (AI) to detect and block known and newly introduced malware,” and blocking all 24 Internet traffic with foreign countries. See id. (citing Ex. B). Schmitt also alleges that SNSC 25 failed to comply with FTC cybersecurity standards. See id. at ¶¶ 37-43. Schmitt argues that had 26 SNSC properly maintained its systems and protected Schmitt and other class members’ 27 information, it could have prevented the breach. See id. at ¶ 44. She also contends that SNSC 28 “should have notified all of its customers much sooner.” Id. at ¶ 45. 3 Schmitt filed this lawsuit in San Francisco County Superior Court on March 12, 2021, 1 2 bringing three claims on behalf of a nationwide class of borrowers impacted by the data breach: 3 (1) negligence; (2) invasion of privacy; (3) the “unlawful” and “unfair” prongs of California’s 4 Unfair Competition Law (“UCL”).1 On May 5, 2021, SNSC removed the action to federal court 5 and subsequently filed a motion to dismiss for failure to state a claim. Dkt. Nos. 1, 14. Although I 6 found that Schmitt could assert California law claims as an Ohio resident, she failed to plausibly 7 plead elements of those claims. See Mot. to Dismiss Order (“First MTD Order”) [Dkt. No. 27] 1. 8 As such, I denied the motion in part and granted in part with leave to amend. Id. Schmitt filed her 9 FAC on August 30, 2021, which prompted a second motion to dismiss by SNSC. Dkt. Nos. 34, 10 35. I now consider that motion. LEGAL STANDARD United States District Court Northern District of California 11 12 Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint 13 if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to 14 dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its 15 face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible 16 when the plaintiff pleads facts that allow the court to “draw the reasonable inference that the 17 defendant is liable for the misconduct alleged.” See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) 18 (citation omitted). There must be “more than a sheer possibility that a defendant has acted 19 unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff 20 must allege facts sufficient to “raise a right to relief above the speculative level.” See Twombly, 21 550 U.S. at 555, 570. 22 In deciding whether the plaintiff has stated a claim upon which relief can be granted, the 23 court accepts the plaintiff’s allegations as true and draws all reasonable inferences in their favor. 24 See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not 25 required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, 26 27 28 1 A second plaintiff, James Furth, was named in the original complaint. See Dkt. No. 1. However, Furth was not named in the Amended Complaint, nor any of the filings related to this Motion to Dismiss. 4 1 or unreasonable inferences.” See In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2 2008). 3 If the court dismisses the complaint, it “should grant leave to amend even if no request to 4 amend the pleading was made, unless it determines that the pleading could not possibly be cured 5 by the allegation of other facts.” See Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In 6 making this determination, the court should consider factors such as “the presence or absence of 7 undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous 8 amendments, undue prejudice to the opposing party and futility of the proposed amendment.” See 9 Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989). DISCUSSION 10 United States District Court Northern District of California 11 12 I. INVASION OF PRIVACY Under California law, a plaintiff must show three elements to adequately state a claim for 13 invasion of privacy: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy 14 under the circumstances; and (3) a serious invasion of the privacy interest. In re iPhone 15 Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (internal citation omitted). SNSC 16 again challenges the third element of Schmitt’s claim. 17 There is a “high bar” for pleading an invasion of privacy claim. Low v. LinkedIn Corp., 18 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012). “Actionable invasions of privacy must be 19 sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious 20 breach of the social norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletic Assn., 7 21 Cal. 4th 1, 37 (1994) (emphasis added). “Even negligent conduct that leads to theft of highly 22 personal information, including Social Security numbers, does not approach the standard of 23 actionable conduct under the California Constitution and thus does not constitute a violation of 24 plaintiffs’ right to privacy.” iPhone Application Litig., 844 F. Supp. 2d at 1063 (internal citation 25 and quotation marks omitted). 26 SNSC argues that Schmitt again fails to allege any egregious or intentional conduct. Mot. 27 to Dismiss (“MTD”) [Dkt. No. 35] 6:11-12. Rather, SNSC contends, Schmitt makes “barebones 28 allegations” that she has the right to be “highly offended” by the disclosure of her personal 5 United States District Court Northern District of California 1 information, and that the breach alone warrants proceeding with this claim. Id. at 6:11-15. SNSC 2 argues that this does not amount to a serious invasion of privacy. Id. at 6:15. In support, SNSC 3 cites two cases with similar allegations as those raised by Schmitt. In one, the court held that 4 “[l]osing personal data through insufficient security doesn’t rise to the level of an egregious breach 5 of social norms underlying the protection of sensitive data like Social Security numbers.” Razuki 6 v. Caliber Home Loans, Inc., No. 17-CV-1718, 2018 WL 2761818, at *2 (S.D. Cal. June 8, 2018). 7 In the other, the court dismissed an invasion of privacy claim because the plaintiff did not “allege 8 any facts that would suggest that the data breach was an intentional violation of plaintiff’s and 9 other class members’ privacy, as opposed to merely a negligent one.” Dugas v. Starwood Hotels 10 & Resorts Worldwide, Inc., No. 3:16-CV-00014, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 11 2016). 12 These cases are more on point than the one cited by Schmitt, who argues that the instant 13 circumstances are akin to the invasion of privacy that occurred in In re Facebook, Inc., Consumer 14 Privacy User Profile Litig., 402 F. Supp. 3d 767 (N.D. Cal 2019). See Oppo. to Mot. to Dismiss 15 (“Oppo.”) [Dkt. No. 36] 16:19-20. In re Facebook arose from the Cambridge Analytica scandal, 16 alleging that Facebook acted unlawfully by “making user information widely available to third 17 parties” and “failing to do anything meaningful to prevent third parties from misusing the 18 information they obtained.” Id. at 777-78. According to Schmitt, “essentially the same conduct is 19 alleged” here. Oppo. at 16:24. 20 It is difficult to see how Schmitt draws this conclusion. In re Facebook involved 21 Facebook’s alleged practice of intentionally sharing information about its users with a “non- 22 exclusive list of business partners.” In re Facebook, 402 F. Supp. 3d at 781. In turn, those 23 companies allegedly shared data with Facebook. Id. In addition, Facebook was accused of doing 24 nothing to stop those “business partners” from misusing the user information that Facebook 25 provided. Id. In one instance—the Cambridge Analytica scandal that gave rise to the litigation— 26 a researcher gave the information that he obtained from Facebook to a British consulting firm, 27 which then used personal information from millions of Facebook accounts to send targeted 28 political messages during the 2016 presidential campaign. See id. at 777. 6 1 That is a far cry from the allegations at hand. First, there is no indication of any intentional 2 sharing of information by SNSC similar to that by Facebook. Schmitt does not contend that SNSC 3 was in business with, purposefully shared consumers’ personal information with, or received data 4 from the Unauthorized Party. Schmitt claims that SNSC allowed access to consumers’ personal 5 information by storing it in “a place where hackers would target and easily succeed in acquiring it 6 as a result of SNSC’s unreasonable data security.” Oppo. at 16:25-27 (citing FAC at ¶ 25, 111). 7 But procuring information via security breach is inherently different than obtaining it through an 8 agreed-upon exchange between business partners, as alleged in In re Facebook. See In re 9 Facebook, 402 F. Supp. 3d at 781. Schmitt repeatedly refers to the incident involving SNSC as a United States District Court Northern District of California 10 “breach” and “attack,” underscoring this crucial difference. See, e.g., FAC at ¶ 1, 14, 23, 107. 11 Schmitt also cites In re Facebook in arguing that the “intimate details” regarding her and 12 class members was sufficiently sensitive to render the data breach an invasion of privacy. Oppo. 13 at 17:3-10. This argument also fails, as the compromise of any information resulted from alleged 14 conduct that was (at most) negligent and not intentional. See iPhone Application Litig., 844 F. 15 Supp. 2d at 1063. (“Even negligent conduct that leads to theft of highly personal information, 16 including Social Security numbers, does not . . . constitute a violation of plaintiffs’ right to 17 privacy.”). Because Schmitt has not met the high bar for pleading invasion of privacy, I GRANT 18 19 20 SNSC’s motion to dismiss the invasion of privacy claim with prejudice. II. UCL 21 The UCL prohibits “any unlawful, unfair or fraudulent business act or practice.” Cal. Civ. 22 Code § 17200. Each prong provides a “separate and distinct theory of liability.” Lozano v. AT&T 23 Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). Schmitt claims violations of two of the 24 three prongs, alleging unlawful and unfair actions by SNSC. See FAC at ¶¶ 115-122. 25 A. UNLAWFUL 26 The unlawful prong of the UCL prohibits “anything that can properly be called a business 27 practice and that at the same time is forbidden by law.” In re Yahoo! Inc. Customer Data Sec. 28 Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *23 (N.D. Cal. Aug. 30, 2017) 7 1 (citation omitted). “By proscribing ‘any unlawful’ business practice, the UCL permits injured 2 consumers to ‘borrow’ violations of other laws and treat them as unlawful competition that is 3 independently actionable.” Id. However, the claim “must identify the particular section of the 4 statute that was violated, and must describe with reasonable particularity the facts supporting the 5 violation.” Bros. v. Hewlett-Packard Co., No. C-06-02254-RMW, 2006 WL 3093685, at *7 (N.D. 6 Cal. Oct. 31, 2006) (internal citation omitted). If a plaintiff cannot state a claim under the 7 “borrowed” law, he or she cannot state a UCL claim. Golden v. Sound Inpatient Physicians Med. 8 Grp., Inc., 93 F. Supp. 3d 1171, 1179 (E.D. Cal. 2015). United States District Court Northern District of California 9 Schmitt alleges violations of the FTC Act and of FTC “regulations, guidance, and 10 decisions” as grounds for her claim under the UCL’s unlawful prong. FAC at ¶ 117 (citing in part 11 15 U.S.C. § 45, et. seq.). At oral argument, her counsel referenced a footnote in her brief that 12 cited an electronic brochure published by the FTC, which was included in Schmitt’s Opposition 13 but not in her FAC. See Oppo. at 18 n.3. 14 I previously held that because the FTC Act did not confer a private right of action, it could 15 not serve as a predicate for a UCL claim under the latter’s unlawful prong. See First MTD Order 16 at 16-17 (“For purposes of alleging an unlawful business practice, plaintiffs cannot predicate their 17 UCL claim on the FTC Act.”). I thought that O’Donnell v. Bank of Am., Nat. Ass’n, 504 Fed. 18 Appx. 566 (2013) was more persuasive than the district court’s ruling in In re Anthem, Inc. Data 19 Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016), particularly because it came from the Ninth 20 Circuit. See First MTD Order at 16-17. 21 Now, Schmitt cites new cases supporting her argument that the FTC Act and guidelines 22 can provide the basis for an unlawful UCL claim, the most compelling of which come from the 23 Ninth Circuit and the California Supreme Court. See Oppo. at 20. In Rubenstein v. Neiman 24 Marcus Grp. LLC, 687 Fed. Appx. 564, 567 (9th Cir. 2017), the court held that “although the FTC 25 Guides do not provide a private civil right of action, virtually any state, federal or local law can 26 serve as the predicate for an action under the UCL.” (internal quotation marks and citation 27 omitted). Although this contradicts O’Donnell, it too directly addresses the lack of the private 28 right of action as it pertains to FTC guidelines and the UCL and is later in time (though neither 8 1 case is precedential). It also aligns with the California Supreme Court’s decision in Rose v. Bank 2 of America, N.A., 57 Cal. 4th 390, 397-98 (2013), which allowed UCL claims based on violations 3 of the Truth in Savings Act, even though the statute’s private right of action for damages had been 4 repealed. For those reasons, I agree with the reasoning in Rubenstein and Schmitt may predicate 5 her UCL unlawful claim on the FTC Act and FTC guidelines. The problem, however, is that Schmitt again fails to plead violations of either the FTC Act United States District Court Northern District of California 6 7 or guidelines with the requisite particularity. When alleging unlawful conduct, the FAC predicates 8 her UCL claim on violations of the FTC Act or FTC regulations, guidance, and decisions. See 9 FAC at ¶ 117. But Schmitt does not name which specific provision of the FTC Act was allegedly 10 violated, let alone how. See id. The same goes for the FTC guidelines. Unlike in Rubenstein, 11 where the plaintiffs alleged violations of specific FTC Guides (the Guides Against Deceptive 12 Pricing, 16 Code of Federal Regulations Sections 233.1 and 233.2(c)), Schmitt only mentions 13 general FTC “guides” and “standards.” See Rubenstein, 687 Fed. Appx. at 566; FAC at ¶¶ 37-38, 14 117. 15 The footnote counsel mentioned does not save the claim. It cites an electronic “guide for 16 business” published by the FTC. See Oppo. at 18 n.3 (linking to “Protecting Personal 17 Information: A Guide for Business”). But the authority of this document is unclear. It does not 18 appear to cite to any federal regulations, as in Rubenstein. See id. It encourages readers to “take 19 stock of the law” and references three statutes that “may require you to provide reasonable 20 security for sensitive information,” but does not elaborate beyond providing a link to the FTC 21 website. See id. at 6. Moreover, the introduction to the document describes it as a “brochure.” Id. 22 at 2. There is no indication that this document constitutes a law or federal regulation, nor carries 23 the weight of such. Without any argument from Schmitt showing this, this document cannot serve 24 as a predicate for her unlawful UCL claim. 25 Schmitt also points to a Third Circuit case as well as SNSC’s Privacy Policy in arguing 26 that her allegations have the requisite particularity. See Oppo. at 18-19. But neither resolve the 27 ongoing flaw in the pleadings: Schmitt has failed to (1) identify a particular section of the statute 28 (in this case, the specific provision of the FTC Act or an FTC Guide); and (2) describe with any 9 1 particularity the facts supporting the purported violations of that section. Accordingly, I find that Schmitt has not adequately pleaded a violation of a statute giving 2 United States District Court Northern District of California 3 rise to a claim under the unlawful prong of the UCL. 4 B. UNFAIR 5 The unfair prong of the UCL creates a cause of action for a business practice that is unfair 6 even if not proscribed by another law. In re Yahoo!, 2017 WL 3727318, at *23 (citation omitted). 7 The UCL does not define “unfair,” and the “proper definition of ‘unfair’ conduct against 8 consumers ‘is currently in flux’ among California courts.” Id. Some courts apply what is referred 9 to as the “tethering test,” where unfairness must “be tethered to some legislatively declared policy 10 or proof of some actual or threatened impact on competition.” Lozano, 504 F.3d at 735 (citation 11 omitted). Others use the “balancing test,” which requires courts to “weigh the utility of the 12 defendant’s conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank 13 Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). Plaintiffs 14 “may proceed with a UCL claim under the balancing test by either alleging immoral, unethical, 15 oppressive, unscrupulous or substantially injurious conduct by defendants or by demonstrating 16 that defendants’ conduct violated an established public policy.” In re Anthem, 162 F. Supp. 3d at 17 990. 18 SNSC contends that Schmitt fails both tests. First, SNSC asserts that because Schmitt has 19 failed to allege “any legitimate violation of statutory law, there is no legislative policy” to which 20 she can tether her claim. See MTD at 11:10-18. SNSC extends this argument to the first aspect of 21 the balancing test, again asserting that Schmitt cannot show that SNSC violated an “clear, 22 established public policy.” Id. at 12:22-13:12. Regarding the second aspect of the balancing test, 23 SNSC asserts that Schmitt has not alleged how the ransomware attack amounts to “immoral, 24 unethical, oppressive, unscrupulous or substantially injurious” acts, beyond “reciting the words” in 25 the FAC. See id. at 12:14-17. 26 Turning first to the tethering test, I agree that Schmitt has not sufficiently pleaded a 27 28 10 1 violation of public policy.2 The FAC contends that it is the “established public policy of this state 2 that confidential information entrusted to financial institutions . . . be adequately protected from 3 outside institutions.” FAC at ¶ 116. Schmitt also alleges that “SNSC’s practices were contrary to 4 legislatively declared and public policies that seek to protect consumer data and ensure that 5 entities who solicit or are entrusted with personal and financial data utilize appropriate security 6 measures.” Id. Schmitt argues that these public policies are reflected in the FTC Act, Section 1798.81.5 of United States District Court Northern District of California 7 8 the California Civil Code, and Article I, Section 1 of the California Constitution. See id. But the 9 FTC Act and cited section of the California Constitution make no mention of personal information 10 or consumer data, nor the legislative intent behind either. Cf. In re Adobe Sys., Inc. Privacy Litig., 11 66 F. Supp. 3d 1197, 1227 (N.D. Cal. 2014) (noting that “California legislative intent is clear” as 12 to the cited statutes, allowing plaintiffs to adequately allege a claim under the UCL’s unfair 13 prong); Diva Limousine, Ltd. v. Uber Techs., Inc., 392 F. Supp. 3d. 1074, 1091 (N.D. Cal. 2019) 14 (finding that plaintiffs adequately alleged an unfair UCL claim because the California Labor Code 15 “expressly declares that ‘it is the policy of this state to vigorously enforce minimum labor 16 standards’” relevant to the claim). These provisions might in fact reflect the public policy that 17 Schmitt alleges. But she needs to draw a more direct line between the two in order to adequately 18 allege that SNSC’s actions violated any public policy. 19 Section 1798.81.5(a)(1) of the California Civil Code expressly declares the Legislature’s 20 intent to protect personal information. As I have previously stated, however, case law indicates 21 that this section only applies to California residents, suggesting that any associated public policy 22 may be similarly limited. See First MTD Order at 17 (citing In re Sony Gaming Networks & 23 Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 973 (S.D. Cal. 2012); see also Cal. Civ. 24 Code § 1798.81.5(a)(1) (“It is the intent of the Legislature to ensure that personal information 25 about California residents is protected.”) (emphasis added). Schmitt does not argue otherwise. That said, I find that Schmitt has plausibly alleged “immoral, unethical, oppressive, 26 27 28 2 Schmitt did not allege any actual or threatened impact on competition by SNSC. See FAC at ¶¶ 116-122. 11 United States District Court Northern District of California 1 unscrupulous or substantially injurious” conduct by defendants, satisfying the balancing test at this 2 stage of the litigation. In re Anthem, 162 F. Supp. 3d at 990. The FAC offers sufficient facts to 3 allege this type of conduct, in part by claiming that SNSC represented in its Privacy Policy that “to 4 protect . . . personal information from unauthorized access and use” it used security measures 5 including “computer safeguards, secured files and buildings,” but knowingly failed to employ 6 adequate safeguards. See FAC at ¶ 119; Ex. A. While I agree with SNSC that its own Privacy 7 Policy does not carry the same weight as a legislatively declared public policy, the key is that 8 SNSC represented to customers that it would protect their personal information despite knowing, 9 according to Schmitt, that it had inadequate safeguards in place. See Reply [Dkt. No. 37] 5:25-27. 10 Moreover, Schmitt alleges that SNSC’s conduct was “immoral, unethical, oppressive, 11 unscrupulous, unconscionable, and/or substantially injurious” when it failed to disclose the data 12 breach in a timely manner, now pleading that SNSC had a duty to so. See, e.g., FAC at ¶ 118. 13 Therefore, based on the balancing test, I find that Schmitt has sufficiently stated a claim under the 14 unfair prong of the UCL. For these reasons, SNSC’s motion to dismiss is DENIED with respect to the claim brought 15 16 under the unfair prong of the UCL. It is GRANTED on the claim brought under the unlawful 17 prong, with leave to amend. 18 19 20 III. NEGLIGENCE To state a claim for negligence in California, a plaintiff must show duty, breach, causation, and damages. Conroy v. Regents of Univ. of Cal., 45 Cal. 4th 1244, 1250 (2009). 21 A. PERSONAL IDENTIFYING INFORMATION 22 As an initial matter, in my prior Order, I held that Schmitt failed to adequately assert that 23 personal identifying information (“PII”) was among the information compromised during the data 24 breach—and thus, could not show that SNSC had a duty to protect that information. First MTD 25 Order at 8:16-19. I stated that Schmitt could show this by “pleading what kind of information 26 [she], and customers like [her], provided to SNSC.” Id. at 8:19-20. “With allegations that certain 27 less sensitive information was released during the data breach . . . and that SNSC at least had in its 28 possession other more sensitive information (which rise to the level of PII), a reasonable inference 12 1 2 SNSC asserts that Schmitt has again failed to do this. See MTD at 14. SNSC relies 3 heavily on the language of the Notice sent to customers, which it argues makes “abundantly clear 4 that plaintiff has no case because none of her PII was accessed and compromised.” Id. at 14:11- 5 16. SNSC cites excerpts, including: 6 7 • • 8 • 9 • 10 11 United States District Court Northern District of California could be drawn that PII was also among the information compromised.” Id. at 8:20-24. 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 SNSC is “not aware of the misuse of any of your information. . . .” “[N]one of the information that was compromised included credit card information, or banking account information. . . .” “The information compromised was largely limited to March 2018 Billing Statements and fee notices. . . .” “[Y]ou will be notified in the event we discover that any . . . personally identifiable information (‘PII’) pertaining to you was exposed.” Id. at 14 (citing FAC, Ex. B). Schmitt responds by arguing that she adequately amended her Complaint to include the types of information about Schmitt and class members that SNSC possessed at the time of the breach. See Oppo. at 7:11-18. She first cites SNSC’s Privacy Policy, which states that SNSC collects and shares information that can include Social Security numbers and account balances, transaction and credit histories, credit scores, and mortgage rates and payments. See Oppo. at 7:12-15 (citing FAC at ¶ 12). Schmitt adds to this list later in the FAC, alleging that she and class members “provided their lenders, servicers, and SNSC with significant personal, income, and financial information that SNSC was able to acquire and to supplement by obtaining credit reports and banking information from third parties.” Id. at ¶ 63. That information, Schmitt asserts, includes Social Security numbers, full names, property and insurance details, loan history information, and tax and credit information. See id. In deciding whether a plaintiff has stated a claim upon which relief can be granted, I must accept her allegations as true and draw all reasonable inferences in her favor. See Usher, 828 F.2d at 561. California law recognizes the disclosure of a person’s name and Social Security number as the disclosure of PII. See Cal. Civ. Code § 1798.81.5(d)(1)(A)(i). Schmitt proffers enough factual allegations—including SNSC’s own Privacy Policy—to reasonably infer that SNSC had Social 28 13 United States District Court Northern District of California 1 Security numbers in its possession when the breach occurred. See FAC at ¶¶ 12, 63. This 2 allegation is also supported by the supplemental disclosure sent to class members, stating that the 3 Unauthorized Party “may have had access” to names, contact information, birthdates, Social 4 Security numbers, and “loan/borrower information” during the data breach. Id. at ¶ 30 (citing Ex. 5 C). Although Schmitt did not receive the letter, she notes that this lawsuit was pending at the time 6 it was distributed. Id. at ¶ 66. Drawing all reasonable inferences in her favor, I find that Schmitt 7 has sufficiently pleaded that the information compromised in the data breach included PII. 8 B. DUTY OF CARE 9 California courts consider several factors when determining the existence of a legal duty. 10 The “Rowland factors” include: (1) the foreseeability of harm to the plaintiff; (2) the degree of 11 certainty that the plaintiff suffered injury; (3) the closeness of the connection between the 12 defendant’s conduct and the injury suffered; (4) the moral blame attached to the defendant’s 13 conduct; (5) the policy of preventing future harm; (6) the extent of the burden to the defendant and 14 consequences to the community of imposing a duty; and (7) the availability, cost, and prevalence 15 of insurance for the risk involved. Regents of Univ. of Cal. v. Superior Court, 4 Cal. 5th 607, 628 16 (2018). The Regents court noted that these factors fall into two categories: one involving 17 “foreseeability and the related concepts of certainty and the connection between plaintiff and 18 defendant,” and the other examining “public policy concerns of moral blame, preventing future 19 harm, burden, and insurance availability.” Id. at 629. The court also noted that the factors “must 20 be evaluated at a relatively broad level of factual generality.” Id. at 628. 21 22 i. Foreseeability Factors SNSC argues that the first Rowland factor is not met because Schmitt’s alleged harm— 23 “expenses and/or time spent on credit monitoring”—was not foreseeable. MTD at 15:14-16 24 (citing FAC at ¶ 109). SNSC describes the Schmitt’s actions as “entirely unnecessary” and 25 “voluntary,” arguing that because her PII was not accessed or misused, there was no need for her 26 to spend time or money monitoring her credit. See id. at 15:16-24. SNSC cites the Notice as 27 affirming that Schmitt’s PII was not accessed or misused, along with the supplemental disclosure 28 in arguing that SNSC offered “complimentary credit monitoring and identity theft services” to 14 1 affected individuals. Id. at 15:18-26 (citing FAC, Exs. B, C). The latter, SNSC argues, further 2 shows there was “no reason to incur this ‘harm.’” Id. at 15:19. 3 4 In the letter, SNSC encouraged recipients to “remain vigilant over [the] next twelve (12) to 5 twenty-four (24) months, review your account statements and immediately report any suspicious 6 activity.” See FAC, Ex. B. It also recommended that recipients “regularly obtain credit reports 7 from each nationwide credit reporting agency.” Id. SNSC’s argument that its own 8 recommendations were not foreseeable is not persuasive. 9 United States District Court Northern District of California As Schmitt argues, this ignores the language of the Notice itself. See Oppo. at 10:26-11:9. SNSC summarily challenges the second and third Rowland factors—the degree of certainty 10 that Schmitt suffered injury and closeness of the connection between SNSC’s conduct and the 11 alleged injury—on the same grounds. See MTD at 16:1-7. However, as explained below, the 12 money and time Schmitt spent monitoring her credit constitutes a sufficient injury for her claims 13 to proceed. She also adequately alleges that her injury is closely connected to SNSC’s purported 14 failure to protect the personal information of Schmitt and other class members, along with its 15 recommendation that customers monitor their credit. See Oppo. at 11:18-24. 16 17 ii. Policy Factors Turning to the policy-related factors, SNSC first argues that there is “no moral blame to 18 attach to SNSC,” particularly when the ransomware attack and purported harm to Schmitt was not 19 foreseeable. See MTD at 16:9-11. In support, SNSC cites Castillo v. Seagate Tech., LLC, No. 16- 20 CV-01958-RS, 2016 WL 9280242, at *6 (N.D. Cal. Sept. 14, 2016), which analyzed moral 21 blameworthiness under the economic loss doctrine. In Castillo, the court held that the plaintiffs 22 failed to adequately plead that the defendant’s actions were immoral because they had not 23 “provided enough information to permit an inference that [the defendant] should have been on the 24 lookout for fraudulent requests for W-2 information.” See id. Without “reckless or purposeful 25 behavior,” SNSC argues, “no moral blame can attach.” See MTD at 16:17-18 (citing Castillo, 26 2016 WL 9280242, at *6). 27 28 But Castillo is distinguishable. The Castillo plaintiffs alleged that the defendant owed them a duty to “protect their personal identifying information and to inform them reasonably 15 1 promptly about the phishing attack.” See Castillo, 2016 WL 9280242, at *2. Schmitt takes issue 2 with SNSC’s purported misrepresentations in its Privacy Policy, along with the delayed 3 notification to customers after the data breach was discovered. Oppo. at 11-12; see also FAC at ¶ 4 105-106 (alleging “reckless disregard” by SNSC). And while the Castillo plaintiff were informed 5 of the breach either “a few days” or “about a week” after it occurred, Schmitt alleges she was not 6 notified for three months. See Castillo, 2016 WL 9280242, at *1; FAC at ¶ 19. I also find that the policy of preventing future harm favors imposing a duty of care, as it United States District Court Northern District of California 7 8 would strengthen information security for customers like Schmitt, who entrust companies like 9 SNSC with their PII and, in the event that something goes awry, expect prompt notification. See 10 Oppo. at 12-13. Again, SNSC cites a distinguishable case when arguing otherwise. See MTD at 11 16:26-17:6. It is true that the court in Sakai v. Massco Invs., LLC, 20 Cal. App. 5th 1178, 1189-90 12 (2018), declined to find liability for harm caused by a third party “as a matter of policy,” citing in 13 part the “onerous” burden of implementing preventative measures. But that case involved 14 markedly different circumstances, arising after a taco truck customer was struck by a vehicle in a 15 gas station parking lot. See id. at 1181-82. Any burden imposed on SNSC to strengthen its 16 security measures or speed up its notification processes would be incurred by a large company, not 17 the owner of a gas station. See MTD at 17:7-15. The benefits would also reach a wider audience. 18 Schmitt has adequately alleged that any burden would be outweighed by the “significant” benefits 19 of reducing “identity fraud, phishing, and social engineering schemes,” as well as lessening the 20 risks of customers’ identity theft and fraud. See Oppo. at 13:7-15. Although the parties disagree 21 as to the expense and availability of insurance, the final Rowland factor, it is not dispositive, as the 22 remaining factors all weigh in favor of imposing a duty of case. For these reasons, I find that Schmitt has adequately alleged that SNSC had a duty of care 23 24 to protect her PII.3 25 26 27 28 3 Schmitt also contends in her Opposition that SNSC had a duty of case based on a special relationship, because it created the peril, and under the doctrine of negligence per se. See Oppo. at 8-9. Because I find that Schmitt has adequately pleaded a duty of care under the Rowland factors, I need not evaluate the duty in these other contexts. 16 United States District Court Northern District of California 1 C. BREACH 2 SNSC does not challenge breach in its Motion to Dismiss. I previously noted that if 3 Schmitt were to adequately allege a plausible legal duty, the burden to plead a corresponding 4 breach based on SNSC’s inadequate security measures was “not high.” See First MTD Order at 5 8:26-28. Because Schmitt has adequately alleged a duty, I see no issue with breach. 6 D. CAUSATION AND DAMAGES 7 SNSC challenges causation and damages with familiar arguments. It argues that Schmitt 8 “does not make the requisite connection between the alleged breach and [her] damages” because 9 she does not assert that: “(1) her PII was actually stolen and misused, (2) she was a victim of 10 identity theft or fraud, and (3) she did not suffer identify theft or fraud prior to this incident.” See 11 MTD at 18:15-18. 12 These arguments have been settled. As stated in my prior Order, recent case law makes 13 clear that “time and money” a plaintiff spends on credit monitoring in response to a data breach “is 14 cognizable harm to support [a] negligence claim.” See First MTD Order at 10 (citing Huynh v. 15 Quora, Inc., 508 F. Supp. 3d 633, 649-50 (N.D. Cal 2020) and other cases). Schmitt has clearly 16 asserted plausible damages under existing law. 17 In my prior Order, I also noted that if Schmitt were to plausibly plead that her PII was 18 compromised, “a reasonable inference would follow that [her] decision to purchase monitoring 19 services was ‘reasonable’ and ‘necessary.’” See First MTD Order at 12:1-2. As explained above, 20 Schmitt has done this. Again, I see no reason to depart from my earlier thinking. 21 22 Given these considerations, I find that Schmitt has sufficiently pleaded a claim for negligence. Accordingly, SNSC’s motion is DENIED on this claim. CONCLUSION 23 24 25 26 27 For the foregoing reasons, SNSC’s Motion to Dismiss is GRANTED in part and DENIED in part, with leave to amend in twenty days. IT IS SO ORDERED. Dated: November 12, 2021 William H. Orrick United States District Judge 28 17
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
