UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

IN RE SAN FRANCISCO 49ERS DATA BREACH LITIGATION.

Case No. 3:22-cv-05138-JD

ORDER RE DISMISSAL

Plaintiffs in this consolidated action say that their personally identifiable information (PII) was hacked in a data breach of defendant San Francisco 49ers’ computer systems in February 2022. Dkt. No. 28 (consolidated amended complaint). They allege claims for negligence, breach of implied contract, and violations of the California Consumer Records Act, Cal. Civ. Code § 1798.80 et seq. (CRA), Unfair Competition Law, Cal. Bus. Code § 17200 et seq. (UCL), California Consumer Privacy Act, Cal. Civ. Code § 1798.150 (CCPA), and the Georgia Uniform Deceptive Trade Practices Act, Ga. Code Ann. § 10-1-370 et seq. (Georgia UDTPA). The 49ers ask to dismiss under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). Dkt. No. 42.

The parties’ familiarity with the record is assumed. Overall, most of the claims are just plausible enough to warrant a fully developed record for determination on summary judgment. Negligence per se is dismissed with prejudice as a freestanding claim, and the Georgia UDTPA claim is dismissed with leave to amend.

LEGAL STANDARDS

Under Rule 12(b)(1), dismissal is appropriate if the Court lacks subject matter jurisdiction. Fed. R. Civ. P. 12(b)(1). Federal courts are courts of limited jurisdiction, and the “case or controversy” requirement of Article III of the U.S. Constitution “limits federal courts’ subject

Mut. Auto. Ins., 598 F.3d 1115, 1121 (9th Cir. 2010); see also Maystrenko v. Wells Fargo, N.A., No. 21-CV-00133-JD, 2021 WL 5232221, at *2 (N.D. Cal. Nov. 10, 2021).
“[A] plaintiff must demonstrate standing to sue by alleging the ‘irreducible constitutional minimum’ of (1) an ‘injury in fact’ (2) that is ‘fairly traceable to the challenged conduct of the defendants’ and (3) ‘likely to be redressed by a favorable judicial decision.’” Patel v. Facebook Inc., 290 F. Supp. 3d 948, 952 (N.D. Cal. 2018) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016)). The “specific element of injury in fact is satisfied when the plaintiff has suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. (internal quotations and citations omitted).

“A Rule 12(b)(1) jurisdictional attack may be facial or factual. In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (citations omitted); see also Patel, 290 F. Supp. 3d at 951-52. The 49ers’ attack on plaintiffs’ standing is facial, and the truth of the allegations in the complaint will be assumed.

For Rule 12(b)(6) motion to dismiss, a plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). This calls for enough “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Twombly, 550 U.S. at 556). The plausibility analysis is “context-specific” and not only invites, but “requires the reviewing court to draw on its judicial experience and common sense.” Id. at 679.

DISCUSSION

I. STANDING

Plaintiffs have alleged a concrete and individualized injury sufficient to confer standing to sue under Article III. Plaintiffs say that hackers obtained their Social Security numbers and

the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII.” Dkt. No. 28 ¶ 11; see also ¶¶ 40, 51. This is enough to establish standing. See TransUnion LLC v. Ramirez, 594 U.S. 413, 436 (2021); Jones v. Ford Motor Co., 85 F.4th 570, 574 (9th Cir. 2023) (per curiam); In re Zappos.com, Inc., 888 F.3d 1020, 1027-28 (9th Cir. 2018).

Plaintiffs have also adequately alleged that their injuries are fairly traceable to the actions of the 49ers. The theory of the complaint is that the 49ers did not encrypt or otherwise protect plaintiffs’ PII with reasonable security protocols. See Dkt. No. 28 ¶¶ 9, 22. This is a sufficiently clear causal chain to allege traceability. See Brill v. Chevron Corp., No. 15-CV-04916-JD, 2017 WL 76894, at *3 (N.D. Cal. Jan. 9, 2017).

II. NEGLIGENCE

For negligence, a plaintiff must plausibly allege: (1) the defendant had a duty, or an “obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks,” (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff’s injuries, and (4) damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009) (quoting McGarry v. Sax, 158 Cal. App. 4th 983 (2008)).

For present purposes, plaintiffs have alleged enough to state a negligence claim. “The general rule in California is that everyone is responsible for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person. In other words, each person has a duty to use ordinary care and is liable for injuries caused by his failure to exercise reasonable care in the circumstances.” Cabral v. Ralphs Grocery Co., 51 Cal. 4th 764, 771 (2011) (simplified); see also Cal. Civ. Code § 1714 (“Everyone is responsible, not only for the result of his or her willful acts, but also for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person.”). As noted, plaintiffs say that the 49ers obtained and stored their PII without implementing reasonable safeguards against hacking and unauthorized access, and that they have incurred actual costs in following up on the hacking. Plaintiffs also say they have already incurred, and will continue to incur, monitoring costs. That is enough for pleading purposes to go forward, without prejudice to a

The Court defers the question of whether the economic loss rule might apply to foreclose the negligence claim. The 49ers contend that the amended complaint alleges purely economic losses untethered to personal injury or a special relationship, and so recovery in tort is unavailable. Dkt. No. 42 at 10-11; see Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988 (2004). The rule serves to “limit liability in commercial activities that negligently or inadvertently go awry.” Robinson Helicopter, 34 Cal. 4th at 991 n.7. It is true that plaintiffs feature their out-of-pocket losses in the amended complaint, but they also mention noneconomic injuries, albeit not with crystal clarity. See, e.g., Dkt. No. 28 ¶¶ 63-70. Consequently, this question is better resolved on a fully developed record later in the litigation.

With plaintiffs’ agreement, Dkt. No. 49 at 12, the negligence per se claim is dismissed as a freestanding claim.

III. UCL

The UCL claim was not handled well by either side. The 49ers made a two-paragraph argument for dismissal, and plaintiffs responded in kind with a series of cursory and rather disjointed comments.
The 49ers also raised for the first time in a reply brief the contention that plaintiff Donelson cannot bring a UCL claim because the relevant conduct occurred outside of California. That was not an appropriate tactic.

The Court declines to take up the UCL claim on this anemic record. The 49ers may challenge it on summary judgment.

IV. BREACH OF IMPLIED CONTRACT

“An implied contract is one, the existence and terms of which are manifested by conduct.” Cal. Civ. Code § 1621. For this claim, plaintiffs must allege: “(1) the contract, (2) plaintiff’s performance or excuse for nonperformance, (3) defendant’s breach, and (4) the resulting damages to plaintiff.” Reichert v. Gen. Ins. Co. of Am., 68 Cal. 2d 822, 830 (1968) (citations omitted).

Plaintiffs have plausibly alleged these elements. The amended complaint states that plaintiffs were required to disclose their PII to the 49ers, to the 49ers’ benefit, with the understanding that the 49ers would reasonably protect their information. That is enough for the

V. CCRA

The CCRA requires California businesses that own or license computerized data that include personal information to disclose a data breach after discovering one “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82. The amended complaint alleges that the 49ers knew of the breach in February 2022, Dkt. No. 28 ¶ 25, but waited approximately six months before disclosing it. Id. ¶¶ 3, 4. Specifically, plaintiffs say that the 49ers had realized that the breach included “personal, unencrypted information of Plaintiffs and the class, but waited approximately three months to notify them,” and that the delay of three months is unreasonable under the circumstances as it “prevented Plaintiffs and the Class from taking appropriate measure from [sic] protecting themselves against harm.” Id. ¶¶ 134-35. The CCRA claim will go forward.

VI. CCPA

The 49ers say that plaintiffs’ allegation that the 49ers failed to “implement and maintain reasonable security procedures and practices” is conclusory. Dkt. No. 42 at 12. But the amended complaint includes specific allegations regarding the 49ers’ security procedures and practices, including their failure “to even encrypt or redact” their highly sensitive PII. Dkt. No. 28 ¶ 9. That is enough for present purposes.

Whether plaintiffs may recover statutory damages under the CCPA remains in question. The CCPA requires a 30-day notice-and-cure procedure prior to initiating an action. Cal. Civ. Code § 1798.150(b). Materials outside of the amended complaint indicate plaintiffs mailed the required notice after initiating litigation.1 Plaintiffs did not address this issue. The Court will not make a final determination of these external facts at the pleadings stage, but the parties are directed to confer on an agreement with respect to the date of mailing and whether that forecloses statutory damages.

VII. GEORGIA UDTPA

The Georgia Uniform Deceptive Trade Practices Act provides that “a person likely to be damaged by a deceptive trade practice of another may be granted” injunctive relief. O.C.G.A. § 10-1-373(a). Deceptive trade practices include representations that “goods or services have . . . characteristics, ingredients, uses, [or] benefits . . . that they do not have.” O.C.G.A. § 10-1-372(a)(5). The complaint does not identify which, if any, of the 49ers’ representations were deceptive. The Georgia UDTPA claim is dismissed with leave to amend.

CONCLUSION

Plaintiffs may file a second amended complaint with respect to the Georgia UDTPA claim by August 30, 2024. No new claims or parties may be added without the Court’s prior consent. A failure to comply with this order or filing deadline will result in dismissal of the Georgia UDTPA claim with prejudice pursuant to Federal Rule of Civil Procedure 41(b).

IT IS SO ORDERED.

Dated: August 15, 2024

JAMES DONATO
United States District Judge
Document Info
Docket Number: 3:22-cv-05138
Filed Date: 8/15/2024
Precedential Status: Precedential
Modified Date: 10/31/2024