eLaws | Code of Federal Regulations | United States Code |
 All Courts
 Federal Courts
 US Federal District Court Cases
 District Court, D. Nevada
 2024-09

Houghton v. Rancho Mesquite Casino, Inc. ( 2024 )


Menu:
  • 1 2 UNITED STATES DISTRICT COURT DISTRICT OF NEVADA 3 4 In re: Case No. 2:23-cv-00276-CDS-BNW Eureka Casino Breach Litigation 5 Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss 6 7 [ECF No. 41] 8 9 Plaintiffs William Houghton, Andrew Figura, Michael Oldham, and Kristin Andrew,1 10 individually and on behalf of all others similarly situated, bring this action against Defendant 11 Rancho Mesquite Casino, Inc. d/b/a Eureka Casino Hotel (“Eureka”). Am. Compl., ECF No. 31. 12 Collectively, they assert claims for: (1) negligence; (2) negligence per se; (3) breach of implied 13 contract; (4) unjust enrichment; (5) violation of the California Unfair Competition Law 14 (“UCL”); (6) violation of the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100, et 15 seq.) (“CCPA”); (7) violation of the California Customer Records Act (Cal. Civ. Code §§ 1798.80, 16 et seq.) (“CCRA”); and (8) declaratory judgment. Id. Eureka filed a motion to dismiss, ECF No. 17 41, which has been fully briefed.2 For the reasons set forth herein, I grant in part and deny in part 18 the motion to dismiss. 19 I. Background3 20 Defendant Eureka owns and operates hotels and casinos in Mesquite, Nevada, Las Vegas, 21 Nevada, and Seabrook, New Hampshire. ECF No. 31 at ¶ 26. From around November 9, 2022, to 22 November 13, 2022, Eureka was subject to a data breach which reportedly involved the personal 23 information of at least 229,299 individuals, many of whom were Eureka customers. Id. at ¶ 1. The 24 25 1 Hereinafter referred to collectively as the “Houghton plaintiffs.” 2 Opp’n to the Eureka’s mot. to dismiss, ECF No. 42; Reply to the mot. to dismiss, ECF No. 43. 26 3 Unless otherwise noted as undisputed, references to the consolidated complaint in this section are for background information only and do not serve as findings of fact. 1 Houghton plaintiffs allege that “cybercriminals gained unauthorized access to [Eureka]’s 2 computer systems and networks and acquired copies of Private Information held on [Eureka]’s 3 systems” and Eureka “only became aware of the unauthorized access when the cyberthieves 4 encrypted [Eureka]’s computer systems as part of a ransomware attack.” Id. at ¶¶ 32–33. 5 Information involved in the data breach included, but was not necessarily limited to, 6 individuals’ full names, Social Security numbers, and driver’s license numbers. Id. at ¶ 2. The 7 Houghton plaintiffs allege that they are current or former customers of Eureka. Id. at ¶¶ 102, 108, 8 114, 120. Plaintiffs Houghton, Oldham, and Andrew are or were members of Eureka’s players 9 rewards club. Id. ¶¶ 102, 108, 114. Each provided Eureka with their name, Social Security number, 10 “and other Private Information” in exchange for payment and for membership in its players club. 11 Id. Plaintiff Figura was a customer of Eureka and alleges that he was required to supply Eureka 12 “with his name and other Private Information as a condition of using [Eureka]’s services and 13 facilities.” Id. at ¶ 120. 14 Each of the Houghton plaintiffs received a letter from Eureka on February 16, 2023, 15 explaining that, on November 9, 2022, Eureka had “experienced a cybersecurity incident in 16 which some of [its] systems were encrypted by an unauthorized actor.”4 Id. at ¶¶ 31–36. They 17 allege that Eureka “failed to encrypt the [Personally Identifiable Information (“PII”)] stored on 18 its computer systems, evidenced by the fact that hackers were able to steal the Private 19 Information in a readable form.” Id. at ¶ 38. The Houghton plaintiffs cite to a notice by Eureka 20 announcing the breach, which stated that “[u]pon discovering the incident, we immediately 21 took steps to secure our system[,]” and recommended that affected individuals “remain vigilant 22 by reviewing your credit reports and account statements for any unauthorized activity.” Id. at ¶¶ 23 39–40 (citing Office of the Maine Attorney General, Data Breach Notifications, 24 https://apps.web.maine.gov/online/aeviewer/ME/40/35af8dca-9af6-4a5d-aa9b- 25 4 The Houghton plaintiffs allege 1,737 of the impacted individuals received notice earlier, on December 9, 26 2022. Id. at ¶ 36. 1 d7013c99d9d6.shtml). 2 Between February 22 and March 16, 2023, the four Houghton plaintiffs filed individual 3 complaints in this court asserting claims against Eureka arising out of the cyberattack. ECF No. 4 6; ECF No. 27. On June 16, 2023, following entry of an order of consolidation, the Houghton 5 plaintiffs filed a consolidated class action complaint on behalf of themselves, a putative 6 nationwide class, and a California sub-class comprised of others who are similarly situated. ECF 7 No. 31. Eureka filed a motion to dismiss all eight of the Houghton plaintiffs’ claims on September 8 15, 2023. ECF No. 41. 9 II. Legal standard 10 The Federal Rules of Civil Procedure require a plaintiff to plead “a short and plain 11 statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). 12 Dismissal is appropriate under Rule 12(b)(6) when a pleader fails to state a claim upon which 13 relief can be granted. Fed. R. Civ. P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). A 14 pleading must give fair notice of a legally cognizable claim and the grounds on which it rests, 15 and although a court must take all factual allegations as true, legal conclusions couched as 16 factual allegations are insufficient. Twombly, 550 U.S. at 555. Accordingly, Rule 12(b)(6) requires 17 “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action 18 will not do.” Id. To survive a motion to dismiss, “a complaint must contain sufficient factual 19 matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 20 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A claim has facial plausibility 21 when the plaintiff pleads factual content that allows the court to draw the reasonable inference 22 that the defendant is liable for the misconduct alleged.” Id. This standard “asks for more than a 23 sheer possibility that a defendant has acted unlawfully.” Id. 24 If the court grants a motion to dismiss for failure to state a claim, leave to amend should 25 be granted unless it is clear that the deficiencies of the complaint cannot be cured by 26 amendment. DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992). Under Rule 15(a), a 1 court should “freely” give leave to amend “when justice so requires,” and in the absence of a 2 reason such as “undue delay, bad faith or dilatory motive of the part of the movant, repeated 3 failure to cure deficiencies by amendment previously allowed, undue prejudice to the opposing 4 party by virtue of allowance of the amendment, futility of the amendment, etc.” Foman v. Davis, 5 371 U.S. 178 (1962). 6 III. Discussion 7 Defendant Eureka moves to dismiss all of plaintiffs’ common law and statutory claims. 8 The court addresses plaintiffs’ claims in turn. 9 A. Cognizable damages for negligence and breach of implied contract claims 10 A “plaintiff must prove damages to prevail on” negligence5 and breach of implied 11 contract claims. Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1231–32 (D. Nev. 12 2020), aff’d, 845 F. App’x 613 (9th Cir. 2021) (citing Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc., 221 13 P.3d 1276, 1280 (Nev. 2009), and Saini v. Int’l Game Tech., 434 F. Supp. 2d 913, 919–20 (D. Nev. 14 2006)) (Pruchnicki I). To prove damages, a plaintiff must have a cognizable injury that is not “too 15 tenuous[.]” Id. at 1232. See also Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010) 16 (finding that allegations of certain future harm was too tenuous to support a cognizable injury 17 in a negligence claim). The Houghton plaintiffs assert several cognizable injuries to support 18 damages in their negligence and breach of contract claims, all of which Eureka disputes. 19 20 In their consolidated complaint, the Houghton plaintiffs state that they have suffered 21 damages for “loss of time” needed to “take appropriate measures to avoid unauthorized and 22 fraudulent charges; change their usernames and passwords on their accounts; investigate, 23 correct and resolve unauthorized debits, charges, and fees charged against their accounts; and 24 deal with spam messages and e-mails received as a result of the Data Breach.” ECF No. 31 at ¶ 14. 25 5 Because the Houghton plaintiffs withdraw their cause of action for negligence per se, I will not address 26 it further. See ECF No. 42 at 2 n.2. 1 Eureka argues that the time lost to protecting information is “an unfortunate, but common, fact 2 of daily life in a digital world[,]” arguing that there is no way to make lost time damages 3 cognizable absent tangible, out-of-pocket expenses. ECF No. 43 at 5 (citing Pruchnicki I, 439 F. 4 Supp. 3d at 1233 and In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 134 5 (D. Me. 2009), aff’d in part, rev’d in part sub nom. on other grounds, Anderson v. Hannaford Bros. Co., 659 6 F.3d 151, 156 (1st Cir. 2011)). 7 The Houghton plaintiffs do not allege any additional out-of-pocket expenses they made 8 in protecting their data. See ECF No. 31 at ¶ 14. “[L]ost time alone does not establish 9 compensable damages.” Smallman v. MGM Resorts Int’l, 638 F. Supp. 3d 1175, 1192 (D. Nev. 2022) 10 (citing Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021) (Prucknicki II)). 11 Unlike out-of-pocket expenses incurred in protecting one’s data and responding to a data 12 breach, which provide a concrete measure of a plaintiff’s damages, a claim for lost time by itself 13 is simply too nebulous. Accordingly, I dismiss the Houghton plaintiffs’ negligence claim to the 14 extent it alleges damages based on loss of time. However, because it is unclear if amendment 15 could cure this deficiency, dismissal is without prejudice and with leave to amend. 16 17 The Houghton plaintiffs allege they suffered emotional distress because of the data 18 breach. ECF No. 31 at ¶¶ 105, 111, 117, 135. Arguing for dismissal, Eureka cites Pruchnicki I, which 19 states that “Nevada law ‘require[s] a plaintiff to demonstrate that he or she has suffered some 20 physical manifestation of emotional distress in order to support an award of emotional 21 damages.’” Pruchnicki I, 439 F. Supp. at 1233 (quoting Betsinger v. D.R. Horton, Inc., 232 P.3d 433, 436 22 (Nev. 2010)). See also Pruchnicki II, 845 F. App’x at 614 (“[U]nder Nevada law, ‘in the absence of 23 physical impact, proof of “serious emotional distress” causing physical injury or illness must be 24 presented.’” (quoting Olivero v. Lowe, 995 P.2d 1023, 1026 (Nev. 2000)). Houghton, Oldham, and 25 Andrew allege that their emotion distress has manifested as “anxiety about unauthorized parties 26 viewing, selling, and/or using [their] Private Information for purposes of identity theft and fraud. 1 [They are] very concerned about identity theft and fraud, as well as the consequences of such 2 identity theft and fraud resulting from the Data Breach.” ECF No. 31 at ¶¶ 105, 111, 117. None of 3 this can be characterized as physical injury or even “serious” emotional distress. Pruchnicki II, 845 4 F. App’x at 614. Accordingly, I dismiss without prejudice, and with leave to amend, the 5 Houghton plaintiffs’ negligence claim to the extent it alleges damages based on emotional 6 distress. 7 8 The Houghton plaintiffs seemingly argue “violation of privacy” as a cognizable harm that 9 arises out of the data breach. ECF No. 31 at ¶¶ 106, 112, 118, 123, 133, 135. Eureka argues that the 10 Houghton plaintiffs fail to address how such a violation resulted in compensable damages, citing 11 several cases, including Aguilar v. Hartford Accident & Indem. Co. ECF No. 41 at 12. In Aguilar, the 12 court held that “the loss of privacy engendered by an accidental data breach cannot satisfy the 13 necessary damage element of a negligence claim, ‘without specific factual statements that 14 Plaintiffs’ Personal Information has been misused, in the form of an open bank account, or un- 15 reimbursed charges.’” 2019 WL 2912861, at *2 (C.D. Cal. Mar. 13, 2019) (quoting In re Sony Gaming 16 Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 963 (S.D. Cal. 2012)). In 17 opposition, the Houghton plaintiffs rely primarily on a case that addresses violation of privacy 18 for purposes of Article III standing as opposed to damages. ECF No. 42 at 17 (citing Medoff v. 19 Minka Lighting, LLC, 2023 WL 4291973, at *3 (C.D. Cal. May 8, 2023)).6 They also cite Smallman, 20 which states that “[i]n the data breach context, courts within the Ninth Circuit have found that 21 an individual’s loss of control over the use of their identity due to a data breach and the 22 23 6 The question of whether a plaintiff has alleged sufficient injury for standing purposes is a separate 24 inquiry from whether they have stated a claim for compensable damages, and their having adequately pled one does not automatically mean they have sufficiently pled both. See Pruchnicki II, 845 F. App’x at 25 614–15 (finding that the district court in Pruchnicki I acted within its discretion when it found that the plaintiff sufficiently alleged injury for standing purposes but did not state a claim for compensable 26 damages). Eureka did not challenge the Houghton plaintiffs’ standing to bring this claim for relief. 1 accompanying impairment in value of PII constitutes non-economic harms.” 638 F. Supp. 3d at 2 1188. 3 It appears the Houghton plaintiffs’ theory of damages as to this claim is an evolving one. 4 What was pled as a “violation” of privacy in their consolidated complaint transformed into an 5 “invasion” of their privacy rights and, supported by a citation to Smallman, a violation of their 6 “right to control” their PII in their opposition to Eureka’s motion. Compare ECF No. 31 at ¶¶ 106, 7 112, 118, 123, 133, 135 (“violation”), with ECF No. 42 at 17 (“invasion” and “right to control”). The 8 plaintiffs do not explain the reasoning behind their violations of privacy claims in their 9 consolidated complaint and provide confusing citations to other bases of harm in their 10 opposition. The plaintiffs’ allegations regarding a “violation of privacy” are not pled with 11 sufficient specificity to survive a Rule 12(b)(6) motion to dismiss. Therefore, I dismiss without 12 prejudice, and with leave to amend, the Houghton plaintiffs’ negligence claim to the extent it 13 alleges damages based on a violation of privacy. 14 15 The Houghton plaintiffs allege that they face an increased risk of being “targeted in the 16 future, subjected to phishing, data intrusion, and other illegal actions based on their Private 17 Information as potential fraudsters could use that information to target such schemes more 18 effectively.” ECF No. 31 at ¶ 126. In its motion, Eureka argues that the plaintiffs’ claim is too 19 speculative, and “mere risk of future harm does not constitute cognizable injury.” ECF No. 41 at 20 6. It cites to Pruchnicki I, in which the court held that “alleged injuries that stem from the danger 21 of future harm are insufficient to support a negligence action.” 439 F. Supp. 3d at 1232 (citing 22 Krottner, 406 F. App’x at 131). The Pruchnicki I court held that “the imminent and certainly 23 impending injury flowing from potential fraud and identity theft and the continued risk to [the 24 plaintiff’s] personal data are too tenuous to constitute damages as an element of plaintiff’s 25 26 1 claim.” Id. at 1232 (internal quotations omitted).7 In their opposition, the Houghton plaintiffs 2 respond by citing to Smallman, in which the court held 3 that the rightful determination is “not to look at the minutia of what information has been taken — such as credit card information — or social security numbers — 4 but to specifically determine whether the data taken ‘gave hackers the means to commit fraud or identity theft.’” Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 5 (N.D. Cal. 2019) (quoting [In re Zappos.com, Inc., 888 F.3d 1020, 1027–29 (9th Cir. 2018)]. “The information taken . . . need not be sensitive to weaponize hackers in 6 their quest to commit further fraud or identity theft.” Bass, 394 F. Supp. 3d at 1034. “Imminent injury in fact can be established through information similar in function 7 to [a] social security number[ ],” which “derives its value in that it is immutable.” 8 Id. 9 Smallman, 638 F. Supp. 3d at 1191. It is important to note that the Smallman case presented a very 10 different set of factual allegations. Unlike here, the Smallman plaintiffs specifically alleged that 11 they already had their hacked information “posted for sale on the dark web” and multiple 12 plaintiffs claimed that “criminals ha[d] attempted to make fraudulent purchases on their 13 accounts.” Id. However, Smallman also notes a Seventh Circuit opinion that acknowledged: “Why 14 else would hackers break into a store’s database and steal consumers’ private information? 15 Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume 16 those consumers’ identities.” Id. at 1191–92 (quoting Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 17 688, 693 (7th Cir. 2015)).8 18 The Ninth Circuit cases on which both Pruchnicki I and Smallman rely—Krottner and In re 19 Zappos, respectively—address issues of standing, not cognizable harm for purposes of damages. 20 See Krottner, 628 F.3d at 1142; In re Zappos, 888 F.3d at 1024. There does not appear to be any clear 21 guidance in the Ninth Circuit as to whether, and to what extent, future risk of harm can serve as 22 7 Aside from stating that Nevada law does not permit recovery of speculative damages, the Ninth Circuit 23 in Pruchnicki II did not address the district court’s finding on this issue of increased or future risk of identity theft. See Pruchnicki II, 845 F. App’x at 614–15. 24 8 Smallman also cites to a Sixth Circuit opinion which held that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the 25 fraudulent purposes alleged in Plaintiffs’ complaints.” Smallman, 638 F. Supp. 3d at 1192 (quoting Galaria v. Nationwide Mut. Ins. Co., 663 F App’x 384, 388 (6th Cir. 2016)). I also agree with this reasoning set forth in 26 Galaria. 1 a cognizable injury. But I find the Seventh Circuit’s reasoning in Remijas persuasive: regardless of 2 whether a plaintiff alleges their hacked information has been shared or sold, the purpose of a 3 hack is to collect and then utilize the plaintiffs’ private information to make fraudulent charges, 4 take their identities, or sell to others who will do either or both. Plaintiffs do not have to wait 5 until hackers inevitably use their private information for nefarious purposes to allege a 6 cognizable injury. Therefore, I deny Eureka’s motion to the extent it seeks dismissal on the 7 grounds that the plaintiffs’ allegation of future risk of injury is not a cognizable harm. 8 9 The Houghton plaintiffs allege that they suffered cognizable harm because the hack of 10 their PII has diminished its value. ECF No. 31 ¶¶ 106, 112, 117, 123. “Diminution in value of 11 personal information can be a viable theory of damages.” Pruchnicki I, 439 F. Supp. 3d at 1234. In 12 its motion to dismiss, Eureka argues that a plaintiff may sufficiently allege diminution in value of 13 personal information as a cognizable injury only when they have plausibly alleged: (1) the 14 “existence of a market for [their] personal information” and (2) “an impairment of [their] ability 15 to participate in that market.” ECF No. 41 at 8 (quoting Svenson v. Google Inc., 2016 WL 8943301, at 16 *9 (N.D. Cal. Dec. 21, 2016), and citing Pruchnicki I, 439 F. Supp. 3d at 1234). It argues that “[t]he 17 only market for the sale of these types of personal information is the criminal underground.” Id. 18 (citing Griffey v. Magellan Health, Inc., 562 F. Supp. 3d 34, 46 (D. Ariz. 2021), and Pruchnicki I, 439 F. 19 Supp. 3d at 1234, for the proposition that a diminution of value theory only applies to items or 20 information for which there are lawful markets). Eureka also argues that the Houghton 21 plaintiffs “have not alleged that they have been impaired from participating in any legitimate 22 market in which they could sell or monetize their Social Security or driver’s license numbers.” Id. 23 In their opposition, the Houghton plaintiffs again point to Smallman, in which the court, 24 rather than evaluating the market value of the plaintiffs’ PII, held that “[a]ny past and potential 25 future misuse of Plaintiffs’ PII impairs their ability to participate in the economic marketplace.” 26 ECF No. 42 at 14 (quoting Smallman, 638 F. Supp. 3d at 1191). The plaintiffs also cite to a 1 “growing trend” among courts to “recognize ‘the value of consumer personal information is not 2 derived solely (or even realistically) by its worth in some imagined marketplace where the 3 consumer actually seeks to sell it to the highest bidder, but rather in the economic benefit the 4 consumer derives from being able to purchase goods and services remotely and without the need 5 to pay in cash or a check.’” Id. (quoting In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. 6 Supp. 3d 447, 462 (D. Md. 2020), and citing In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 7 603 F. Supp. 3d 1183, 1204 (S.D. Fla. 2022)). The plaintiffs argue that, in the increasingly digital 8 world, a plaintiff “need not allege that they intended to sell their PII because PII derives its value 9 to consumers by enabling them to participate in ordinary life and they are entitled to damages 10 resulting from the diminished value of their PII.” Id. (citing In re Anthem, Inc. Data Breach Litig., 2016 11 WL 3029783, at *15 (N.D. Cal. May 27, 2016) (Anthem I)). 12 Eureka’s interpretation of diminution in value is too narrow. See Smallman, 638 F. Supp. 3d 13 at 1190 (“[The] pleading requirements, that Plaintiffs must establish both the existence of a 14 market for their PII and an impairment of their ability to participate in that market, is not 15 supported by Ninth Circuit precedent and other district courts in this Circuit have rejected 16 them.”); Anthem I, 2016 WL 3029783, at *15 (“These statements [in the case law] appear to 17 require a plaintiff to allege that there was either an economic market for their PII or that it 18 would be harder to sell their own PII, not both.”). The value of personal information in the 19 digital world is fundamentally different from what might be considered a loss of value in a 20 “typical” market. The “Data Breach devalued Plaintiffs’ PII by interfering with their fiscal 21 autonomy. “Any . . . potential future misuse of Plaintiffs’ PII impairs their ability to participate in 22 the economic marketplace.” Smallman, 638 F. Supp. 3d at 1191. Therefore, I deny Eureka’s motion 23 to the extent it seeks dismissal on the grounds that the plaintiffs’ allegation of diminution of 24 value of their PII is not a cognizable harm. 25 26 1 2 The Houghton plaintiffs allege that they “lost the benefit of the bargain they made with 3 Defendant because of its inadequate data security practices for which they gave good and 4 valuable consideration.” ECF No. 31 at ¶ 65. To support their allegations, they state that “they 5 overpaid for a service that was intended to be accompanied by adequate data security but was 6 not. Part of the price Plaintiffs and Class Members paid to Defendant was intended to be used 7 by Defendant to fund adequate security of Defendant’s computer property and Plaintiffs’ and 8 Class Members’ Private Information.” Id. at 27. And “[h]ad Defendant disclosed that its security 9 was inadequate or that it did not adhere to industry-standard security measures, neither the 10 Plaintiffs, the Class Members, nor any reasonable person would have purchased services and/or 11 products from Defendant.” Id. at 37. 12 In seeking dismissal, Eureka argues that, as a matter of law, the plaintiffs “could not have 13 bargained for ‘reasonable data security’ because Defendant had a pre-existing duty to provide 14 such[,]” and California and Nevada laws require a business to maintain reasonable security 15 measures for peoples’ PII. ECF No. 41 at 9 (citing NRS 603A.210 and Cal. Civ. Code § 1798.81.5). 16 Additionally, it argues that the Houghton plaintiffs do not allege that they were denied “any 17 gambling, lodging, food and beverage, or club membership services for which they supplied 18 personal information” or that Eureka “made any ‘affirmative representation that data security 19 was included in the cost of the goods [or services that Plaintiffs’ allegedly purchased from 20 Defendant].’” Id. (quoting Gardiner v. Walmart, Inc., 2021 WL 4992539, at *5 (N.D. Cal. July 28, 21 2021) (alterations in motion). In response, the Houghton plaintiffs argue that they “paid money 22 and provided their PII to Eureka in exchange for its services, inherent to which was the mutual 23 understanding that Eureka would safeguard that PII[,]” and “the promise to safeguard PII is 24 implicit to every exchange involving confidential information.” ECF No. 42 at 15 (citing 25 Smallman, 638 F. Supp. 3d at 1190). 26 1 First, the existence of rules requiring reasonable security measures do not inherently 2 negate a claim for benefit-of-bargain damages. See, e.g., Smallman, 638 F. Supp. 3d at 1190. Even the 3 case upon which Eureka relies, In re Banner Health Data Breach Litig., supports this point. See 2018 4 WL 11352137 at *2–3 (D. Ariz. Aug. 7, 2018) (holding that, in the case of medical information, 5 “when promising to protect the data of Patient and Insurance Plan Plaintiffs, Defendant would 6 have needed to promise to do more than merely comply with the HIPAA for the agreement to be 7 enforceable” but “courts may presume that a party who provides sensitive information while 8 receiving a job, a good, or a service may expect that the information is reasonably protected”). 9 Although Eureka describes the plaintiffs’ theory as “newfangled,” ECF No. 43 at 5, a 10 significant body of case law supports it is a cognizable harm. Indeed, the district court in 11 Smallman summarized the current state of Ninth Circuit case law. It first described a series of 12 cases in which courts have accepted “more general allegations that data security was expected 13 and was part of the bargain” and then another line of cases in which “required more specific 14 factual allegations showing how data security was a part of the bargain or how much of the 15 money spent was for data security.” Smallman, 638 F. Supp. 3d at 1189–90 (collecting cases). The 16 Smallman court was persuaded by the first line of cases, reasoning that the second line required 17 plaintiffs to allege more than is necessary to survive a motion to dismiss. Id. at 1190. I too am 18 persuaded by this reasoning. It is sufficient for a plaintiff to allege that their overpayment for 19 services came with the expectation that they would be conferred the benefit of adequate data 20 security, and that, had they known that the defendant’s security measures were less than 21 industry-standard, they would not have gone through with their transaction. Therefore, I deny 22 Eureka’s motion to the extent it seeks dismissal on the grounds that the plaintiffs’ allegation 23 that they lost the benefit of their bargain for data security is not a cognizable harm. 24 B. Economic loss doctrine 25 In its motion, Eureka argues that the Houghton plaintiffs’ negligence claim is barred 26 under the economic loss doctrine. ECF No. 41 at 12. The economic loss doctrine “generally ‘bars 1 unintentional tort actions when the plaintiff seeks to recover purely economic losses.’” Lombino v. 2 Bank of Am., N.A., 797 F. Supp. 2d 1078, 1082 (D. Nev. 2011) (quoting Terracon Consultants W., Inc. v. 3 Mandalay Resort Grp., 206 P.3d 81, 86 (Nev. 2009)). “Thus, the doctrine provides that certain 4 economic losses are properly remediable only in contract.” Peri & Sons Farms, Inc. v. Jain Irr., Inc., 933 5 F. Supp. 2d 1279, 1283–84 (D. Nev. 2013). Nevada defines the economic loss doctrine as “the loss 6 of the benefit of the user’s bargain including pecuniary damage for all inadequate value, the cost 7 of repair and replacement of the defective product, or consequent loss of profits, without any 8 claim of personal injury or damage to other property.” Id. (citation omitted). Therefore, the 9 economic loss doctrine “does not bar actions seeking damage for pecuniary losses that are 10 ‘accompan[ied by] personal injury or property damage.’” Id. (quoting Terracon, 206 P.3d at 86). 11 Courts in the Ninth Circuit have consistently found that the loss of control of a plaintiff’s 12 identity and the resulting impairment of value of the PII in data breach cases constitutes non- 13 economic harm. See Smallman, 638 F. Supp. 3d at 1188; Flores-Mendez v. Zoosk, Inc., 2021 WL 308543, 14 at *3 (N.D. Cal. Jan. 30, 2021) (finding that the plaintiffs’ allegation of an enlarged risk of 15 identity theft, among others, prevented the dismissal of the negligence claim based on the 16 economic loss doctrine). Here, because the Houghton plaintiffs have sufficiently alleged harm 17 under a theory of increased risk of identity theft, the harms are not purely economic. Therefore, I 18 deny Eureka’s motion to the extent it seeks dismissal on the grounds that the plaintiffs’ 19 negligence claim is barred by the economic loss doctrine. The Houghton plaintiffs have 20 sufficiently pled a claim for negligence against Eureka. 21 C. Implied contract 22 Nevada law requires the plaintiff in a breach of contract action to show: (1) the existence 23 of a valid contract; (2) a breach by the defendant; and (3) damage as a result of the breach. 24 Mizrahi v. Wells Fargo Home Mortg., 2010 WL 2521742, at *3 (D. Nev. June 16, 2010) (citing Saini, 434 25 F. Supp. 2d at 919–20). Although the terms of an implied contract are manifested by conduct 26 rather than written words, both “are founded upon an ascertainable agreement.” Smith v. Recrion 1 Corp., 541 P.2d 663, 664–65 (Nev. 1975). The formation of an enforceable contract requires the 2 following: (1) offer and acceptance, (2) meeting of the minds, and (3) consideration. May v. 3 Anderson, 119 P.3d 1254, 1257 (Nev. 2005). As stated above, the damages element has been 4 sufficiently pled. See supra. 5 The Houghton plaintiffs allege that they formed an implied contract with Eureka and 6 that by not implementing sufficient security measures, Eureka breached that contract. ECF No. 7 31 at ¶¶ 159–78. They claim that by providing their PII in exchange for Eureka’s services and 8 products, Eureka impliedly agreed to reasonably protect the information. Id. at 35. The 9 Houghton plaintiffs also allege that they “expected that Defendant’s data security practices 10 complied with relevant laws and regulations and were consistent with industry standards” and 11 those “who paid money to Defendant reasonably believed and expected that Defendant would 12 use part of those funds to obtain adequate data security.” Id. According to the consolidated 13 complaint, the Houghton plaintiffs 14 would not have entrusted their Private Information to Defendant and entered into these implied contracts with Defendant without an understanding that their 15 Private Information would be safeguarded and protected, or entrusted their Private Information to Defendant in the absence of its implied promise to monitor 16 its computer systems and networks to ensure that it adopted reasonable data security measures. 17 18 Id. at 36. In its motion, Eureka argues that (1) no implied contract was formed, (2) the plaintiffs 19 failed to allege that any breach occurred, and (3) there was no consideration. ECF No. 41 at 14– 20 18. Although the Houghton plaintiffs address the issues of contract formation and breach in 21 their response, they fail to address Eureka’s argument that no consideration existed in their 22 purported implied contract. By not responding to this argument, the plaintiffs effectively 23 conceded the validity of Eureka’s motion on these grounds. Local Rule 7-2(d) provides, in 24 relevant part, that “[t]he failure of a moving party to file points and authorities in support of the 25 motion constitutes a consent to the denial of the motion.” LR 7-2(d); see also Travelers Cas. Ins. Co. 26 of Am. v. Geragos & Geragos, 495 F. Supp. 3d 848, 854 (C.D. Cal. 2020) (“Arguments to which no 1 response is supplied are deemed conceded.”). Therefore, the Houghton plaintiffs’ breach of 2 implied contract claim is dismissed. But because the Houghton plaintiffs may be able to cure 3 this deficiency, it is dismissed without prejudice and with leave to amend. 4 D. Unjust enrichment 5 The consolidated complaint alleges that the Houghton plaintiffs conferred a monetary 6 benefit on Eureka when they made payments and provided Eureka with their personal 7 information. ECF No. 31 at ¶ 191. They allege that their reasonable expectation was that Eureka 8 would use part of the money to protect their information, but Eureka “instead calculated to 9 increase their own profits at the expense of Plaintiffs and Class Members by utilizing cheaper, 10 ineffective security measures.” Id. They seek Eureka’s disgorgement of all proceeds Eureka 11 “unjustly received” from the plaintiffs. Id. at ¶ 198. 12 Eureka argues that the Houghton plaintiffs’ unjust enrichment claim fails for three 13 reasons. ECF No. 41 at 18–19. It argues that the plaintiffs cannot sufficiently allege facts to satisfy 14 the elements of the claim because “[t]here is nothing unjust about a casino and hotel receiving a 15 customer’s personal information to: (1) provide gambling, lodging and hospitality services; (2) 16 comply with tax laws regarding gambling winnings; or (3) offer the customer other benefits of 17 being a players rewards club member.” Id. (citing In re SuperValu, Inc., 925 F.3d 955, 966 (8th Cir. 18 2019)). It argues that, because the plaintiffs do not seek the return of their PII, “or compensation 19 for any monetary value they could ascribe to such[,]” they do not allege compensable damages. 20 Id. at 19. Finally, Eureka argues that the plaintiffs fail to explain why monetary damages would 21 be inadequate. Id. at 18. The Houghton plaintiffs respond that they paid Eureka for its services 22 expecting that part of their payments would go to reasonable security measures for their PII, 23 and Eureka’s failure to do so amounted to unjust enrichment. ECF No. 42 at 21–22. They also 24 argue that the compensable damages are “the portion of payments made by Plaintiffs to Eureka 25 to provide reasonably [sic] data security measures, but which Eureka nevertheless failed to 26 1 implement—not Plaintiffs’ Personal Information provided to Eureka nor the value of such 2 information.” Id. at 22. They also insist they cannot be remedied by money damages alone. Id. 3 In Nevada, the elements of an unjust enrichment claim are: “(1) a benefit conferred on the 4 defendant by the plaintiff; (2) appreciation of the benefit by the defendant; and (3) acceptance 5 and retention of the benefit by the defendant; (4) in circumstances where it would be 6 inequitable to retain the benefit without payment.” Ames v. Caesars Ent. Corp., 2019 WL 1441613, at 7 *5 (D. Nev. Apr. 1, 2019) (quoting Leasepartners Corp. v. Robert L. Brooks Tr., 942 P.2d 182, 187 (Nev. 8 1997)). Unjust enrichment and disgorgement are equitable remedies. See Small v. Univ. Med. Ctr. of S. 9 Nev., 2016 WL 4157309, at *3 (D. Nev. Aug. 3, 2016) (“Nevada recognizes the general rule that an 10 equitable claim, like unjust enrichment, is not available where the plaintiff has a full and 11 adequate remedy at law.”); Sunlighten, Inc. v. Finnmark Designs, LLC, 595 F. Supp. 3d 957, 972 (D. 12 Nev. 2022) (“Disgorgement is an equitable remedy[.]”). Thus, for a plaintiff to succeed in an 13 unjust enrichment claim, they must show that they lack an adequate remedy at law. Sonner v. 14 Premier Nutrition Corp., 971 F.3d 834, 844–45 (9th Cir. 2020). 15 Here, payment alone is sufficient to establish that a benefit was conferred on the 16 defendant. See Certified Fire Prot. Inc. v. Precision Constr., 283 P.3d 250, 257 (Nev. 2012) (“Benefit in 17 the unjust enrichment context can include services beneficial to or at the request of the other, 18 denotes any form of advantage, and is not confined to retention of money or property.” (internal 19 quotations omitted)). Not only did the Houghton plaintiffs pay Eureka, but they also allege that 20 part of their payment was to be used for protection of their data. ECF No. 31 at ¶ 191. Eureka 21 likewise appreciated, accepted, and retained the benefit because it accepted the plaintiffs’ 22 payment. The remaining question is whether this occurred in “circumstances where it would be 23 inequitable to retain the benefit without payment.” Ames, 2019 WL 1441613, at *5. The Houghton 24 plaintiffs advance two separate theories: first, that they overpaid for the services assuming that 25 Eureka would provide adequate data protection; and second, that, had they known that 26 Eureka’s systems were allegedly not compliant with industry standards, they would not have 1 paid for Eureka’s service in the first place. See ECF No. 31 at ¶¶ 191–94. The plaintiffs’ first theory 2 is subject to a split of authority. Compare Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012), 3 In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. Supp. 3d 1183, 1201 (D. Or. 2016), and In 4 re Banner Health Data Breach Litig., 2017 WL 6763548, at *6 (D. Ariz. Dec. 20, 2017) (data breach 5 cases finding that the overpayment theory of unjust enrichment overcomes a motion to dismiss), 6 with Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 968 (7th Cir. 2016), and Carlsen v. GameStop, 7 Inc., 833 F.3d 903, 912 (8th Cir. 2016) (finding that it does not). 8 Here, I find that the plaintiffs have alleged enough to survive the motion to dismiss on 9 their unjust enrichment claim based on their first theory.9 Eureka’s argument that there is 10 nothing unjust about a casino seeking payment for services neglects the crux of the plaintiffs’ 11 argument. A business can certainly expect payment in receipt for its products and services, but 12 when part of that payment was made in exchange for protection of private information, as the 13 plaintiffs allege here, a business has been unjustly enriched if it fails to erect those protections. 14 Eureka also misconstrues the compensable damages the plaintiffs seek: it is not the return of the 15 PII, it is the amount the Houghton plaintiffs paid that was intended to go to constructing 16 adequate data protection measures. 17 Eureka also suggests that the plaintiffs do not sufficiently explain why damages are 18 inadequate. ECF No. 41 at 18; ECF No. 43 at 9 (citing Sonner, 971 F.3d at 841, Gardiner, 2021 WL 19 4992539, at *7, and Smallman, 638 F. Supp. 3d at 1197). Like with many issues in the data breach 20 context, there is some competing authority. See, e.g., Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 21 1064, 1086 (N.D. Cal. 2023) (“Meta also argues that the claim cannot stand as plaintiffs have 22 failed to plead that they lack adequate remedies at law under Sonner . . . . But plaintiffs do allege 23 that their remedies at law are inadequate.”) Even in Smallman, the court noted that part of its 24 25 9 The alternative theory, that the plaintiffs would not have used Eureka’s services had they known about its allegedly deficient security, is not as well developed in the case law, but has found some support as 26 well. See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177–78 (D. Minn. 2014). Because I find enough support under the plaintiffs’ first theory, I do not reach a conclusion on the second theory. 1 reasoning for dismissing the plaintiffs’ unjust enrichment claim was that “Plaintiffs have not 2 alleged, even in the alternative, that they do not have adequate legal remedies.” 638 F. Supp. 3d at 3 1198. I find that the allegation that legal remedies are inadequate is sufficient to survive a motion 4 to dismiss. Therefore, Eureka’s motion to dismiss the plaintiffs’ unjust enrichment claim is 5 denied. 6 E. UCL claim 7 The consolidated complaint alleges that Eureka violated California’s UCL. ECF No. 31 at 8 ¶¶ 199–213. The California UCL prohibits “unfair competition” and defines the term as a 9 “business act or practice” that is (1) “fraudulent,” (2) “unlawful,” or (3) “unfair.” Bus. & Prof. 10 Code § 17200. Each prong of the UCL provides “a separate and distinct theory of liability[.]” 11 Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009). To have standing to pursue a UCL 12 claim, the Houghton plaintiffs must show that they “suffered injury in fact and ha[ve] lost 13 money or property as a result of [Eureka’s] unfair competition.” Cal. Bus. & Prof. Code § 17204. 14 See also In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019). 15 In its motion, Eureka argues that the Houghton plaintiffs have not alleged they suffered an 16 injury in fact to establish standing, that they do not state their claim with sufficient specificity 17 under the “fraudulent” prong, and that their claims likewise fail under the “unlawful” and 18 “unfair” prongs. ECF No. 41 at 19–20; ECF No. 43 at 9–10. 19 20 Eureka argues that, because the Houghton plaintiffs allege only that their PII “is of 21 tangible value[,]” and do not state they suffered identity theft or fraudulent charges, they do not 22 have standing to bring a UCL claim. ECF No. 41 at 20–21. However, as discussed previously, the 23 plaintiffs repeatedly allege that a part of their payment to Eureka was designed to ensure 24 adequate safety measures, which were allegedly not provided. See ECF No. 31 at ¶¶ 191–94. This 25 is sufficient to establish an injury in fact. See Smallman, 638 F. Supp. 3d at 1201–02 (finding that 26 plaintiffs sufficiently pled allegations establishing standing where plaintiffs alleged that they 1 paid the “overinflated cost of the hotel rooms they purchased as a result of Defendant['s] 2 omissions regarding the adequacy of data security policies.”) 3 4 When alleging fraud, plaintiffs must meet a heightened pleading standard that requires 5 they “state with particularity the circumstances constituting fraud including the who, what, 6 when, where and how of the misconduct charged.” Loomis v. U.S. Bank Home Mortg., 912 F. Supp. 2d 7 848, 856 (D. Ariz. 2012) (quoting Fed. R. Civ. P. 9(b)). In their opposition, the plaintiffs argue 8 that their claim falls only under the “unlawful” and “unfair” prongs and thus does not require the 9 heightened fraud pleading. ECF No. 42 at 23. Eureka’s reply argues that the plaintiffs’ claims are 10 “attempted obfuscation” and because they state that Eureka violated Section 5(a) of the FTC 11 Act—a predicate for their “unlawful” prong claim— “by misrepresenting, by omission, the safety 12 of their computer systems,” their claim should actually be viewed under the “fraudulent” prong. 13 The “unlawful” prong of the UCL “borrows violations of other laws and treats them as 14 unlawful practices that the unfair competition law makes independently actionable.” Cal. 15 Consumer Health Care Council v. Kaiser Found. Health Plan, Inc., 142 Cal. App. 4th 21, 27 (2006) 16 (internal quotations omitted). Thus, in determining whether the “unlawful” prong has been met, 17 the court must “look through” the asserted UCL claim and determine if the underlying statutes 18 cited state a claim for relief. Id. at 28. As discussed above, the plaintiffs’ “unlawful” prong 19 argument is based on Eureka’s alleged violation of Section 5(a) of the FTC Act. ECF No. 42 at 20 23–24. 21 Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or 22 affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. § 45(a)(1). A plaintiff can rely on this 23 statute to make an “unlawful” prong claim; fraud is not a necessary element, and the plaintiffs do 24 not attempt to make a case for fraud. See, e.g., In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 25 953, 992, 995 (N.D. Cal. 2016) [(Anthem II)]; In re Cap. One Consumer Data Sec. Breach Litig., 488 F. 26 Supp. 3d 374, 420 (E.D. Va. 2020) (“Section 5 of the FTC Act applies here and provides an 1 ascertainable duty regarding data protection. . . . Therefore, Plaintiffs have adequately alleged 2 the unlawfulness prong of an UCL claim.”). 3 The Houghton plaintiffs allege that Section 5 of the FTC Act creates an independent 4 statutory duty for businesses to “implement basic data security practices” and that orders from 5 the FTC’s enforcement actions “further clarify the measures businesses must take to meet their 6 data security obligations.” ECF No. 31 at ¶¶ 55–56. They also argue that Eureka violated Section 7 5(a) by “failing to implement reasonable and appropriate security measures or follow industry 8 standards for data security, by failing to ensure its affiliates with which it directly or indirectly 9 shared the PII did the same, and by failing to timely notify Plaintiff Houghton’s and California 10 Subclass Members of the Data Breach.” Id. at ¶ 205. Houghton alleges that if Eureka had 11 complied with Section 5(a), he and Class Members would not have been damaged. Id. at ¶ 206. 12 These allegations are sufficient to establish a claim under the “unlawful” prong, so I deny 13 Eureka’s motion to dismiss the Houghton plaintiffs’ UCL claim under the “unlawful” prong. 14 15 Eureka also argues that the Houghton plaintiffs’ conclusory assertion that it failed to 16 implement and maintain reasonable data security measures is insufficient to satisfy the “unfair” 17 prong of the UCL. ECF No. 43 at 10. The “unfair” prong of the UCL creates a cause of action for a 18 business practice that is unfair even if not proscribed by some other law. See In re Yahoo! Inc. 19 Customer Data Sec. Breach Litig., 2017 WL 3727318, at *23 (N.D. Cal. Aug. 30, 2017) (citing Korea 20 Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143 (2003)). 21 “The UCL does not define the term ‘unfair’ . . . [and] the proper definition of ‘unfair’ 22 conduct against consumers ‘is currently in flux’ among California courts.” Id. However, to 23 determine whether something is “unfair,” many California courts will “weigh the utility of the 24 defendant’s conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank 25 26 1 Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted).10 Under this 2 approach, the Houghton plaintiffs “may proceed with a UCL claim under the balancing test by 3 either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct 4 by [Eureka] or by demonstrating that [Eureka’s] conduct violated an established public policy.” 5 Anthem II, 162 F. Supp. 3d at 990. 6 The plaintiffs here allege that Eureka’s knowing failure to ensure adequate safeguards of 7 their PII violated several California statutes, including Cal. Civ. Code § 1798.1 (“The Legislature 8 declares that . . . all individuals have a right of privacy in information pertaining to them . . . . The 9 increasing use of computers . . . has greatly magnified the potential risk to individual privacy 10 that can occur from the maintenance of personal information.”); Cal. Civ. Code § 1798.81.5(a) (“It 11 is the intent of the Legislature to ensure that personal information about California residents is 12 protected.”); Cal. Bus. & Prof. Code § 22578 (“It is the intent of the Legislature that this chapter 13 [including the Online Privacy Protection Act] is a matter of statewide concern.”). ECF No. 31 at 14 ¶ 210. District courts in this circuit, presented with similar allegations have consistently found 15 that plaintiffs have alleged enough for the “unfair” prong to be resolved at a later stage of 16 litigation. See In re Yahoo!, 2017 WL 3727318, at *24 (collecting cases). On one side of the 17 balancing test, I must weigh the utility of the defendant’s conduct as alleged: there is little utility 18 in Eureka’s failing to follow data security laws. On the other, the harm to the plaintiffs of having 19 their PII stolen is potentially far greater. As a result, I find that the Houghton plaintiffs have 20 sufficiently alleged a claim, so I deny Eureka’s motion to dismiss the plaintiffs’ UCL claim under 21 the “unfair” prong. 22 23 24 25 10 There are several other formulations of this test, including the “tethering test” and the “FTC test,” but courts have found that a plaintiff’s ability to allege the defendants’ violation of the balancing test has, 26 alone, been sufficient to survive a motion to dismiss. See, e.g., In re Yahoo!, 2017 WL 3727318, at *23–24. 1 F. CCPA claim 2 The Houghton plaintiffs allege that Eureka violated the CCPA. ECF No. 31 at ¶¶ 214–28. 3 The CCPA permits “[a]ny consumer whose nonencrypted and nonredacted personal 4 information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a 5 result of the business’s violation of the duty to implement and maintain reasonable security 6 procedures and practices appropriate to the nature of the information to protect the personal 7 information may institute a civil action.” Cal. Civ. Code § 1798.150(a)(1). 8 Eureka first argues that the Houghton plaintiffs make conclusory allegations that fail to 9 state a plausible CCPA claim. ECF No. 41 at 21. It specifically states that the plaintiffs rely 10 entirely on the assertion that “[t]he Data Breach occurred as a result of Defendant’s failure to 11 implement and maintain reasonable security procedures and practices appropriate to the nature 12 of the information to protect” the plaintiffs’ PII. Id. (quoting ECF No. 31 at ¶¶ 217–18, 223). This, 13 Eureka argues, is conclusory and does not meet the pleading standard required for a CCPA 14 claim. Id. (citing Iqbal, 556 U.S. at 678; In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *6 15 (S.D.N.Y. Feb. 24, 2022); and others). 16 However, I find that the plaintiffs allege more than just conclusory statements. Looking 17 at their consolidated complaint in its entirety, which was incorporated into their CCPA claims 18 (ECF No. 31 at ¶ 214), the plaintiffs allege that Eureka (1) failed to encrypt the plaintiffs’ PII 19 (ECF No. 31 at ¶ 38); (2) failed to adhere to FTC guidelines, including not maintaining PII longer 20 than needed, limiting access to PII, requiring complex passwords, failing to use industry tested 21 methods of security, failing to monitor for suspicious activity and to verify that third-party 22 providers implemented adequate security (ECF No. 31 at ¶¶ 54, 56); (3) failed to follow industry 23 standards, including failing to install malware detection software, failing to set up network 24 firewalls, and failing to follow the Center for Internet Security’s Critical Security Controls (ECF 25 No. 31 at ¶¶ 59–61); and: 26 a. Failing to maintain an adequate data security system to reduce the risk of data 1 breaches and cyber-attacks; 2 b. Failing to adequately protect customers’ Private Information; 3 c. Failing to properly monitor its own data security systems for existing intrusions, encryptions, brute-force attempts, and clearing of event logs; 4 d. Failing to apply all available security updates; 5 e. Failing to install the latest software patches, update its firewalls, check user 6 account privileges, or ensure proper security practices; f. Failing to practice the principle of least-privilege and maintain credential 7 hygiene; 8 g. Failing to avoid the use of domain-wide, admin-level service accounts; 9 h. Failing to employ or enforce the use of strong randomized, just-in-time local administrator passwords, and; 10 i. Failing to properly train and supervise employees in the proper handling of 11 inbound emails. 12 13 (ECF No. 31 at ¶ 62). Additionally, the Houghton plaintiffs allege that “Eureka admitted it had 14 failed to maintain security appropriate to the nature of the information when it stated that it 15 only ‘took steps to secure our system’ after the Data Breach occurred.” ECF No. 42 at 27 (citing 16 ECF No 31 at ¶ 39). 17 These allegations are more than sufficient to plausibly plead a violation of the CCPA. At 18 this stage of litigation, with discovery incomplete, it would be unrealistic to expect a plaintiff to 19 provide more detail about the defendant’s former security systems. See Ramirez v. Paradies Shops, 20 LLC, 69 F.4th 1213, 1220 (11th Cir. 2023). 21 Next, Eureka argues that the plaintiffs’ claims are barred under the language of the 22 CCPA. The CCPA allows plaintiffs to seek relief for “actual pecuniary damages,” for statutory 23 damages, or for both. Cal. Civ. Code § 1798.150(b). Eureka states that the plaintiffs are only 24 25 26 1 seeking statutory damages,11 and they failed to comply with the pre-suit statutory damages 2 notice requirement. Under the CCPA: 3 Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or 4 class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or 5 are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written 6 statement that the violations have been cured and that no further violations shall 7 occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. 8 9 Cal. Civ. Code § 1798.150(b). Eureka argues that the plaintiffs provided untimely pre-suit notice 10 of their statutory claims, barring their statutory claim. ECF No. 41 at 22–23. It states that 11 Houghton originally filed his individual complaint on February 22, 2023, and mailed the CCPA 12 pre-suit notice the same day. Id. (citing ECF No. 1 and ECF No. 31 at ¶ 224). Houghton’s 13 complaint contained no mention of the CCPA. See ECF No. 1. Only when the consolidated 14 complaint was filed, on June 16, 2023, did plaintiffs raise a statutory damages CCPA claim. ECF 15 No. 31 at ¶ 214. In support of its argument that the claim is barred for lack of notice, Eureka 16 relies on Griffey v. Magellan Health Inc., in which the court declared that “[i]f a notice filed before 17 the 30-day deadline could be updated when an amended complaint is filed and satisfy the 30-day 18 notice requirement, then having the pre-suit notice requirement would be pointless.” 2022 WL 19 1811165, at *6 (D. Ariz. June 2, 2022). The court then dismissed the plaintiffs’ CCPA claims with 20 prejudice. Id. 21 I find the Griffey court’s reasoning unpersuasive in this context. The CCPA’s notice 22 requirement is designed “to allow the defendant an opportunity to cure the defect outside of 23 court.” Id. (quoting T & M Solar & Air Conditioning, Inc. v. Lennox Int’l Inc., 83 F. Supp. 3d 855, 875 24 (N.D. Cal. 2015)). There is no reason why the addition of a CCPA statutory damages claim to an 25 11 Based on the consolidated complaint, the plaintiffs seek “statutory damages . . . or actual damages.” ECF 26 No. 31 at ¶ 228. 1 amended complaint, after thirty days’ notice has been given, would go against the intentions of 2 this law. It is one thing for a plaintiff to initially file a complaint seeking CCPA statutory 3 damages in violation of the thirty-day notice requirement, only to file an amended complaint 4 with the same claim thirty days later. There is no harm, however, to a defendant who (1) has 5 been notified of a lawsuit on other grounds and (2) is separately provided thirty days’ notice of 6 the plaintiff’s seeking statutory damages in a CCPA claim. If, thirty days later, the plaintiff 7 determines that the defendant has not sufficiently cured its alleged violations, there should be 8 no reason the plaintiff is prevented from pursuing those claims. The defendant was provided the 9 statutorily mandated opportunity to cure before the plaintiff ever took the claim to court. 10 Therefore, the plaintiffs complied with the CCPA statutory damages notice rule when they 11 added the CCPA claim nearly four months after the notice letter was sent. 12 Eureka next argues that Houghton’s February 22, 2023 notice letter was deficient 13 because it did not “identify[] the specific provisions of [the CCPA] the consumer alleges have 14 been or are being violated.” ECF No. 41 at 23 (quoting Cal. Civ. Code § 1798.150(b)). It argues 15 that the two provisions Houghton cited—California Civil Code §§ 1798.81.5 and 1798.150—are 16 inadequate because § 1798.150 imposes no affirmative duty on the defendant and Houghton only 17 made conclusory statements in support of § 1798.81.5. Id. Section 1798.81.5 requires a covered 18 business to “implement and maintain reasonable security procedures and practices . . . .” Cal. 19 Civ. Code § 1798.81.5. 20 I disagree. Nothing in the law suggests this notice is required to meet the same standards 21 for pleading as a complaint. In the notice letter, Houghton explained that Eureka violated § 22 1798.81.5 by “fail[ing] to meet its duty to implement and maintain reasonable security 23 procedures and practices . . . includ[ing] the lack of adequate encryption to sufficiently maintain 24 California residents’ PII and to protect this PII from being accessed by third parties without 25 authorization.” Notice letter, ECF No. 31-1 at 2. As discussed above, it would be unreasonable to 26 expect a prospective plaintiff following a data breach, who has not been made privy to the inner 1 workings of Eureka’s data encryption systems, to provide notice in great detail. I find this 2 language to be sufficient under the notice requirement of the CCPA. 3 Finally, Eureka argues that it cured the issues noticed in Houghton’s letter because, as it 4 explained in its letter responding Houghton’s notice letter, [u]pon learning of suspicious activity on its network, Rancho Mesquite 5 immediately took measures to contain the incident, notified law enforcement, and 6 began an investigation. Rancho Mesquite took the necessary steps to block the unauthorized access and has continued to monitor for any further suspicious 7 activity or attempted or actual access to its network. None has been detected. 8 Eureka’s notice letter response, ECF No. 31-2 at 3. However, “[t]he implementation and 9 maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 10 following a breach does not constitute a cure with respect to that breach.” Cal. Civ. Code § 11 1798.150(b). Eureka’s measures were designed for the purpose of addressing future threats, not 12 curing the unauthorized release of the plaintiffs’ data. Therefore, I deny Eureka’s motion to 13 dismiss the plaintiffs’ CCPA claim. 14 G. CCRA claim 15 The Houghton plaintiffs allege that Eureka violated the CCRA. ECF No. 31 at ¶¶ 229–36. 16 Under the CCRA, any business which “owns, licenses, or maintains personal information about 17 a California resident shall implement and maintain reasonable security procedures and practices 18 appropriate to the nature of the information, to protect the personal information from 19 unauthorized access, destruction, use, modification, or disclosure.” Cal. Civ. Code § 1798.81.5(b). 20 Eureka argues that the plaintiffs make only a conclusory statement that “Defendant failed to 21 maintain reasonable data security procedures appropriate to the nature of the personal 22 information” and provide no additional factual allegations in support. ECF No. 41 at 24 (quoting 23 ECF No. 31 at ¶ 234). However, the Houghton plaintiffs allege not only that their data was kept 24 unsecure and unencrypted, which they describe in some detail, they also allege that Eureka 25 delayed notice of the breach to many of its customers for months—further exposing its 26 customers to harm. ECF No. 31 at ¶¶ 233, 36–37. I find that the plaintiffs have pled a CCRA violation with sufficient specificity to overcome Eureka’s motion, and therefore, I deny Eureka’s 2|| motion to dismiss the plaintiffs’ CCRA claim. 3 H. Declaratory judgment 4 Eureka’s argument for dismissal of the Houghton plaintiffs’ request for declaratory relief is contingent on the plaintiffs’ negligence and implied contract claims having been dismissed. 6|| Because the negligence claim remains, I deny Eureka’s motion to dismiss the plaintiffs’ request 7|| for declaratory judgment. Conclusion 9 It is therefore ordered that Eureka’s motion to dismiss [ECF No. 41] is granted in part 10|| and denied in part. The individual claims are addressed as follows: (1) Eureka’s motion as to the Houghton plaintiffs’ negligence claim is denied. 12 (2) Eureka’s motion as to the Houghton plaintiffs’ negligence per se claim is granted and B the negligence per se claim is therefore dismissed without prejudice. 14 (3) Eureka’s claim as to the Houghton plaintiffs’ breach of implied contract claim is 15 granted and the implied contract claim is therefore dismissed without prejudice. 16 (4) Eureka’s motion as to the Houghton plaintiffs’ unjust enrichment claim is denied. 17 (5) Eureka’s motion as to the Houghton plaintiffs’ UCL claim is denied. 18 (6) Eureka’s motion as to the Houghton plaintiffs’ CCPA claim is denied. 19 (7) Eureka’s motion as to the Houghton plaintiffs’ CCRA claim is denied. 20 (8) Eureka’s motion as to the Houghton plaintiffs’ declaratory judgment claim is denied. 21 If plaintiffs intend on filing an amended complaint, it must be titled “Second Amended 22|| Complaint,” and it must be filed on or before October 3, 2024. a 23 Dated: September 19, 2024 / / 24 / Le whe —— 46 States District Judge 27
Leave a Comment

Document Info

Docket Number: 2:23-cv-00276

Filed Date: 9/19/2024

Precedential Status: Precedential

Modified Date: 11/2/2024