DocketNumber: G061093
Filed Date: 7/21/2023
Status: Non-Precedential
Modified Date: 7/21/2023
Filed 7/21/23 P. v. Court Ventures CA4/3 NOT TO BE PUBLISHED IN OFFICIAL REPORTS California Rules of Court, rule 8.1115(a), prohibits courts and parties from citing or relying on opinions not certified for publication or ordered published, except as specified by rule 8.1115(b). This opinion has not been certified for publication or ordered published for purposes of rule 8.1115. IN THE COURT OF APPEAL OF THE STATE OF CALIFORNIA FOURTH APPELLATE DISTRICT DIVISION THREE THE PEOPLE OF THE STATE OF CALIFORNIA, G061093 Plaintiff and Appellant, (Super. Ct. No. 30-2019-01047183) v. OPINION COURT VENTURES, INC., et al., Defendants and Respondents. Appeal from a judgment of the Superior Court of Orange County, Richard 1 J. Oberholzer, Judge. Affirmed. 1 Although the parties stated in their appellate filings that the appeal is from an order of Superior Court Judge Linda Marks, the record indicates that the appeal is from a judgment following an order granting summary judgment issued by Judge Oberholzer. The error may have occurred because Judge Marks presided over the matter earlier. (See People v. Experian Data Corp. (April 26, 2022) G060360 [nonpub. opn.].) Mara W. Elliott, San Diego City Attorney, Mark Ankcorn and Kevin King, Deputy City Attorneys, and Blood Hurst & O’Reardon, Timothy G. Blood, Leslie Hurst and Paula R. Brown for Plaintiff and Appellant. The Vanderpool Law Firm, Douglas B. Vanderpool, Michael J. Fairchild and Brooke L. Bove, for Defendants and Respondents. * * * In this case of first impression, we are asked to determine whether Section 1798.82, subdivision (a) (section 1798.82(a)) of the Customer Records Act (CRA), Civil Code sections 17980 et seq., obligates former owners or licensees of computerized data containing personal information to provide notice to California residents after discovering or being notified of a data breach. As discussed below, we conclude section 1798.82(a) does not apply to former owners or licensees. The trial court thus properly granted summary judgment to respondents Court Ventures, Inc. (CVI) and Robert Gundling on the claim that they violated section 1798.82(a). Accordingly, we affirm the judgment against appellant, the People of the State of California. I FACTUAL AND PROCEDURAL BACKGROUND A. Summary Judgment Motion As an initial matter, we note that appellant did not provide a full and complete record on appeal. The complaint against respondents is not in the record, even as an exhibit to a declaration. Only respondents’ memorandum of points and authority in support of their motion for summary judgment is in the record. The actual motion, the separate statement of undisputed facts, the supporting declarations and the exhibits attached to the declarations, and respondents’ request for judicial notice are not in the record. Appellant’s opposition to the summary judgment motion, including a declaration in support of the opposition with 46 attached exhibits and a request for judicial notice, are 2 in the record. Respondents’ reply also is in the record. Finally, the hearing transcript, the trial court’s order granting the summary judgment and its written ruling are in the record. As described in respondents’ memorandum of points and authority, Gundling formed CVI in approximately 2001. CVI’s business was “the aggregation and sale of public-record sourced criminal history information, which was derived from various court records and other publicly available sources.” (Underlining ommited.) During its existence, CVI’s customers were businesses, not individuals. Gundling sold the business, including data subscriber agreements, to Experian Data Corporation in March of 2012. In April 2010, CVI entered into a Data Sharing Agreement with U.S. Infosource (USI), which maintained its own database. Under the agreement, CVI allowed USI access to its criminal data and USI allowed CVI access to its “SSN Address Trace Data.” In October 2010, an individual identifying himself as Jason Low with the private investigation firm, SG Investigators, contacted CVI and requested access to the SSN Address Trace Data. CVI subsequently entered into a data subscriber agreement with SG Investigators, which allowed SG Investigators to access the USI database. According to appellant, in November 2012, a special agent of the United States Secret Service contacted Experian, and informed Experian that Low, who was in fact, Hieu Minh Ngo, was under criminal investigation for identity-related crimes. In March 2014, Ngo pled guilty to various charges, and stated that the factual basis for his plea was that over an 18-month period, he sold access to the USI database to his customers, allowing them to make millions of queries on the USI database to further their own criminal fraud. In October 2014, the United States Department of Justice contacted Gundling and informed him of Ngo’s criminal activities. Appellant concedes that this was the first time Gundling was aware of the security breach. From the trial court’s ruling, we can infer that the operative complaint alleges a single cause of action for violation of the Unfair Competition Law (UCL), set 3 forth in Business and Professions Code section 17200 et seq. Specifically, the complaint alleged the predicate violation was the failure of Experian and respondents to provide notice to consumers following discovery of a data breach as required by section 1798.82(a). In their summary judgment motion, respondents argued, among other grounds, that they did not violate the CRA because they did not own or license computerized data at the time they discovered or were notified of the data breach. In response, plaintiff argues that because respondents “owned or licensed the [computerized] Data for a significant portion of the Security Breach—from at least October 2010 to March 2012,” they remain obligated to provide the required notice under the CRA, even if the CVI dissolved and “ceased to exist.” The trial court granted the summary judgment motion. It concluded that section 1798.82(a) “establishes an obligation on the owner or licensee of data, at the time of discovery, only.” It found: “Here, it is undisputed that [CVI] entered into an Asset Purchase Agreement with Experian Data Corp. in March of 2012, wherein Experian purchased all ‘Owned Intellectual Property,’ ‘Data Furnisher Agreements,’ ‘In-Bound Licenses,’ and ‘Data.’ [Citations.] It is also undisputed that, via this transfer, Experian obtained all of [CVI]’s rights to the subject data. [Citation.] “Additionally, it is undisputed that Defendant Gundling (and CVI through Gundling) first became aware of the data breach in October of 2014, after the above transfer of assets. [Citations.] “Based on the above undisputed facts, as Defendants did not own or license the data at the time they discovered the security breach, they were not obligated to provide notice pursuant to [section] 1798.82(a).” 4 II DISCUSSION Generally, “[a] defendant is entitled to summary judgment if the record establishes as a matter of law that none of the plaintiff’s asserted causes of action can prevail. [Citation.]” (Molko v. Holy Spirit Assn. (1988)46 Cal.3d 1092
, 1107.) “[W]e review the grant of summary judgment de novo. [Citation.] In performing our independent review, we conduct the same procedure used by the trial court. We examine (1) the pleadings to determine the elements of the claim for which the party seeks relief; (2) the summary judgment motion to determine if movant established facts justifying judgment in its favor; and (3) the opposition to the motion—assuming movant met its initial burden—to ‘decide whether the opposing party has demonstrated the existence of a triable, material fact issue. [Citation.]’ [Citations.]” (Y.K.A. Industries, Inc. v. Redevelopment Agency of City of San Jose (2009)174 Cal.App.4th 339
, 354.) “‘De novo review is [also used] to determine the soundness of a trial court’s resolution of the meaning of a statute, as entailing a pure question of law.’ [Citation.]” (Noel v. River Hills Wilsons, Inc. (2003)113 Cal.App.4th 1363
, 1368.) Here, the resolution of the summary judgment motion was based on an interpretation of section 1798.82(a). “‘“When we interpret a statute, ‘[o]ur fundamental task ... is to determine the Legislature’s intent so as to effectuate the law’s purpose. We first examine the statutory language, giving it a plain and commonsense meaning. We do not examine that language in isolation, but in the context of the statutory framework as a whole in order to determine its scope and purpose and to harmonize the various parts of the enactment. If the language is clear, courts must generally follow its plain meaning unless a literal interpretation would result in absurd consequences the Legislature did not intend. If the statutory language permits more than one reasonable interpretation, courts may consider other aids, such as the statute’s purpose, legislative history, and public policy.’ [Citation.] ‘Furthermore, we consider portions of a statute in the context of the 5 entire statute and the statutory scheme of which it is a part, giving significance to every word, phrase, sentence, and part of an act in pursuance of the legislative purpose.’”’” (Meza v. Portfolio Recovery Associates, LLC (2019)6 Cal.5th 844
, 856–857.) Civil Code section 1798.82 provides in relevant part: “(a) A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California . . . . The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Under the plain language of section 1798.82(a), after discovery or notification of a data security breach, the current owner or licensee of the data must provide prompt notice of the data security breach to California residents. Thus, the owner or licensee of the computerized data containing personal information who is obligated to provide notice under section 1798.82 is determined at the time of the discovery or notification of the data breach. Not only does this interpretation comport with the plain language of the statute, it also effectuates the purpose of the law, which is to provide disclosure in “the most expedient time possible and without unreasonable delay.” (§ 1798.82, subd. (a).) A person or business who owns or licenses the data at the time of the discovery or notification of the breach would have both access to consumer information, such as names and addresses, and assets to pay for the required disclosure. Appellant contends that the “discovery or notification” language only modifies the subsequent notice or disclosure to California residents, and not the phrase “owns or licenses.” Appellant thus argues that because CVI owned or licensed the data at the time 6 of the breach, it is obligated to provide the required disclosure under section 1798.82(a). We disagree for several reasons. First, appellant’s interpretation ignores the statutory language. Although in many cases the current owner or licensee at the time of the breach will be the same as at the time the breach was discovered, that was not the case here. Section 1798.82(a) only mentions “discovery or notification of [a] breach.” There is no reference to the breach itself as triggering or limiting any disclosure obligation. Thus, there is no basis in the statutory language to expand the disclosure obligation beyond an owner or licensee at the time of the discovery or notification of a breach. Second, appellant’s interpretation can lead to absurd results. As appellant acknowledged, under its interpretation, an owner or licensee of the data at the time of a breach is obligated to provide notice, even if the owner or licensee no longer exists when the breach is discovered. It is easy to contemplate a situation where it would be impossible for a nonexistent corporation to provide notice, for example if it lacks access to consumer data or lacks paying assets. Because “[t]he law never requires impossibilities,” (Civ. Code, §2531), appellant’s interpretation is suspect. Finally, interpreting the statute in the manner suggested by appellant is not required to effectuate the law’s purpose. As noted, our interpretation provides the prompt notice required by the statute. Although more persons or businesses would be obligated to notify California residents under appellant’s interpretation, the additional obligation to disclose a security breach finds no support in the plain language of the statute. “We cannot ‘ignore the language employed by the Legislature merely because of a subjective evaluation that a differently worded statute would more effectively achieve the statutory goal.’ [Citation.]” (Faria v. San Jacinto Unified School District (1996)50 Cal.App.4th 1939
, 1945, fn. 2.) “If the Legislature meant to say something other than what it said, then it, not [the] court, should change the statute. The judicial function is to interpret the language of a statute, not to rewrite it.” (Id. at p.1947, fn. 4; see also California Fed. 7 Savings & Loan Assn. v. City of Los Angeles (1995)11 Cal.4th 342
, 349 [“We may not, under the guise of construction, rewrite the law or give the words an effect different from the plain and direct import of the terms used.”].) In sum, respondents showed that they were entitled to summary judgment. The burden thus shifted to appellant to show a triable, material fact. On appeal, appellant has not attempted to show a triable material fact, and the inadequate record would not have allowed us to find any triable material fact. Accordingly, the trial court properly granted summary judgment. III DISPOSITION The judgment is affirmed. Respondents are entitled to their costs on appeal. DELANEY, J. WE CONCUR: GOETHALS, ACTING P.J. SANCHEZ, J. 8