The U.S. District Court for the Southern District of California recently dismissed a consumer’s putative class action lawsuit against a mortgage lending and servicing company for purported damages sustained as a result of a security breach wherein his personal information was compromised, and the hackers attempted to open credit cards in his name.
Although the Court previously concluded that the consumer had standing to bring his claims under Article III of the Constitution, it held that the consumer failed to state causes of action for negligence and violations of various California laws.
A copy of the opinion is available at: Link to Opinion
A consumer (“Consumer”), on behalf of himself and others similarly situated, sued his mortgage sued a mortgage lender and servicer (“Mortgage Company”) after its customer database was hacked, and confidential customer information, such as social security numbers, was compromised.
The consumer claimed that he suffered monetary and emotional distress damages as a result of a cybercriminal’s attempts to open credit cards in his name, as a result of the Mortgage Company’s inadequate security and failure to timely notify its customers of the breach.
The Consumer filed suit against the Mortgage Company in the Superior Court of California, San Diego County, alleging causes of action for: (i) negligence; (ii) violation(s) of California Constitution (Art. I, § I); (iii) violation(s) of the California Customer Records Act (Civ. Code § 1798.80); (iv) violation(s) of the California Consumers Legal Remedies Act (Cal. Civ. Code § 1750), and; (v) violation(s) of the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200).
The Mortgage Company removed the action to United States District Court for the Southern District of California under the Class Action Fairness Act, and moved to dismiss the Consumer’s complaint for lack of standing and failure to state a claim.
First, in considering the Consumer’s Article III standing, the federal trial court rejected the Mortgage Company’s arguments that increased risk of identity theft is not an injury in fact, citing the Ninth Circuit’s recent holding that data-breach-victims pled "an injury in fact based on a substantial risk that hackers will commit identity fraud" and established a reasonable inference of causation by alleging that his identity was stolen and exploited. In re Zappos.com, Inc.,888 F.3d 1020, 1029 (9th Cir. 2018).
In addition, the Court held that the Mortgage Company’s argument that the Consumer failed to allege it possessed his data at the time of the breach or that it was actually stolen was undermined by its admission that it sent notices to customers who may have been affected by the breach -- which consumer received-- and in any event, was waived because it was raised for the first time in the Mortgage Company’s reply brief. Thus, the motion to dismiss for lack of standing was denied.
Next, in examining the Consumer’s negligence claims, the federal trial court drew analogies to the Ninth Circuit case of Krottner v. Starbucks, wherein the plaintiff consumer similarly alleged that personal information was misused, but the court couldn’t find “loss related to the attempt to open a bank account in his name.” Krottner v. Starbucks Corp., 406 F. App'x 129, 131 (9th Cir. 2010).
Although the Starbucks court found risk of identity theft following a data breach sufficient to supply an injury-in-fact for standing, the Starbucks consumer plaintiff’s claims were insufficient to support actual damages for a negligence claim because the injuries "stem from the danger of future harm." Here, the Consumer failed to distinguish his case from Starbucks, and the Court found his allegations were too vague for the court or Mortgage Company to evaluate. Thus, the Consumer’s negligence claims were dismissed, but with leave to amend.
Following amendment by the Consumer, the Court dismissed the negligence claim with prejudice and without leave to amend. The Consumer alleged damages such as “diminution in value of his personal data, overpayments to [Mortgage Company], and continued risk to his financial information.” However, as to the alleged continued risk of harm, the Court held the allegation was “still insufficient because it stems from the danger of future harm,” which is insufficient under Starbucks. The Court also held that the alleged diminution of value of his personal data failed to allege “enough facts to establish how his personal information is less valuable as a result of the breach.” Similarly, as to the alleged overpayment to Mortgage Company, the Consumer failed to “provide any information to show that he paid a premium for [Mortgage Company] to provide reasonable and adequate security measures.”
The Consumer also argued that the Mortgage Company’s breach of data violated his right to privacy under Art. I, Section I of the California Constitution. However, the loss of personal data through insufficient security fails to constitute “a serious invasion of privacy” that is “an egregious breach of the social norms underlying the privacy right” necessary to meet the standard of actionable conduct under the California Constitution. Hill v. Nat'l Collegiate Athletic Assn., 7 Cal. 4th 1, 37, 40 (1994); In re iPhone Application Litig.,844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) ("Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not approach the standard of actionable conduct under the California Constitution and thus does not constitute a violation of Plaintiffs' right to privacy." ). Accordingly, these claims, too, were dismissed, with leave to amend.
Next, the court considered the Consumer’s claims that the Mortgage Company failed to comply with the Customer Records Act, Civ. Code § 1798.80 (“CRA”), which requires businesses to protect customers' personal information by maintaining "reasonable security procedures," and if a data breach occurs, to notify affected customer's "without unreasonable delay" §§ 1798.81.5, 82.
The Consumer argued that the Mortgage Company waived its argument by failing to address this claim, but the Court found just the opposite, and that the Consumer failed to address the Mortgage Company’s arguments that dismissal was warranted for failure to allege injury, and for conclusory allegations about security, data disposal and notification. Thus, the claim was deemed abandoned, and dismissed with leave to amend. See, e.g., Shull v. Ocwen Loan Servicing, LLC, 2014 WL 1404877, at *2 (S.D. Cal. Apr. 10, 2014).
Following amendment by Consumer, the Court also dismissed the CRA claim with prejudice and without leave to amend. The Court noted that, although the CRA requires businesses to notify customers of a data breach "in the most expedient time possible and without reasonable delay” (Cal. Civ. Code § 1798.82(a)), courts have required plaintiffs to “show that the delay in notification led to incremental harm.” The Consumer did not do so here.
Moreover, the CRA requires businesses to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information." Cal. Civ. Code § 1798.81.5. The Court held that Consumer “could have identified what made [Mortgage Company]'s security measures unreasonable by comparison to what other companies are doing, but simply knowing of higher-quality security measures is not sufficient to state a claim.”
The Consumer’s claims under the Consumers Legal Remedies Act (“CLRA”) asserted that the Mortgage Company violated various provisions of Cal. Civ. Code § 1770(a)'s ban on unfair business practices that result "in the sale or lease of goods or services to any consumer."
As you may recall, the CLRA defines "services" as "work, labor, and services for other than a commercial or business use, including services furnished in connection with the sale or repair of goods." § 1761.
Here, the Court accepted the Mortgage Company’s argument that home loans do not qualify as “the sale of a service” under the CLRA, citing California Supreme Court authority that that "ancillary services that insurers provide to actual and prospective purchasers of life insurance" do not count as a "service" under the CLRA because the activity centers on a "contractual obligation to pay money." Fairbanks v. Superior Court, 46 Cal. 4th 56, 61, 65 (2009). Thus, the Consumer’s CLRA claims were dismissed, but without leave to amend.
Lastly, the Consumer claimed that the Mortgage Company violated California’s Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) (“UCL”) by supposedly engaging in unfair business practices by failing to provide sufficient security for his data.
Here, the Court noted that the Consumer’s complaint failed to explain which theory he was advancing under the UCL. Although his opposition brief suggested the Consumer relied upon his CLRA and CRA claims as predicates for an unlawful theory, because those causes of action failed to state a claim, and because the Consumer failed to sufficiently allege “lost money or property,” as required, the Consumer’s Unfair Competition Law claim also failed to state a cause of action, and was dismissed with leave to amend.
Consumer amended his UCL claim, but the Court held the amendments were insufficient, and this time dismissed the UCL claim with prejudice. The Court noted that a UCL plaintiff must "have suffered an `injury in fact' and `lost money or property as a result of such unfair competition." Consumer argued that he met this element because funds were withdrawn without his consent from his bank account. However, the Court noted, Consumer’s bank quickly reversed the transaction, and therefore Consumer suffered no “injury in fact,” as required.
Accordingly, the motion to dismiss Consumer’s putative class action lawsuit was granted with prejudice and without leave to amend.
Eric Tsai
Maurice Wutscher LLP
71 Stevenson Street, Suite 400
San Francisco, CA 94105
Direct: (415) 529-7654
71 Stevenson Street, Suite 400
San Francisco, CA 94105
Direct: (415) 529-7654
Fax: (866) 581-9302
Mobile: (714) 600-6000
Email: etsai@MauriceWutscher.com
Admitted to practice law in California, Nevada and Oregon
ALABAMA | CALIFORNIA | FLORIDA | ILLINOIS | MARYLAND | MASSACHUSETTS | NEW JERSEY | NEW YORK | OHIO | PENNSYLVANIA | TEXAS | WASHINGTON, D.C.