1 UNITED STATES DISTRICT COURT
2 DISTRICT OF NEVADA
3 JEREMIAH ARCHAMBAULT, et al., 4 Plaintiffs, Case No.: 2:24-cv-01691-GMN-DJA 5 vs. ORDER GRANTING IN PART 6 RIVERSIDE RESORT & CASINO, Inc., et MOTION TO DISMISS 7 al.,
8 Defendants.
9 10 Pending before the Court is a Motion to Dismiss, (ECF No. 23), filed by Defendants 11 Riverside Resort & Casino, Inc. and Riverside Resort & Casino, LLC, (collectively, 12 “Riverside”). Plaintiffs Brian Scott Giuiland, Kathleen Maddox, Jean Markgraf, Amber 13 McConnell, Darlene Martin, Robert Dapello, Ronald Hansen, Carol Laudonio, Michael J. 14 Montoya, Gary Lester, and Floyd M. Patten filed a Response, (ECF No. 28), to which Riverside 15 filed a Reply, (ECF No. 30). For the reasons discussed below, the Court grants, in part, and 16 denies, in part, the Motion to Dismiss. 17 I. BACKGROUND 18 Plaintiffs bring this class action against Riverside Resort and Casino after their sensitive 19 personal identifying information (“PII”) was stolen during a cyberattack on Riverside’s 20 computer network. (See generally First Am. Compl. (“FAC”), ECF No. 20). Lynx 21 Ransomware claimed responsibility for the attack, and Plaintiffs allege that their stolen PII has 22 already been published, or will soon be published, on the dark web. (Id. ¶¶ 62–66). On July 25, 23 2024, Riverside performed an internal investigation on the data breach. (Id. ¶¶ 6–7, 46). It 24 reported that the data breach exposed the PII of 55,155 current and former employees and 25 customers. (Id. ¶ 7). The PII included, but was not limited to, names and social security 1 numbers. (Id. ¶ 43). About six weeks after the data breach was discovered, Riverside began 2 notifying Plaintiffs and Class Members that their names and social security numbers were 3 involved in the breach. (Id. ¶¶ 9, 47). 4 Plaintiffs allege that Riverside willfully or negligently failed to take reasonable steps to 5 safeguard their PII, follow appropriate policies and procedures regarding the encryption of their 6 data, and adequately notify them of the breach. (Id. ¶¶ 13–15). They also allege that the data 7 breach was foreseeable because PII security warnings were readily available and accessible, 8 and ransomware groups were targeting casinos. (Id. ¶¶ 67–81). In fact, some of the named 9 Plaintiffs have already had their information misused in the form of unauthorized transactions, 10 suspicious spam calls, and information from credit reporting agencies that their PII has been 11 found on the dark web. (Id. ¶¶ 130, 142, 152, 163, 176, 188, 217, 229). Plaintiffs also allege 12 that their injuries include an invasion of privacy, out of pocket costs, loss of time, loss of 13 productivity to mitigate the risk of identity theft or actual identity theft, loss of the benefit of 14 the bargain, and diminution or loss of value of their PII. (Id. ¶ 83). 15 Plaintiffs bring causes of action for negligence, breach of implied contract, unjust
16 enrichment, and violations of the California Consumer Privacy Act, California Unfair 17 Competition law, Nevada Deceptive Trade Practices Act, and for declaratory judgment. (See 18 generally id.). 19 II. LEGAL STANDARD 20 Dismissal is appropriate under Rule 12(b)(6) where a pleader fails to state a claim upon 21 which relief can be granted. Fed. R. Civ. P. 12(b)(6). A pleading must give fair notice of a 22 legally cognizable claim and the grounds on which it rests, and although a court must take all 23 factual allegations as true, legal conclusions couched as factual allegations are insufficient. Bell 24 Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). Accordingly, Rule 12(b)(6) requires “more 25 than labels and conclusions, and a formulaic recitation of the elements of a cause of action will 1 not do.” Id. “To survive a motion to dismiss, a complaint must contain sufficient factual 2 matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. 3 Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A claim has facial 4 plausibility when the plaintiff pleads factual content that allows the court to draw the 5 reasonable inference that the defendant is liable for the misconduct alleged.” Id. This standard 6 “asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. 7 If the court grants a motion to dismiss for failure to state a claim, the court should grant 8 leave to amend “unless it determines that the pleading could not possibly be cured by the 9 allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000) (quoting Doe v. 10 United States, 58 F.3d 494, 497 (9th Cir. 1995)). Pursuant to Rule 15(a), the court should 11 “freely” give leave to amend “when justice so requires,” and in the absence of a reason such as 12 “undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure 13 deficiencies by amendments previously allowed, undue prejudice to the opposing party by 14 virtue of allowance of the amendment, futility of the amendment, etc.” Foman v. Davis, 371 15 U.S. 178, 182 (1962).
16 III. DISCUSSION 17 Riverside moves to dismiss Plaintiffs’ FAC for two reasons. (Mot. Dismiss 1:24–27, 18 ECF No. 23). First, Riverside argues that Plaintiffs lack Article III standing to bring their 19 claims because they do not allege any actual injuries caused by the cyberattack. (Id. 1:12–24). 20 Second, Riverside contends that even if Plaintiffs have standing, they otherwise fail to state a 21 claim pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. (Id. 1:24–27). The 22 Court begins with Riverside’s standing argument. 23 A. Article III Standing 24 “Standing under Article III of the Constitution requires that an injury be concrete, 25 particularized, and actual or imminent; fairly traceable to the challenged action; and redressable 1 by a favorable ruling.” Monsanto Co v. Geerton Seed Farms, 561 U.S. 139, 149 (2010). “At 2 the pleading stage, ‘general factual allegations of injury resulting from defendant’s conduct 3 may suffice.” Mecinas v. Hobbs, 30 F.4th 890, 897 (9th Cir. 2022) (quoting Lujan v. Defenders 4 of Wildlife, 504 U.S. 555, 561 (1992)). 5 In a class action, standing exists where at least one named plaintiff meets these 6 requirements. Ollier v. Sweetwater Union High Sch. Dist., 768 F.3d 843, 865 (9th Cir. 2014). 7 To demonstrate standing, the “named plaintiffs who represent a class must allege and show 8 they personally have been injured, not that injury has been suffered by other, unidentified 9 members of the class to which they belong and which they purport to represent.” Lewis v. 10 Casey, 518 U.S. 343, 347 (1996) (internal quotation marks omitted). At least one named 11 plaintiff must have standing with respect to each claim that the class representatives seek to 12 bring. In re Ditropan XL Antitrust Litig., 529 F. Supp. 2d 1098, 1107 (N.D. Cal. 2007). 13 1. Injury-in-Fact 14 Riverside argues that Plaintiffs have failed to allege an injury-in-fact based on fear of 15 future harm, mitigation cost or time spent, diminished value of PII, loss of privacy, emotional
16 distress, or an increase in spam or scam communications. (Mot. Dismiss 3:14–7:1). In 17 response, Plaintiffs contend that the Ninth Circuit has found such injuries to confer standing in 18 the context of a data breach. (Resp. 2:26–3:10). The Court finds that Plaintiffs have 19 sufficiently alleged an injury-in-fact to confer standing. 20 Plaintiffs allege that their PII, including their full names and social security numbers, 21 was stolen in the cyberattack. (See FAC ¶ 47). Some Plaintiffs have reported unauthorized 22 transactions and have been notified that their information was found on the dark web, while 23 others have not yet noticed a misuse of their PII but fear future identity theft. (Id. ¶¶ 123–250). 24 The Ninth Circuit has found that the threat of identity theft, including the theft of social security 25 numbers, can constitute an injury-in-fact, even if there is no indication that the PII had been 1 misused. See Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (“Plaintiffs– 2 Appellants have alleged a credible threat of real and immediate harm stemming from the theft 3 of a laptop containing their unencrypted personal data.”); see also In re Zappos.com, Inc., 888 4 F.3d 1020, 1027–29 (9th Cir. 2018). For example, the Ninth Circuit found that the plaintiffs 5 sufficiently alleged a concrete injury when a thief in Krottner stole unencrypted names, 6 addresses, and social security numbers that were stored on laptops, 628 F.3d at 1143, and when 7 Zappos hackers obtained names, account numbers, passwords, e-mail addresses, billing and 8 shipping addresses, telephone numbers, full credit card numbers, and unspecified credit and 9 debit card information, 888 F.3d at 1023. Every named Plaintiff in this case has allegedly had 10 PII stolen. Additionally, Plaintiffs allege that an actual theft of their PII occurred, not simply 11 that they were worried about a risk of future theft. As the Zappos court explained, it was “the 12 sensitivity of the personal information, combined with its theft, [that] led us to conclude [in 13 Krottner] that the plaintiffs had adequately alleged an injury in fact supporting standing.” 888 14 F.3d at 1027 (emphasis added). 15 Riverside cites two cases for the proposition that Plaintiffs’ fear of speculative harm
16 cannot confer Article III standing. (Mot. Dismiss 4:4–7). Neither is persuasive here. The first, 17 TransUnion LLC v. Ramirez, did not involve the theft of PII. See 594 U.S. 413, 433 (2021). 18 Rather, the Supreme Court held the TransUnion plaintiffs did not have a concrete injury simply 19 because their TransUnion credit report, which had not been disclosed to a third party, contained 20 misleading information. Id. at 434. And in the Southern District of California case relied on by 21 Defendants, the plaintiffs did not allege that their social security numbers were stolen. Stasi v. 22 Inmediata Health Grp. Corp., No. 19CV2353 JM (LL), 2020 WL 2126317, at *5 (S.D. Cal. 23 May 5, 2020) (“Krottner and Zappos are distinguishable because Plaintiffs do not allege their 24 social security numbers were included in the information that was potentially exposed on the 25 internet.”). Because those cases are distinguishable, and the Zappos and Krottner courts have 1 found a concrete injury under facts similar to the facts of this case, the Court finds that the 2 Plaintiffs have alleged an injury-in-fact. 3 2. Traceable Injury 4 Riverside also argues that Plaintiffs’ alleged injuries, including the fraud attempts and 5 unauthorized charges, are not fairly traceable to the data breach incident. (Mot. Dismiss 7:3– 6 24). However, six weeks after Riverside discovered the data breach, it sent a breach notice 7 letter to Plaintiffs. (FAC ¶ 9). Courts in this district have found a data breach notice to be 8 sufficient to establish this standing element. See, e.g., Stallone v. Farmers Grp., Inc., No. 2:21- 9 cv-01659-GMN-VCF, 2022 WL 10091489, at *9 (D. Nev. Oct. 15, 2022). “[T]he alleged 10 harms are fairly traceable to Defendants because Defendants notified Plaintiff in a letter that he 11 was subject to the Data Breach.”); see also Huynh v. Quora, Inc., No. 18-cv-07597, 2019 WL 12 11502875, at *4 (N.D. Cal. Dec. 19, 2019) (“These alleged harms are fairly traceable to Quora 13 because Quora notified each of the Plaintiffs that they may have been subject of the 2018 Data 14 Breach.”). “A reasonable inference can therefore be drawn which traces the plausibly alleged 15 harms to the purported mishandling of [Plaintiffs’] personal information through the Data
16 Breach.” Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1033 (N.D. Cal. 2019). The Court thus 17 finds that the FAC sufficiently alleges facts indicating that the Defendants’ failure to 18 adequately protect the Plaintiffs’ PII is sufficiently traceable to Plaintiffs’ alleged injuries. 19 3. Standing for Injunctive Relief 20 Riverside also argues that Plaintiffs lack standing for injunctive relief because they have 21 not alleged facts supporting an immediate threat of repeated injury. (Mot. Dismiss 7:28–8:6). 22 In response, Plaintiffs note that Riverside has retained their PII and that its post-breach security 23 measures are inadequate from protect them from future injury. (Resp. 8:19–27). 24 In the context of requests for injunctive relief, the standing inquiry requires plaintiffs to 25 “demonstrate that [they have] suffered or [are] threatened with a ‘concrete and particularized 1 harm,’ coupled with a ‘sufficient likelihood that [they] will again be wronged in a similar 2 way.’” Bates v. United States Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007) (quoting 3 Lujan, 504 U.S. at 560). The latter inquiry turns on whether the plaintiff has a “real and 4 immediate threat of repeated injury.” Id. The threat of future injury cannot be “conjectural or 5 hypothetical” but must be “certainly impending to” constitute an injury in fact for injunctive 6 relief purposes. Zappos, 888 F.3d at 1026. 7 Here, Plaintiffs allege that their PII is at continued risk and subject to further breaches as 8 long as Riverside fails to undertake appropriate and adequate measures to protect the PII. (FAC 9 ¶ 83). They claim that they have an interest in protecting their PII by ensuring that the storage 10 or data or documents containing the PII is not accessible online and is password protected. (Id. 11 ¶ 122). As Riverside points out, however, Plaintiffs fail to allege facts suggesting “an ongoing 12 security deficiency creating a real, immediate threat of a further data breach.” (Reply 7:13–19). 13 In Riverside’s Notice of Data Breach letter, attached to the FAC, it states that Riverside 14 initiated an investigation, disabled relevant accounts, and provided Plaintiffs with access to 15 credit monitoring services and proactive fraud assistance at no charge. (Notice of Breach, Ex. A
16 to FAC, ECF No. 20-1). Although Plaintiffs are correct that they have an interest in ensuring 17 their data is protected from future breaches, they must include allegations allowing the Court to 18 conclude that the threat of future injury is “certainly impending.” Thus, Plaintiffs’ claim for 19 injunctive relief is dismissed with leave to amend. 20 B. Claims for Relief 21 Because the Court finds that Plaintiffs have standing, it will next evaluate Riverside’s 22 arguments that Plaintiffs have failed to state a claim for each cause of action. 23 24 25 1 1. Cognizable Injury 2 Riverside first argues that all of Plaintiffs’ claims must fail due to a lack of cognizable 3 injury. (Mot. Dismiss 8:13–9:21). In rebuttal, Plaintiffs contend that they alleged cognizable 4 injuries in the form of “(1) the loss of benefit of the bargain; (2) diminution or loss of value of 5 their PII; (3) the future risk to their PII will be used to commit fraud or identity theft; (4) 6 violation of privacy;” and (5) time and expenses lost mitigating the “materialized risk and 7 imminent threat of identity theft risk.” (Resp. 9:5–8). Although Plaintiffs have sufficiently 8 alleged an injury-in-fact for standing purposes, they must still plead sufficient allegations to 9 satisfy the damages requirement for their causes of action. See Krottner v. Starbucks Corp., 406 10 F. App’x 129, 131 (9th Cir. 2010) (“our holding that Plaintiffs-Appellants pled an injury-in-fact 11 for purposes of Article III standing does not establish that they adequately pled damages for 12 purposes of their state-law claims”). 13 Beginning with Plaintiffs’ benefit of the bargain damages, the FAC alleges that Plaintiff 14 Laudonio and the California Subclass Members paid more for goods and services than they 15 otherwise would have, based on the belief that Defendant would implement reasonable data
16 security practices. (FAC ¶ 360). This Court, and other courts in the District of Nevada, have 17 found similar allegations to be sufficient for a plaintiff to allege that reasonable data security 18 was part of the bargain, which they did not receive. See, e.g., Smallman v. MGM Resorts Int’l, 19 638 F. Supp. 3d 1175, 1190 (D. Nev. 2022); In re Eureka Casino Breach Litig., No. 2:23-CV- 20 00276-CDS-BNW, 2024 WL 4253198, at *6 (D. Nev. Sept. 19, 2024). Notably, however, 21 Plaintiffs’ allegation involves only Plaintiff Laudonio and the California Subclass Members and 22 pertains specifically to count five, violation of the California Unfair Competition Law. 23 Plaintiffs’ previous allegations about general damages based on loss of benefit of the bargain 24 are vague and conclusory. (See FAC ¶ 83). The Court therefore finds that to the extent 25 1 Plaintiffs’ allege this injury as to the other Named Plaintiffs, Nevada Subclass Members, or 2 claims, it must be amended and supported with additional factual allegations. 3 Plaintiffs also allege that they suffered cognizable harm because the theft of their PII has 4 diminished in value. (Id. ¶¶ 83, 108–13). “Diminution in value of personal information can be 5 a viable theory of damages.” Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 6 1234 (D. Nev. 2020), aff’d, 845 Fed. App’x 613 (9th Cir. 2021). Plaintiffs contend that their 7 PII has an “inherent market value in both legitimate and dark markets,” and that its value has 8 diminished by its unauthorized release onto the dark web. (FAC ¶ 113). Riverside argues that 9 this cannot constitute a concrete injury because plaintiffs “must establish both the existence of a 10 market for [their] personal information and an impairment of [their] ability to participate in that 11 market.” (Mot. Dismiss 5:13–22) (quoting Pruchnicki, 439 F. Supp. 3d at 1234). This Court 12 has previously explained, however, that “these pleading requirements, that Plaintiffs must 13 establish both the existence of a market for their PII and an impairment of their ability to 14 participate in that market, is not supported by Ninth Circuit precedent, and other district courts 15 in this Circuit have rejected them.” Smallman, 638 F. Supp. 3d at 1190 (collecting cases); see
16 also In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *15 17 (N.D. Cal. May 27, 2016) (“These statements [in the case law] appear to require a plaintiff to 18 allege that there was either an economic market for their PII or that it would be harder to sell 19 their own PII, not both.”). The Court thus denies Riverside’s motion to the extent it seeks 20 dismissal on the grounds that Plaintiffs’ allegation of diminution of value is not a cognizable 21 harm. 22 Next, Plaintiffs allege that there is a future risk their PII will be used to commit fraud 23 and identity theft. While the Ninth Circuit has addressed the risk of future harm in the context 24 of standing, as discussed above, neither party provides clear guidance from the Ninth Circuit as 25 to what extent it can serve as a cognizable injury in the damages context. This Court, however, 1 found in Smallman that stolen PII can create a substantial risk of future harm sufficient to 2 constitute cognizable harm. Smallman, 638 F. Supp. 3d at 1191–92. Plaintiffs have alleged that 3 their PII has already been published on the dark web or will soon be published. (FAC ¶¶ 50, 4 62–66). Multiple named Plaintiffs have received information from credit reporting agencies 5 that their information was discovered on the dark web, and still others allege that unauthorized 6 transactions have appeared in their accounts. Even if some of the Plaintiffs have not yet 7 discovered a misuse of their PII, “Plaintiffs do not have to wait until hackers inevitably use 8 their private information for nefarious purposes to allege a cognizable injury.” In re Eureka 9 Casino Breach Litig., 2024 WL 4253198, at *5. The Court denies Riverside’s motion to the 10 extent it seeks dismissal on this ground. 11 Plaintiffs also allege that “invasion of privacy” is a cognizable injury. (FAC ¶ 83). 12 Riverside cites an unpublished case from the Southern District of New York that found 13 intrusion upon seclusion to be insufficient to confer standing because it was not defendants who 14 improperly accessed the plaintiffs’ data, but a third party. (Mot. Dismiss 5:23-6:3) (quoting 15 Aponte v. Ne. Radiology, P.C., No. 21 CV 5883 (VB), 2022 WL 1556043, at *5 (S.D.N.Y. May
16 16, 2022)). But in the context of negligence damages, not standing, this Court noted in 17 Smallman that an invasion of privacy implicates non-economic harms because “[i]n the data 18 breach context, courts within the Ninth Circuit have found that an individual’s loss of control 19 over the use of their identity due to a data breach and the accompanying impairment in value of 20 PII constitutes non-economic harms.” 638 F. Supp. 3d at 1188 (citing Stasi v. Inmediata Health 21 Grp. Corp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged 22 noneconomic harms in the form of the privacy injury they suffered, irrespective of whether they 23 subsequently suffered identity fraud)). The Court therefore finds that Plaintiffs have 24 sufficiently alleged an invasion of privacy harm due to their loss of control over the use of their 25 identities and denies Riverside’s motion seeking dismissal on this ground. 1 Moving lastly to Plaintiffs’ allegation of lost time and expenses, Riverside argues that 2 “Plaintiffs cannot allege any out-of-pocket costs or mitigation measures that were reasonably 3 necessary in light of Riverside’s offer of comprehensive mitigation services.” (Mot. Dismiss 4 5:2–12). Plaintiffs’ response does not identify any out-of-pocket costs, and “lost time alone 5 does not establish compensable damages.” Smallman, 638 F. Supp. 3d at 1192 (citing 6 Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 614 (9th Cir. 2021)). 7 Accordingly, the Court dismisses Plaintiffs’ claims to the extent they rely on loss of time 8 damages. Because it is not clear that amendment is futile, the dismissal is without prejudice 9 and with leave to amend. 10 2. Negligence 11 Riverside’s first argument for the dismissal of Plaintiffs’ negligence claim is that they 12 failed to allege facts that give rise to a duty of care. (Mot. Dismiss 9:24–10:20). Under Nevada 13 law, “[t]o prevail on a negligence claim, a plaintiff must establish four elements: (1) the 14 existence of a duty of care, (2) breach of that duty, (3) legal causation, and (4) damages.” 15 Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc., 221 P.3d 1276, 1280 (Nev. 2009).
16 Plaintiffs allege that upon storing their PII, “Defendant undertook and owed a duty to 17 Plaintiffs and Class members to exercise reasonable care to secure and safeguard that 18 information and to use secure methods to do so,” and to “avoid causing a foreseeable risk of 19 harm” when storing personal information. (FAC ¶¶ 292–96). In its Motion to Dismiss, 20 Riverside argues that Nevada negligence law prescribes no general duty to control the 21 dangerous conduct of another or warn of dangerous conduct. (Mot. Dismiss 9:24–10:20). In 22 response, Plaintiffs argue that pursuant to Aleck v. ZB National Association, Riverside owes a 23 duty to their employees and customers. (Resp. 10:14–11:2). The Court in Aleck reversed and 24 remanded a decision by the district court dismissing a claim for negligence due to a lack of a 25 duty of care for a customer by bank tellers. Aleck v. ZB Nat’l Ass’n, 485 P.3d 210, at *3 (Nev. 1 2021). It contrasted the fact that the plaintiff was a customer of the defendant bank with the 2 anonymous third-party plaintiff in Sanchez—the case on which Riverside relies—to find that 3 the bank tellers owed the customer a duty of care. (Id.) 4 The Court thus agrees with Plaintiffs that Riverside owes them a duty to exercise 5 reasonable care in the storage of their personal information. Not only did the Aleck Court find 6 that a duty of care exists for a business’s customers, NRS 603.030 requires “data collectors” to 7 maintain reasonable security measures to protect personal information records “from 8 unauthorized access, acquisition, destruction, use, modification or disclosure.” Riverside, as a 9 “corporation, financial institution, or retail operator,” is a data collector. In addition, California 10 courts have made it clear that businesses owe a duty of care to their employees and customers 11 to protect PII. See Medoff v. Minka Lighting, LLC, No. 2:22-CV-08885-SVW-PVC, 2023 WL 12 4291973, at *8 (C.D. Cal. May 8, 2023) (collecting cases). 13 Even if there is a duty of care, Riverside contends, Plaintiffs failed to allege facts 14 demonstrating that the duty was breached. (Mot. Dismiss 10:21–11:11). Plaintiffs have alleged 15 that Riverside breached its duty by failing to encrypt their PII, storing their PII longer than
16 necessary, inadequately testing and training its employees, deviating from industry standards 17 such as those established by the Federal Trade Commission and National Institute of Standards 18 and Technology, failing to implement processes such as multi-layer firewalls and endpoint 19 detection, and notifying them of the breach promptly, among other things. (FAC ¶¶ 54–65, 170, 20 261–70, 299–318). A factual determination as to the reasonableness of Riverside’s actions is 21 inappropriate at this stage. Therefore, the Court finds that Plaintiffs have adequately pled facts 22 supporting the breach element. 23 Finally, Riverside argues that Nevada’s economic loss doctrine bars Plaintiffs’ 24 negligence claim. (Mot. Dismiss 11:13–12:14). The economic loss doctrine “generally ‘bars 25 unintentional tort actions when the plaintiff seeks to recover purely economic losses.’” 1 Lombino v. Bank of Am., N.A., 797 F. Supp. 2d 1078, 1082 (D. Nev. 2011) (quoting Terracon 2 Consultants W., Inc. v. Mandalay Resort Grp., 206 P.3d 81, 86 (Nev. 2009)). “In the data 3 breach context, courts within the Ninth Circuit have found that an individual’s loss of control 4 over the use of their identity due to a data breach and the accompanying impairment in value of 5 PII constitutes non-economic harms.” Smallman, 638 F. Supp. 3d at 1188 (collecting cases). In 6 this case, Plaintiffs have alleged harm under multiple theories, including an increased risk of 7 identity theft, and thus the harms are not purely economic. The Court thus denies Riverside’s 8 Motion to Dismiss on the grounds that the negligence claim is barred by the economic loss 9 doctrine. Plaintiffs’ negligence claim is sufficiently pled. 10 3. Breach of Implied Contract 11 Next, Riverside asserts that Plaintiffs’ claim for breach of implied contract fails because 12 they did not allege an “independent contractual agreement under which Riverside assumed 13 specific obligations regarding data security and data breach notification, nor are there any 14 claims of a meeting of the minds on this issue.” (Mot. Dismiss 12:20–23). Plaintiffs respond 15 that the terms of the contract were manifested by the conduct of the parties and points to this
16 Court’s decision in Smallman. (Resp. 12:21–23) (quoting Smallman, 638 F. Supp. 3d at 1194– 17 95). 18 Nevada law requires the plaintiff in a breach of contract action to show: (1) the existence 19 of a valid contract; (2) a breach by the defendant; and (3) damage as a result of the breach. 20 Mizrahi v. Wells Fargo Home Mortg., 2010 WL 2521742, at *3 (D. Nev. June 16, 2010) (citing 21 Saini v. Int’l Game Tech., 434 F. Supp. 2d 913, 919–20 (D. Nev. 2006)). Although the terms of 22 an implied contract are manifested by conduct rather than written words as in an express 23 contract, both “are founded upon an ascertainable agreement.” Smith v. Recrion Corp., 541 24 P.2d 663, 664–65 (Nev. 1975). To form an enforceable contract requires the following: (1) 25 1 offer and acceptance, (2) meeting of the minds, and (3) consideration. May v. Anderson, 121 2 119 P.3d 1254, 1257 (Nev. 2005). 3 The Smallman plaintiffs alleged that an implied contract was entered into during the 4 reservation process when they provided the hotel with their PII, and the hotel impliedly 5 promised to protect it. Smallman, 638 F. Supp. 3d at 1195. This Court explained that even 6 though the plaintiffs had not alleged an explicit promise as to the protection of the PII, “it is 7 difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of 8 . . . sensitive personal information would not imply the recipient’s assent to protect [the] 9 information sufficiently.” Id. (quoting Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 10 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016)). It then found that because the plaintiffs 11 were required to provide their PII to stay at the hotel, and did so with the understanding that the 12 hotel would take adequate measures to protect it, that the plaintiffs had sufficiently pled their 13 implied contract claim. (Id.). 14 Like the Smallman plaintiffs, the Plaintiffs here were required to provide their PII to 15 receive employment or hospitality services. (FAC ¶ 322). They allege that a meeting of the
16 minds occurred when the Plaintiffs provided their PII to Riverside with the understanding that 17 it would be adequately protected, and that Riverside’s implied duty to protect their PII was 18 included in Riverside’s own Privacy Policy. (Id. ¶¶ 324–25). Similar allegations were found 19 sufficient by this Court in Smallman, as well as by other courts in the Ninth Circuit. See, e.g., 20 Medoff, 2023 WL 4291973 at *11 (finding adequately pled implied contract claim where 21 defendant offered to employ plaintiff in exchange for his PII and labor, defendant impliedly 22 agreed through internal policies that it would not disclose the PII, and plaintiff accepted offer 23 by providing PII in exchange for employment”); Kirsten v. California Pizza Kitchen, Inc., No. 24 2:21-CV-09578-DOC-KES, 2022 WL 16894503, at *5 (C.D. Cal. July 29, 2022) (“Other courts 25 in this district have held, and the Court agrees, that the mandatory receipt of PII implies the 1 recipient’s assent to protect the PII sufficiently.”); Landon v. TSC Acquisition Corp., No. 2:23- 2 CV-01377-SVW-PD, 2024 WL 5317240, at *9 (C.D. Cal. Nov. 1, 2024) (finding adequately 3 pled claim where plaintiffs alleged they were required to provide PII to purchase the 4 defendant’s services, the defendant agreed it would protect PII in its privacy policy, and 5 plaintiffs provided their PII in exchange for defendant’s services). The Court thus finds that the 6 Plaintiffs have adequately pled that an implied contract existed. 7 Lastly, Riverside contends that even if Plaintiffs alleged the existence of an implied 8 contract, they failed to claim a breach of any particular term, because they did not allege how 9 Riverside violated its promise. (Mot. Dismiss 14:5–13). The Court disagrees, however, 10 because Plaintiffs included specific allegations as to how Riverside failed to comply with 11 applicable standards, such as by failing to encrypt their data, train its employees on 12 cybersecurity protocols, follow FTC guidelines, or notify Plaintiffs of the breach in a timely 13 manner. (See FAC ¶¶ 44, 55, 58, 79, 81, 98, 261–70). Plaintiffs adequately pled the breach of 14 an implied contract. 15 4. Unjust Enrichment
16 Riverside also moves for the dismissal of Plaintiffs’ unjust enrichment claim. (Mot. 17 Dismiss 14:15–15:11). The Employee Plaintiffs allege that they conferred a benefit on 18 Riverside by providing their labor and PII with the understanding that Riverside would pay the 19 costs for reasonable data privacy and security from the revenue it derived therefrom. (FAC 20 ¶ 330). And the Customer Plaintiffs allege that they conferred a benefit to Riverside in the 21 form of payment for services, and that at least some of the money paid was supposed to be used 22 for data security. (Id. ¶ 331). They assert that Riverside enriched itself and increased its own 23 profits by saving the money that it reasonably should have spent to protect Plaintiffs’ PII. (Id. 24 ¶¶ 332–35). Riverside argues that Plaintiffs fail to plead a lack of legal remedies. (Mot. 25 Dismiss 14:21–15:6). It also argues that Plaintiffs have failed to allege that Riverside did not 1 provide a benefit in return. (Id. 15:7–11). In response, Plaintiffs assert that alleging they lack 2 an adequate remedy at law, at this stage of the proceedings, is sufficient to survive a motion to 3 dismiss. (Resp. 14:2–3). They also contend that they appropriately alleged that they are entitled 4 to the portion of the payments they made to Riverside for reasonable data security measures. 5 (Id. 14:10–16). 6 In Nevada, the elements of an unjust enrichment claim are: “(1) a benefit conferred on 7 the defendant by the plaintiff; (2) appreciation of the benefit by the defendant; and (3) 8 acceptance and retention of the benefit by the defendant; (4) in circumstances where it would 9 be inequitable to retain the benefit without payment.” Ames v. Caesars Ent. Corp., No. 2:17- 10 CV-02910-GMN-VCF, 2019 WL 1441613, at *5 (D. Nev. Apr. 1, 2019) (quoting 11 Leasepartners Corp. v. Robert L. Brooks Tr., 942 P.2d 182, 187 (Nev. 1997)). “It is undisputed 12 that unjust enrichment and disgorgement are equitable remedies.” Smallman, 638 F. Supp. 3d at 13 1196. Pursuant to Sonner v. Premier Nutrition Corp., a plaintiff seeking equitable relief must 14 plausibly allege that they lack an adequate remedy at law. 971 F.3d 834, 844 (9th Cir. 2020). 15 In Sonner, the Ninth Circuit held that plaintiffs must establish that they lack an adequate
16 remedy at law before securing equitable restitution for past harms. Id. The plaintiff in that case 17 failed to make such a showing because the complaint did not allege that she lacked an adequate 18 legal remedy. Id. She also conceded that she sought the same sum in equitable restitution as the 19 amount requested in damages to compensate her for the same past harm. Id. The court found 20 that she failed to explain how the same amount of money, for the exact same harm, would be 21 inadequate or incomplete. Id. 22 Riverside also cites a case in the Northern District of California for support for their 23 argument that Plaintiffs seek “monetary damages and statutory damages for virtually all of their 24 other claims, which are based on the same conduct underlying their putative unjust 25 enrichment.” (Mot. Dismiss 15:1–3). In that case, Sharma v. Volkswagen AG, the plaintiffs 1 represented a class of people who purchased or leased a vehicle with a braking defect. 524 F. 2 Supp. 3d 891, 899 (N.D. Cal. 2021). The complaint included several paragraphs about the 3 inadequacy of legal remedies, but the court did not find the allegations persuasive because the 4 plaintiff’s injury was a loss of money or loss in value. Id. at 908. The court explained that the 5 monetary injury was the same type in which other courts had found a legal remedy to be 6 appropriate. Id. (citing In re MacBook Keyboard Litig., No. 5:18-cv-02813-EJD, 2020 WL 7 6047253, at *4 (N.D. Cal. Oct. 13, 2020) (“Because Plaintiffs’ claims rest on their alleged 8 overpayments and Apple’s failure to issue refunds, the Court finds that monetary damages 9 would provide an adequate remedy for the alleged injury.”)); see also Gibson v. Jaguar Land 10 Rover N. Am., LLC, No. CV 20-00769-CJC(GJSx), 2020 WL 5492990, at *3 (C.D. Cal. Sept. 9, 11 2020) (“[T]here is nothing in the [complaint] to suggest that monetary damages would not 12 make Plaintiff or the putative class whole. Indeed, throughout the [complaint] Plaintiff 13 repeatedly alleges that he and the putative class ‘lost money or property’ as a result of Jaguar’s 14 wrongful conduct.”)). 15 Here, Plaintiffs allege that their claim is brought “in the alternative to all other claims
16 and remedies at law,” (FAC ¶ 329), and they seek “relief in the form of restitution and 17 disgorgement of all ill-gotten gains.” (Id. ¶ 339). They also allege that if the Court does not 18 enter an injunction and a second breach occurs, they will lack an adequate remedy at law 19 because the “resulting injuries are not readily quantified in full.” (Id. ¶ 381). “Simply put, 20 monetary damages, while warranted for out-of-pocket damages and other legally quantifiable 21 and provable damages, cannot cover the full extent of Plaintiffs’ and Class Members’ injuries.” 22 (Id.). So unlike the Sonner plaintiff, the Plaintiffs here allege in the alternative that they lack a 23 legal remedy. The Plaintiffs in this case also do not suffer from a purely monetary injury, nor 24 are they requesting the same sum in both restitution and monetary damages from the same 25 harm. The Court thus finds Plaintiffs’ unjust enrichment claim to be adequately pled. 1 5. Violation of the CCPA 2 Plaintiff Laudonio and the California subclass assert that Riverside violated the 3 California Consumer Privacy Act (“CCPA”) when it failed to implement and maintain 4 reasonable security procedures to protect Plaintiffs’ PII. (FAC ¶¶ 340–50). The CCPA states 5 that consumers “whose nonencrypted and nonredacted personal information . . . is subject to an 6 unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation 7 of the duty to implement and maintain reasonable security procedures and practices appropriate 8 to the nature of the information to protect the personal information” may bring a civil action. 9 Cal. Civ. Code § 1798.150(a)(1). 10 Riverside’s first argument is that Plaintiff Laudonio cannot pursue statutory damages 11 because she did not provide pre-suit notice and an opportunity to cure. (Mot. Dismiss 15:18– 12 16:3). It contends that because she filed her original complaint on September 20, 2024, served 13 pre-suit demand the same day, and then filed the FAC two months later, she did not comply 14 with the statute. (Id.). The CCPA states that actions “may be brought by a consumer if, prior to 15 initiating any action against a business for statutory damages on an individual or class-wide
16 basis, a consumer provides a business 30 days’ written notice identifying the specific 17 provisions of this title the consumer alleges have been or are being violated.” 13 Cal. Civ. Code 18 § 1798.150(b). Consumers can recover “actual pecuniary damages” or statutory damages. Id. 19 § 1798.150(a)–(b). “No notice shall be required prior to an individual consumer initiating an 20 action solely for actual pecuniary damages suffered as a result of the alleged violations of this 21 title.” Id. 22 Plaintiff Laudonio responds that she followed the CCPA’s requirements because her 23 initial complaint sought only actual damages and injunctive relief—not statutory damages. 24 (Resp. 15:21–23) (citing Laudonio Compl. ¶ 71, ECF No. 1 in 2:24-cv-01775-GMN-DJA). 25 She alleged that if Riverside did not cure the violation, she would amend the complaint to 1 pursue statutory damages, which require the 30-day notice. (Laudonio Compl. ¶ 70). She then 2 waited more than 30 days before filing the FAC seeking statutory damages. (See FAC ¶ 350). 3 The Court agrees with Plaintiff. The statute states plainly that no notice is required prior to a 4 consumer bringing suit for actual pecuniary damages, which is what Plaintiff Laudonio initially 5 sought when filing her initial complaint and providing notice on September 20, 2024. She did 6 not seek statutory damages until more than 30 days had passed and she filed the FAC in 7 November. The Court thus denies Riverside’s Motion to Dismiss this claim based on pre-suit 8 notice. 9 Riverside also argues that the Court should dismiss this claim because it rests on 10 conclusory allegations that Riverside failed to implement and maintain reasonable security 11 measures and because Plaintiff Laudonio failed to allege facts supporting that the theft occurred 12 “as a result” of its violation of the duty to maintain reasonable security measures. (Mot. 13 Dismiss 16:4–22). As the Court has found above, Plaintiffs’ factual allegations regarding the 14 specific deficiencies in Riverside’s security are sufficient and not conclusory. The allegations 15 further support the conclusion that the theft occurred as a result of the deficiencies. The Court
16 thus finds Plaintiffs’ CCPA claim to be sufficiently pled. 17 6. Violation of the California UCL 18 Plaintiffs also allege that Riverside violated the California Unfair Competition Law 19 (“UCL”) by engaging in unfair and unlawful acts. (FAC ¶¶ 351–63). Riverside moves to 20 dismiss this claim by arguing that Plaintiffs have not adequately alleged UCL standing, unfair 21 or unlawful conduct, and failed to show causation. (Mot. Dismiss 16:23–19:27). 22 The California UCL prohibits “unfair competition” and defines the term as a “business 23 act or practice” that is (1) “fraudulent,” (2) “unlawful,” or (3) “unfair.” Bus. & Prof. Code 24 §17200. Each prong of the UCL provides “a separate and distinct theory of liability[.]” Kearns 25 v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009). To have standing to pursue a UCL 1 claim, the California Plaintiffs must show that they “lost money or property” because of 2 Defendant MGM’s conduct. Cal. Bus. & Prof. Code § 17204; see In re Facebook, Inc., 3 Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019). 4 Riverside argues that none of Plaintiff Laudonio’s alleged injuries amount to cognizable 5 harm. (Mot. Dismiss 16:5–13). However, the FAC states that “Plaintiff Laudonio and 6 California Subclass Members paid Defendant money in exchange for goods or services and 7 paid more than they would have based on the belief that Defendant would implement 8 reasonable data security practices.” (FAC ¶ 360). This allegation is sufficient for standing. See 9 Smallman, 638 F. Supp. 3d at 1201–02 (finding that plaintiffs sufficiently pled allegations 10 establishing standing where plaintiffs alleged that they paid the “overinflated cost of the hotel 11 rooms they purchased as a result of Defendant[’s] omissions regarding the adequacy of data 12 security policies.”); see also In re Eureka Casino Breach Litig., 2024 WL 4253198, at *10 13 (finding standing where plaintiffs pled that they overpaid for the defendant casino’s goods and 14 services and part of their payment was designed to establish adequate safety measures). 15 Riverside also argues that Plaintiff Laudonio has not alleged unfair conduct prohibited
16 by the UCL. (Mot. Dismiss 17:14–18:11). “The UCL does not define the term ‘unfair.’ . . . 17 [And] the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among 18 California courts.” Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152, 1169 (9th Cir. 2012). 19 There are at least two possible tests. The tethering test requires that the “unfairness must be 20 tethered to some legislatively declared policy or proof of some actual or threatened impact on 21 competition.” Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 735 (9th Cir. 2007) (internal 22 quotation marks omitted). The “balancing test” examines whether the challenged business 23 practice is “immoral, unethical, oppressive, unscrupulous or substantially injurious to 24 consumers and requires the court to weigh the utility of the defendant's conduct against the 25 1 gravity of the harm to the alleged victim.” In re Adobe Sys., Inc. Priv. Litig., 66 F. Supp. 3d 2 1197, 1226 (N.D. Cal. 2014). 3 Under the balancing test, Plaintiff Laudonio alleges that Riverside’s failure to implement 4 and maintain reasonable security measures was contrary to declared public policy that seeks to 5 protect data, including the FTC Act, California’s Customer Records Act, and California’s 6 Consumer Privacy Act. (FAC ¶ 354). She further alleges that the lack of security measures led 7 to substantial injuries, including those described above. (Id.). Riverside argues that Plaintiff 8 does not allege how it engaged in “immoral, unethical, oppressive, or unscrupulous” practices 9 and that Plaintiff merely parrots the element of the claim. (Mot. Dismiss 17:2–18:4). But 10 Plaintiff provides detailed allegations throughout the rest of the FAC and incorporates those 11 allegations into this claim by reference. (FAC ¶ 351). Further, several California statutes upon 12 which Plaintiff relies here reflect “California’s public policy of protecting consumer data.” In 13 re Adobe, 66 F. Supp. 3d at 1227. The Court thus follows its previous decision in Smallman, 14 and the decision of other courts in the Ninth Circuit, finding that the determination of whether 15 the defendant’s “public policy violation is outweighed by the utility of their conduct under the
16 balancing test is a question more appropriately resolved at a later stage of this litigation.” See 17 Smallman, 638 F. Supp. 3d at 1203; see also Mehta v. Robinhood Fin. LLC, No. 21-cv-01013, 18 2021 WL 6882377, at *12 (N.D. Cal. May 6, 2021) (“At the motion to dismiss stage, the Court 19 cannot say that the benefit from Robinhood's business practices of allegedly emphasizing 20 growth and profit over protecting their customers’ personal and financial information and 21 failing to implement industry-standard security measures outweighs the harms.”); In re Anthem, 22 162 F. Supp. 3d at 990 (finding, on a motion to dismiss, that the question of whether a violation 23 is outweighed by its utility should be resolved later in the litigation). 24 Riverside also argues that Plaintiff has not alleged unlawful conduct under the UCL. 25 (Mot. Dismiss 18:12–19:10). This prong prohibits “anything that can properly be called a 1 business practice and that at the same time is forbidden by law.” Cel–Tech, 20 Cal.4th at 180, 2 83 Cal.Rptr.2d 548, 973 P.2d 527 (internal quotation marks omitted). “By proscribing ‘any 3 unlawful’ business practice, the UCL permits injured consumers to ‘borrow’ violations of other 4 laws and treat them as unlawful competition that is independently actionable.” In re Adobe Sys., 5 Inc. Priv. Litig., 66 F. Supp. 3d at 1225 (quoting Cel–Tech, 20 Cal. 4th at 180). Under this 6 prong, Plaintiff’s claim is predicated on violations of the CCPA and Federal Trade Commission 7 Act (“FTCA”). Because the Court has found that Plaintiff has sufficiently alleged a violation 8 of the CCPA, as well as a violation of the unfair prong of the UCL, she has therefore alleged 9 unlawful conduct that can serve as a basis for a claim under the UCL’s unlawful prong. 10 Riverside’s last argument for dismissal is that to the extent Plaintiff is basing her UCL 11 claim on deception or misrepresentation, she must allege actual reliance. (Mot. Dismiss 19:12– 12 27). Plaintiff responds that her UCL claim is not premised on deception or actual reliance. 13 (Resp. 21:4–15). The Court thus finds Plaintiff’s UCL claim based on unlawful or unfair 14 practices to be sufficiently pled and denies Riverside’s Motion to Dismiss this claim. 15 7. Nevada Deceptive Trade Practices Act
16 The Nevada Deceptive Trade Practices Act (“NDTPA”) provides a private right of 17 action to victims of deceptive trade practices. Watkins v. Rapid Fin. Sols., Inc., No. 3:20-CV- 18 00509-MMD-CSD, 2024 WL 3938537, at *9 (D. Nev. Aug. 26, 2024). “A person engages in a 19 ‘deceptive trade practice’ when in the course of his or her business or occupation he or she 20 knowingly . . . (b) Fails to disclose a material fact in connection with the sale or lease of goods 21 or services” or “(c) Violates a state or federal statute or regulation relating to the sale of lease of 22 goods or services.” NRS 598.0923(1)(b)–(c). Plaintiffs allege that Riverside violated this 23 provision by failing to disclose the material fact that its data security measures were inadequate 24 and by violating statutes such as the FTC and NRS 603A.210 requiring data collectors to 25 “implement and maintain reasonably security measures” to protect PII. (FAC ¶¶ 367–69). 1 Riverside’s first argument for dismissal is that Plaintiffs’ “failure to disclose” claim 2 requires that Plaintiffs allege that Riverside had an affirmative duty to disclose the information. 3 (Mot. Dismiss 20:1–21:1). Riverside cites primarily to Soffer v. Five Mile Cap. Partners, LLC, 4 but as Plaintiffs point out, Soffer involved a common law fraud claim, not a statutory one. No. 5 2:12–CV–1407 JCM (GWF), 2013 WL 638832, at *10 (D. Nev. Feb. 19, 2013). And as the 6 Supreme Court of Nevada recently noted, “[s]tatutory offenses that sound in fraud are separate 7 and distinct from common law fraud.” Leigh-Pink v. Rio Props, LLC, 512 P.3d 322, 328 (Nev. 8 2022) (quoting Betsinger v. D.R. Horton, Inc., 232 P.3d 433, 436 (Nev. 2010)). Riverside has 9 thus not demonstrated that Plaintiffs must allege an affirmative duty to disclose. Riverside’s 10 other two cited district court cases, one of which is from the District of Georgia, do not 11 convince the Court otherwise. Another court in the District of Nevada mentions offhand in a 12 footnote that omissions must be true at the time defendants had a duty to disclose them, but 13 lumps together statutory and common law fraud claims in its analysis. Taddeo v. Taddeo, No. 14 2:08-CV-01463-KJD, 2011 WL 4074433, at *6 (D. Nev. Sept. 13, 2011). And the In re 15 Equifax court does not discuss Nevada law specifically, but rather broadly finds that 17 of the
16 state consumer-fraud statutes do not impose liability for omissions unless a duty to disclose 17 exists. In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1337 (N.D. 18 Ga. 2019). 19 Riverside also argues that Plaintiffs cannot allege a violation of a state or federal statute 20 or regulation because NRS 603A.030 only applies to protect Nevada residents and their claims 21 as to FTC violations are too vague and conclusory. (Mot. Dismiss 21:2–18). “Under NRS 22 41.600(1), ‘any person who is a victim of consumer fraud’ may bring an action against the 23 alleged perpetrator.” R.J. Reynolds Tobacco Co. v. Eighth Jud. Dist. Ct. in & for Cnty. of Clark, 24 514 P.3d 425, 429 (Nev. 2022) (quoting NRS 41.600(1) (emphasis added)). And Nevada 25 Supreme Court decisions liberally construe NDTPA claims, refusing to “read in” requirements 1 for suing. Id. at 431. Riverside cites NRS 603A.210(1), arguing that coverage is limited to the 2 “personal information of a resident of this State.” (Mot. Dismiss 21:6–10). The statute states 3 that a “data collector that maintains records which contain personal information of a resident of 4 this State shall implement and maintain reasonable security measures . . . .” NRS 603A.210(1). 5 Riverside does not argue that its records do not contain PII of Nevada residents, nor does it cite 6 a single case in which a Court has limited the application or enforcement of this statute to 7 Nevada residents. The Court thus denies Riverside’s Motion to Dismiss on this ground. 8 Plaintiffs, however, did not respond to Riverside’s argument that their FTC violations 9 were vague and conclusory. It is well settled in the District of Nevada that a party’s failure to 10 respond to arguments presented in a motion constitutes consent to the granting of the motion. 11 Layton v. Green Valley Vill. Cmty. Ass’n, No. 2:14-cv-01347-GMN-EJY, 2022 WL 1748067, at 12 *1 (D. Nev. May 27, 2022) (collecting cases). Thus, to the extent Plaintiffs’ NDTPA claim is 13 premised on FTC violations, it is dismissed. 14 8. Declaratory and Injunctive Relief 15 Lastly, Riverside argues that Plaintiffs’ claims for declaratory and injunctive relief are
16 duplicative and redundant of their other claims. (Mot. Dismiss 21:21–22:12). Plaintiffs respond 17 that their claims for declaratory and injunctive relief are distinct because they request a remedy 18 for ongoing and future conduct, and their other claims request relief for past conduct. (Resp. 19 23:18–24:1). A claim for declaratory relief may be “unnecessary where an adequate remedy 20 exists under some other cause of action.” Reyes v. Nationstar Mortg. LLC, No. 15-cv-01109- 21 LHK, 2015 WL 4554377, at *7 (N.D. Cal. July 28, 2015) (quoting Mangindin v. Wash. Mut. 22 Bank, 637 F. Supp. 2d 700, 707 (N.D. Cal. 2009)). However, “[t]he existence of another 23 adequate remedy does not preclude a declaratory judgment that is otherwise appropriate.” Fed. 24 R. Civ. P. 57. 25 1 Based on the FAC, Plaintiffs’ negligence, contract, and statutory claims seek different 2 ||relief than their declaratory and injunctive relief claims. Their negligence and contract claims 3 || seek restitution in the form of disgorgement or in the alternative, actual, consequential, and 4 || punitive damages for their injuries. (See FAC □□ 320, 327, 339). In contract, the declaratory 5 ||relief asks the Court to declare that Riverside continues to owe a legal duty, breaches it by 6 || failing to use reasonable measures, and causes injuries from that breach. (U/d. 4379). It also 7 the Court to issue injunctive relief requiring Riverside to use adequate security measures. g || Ud. 4 380). Although Plaintiffs’ contract and negligence claims also address a breach of 9 || Riverside’s duty, they seek to obtain damages for the harms they have already suffered. 10 || However, to the extent that Plaintiffs seek the Court to declare that Defendant owed a duty, 11 || breached it, and caused injury, the claim is dismissed as duplicative. Ud. § 379). And as 12 || discussed above, Plaintiffs’ claim for injunctive relief is dismissed with leave to amend due to a 13 || lack of factual allegations to demonstrate that future injury is “certainly impending.” 14 CONCLUSION 15 IT IS HEREBY ORDERED that the Motion to Dismiss, (ECF No. 23), is GRANTED, 16 ||in part, and DENIED in part. Plaintiffs’ claim for injunctive relief is dismissed with leave to 17 || amend, and Plaintiffs’ negligence and contract claims are dismissed to the extent they rely on is || loss of time damages. 19 20 DATED this 9 _ day of September, 2025. 21 22
UNITED S ES DISTRICT COURT 24 25
Page 25 of 25