UNITED STATES DISTRICT COURT
CENTRAL DISTRICT OF CALIFORNIA

CONNOR BURNS, Plaintiff,
v.
MAMMOTH MEDIA, INC., Defendants.

Case No. CV 20-04855 DDP (SKx)

ORDER GRANTING DEFENDANT’S MOTION TO DISMISS SECOND AMENDED COMPLAINT [34]

Presently before the court is Defendant Mammoth Media, Inc. (“Mammoth”)’s Motion to Dismiss Plaintiff’s Second Amended Complaint. Having considered the submissions of the parties and heard oral argument, the court grants the motion and adopts the following Order.

I. Background

Plaintiff Connor Burns, a citizen of Idaho, downloaded Mammoth’s mobile “Wishbone” application (“app”) when he was fourteen years old. (Second Amended Complaint (“SAC”) ¶ 2.) To use the app, Plaintiff was required to create an account, select a username and password, and provide his e-mail address. (Id.). Plaintiff deleted the app soon after downloading it, but did not Four years later, Mammoth informed Plaintiff that it had suffered a data breach, and that “some Wishbone users’ “usernames, emails, phone numbers, timezone/region, full name, bio, gender, hashed [i.e., encrypted,] passwords, and profile pictures” may have been compromised. (SAC ¶ 4.) Plaintiff also alleges that Mammoth collected and maintained other types of user data that were also compromised, including date of birth, location information, user settings, social media profiles, and “access tokens.” (Id. ¶¶ 15, 25.) Plaintiff further alleges that data pertaining to 40 million Wishbone users was circulated for sale on the dark web, and ultimately released for free. (Id. ¶ 22.)

Plaintiff used the same e-mail address and password that he used to log into the Wishbone app as his login credentials for his Spotify and Reddit accounts. (SAC ¶ 40.) Plaintiff alleges that, following the Wishbone data breach, an unauthorized third party accessed his Spotify account, and he then had to change his Spotify password to secure the account. (Id. ¶ 38, 42.) Plaintiff also received notice that his Reddit account had been “compromised and locked.” (Id. ¶ 39.) Plaintiff reset his Reddit password as well. (Id. ¶ 42.) Plaintiff also began receiving spam e-mails. (Id. ¶ 41.) Plaintiff spent about three hours changing other online passwords, setting up fraud alerts, and reviewing his bank accounts for fraudulent transactions. (Id. ¶ 58.) Plaintiff alleges that the theft of his data will result in identity theft and fraud, lowered credit scores resulting from fraudulent activity, loss of access to online and financial accounts, and the loss of time and enjoyment stemming from efforts to mitigate or prevent identity theft. (Id. ¶ 64.)

The SAC alleges, on behalf of a putative class, three causes of action for negligence, a declaratory judgment, and breach of confidence. Defendant Mammoth now seeks to dismiss the SAC pursuant to Federal Rule of Procedure 12(b)(1) and Rule 12(b)(6).

II. Legal Standard

A motion under Rule 12(b)(1) may challenge the court’s jurisdiction facially, based on the legal sufficiency of the claim, or factually, based on the legal sufficiency of the jurisdictional facts. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) (citing 2 James Wm. Moore et al., Moore’s Federal Practice 12.30[4], at 12-38 to 12-41 (3d ed. 1999)). Where the motion attacks the complaint on its face, the court considers the complaint’s allegations to be true, and draws all reasonable inferences in the plaintiff’s favor. Doe v. Holy See, 557 F.3d 1066, 1073 (9th Cir. 2009). In a factual challenge, the court is not required to accept the allegations of the complaint as true, and may consider additional evidence outside of the pleadings. Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011). Once the moving party has presented evidence showing a lack of subject-matter jurisdiction, the burden shifts to “the party opposing the motion [to] furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction.” Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). If the plaintiff cannot meet his burden of establishing the jurisdiction it seeks to invoke, the court must dismiss the case. Fed. R. Civ. P. 12(h)(3).

When considering a Rule 12(b)(6) motion, a court must “accept as true all allegations of material fact and must construe those facts in the light most favorable to the plaintiff.” Resnick v. Hayes, 213 F.3d 443, 447 (9th Cir. 2000). A complaint will survive a motion to dismiss when it “contain[s] sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). Although a complaint need not include “detailed factual allegations,” it must offer “more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Iqbal, 556 U.S. at 678. Conclusory allegations or allegations that are no more than a statement of a legal conclusion “are not entitled to the assumption of truth.” Id. at 679. In other words, a pleading that merely offers “labels and conclusions,” a “formulaic recitation of the elements,” or “naked assertions” will not be sufficient to state a claim upon which relief can be granted. Id. at 678 (citations and internal quotation marks omitted).

“When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement of relief.” Iqbal, 556 U.S. at 679. Plaintiffs must allege “plausible grounds to infer” that their claims rise “above the speculative level.” Twombly, 550 U.S. at 555-56. “Determining whether a complaint states a plausible claim for relief” is “a context-specific task that requires the reviewing court to draw on its judicial experience and common sense.” Iqbal, 556 U.S. at 679.

III. Discussion

A party invoking federal jurisdiction bears the burden of demonstrating that he has Article III standing. Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992). To meet that burden, “a plaintiff must show (1) it has suffered an ‘injury in fact’ that is . . . actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Friends of the Earth, Inc. v. Laidlaw Env’t Servs. (TOC), Inc., 528 U.S. 167, 181 (2000). “Rule 12(b)(1) jurisdictional attacks can be either facial or factual.” White, 227 F.3d at 1242. “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction.” Safe Air, 373 F.3d 1035 at 1039.

A. Risk of Identity Theft

i. Nature of the data

An increased risk of identity theft may constitute a “credible threat of real and immediate harm” sufficient to constitute an injury in fact for standing purposes. In re Zappos.com, Inc., 888 F.3d 1020, 1025 (9th Cir. 2018) (quoting Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)). Mammoth contends, in the context of both a factual and facial challenge, that Plaintiff here has not alleged any credible threat of future identity theft. As an initial matter, although both parties have submitted expert declarations, there does not appear to be a dispute that hackers only obtained Plaintiff’s “name, his username for the Wishbone app, his email address, a record of the date he created his Wishbone profile, his gender, the user ID number that Mammoth assigned to him, his encrypted password, his Mammoth assigned access token, an authorization token, a Facebook ID, a url to an image, country, time zone, Apple idfa, stickers left, and the date last updated.” (Declaration of Brian DeBoer, ¶ 6; Declaration of Mark Clifford, ¶ 5.)¹ Plaintiff’s compromised information did not include his date of birth, address, social security number, or any financial information. (DeBoer Decl., ¶ 7.) Whether considered as a factual or facial challenge, the key allegations relevant to risk of identity theft, and thus to Plaintiff’s injury in fact, are the allegations that (1) Plaintiff’s email address and password were compromised and (2) Plaintiff used the same email and address and password to access other online accounts, including his Spotify and Reddit accounts, but not including his financial accounts.² (SAC ¶¶ 42.)

¹ Although Plaintiff suggests that there is some factual dispute as to the nature of one of these items, the “Apple idfa,” the affidavits submitted are not in direct conflict. Mark Clifford, in support of Plaintiff’s position, relates a description of the function of the “Apple idfa” generally, and opines that that function conflicts with Brian DeBoer’s description of the “Apple idfa.” (Clifford Decl. ¶¶ 40-43.) Mammoth, however, submits additional evidence that the datum DeBoer describes as an “Apple idfa” is a series of characters that identifies Plaintiff to Mammoth if he uses an Apple account to log in to the Wishbone app, but cannot be used to access or change any Apple account. (Declaration of Solene Schwartz, ¶ 12.) Thus, Mammoth contends, the item DeBoer describes as the “Apple idfa” is not a “true idfa” of the sort described in the Clifford Declaration. (Reply at 1:17-20.)

² Although the SAC alleges that hackers obtained “hashed,” or encrypted passwords, Plaintiff also alleges that Mammoth’s encryption methods were outdated and easily circumvented. (SAC ¶ 30.) The Clifford declaration supports this allegation, and the DeBoer declaration takes no position on the effectiveness of the encryption protocol. (Clifford Decl., ¶ 12-15.)

Plaintiff seeks to liken the data breach at issue here to those in Krottner and Zappos. In Krottner, the court found a sufficient risk of identity theft to confer standing where a thief obtained a laptop containing unencrypted names, addresses, and social security numbers. Krottner v. Starbucks Corp., 628 F.3d 1139, 1141 (9th Cir. 2010). In Zappos, hackers obtained names, passwords, email addresses, billing and shipping addresses, phone numbers, and credit and debit card information. Zappos, 888 F.3d at 1024. Some plaintiffs also alleged that hackers subsequently took over e-mail accounts and sent advertisements to all of the plaintiffs’ contacts. Id. at 1027-28. Notwithstanding a lack of compromised social security information, the Zappos court concluded that “the information taken in the data breach still gave hackers the means to commit fraud or identity theft,” and found the risk of identity theft sufficient to constitute an injury in fact for purposes of standing. Id.

In his attempt to draw parallels between this case and Zappos, Plaintiff mischaracterizes the latter by asserting that the Zappos court “focused on the likelihood of harm that could arise from non-financial information compromised in the breach.” (Opp. at 7:8-9.) Not so. Rather, the court likened “the sensitivity of the stolen data” to that of the social security numbers stolen in Krottner. Zappos, 888 F.3d at 1027. Indeed, the court specifically analogized credit card information to social security numbers, explaining that Congress has taken specific steps to safeguard the confidentiality of the former. Id. Although the court did refer to nonfinancial harm suffered by plaintiffs whose email accounts were hacked, the court stated only that such attacks “further support Plaintiffs’ contention that the hackers accessed information that could be used to help commit identity fraud or identity theft.” Id. at 28. That information, of course, included sensitive credit card information. The Zappos court did not, however, suggest that the hacked email accounts alone evidenced an ongoing risk of identity theft or constituted an injury in fact.³

Although Plaintiff also refers repeatedly to unauthorized access to his Spotify account following the Wishbone data breach, Plaintiff acknowledges that such an attack does not rise to the level of identity theft.⁴ (Opp. at 10:9.) Nor is it clear to the court how the Spotify issue “underscore[s] the present risk Mr. Burns faces.” (Id.) Plaintiff alleges that, while he did use the same email address and password for his Wishbone and Spotify accounts, he did not use those credentials for his financial accounts.⁵ (SAC ¶ 42.) And even if, as Plaintiff alleges, the Wishbone hackers were able to discover Plaintiff’s “personal music listening history,” Plaintiff does not explain how that data is in any way comparable to social security numbers, credit card information, or other sensitive information that might give rise to a risk of identity theft.⁶

³ Plaintiff also mistakenly relies upon the Zappos court’s recitation of allegations that “the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming’ . . . .” Zappos, 888 F.3d at 1027. As the court observed, the defendant in Zappos raised only a facial challenge to standing. Id. at 1023 n.2. The court was therefore required to take the plaintiff’s phishing allegations at face value. Doe, 557 F.3d at 1073. Furthermore, “the type of information accessed in the Zappos breach” was, as discussed above, qualitatively different from that obtained here. The DeBoer Declaration essentially states that the information obtained here was useless, and the Clifford declaration does not suggest that the theft of Plaintiff’s email address or password made Plaintiff more vulnerable to phishing attacks.

⁴ Notwithstanding Plaintiff’s occasional reference to his Reddit account, there is no allegation that his Reddit account was breached, only that it was “compromised and locked.” (SAC ¶ 39.) See Clifford Dec., ¶ 29 (“I was unable to confirm that an email address and password were sufficient to access Reddit at the time Mr. Burns’s information was stolen.”).

⁵ In light of this allegation, it is difficult to see how any future identity theft or breach of a financial account could be traceable to Mammoth and the Wishbone breach. Plaintiff’s suggestion that future harm might be traceable to Mammoth because he might have other accounts that he forgot about that use the same Wishbone credentials has no merit. (Opp. at 16.)

⁶ Plaintiff also alleges that his Spotify account “could reveal” other personal information. (SAC ¶ 41.) As an initial matter, Plaintiff does not specify what types of personal information could possibly be revealed through his Spotify account. Furthermore, to the extent Plaintiff suggests that the Wishbone data was the first, and the Spotify breach the second, domino in a series of breaches that might each reveal a separate piece of a mosaic that might eventually and cumulatively give rise to a risk of identity theft, that assertion is too speculative to constitute a concrete injury in fact.

ii. Mitigation Efforts

There appears to be no dispute among the parties that, in certain cases, a Plaintiff’s mitigation efforts may constitute an actual injury sufficient to confer standing. See, e.g., Adkins v. Facebook, Inc., 424 F. Supp. 3d 686, 692 (N.D. Cal. 2019). Even in appropriate cases, however, such efforts must be reasonable. See Holly v. Alta Newport Hosp., Inc., No. 219CV07496ODWMRWX, 2020 WL 1853308, at *6 (C.D. Cal. Apr. 10, 2020). Even taking Plaintiff’s allegations at face value, his efforts to set up fraud alerts and monitor bank accounts for fraudulent transactions were not necessary or reasonable. Plaintiff appears to suggest that his mitigation efforts were reasonable because he did not know the scope of the data breach, as Mammoth informed him that the hacked e-mailed addresses, user names, and other data comprised only “some of the compromised data.” (Plaintiff’s Supplemental Memorandum at 8:28) (emphasis Plaintiff’s). But Plaintiff knew what data he had provided to Mammoth when he created a Wishbone account as a fourteen year-old, and knew that that data set did not include financial or any other sensitive information. Nor could the subsequent hacking of Plaintiff’s Spotify account justify his fraud-fighting efforts. Plaintiff knew that the login credentials he used for both his Wishbone and Spotify accounts were not the same credentials he used for more sensitive accounts. Nor does, or could, Plaintiff allege that hackers’ ability to access his Spotify listening history somehow necessitated his fraud-focused remedial efforts.

Even considering only the information known to Plaintiff at the time, the data accessed in the Wishbone breach was not sensitive enough to create a sufficient risk of identity theft to constitute an actual injury for purposes of standing. Plaintiff’s efforts to mitigate any such illusory risk are, therefore, also insufficient to support standing.

B. Inherent Value of Data

Plaintiff also argues that, independent of the risk of identity theft, he has suffered harm in the form of diminution in the value of his personal data. (Opp. at 12-13). As explained in this Court’s prior Order, several courts have rejected similar theories as implausible, speculative, or otherwise infirm, especially where, as here, there is no allegation of a legitimate market for the information. See, e.g., In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 784 (N.D. Cal. 2019) (“The plaintiffs do not plausibly allege that they intended to sell their non-disclosed personal information to someone else. Nor, in any event, do they plausibly allege that someone else would have bought it as a stand-alone product. The plaintiffs’ economic-loss theory is therefore purely hypothetical and does not give rise to standing.”); Svenson v. Google Inc., 65 F. Supp. 3d 717, 724–25 (N.D. Cal. 2014); Low v. LinkedIn Corp., No. 11-CV-01468-LHK, 2011 WL 5509848, at *5 (N.D. Cal. Nov. 11, 2011); LaCourt v. Specific Media, Inc., No. SACV 10-1256 GW JCGX, 2011 WL 1661532, at *4–5 (C.D. Cal. Apr. 28, 2011); Chambliss v. Carefirst, Inc, 189 F. Supp. 3d 564, 572 (D. Md. 2016); Green v. eBay Inc., No. CIV.A. 14-1688, 2015 WL 2066531, at *5 (E.D. La. May 4, 2015); cf. In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 149 (3d Cir. 2015); Adkins v. Facebook, Inc., No. C 18-05982 WHA, 2019 WL 3767455, at *3 (N.D. Cal. Aug. 9, 2019); but see In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *15 (N.D. Cal. May 27, 2016).

Although the SAC, like the First Amended Complaint, does not allege the existence of a legitimate market for Plaintiff’s data, the Clifford Declaration does state that such a market exists, pointing to a browser extension that allows users to allow data tracking in exchange for rewards “points.” (Clifford Decl. ¶ 38). Even assuming the existence of such a legitimate market were alleged in the SAC, however, it is not clear how the Wishbone breach would diminish the value of Plaintiff’s information. First, it is not clear that the browser extension Clifford describes tracks the same type of data accessed in the Wishbone breach.⁷ Second, even assuming that to be the case, it is not clear how or whether Plaintiff’s data, a nonrival good, commands a lesser price or fewer “rewards” by dint of having been accessed by hackers in the past. Thus, even assuming that Plaintiff’s data does have value, he has not sufficiently alleged that he has been deprived of any such value.

⁷ See note 1, above.

IV. Conclusion

For the reasons stated above, Defendant’s Motion to Dismiss is GRANTED.⁸ Plaintiff’s SAC is DISMISSED, with prejudice.

⁸ Having concluded that the SAC must be dismissed for lack of standing, the court does not reach Defendant’s other arguments.

IT IS SO ORDERED.

Dated: August 29, 2023

DEAN D. PREGERSON
United States District Judge