UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

LELAND DAMNER, Plaintiff,
v.
FACEBOOK INC., Defendant.

Case No. 20-cv-05177-JCS

ORDER GRANTING MOTION TO DISMISS FIRST AMENDED COMPLAINT AND DISMISSING WITH LEAVE TO AMEND

Re: Dkt. No. 28

I. INTRODUCTION

Plaintiff Leland Damner, pro se, brings this action against Defendant Facebook Inc. (“Facebook”) based on allegations that his Facebook account was hacked, causing him to lose access to and control over his account, and that Facebook has refused to assist him in restoring access to the account. Presently before the Court is Facebook’s Motion to Dismiss First Amended Complaint (“Motion”). The Court finds that the Motion is suitable for determination without a hearing and therefore vacates the Motion hearing scheduled for January 8, 2021 pursuant to Civil Local Rule 7-1(b). The Initial Case Management Conference set for the same date will be continued to April 2, 2021 at 2:00 p.m. For the reasons stated below, the Motion is GRANTED.[1]

II. BACKGROUND

A. Procedural Background

On May 11, 2020, Plaintiff filed this action in the District of Arizona, asserting five causes of action: (1) violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701(a); (2) violation of the SCA, 18 U.S.C. § 2702(a); (3) intrusion upon seclusion; (4) negligence; and (5) breach of written contract. Facebook filed a motion to dismiss, or, in the alternative, a motion to transfer venue. Dkt. No. 9. Plaintiff stipulated to Facebook’s request to transfer the action to the Northern District of California and the case was transferred to this Court. See Dkt. Nos. 17, 18. With the exception of the request to transfer, the Arizona District Court denied Facebook’s motion to dismiss without prejudice. After the case was transferred to this Court, the parties stipulated to the filing of the First Amended Complaint (“FAC”). Dkt. No. 23. The FAC includes the five initial causes of action and three new ones: (6) breach of the implied covenant of good faith and fair dealing; (7) violation of Cal. Civ. Code § 1798.29; and (8) fraudulent and negligent misrepresentation. FAC ¶¶ 42-58.

B. Allegations in the First Amended Complaint

“Facebook operates a social networking website which allows its users to interact and communicate with other individuals.” FAC ¶ 6. According to Plaintiff, each of Facebook’s “billions of users” regularly record into their Facebook profiles a “virtual tsunami of private information.” Id. ¶ 7. Plaintiff alleges that “[a] vital feature of the viral spread of Facebook is the appearance of control users have over their sensitive information” based on Facebook’s privacy settings. Id. ¶ 8. Because of these privacy settings, users “reasonably expect [u]ser information will only be accessible to the extent they authorize such access.” Id. ¶ 9. Plaintiff alleges that “[p]rivacy is very important to Facebook users” and that its CEO, Mark Zuckerberg “has publicly acknowledged that people share on Facebook because they ‘know their privacy is going to be protected.’” Id.

“Facebook sets forth its data security policy in a Statement of Rights and Responsibilities and in a separate Data Policy.” Id. ¶ 10. According to Plaintiff, the “opening line” of the Statement of Rights and Responsibilities (“SRR”) states as follows:

    1. Privacy
    Your privacy is very important to us. We designed our Data Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Data Policy, and to use it to help you make informed decisions.

    2. Sharing Your Content and Information
    how it is shared through your privacy and application settings.

Id. ¶ 11. Plaintiff alleges that “[i]n order to register as [a user] of Facebook, [he] was required to, and did, affirmatively assent to its Terms and Conditions and Privacy Policy.” Id. ¶ 35.

Plaintiff alleges that he “relied on Facebook’s promises to secure his data” and provided his “valuable personal data.” Id. ¶ 13.
He further alleges that on April 20, 2020, his Facebook account was “hacked by an unknown source.” Id. ¶ 15. Plaintiff alleges that someone, unknown to him still today, “has control over Plaintiff’s Facebook account and is sending messages to other users demanding money.” Id. at ¶ 18. According to the FAC, this unknown hacker has “changed Plaintiff’s password and other credentials, so Plaintiff is effectively locked out of his account.” Id. Plaintiff alleges that when he learned his account had been hacked he called Facebook and sent messages and emails to Facebook employees seeking assistance in restoring access to his account but that he received no response. Id. at ¶¶ 16, 17. According to Plaintiff, Facebook is on notice of the problem but will not “properly assist” him in recovering his account from the hacker. Id. ¶ 19.

C. Facebook’s Statement of Rights and Responsibilities[2]

The SRR states that it is Facebook’s “terms of service that governs [its] relationship with users[.]” Pricer Decl., Ex. A (SRR), Preamble. In addition to the language quoted in Plaintiff’s FAC, reproduced above, the SRR contains the following provisions:

• “We do our best to keep Facebook safe, but we cannot guarantee it.” Id. § 3.
• “We are not responsible for the conduct, whether online or offline, of any user of Facebook.” Id. § 15.2.
• “WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK. WE ARE PROVIDING FACEBOOK AS IS WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT FACEBOOK WILL ALWAYS BE SAFE, SECURE OR ERROR-FREE OR THAT FACEBOOK WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS OR IMPERFECTIONS. FACEBOOK IS NOT RESPONSIBLE FOR THE ACTIONS, CONTENT, INFORMATION, OR DATA OF THIRD PARTIES, AND YOU RELEASE US, OUR DIRECTORS, OFFICERS, EMPLOYEES, AND AGENTS FROM ANY CLAIMS AND DAMAGES, KNOWN AND UNKNOWN, ARISING OUT OF OR IN ANY WAY CONNECTED WITH ANY CLAIM YOU HAVE AGAINST ANY SUCH THIRD PARTIES. . . .” Id. § 15.3 (capitalization in original).

[2] The Court considers the contents of the SRR under the doctrine of incorporation by reference, which allows courts to consider on a Rule 12(b)(6) “documents whose contents are alleged in the complaint.” See Swartz v. KPMG LLP, 476 F.3d 756, 763 (9th Cir. 2007) (“in order to ‘[p]revent[ ] plaintiffs from surviving a Rule 12(b)(6) motion by deliberately omitting . . . documents upon which their claims are based,’ a court may consider a writing referenced in a complaint but not explicitly incorporated therein if the complaint relies on the document and its authenticity is unquestioned.”) (citation omitted). Here, Plaintiff repeatedly invokes the terms of the SRR in

D. The SCA

“Enacted in 1986 as Section II of the Electronic Communications Protection Act (“ECPA”), the SCA creates criminal and civil liability for certain unauthorized access to stored communications and records.” In re iPhone Applic. Litig., 844 F.Supp.2d 1040, 1056–57 (N.D. Cal. 2012). Section 2701(a) makes it an offense for anyone to “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtain[ ], alter[ ], or prevent[ ] authorized access to a wire or electronic communication while it is in electronic storage in such system . . . .” 18 U.S.C. § 2701; see also 18 U.S.C.
§ 2707(a) (creating private right of action for violations of SCA). There is an exception, however, for “conduct authorized . . . by the person or entity providing a wire or electronic communications service[.]” 18 U.S.C. § 2701(c)(1).

Section 2702(a) provides as follows:

    (a) Prohibitions.--Except as provided in subsection (b) or (c)—

    (1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; and

    (2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service–

        (A) on behalf of, and received by means of electronic transmission from (or created by means of computer processing of communications received by means of electronic transmission from), a subscriber or customer of

        (B) solely for the purpose of providing storage or computer processing services to such subscriber or customer, if the provider is not authorized to access the contents of any such communications for purposes of providing any services other than storage or computer processing; and

    (3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

18 U.S.C. § 2702(a).

E. The Motion

In the Motion, Facebook contends all of Plaintiff’s claims fail as a matter of law and therefore must be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure. With respect to Plaintiff’s claim under § 2701(a), Facebook argues that the claim fails because it is exempt under § 2701(c). In any event, it argues, Plaintiff has not alleged any facts showing unauthorized access by Facebook and cannot do so because Facebook cannot hack its own server, as a matter of common sense. Likewise, Facebook asserts, Plaintiff has not alleged any facts that would establish unlawful intent on Facebook’s part. Facebook argues that the claim under § 2702(a) also fails because Plaintiff has not plausibly alleged that Facebook “knowingly divulge[d]” his private information. According to Facebook, “[a]n alleged failure to take steps to protect information in the event of a hack, even if true, does not constitute ‘knowingly divulg[ing]’ information under the SCA.” Motion at 8.

Facebook argues that if the Court dismisses the SCA claims it should decline to exercise supplemental jurisdiction over the state law claims but that if it retains jurisdiction, those claims are inadequately pled as well. With respect to the breach of contract claim, Facebook contends the terms of the SRR contradict Plaintiff’s allegations as to the nature of the agreement he contends was breached. Similarly, the SRR defeats his claim for breach of the covenant of good faith and fair dealing, which cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of the agreement. According to Facebook, Plaintiff has “not identified a contractual term that Facebook has violated, nor can Plaintiff tie any conduct by the SRR.” Id. at 11.

Facebook argues that Plaintiff’s negligence claim fails because it is based on the existence of a duty to safeguard his personal information, which is contradicted by the terms of the SRR. It further contends Plaintiff has failed to allege with any specificity how Facebook breached such a duty even if there is one. “The FAC does not, for example, allege how the hack was plausibly caused by any alleged action or inaction by Facebook.” Id. at 13.

Facebook challenges Plaintiff’s claims for negligent and fraudulent misrepresentation on the grounds that Plaintiff does not plead the existence of any actionable misrepresentation with particularity. With respect to the statement by Mark Zuckerberg that users “engage and share their content and feel free to connect because they know their privacy is going to be protected[,]” see FAC ¶ 54, Facebook argues that “Plaintiff lacks any basis to allege that statement was a misrepresentation” because “[t]he FAC explicitly states that the alleged hack was entirely the action of an unknown third-party and not any action in Facebook’s control.” Motion at 14 (citing FAC ¶ 15).
Nor can Plaintiff plausibly allege he relied on Zuckerberg’s statement, Facebook contends, given the vagueness of Zuckerberg’s statement and the specific statements in the SRR “in which Facebook foreswears any responsibility for the actions of third parties and emphasizes that Facebook cannot guarantee its platform will be safe.” Id. (citing Pricer Decl., Ex. A (SRR) §§ 3, 15.3). According to Facebook, the fraudulent misrepresentation claim fails for the additional reason that it is subject to the heightened pleading standard of Rule 9(b) of the Federal Rules of Civil Procedure, which Plaintiff has not satisfied. Finally, it argues that the negligent misrepresentation claim fails because such a claim can be based only on misrepresentations about “past or existing facts, not future promises.” Id. at 15.

Facebook argues that Plaintiff’s claim for intrusion on seclusion fails because Plaintiff “fails to allege that Facebook – as opposed to the hacker – intruded on Plaintiff’s privacy.” Moreover, Facebook asserts, “the SRR specifies that Plaintiff ‘release[s] [Facebook] . . . from any claims and damages, known and unknown, arising out of or in any way connected with any claim you have against any such third parties.’” Id. at 16 (citing Pricer Decl. Ex. A (SRR), § 15.3). 1798.29 because that provision applies only to state agencies.

III. ANALYSIS

A. Legal Standards Under Rule 12(b)(6)

A complaint may be dismissed for failure to state a claim on which relief can be granted under Rule 12(b)(6) of the Federal Rules of Civil Procedure. “The purpose of a motion to dismiss under Rule 12(b)(6) is to test the legal sufficiency of the complaint.” N. Star Int’l v. Ariz. Corp. Comm’n, 720 F.2d 578, 581 (9th Cir. 1983). Generally, a claimant’s burden at the pleading stage is relatively light. Rule 8(a) of the Federal Rules of Civil Procedure states that a “pleading which sets forth a claim for relief . . . shall contain . . .
a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a).

In ruling on a motion to dismiss under Rule 12(b)(6), the court takes “all allegations of material fact as true and construe[s] them in the light most favorable to the non-moving party.” Parks Sch. of Bus., 51 F.3d at 1484. Dismissal may be based on a lack of a cognizable legal theory or on the absence of facts that would support a valid theory. Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1990). A pleading must “contain either direct or inferential allegations respecting all the material elements necessary to sustain recovery under some viable legal theory.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 562 (2007) (citing Car Carriers, Inc. v. Ford Motor Co., 745 F.2d 1101, 1106 (7th Cir. 1984)). “A pleading that offers ‘labels and conclusions’ or ‘a formulaic recitation of the elements of a cause of action will not do.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 555). “[C]ourts ‘are not bound to accept as true a legal conclusion couched as a factual allegation.’” Twombly, 550 U.S. at 555 (quoting Papasan v. Allain, 478 U.S. 265, 286 (1986)). “Nor does a complaint suffice if it tenders ‘naked assertion[s]’ devoid of ‘further factual enhancement.’” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557). Rather, the claim must be “‘plausible on its face,’” meaning that the claimant must plead sufficient factual allegations to “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Twombly, 550 U.S. at 570).

B. SCA Claims

The SCA has a “narrow scope[;]” it “‘is not a catch-all statute designed to protect the privacy of stored Internet communications.’” In re Google, Inc. Privacy Policy Litig., No. C-12-01382-PSG, 2013 WL 6248499, at *12 (N.D. Cal. Dec. 3, 2013) (quoting Orin S.
Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1214 (2004)). Thus, Section 2701(a) makes it an offense to access an account only if it is “without authorization.” Moreover, Section 2701(c) exempts conduct “by the person or entity providing a wire or electronic communications service.”

Plaintiff asserts a claim under § 2701(a) based on the allegation that Facebook “intentionally refused to take the necessary steps and dedicate[ ] resources to restore Plaintiff’s account” after it was hacked. FAC ¶ 24. Yet Plaintiff has not alleged any access to Plaintiff’s account by Facebook (as opposed to the alleged third-party hacker) that was without authorization. See In re Google, Inc. Privacy Policy Litig., No. C-12-01382-PSG, 2013 WL 6248499, at *12 (N.D. Cal. Dec. 3, 2013) (dismissing § 2701(a) claim on the pleadings on the basis that “[w]hatever the propriety of Google’s actions, it plainly authorized actions that it took itself.”); Svenson v. Google Inc., 65 F. Supp. 3d 717, 726 (N.D. Cal. 2014) (dismissing § 2701(a) claim on the pleadings where “[i]t appear[ed] from the face of the complaint that the ‘facility’ in question was Defendants’ own servers” and the plaintiff did “not allege any facts suggesting that Defendants were not authorized to access their own servers as required under § 2701(a).”). Further, the exception in subsection (c) clearly applies to the alleged actions and/or inaction on Facebook’s part with respect to the protection of Plaintiff’s personal information and its efforts to restore Plaintiff’s access to his account. Therefore, Plaintiff’s claim under Section 2701(a) fails to state a claim.

Plaintiff’s second SCA claim, asserted under § 2702(a), is based on the allegation that Facebook “unlawfully divulge[ed] the contents of Plaintiff’s communications to third parties, including but not limited to whomever the hacker is sending communications or information to while logged in to Plaintiff’s account.” FAC ¶ 24. This claim fails because Plaintiff must allege order to state a claim under § 2702(a). While the SCA does not define the term “knowingly[,]” courts that have addressed the meaning of the term have looked to the following definition, found in the legislative history:

    The term knowingly means that the Defendant was aware of the nature of the conduct, aware of or possessing a firm belief in the existence of the requisite circumstances and an awareness of or a firm belief about the substantial certainty of the result.

Muskovich v. Crowell, No. CIV. 3-95-CV-20007, 1996 WL 707008, at *4 (S.D. Iowa Aug. 30, 1996) (quoting H.R. Rep. No. 647, 99th Cong., 2nd Sess. at 64 (1986) (emphasis added in Muskovich)).

In Muskovich, an employee of the defendant company made harassing anonymous calls to the plaintiff, having obtained her unlisted telephone number from company records. 1996 WL 707008, at *1. The plaintiff alleged that the defendant violated § 2702(a) by failing to implement adequate safety procedures to protect her private information and that the defendant “knew or should have known” that the lack of safeguards would lead to the disclosure of her telephone number. Id. at *3. The Court disagreed, holding that it was not enough that the defendant may have been “aware of the possibility that an employee could obtain such information[.]” Id. at *4-5. Relying on the definition of “knowingly” quoted above, the court reasoned that “[a]wareness of a ‘possibility’ does not rise to the level of awareness of a ‘substantial certainty’ required for liability” under § 2702(a). Id. Similarly, in Worix v.
MedAssets, Inc., the court dismissed an SCA claim in a data breach case because “the failure to take reasonable steps to safeguard data does not, without more, amount to divulging that data knowingly.” 857 F. Supp. 2d 699, 703 (N.D. Ill. 2012); see also In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *42 (N.D. Cal. Aug. 30, 2017) (noting that the court was not aware of any court in the Ninth Circuit that had addressed the scope of the term “knowingly” in 18 U.S.C. § 2702 and holding based on, inter alia, Worix and Muskovich, that the plaintiffs could not state claims under the SCA “simply because a defendant failed to prevent a data breach.”).

The Court finds the reasoning of Worix and Muskovich to be persuasive and therefore “knowingly divulged” any communication in violation of § 2702(a). In particular, no facts are alleged in the FAC that would establish that Facebook knew with substantial certainty that its allegedly insufficient efforts to safeguard Plaintiff’s account or restore access to it would result in Plaintiff’s communications being divulged by a third-party hacker.

For these reasons, the Court concludes that Plaintiff has failed to allege any viable claim under the SCA.

C. State Law Claims

1. Intrusion on Seclusion

Plaintiff asserts a claim for intrusion on seclusion based on the allegations that he input his private information into his Facebook account because Facebook’s privacy settings gave him a false sense of security as to who would be able to access this information. FAC ¶¶ 29-30. These allegations are not sufficient to state a claim for intrusion on seclusion under California law.

Under California law, an action for intrusion on seclusion “has two elements: (1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person.” Shulman v. Grp. W Prods., Inc., 18 Cal.
4th 200, 231 (1998), as modified on denial of reh’g (July 29, 1998). Under the first element, courts consider whether the defendant “‘intentionally intrude[d], physically or otherwise, upon the solitude or seclusion of another,’ that is, into a place or conversation private to [the defendant].” Id. (citing Rest.2d Torts, § 652B; Miller v. Nat’l Broad. Co., 187 Cal. App. 3d 1463, 1482 (1986)). Plaintiff has pointed to no authority that suggests that failure to take adequate measures to protect against the intentional intrusion of a third party satisfies the first element of a claim for intrusion on seclusion and the Court has found none. Further, Plaintiff cannot base his claim against Facebook on the actions of the third party who allegedly hacked his account because Plaintiff alleges in the FAC that he agreed to the terms of service in the SRR, which releases Facebook from any liability based on the actions of third parties. See FAC ¶ 35[3]; Marder v. Lopez, 450 F.3d 445, 448 (9th Cir. 2006) (dismissing claims under Rule 12(b)(6) based on release that was referenced in the complaint and that the court treated as part of the complaint).[4] Therefore, the Court concludes that Plaintiff has failed to state a claim for intrusion on seclusion against Facebook based on the allegations in the FAC.

[3] In paragraph 35 of the FAC, Plaintiff refers to Facebook’s “Terms and Conditions and Privacy

[4] The Court notes that Plaintiff did not respond to Facebook’s arguments challenging this claim

2. Negligence

Plaintiff asserts a claim for negligence based on the allegation that Facebook breached a duty to Plaintiff to “exercise reasonable care in safeguarding and protecting” his personal information by failing to “maintain[ ] and test[ ] Facebook’s security systems and tak[e] other reasonable security measures to protect and adequately secure the personal data of Plaintiff from unauthorized access and use.” FAC ¶ 32. In order to state a claim for negligence, a plaintiff must allege that: (1) the defendant has a legal duty to use due care; (2) the defendant breached such legal duty; (3) the defendant’s breach was the proximate or legal cause of the resulting injury; and (4) there was resulting damage to the plaintiff. Ladd v. County of San Mateo, 12 Cal.4th 913, 917 (1996). “The existence of a duty of care is a question of law to be determined by the court alone.” Camp v. State of California, 184 Cal. App. 4th 967, 975 (2010) (citing Ballard v. Uribe, 41 Cal.3d 564, 572, fn. 6 (1986)). Here, Plaintiff’s allegation that Facebook owed him a duty of care to keep his personal information safe is contradicted by the terms of the SRR, which expressly disclaim such a duty. See Pricer Decl. Ex. A (SRR), §§ 3, 15.3; Young v. Facebook, Inc., No. 5:10-CV-03579-JF/PVT, 2010 WL 4269304, at *5 (N.D. Cal. Oct. 25, 2010) (dismissing negligence claim against Facebook based on allegation that Facebook owed the plaintiff a duty “to use due care when hiring and training personnel to monitor and enforce website activity according to their outlined contractual agreement” because “the Statement of Rights and Responsibilities expressly disclaims any duty to provide for the safety of Facebook users.”). Therefore, the Court finds that Plaintiff fails to state a claim for negligence.

3. Breach of Contract

Plaintiff alleges that the SRR was a binding agreement between Plaintiff and Facebook under which Plaintiff “transmitted sensitive personal information . . . to Facebook in exchange for use of Facebook and Facebook’s promise that it would not share that personal information with third parties, including hackers.” FAC ¶ 37. He asserts a breach of contract claim on the basis that Facebook allegedly failed to safeguard his sensitive personal information as promised. Id. ¶ 40. In particular, he alleges that Facebook failed to keep its promise to keep Facebook safe and bug-free. Id. ¶ 41 (quoting SRR §§ 3, 15). Plaintiff fails to state a viable claim for breach of contract, however, because he does not point to any specific provision that was breached. See Frances T. v. Vill. Green Owners Assn., 42 Cal. 3d 490, 512–13 (1986) (dismissing breach of contract claim because the plaintiff did not point to any provision in the alleged agreement that imposed the obligation that was allegedly breached).

Plaintiff quotes incomplete phrases from Sections 3 and 15 of the SRR in support of his breach of contract claim but those sections do not, when read in their entirety, constitute promises to safeguard Plaintiff’s private information. In particular, Section 3 states “We do our best to keep Facebook safe, but we cannot guarantee it.” Pricer Decl., Ex. A (SRR) § 3 (emphasis added). Likewise, Section 15 states, “WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK.” Id. § 15 (emphasis added).
The section goes on to state that Facebook is being provided “AS IS,” that Facebook does not “GUARANTEE THAT FACEBOOK WILL ALWAYS BE SAFE, SECURE OR ERROR-FREE OR THAT FACEBOOK WILL ALWAYS FUNCTION WITHOUT DISRUPTIONS, DELAYS OR IMPERFECTIONS[,]” and that Facebook is not responsible for the actions of third parties. Id. In other words, the SRR makes clear that Facebook did not promise to safeguard Plaintiff’s private information. Therefore, the FAC does not allege a valid claim for breach of contract.

4. Breach of Implied Covenant of Good Faith and Fair Dealing

Plaintiff’s claim for breach of implied covenant of good faith and fair dealing also fails to state a claim. “Every contract imposes on each party a duty of good faith and fair dealing in each 3d 1371, 1393 (1990), as modified on denial of reh’g (Oct. 31, 2001) (citing Rest.2d, Contracts, § 205; Egan v. Mutual of Omaha Ins. Co. 24 Cal.3d 809, 818, 169 (1979); Seaman’s Direct Buying Service, Inc. v. Standard Oil Co., 36 Cal.3d 752, 768 (1984)). This duty requires that neither party “will do anything which will injure the right of the other to receive the benefits of the agreement.” Id. (internal quotations and citations omitted). On the other hand, “[t]he covenant ‘cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of their agreement.’” Appling v. State Farm Mut. Auto. Ins. Co., 340 F.3d 769, 779 (9th Cir. 2003) (quoting Guz v. Bechtel Nat. Inc., 24 Cal. 4th 317, 350 (2000)).

Plaintiff asserts his claim for breach of the implied covenant based on the allegations that “Facebook is on notice that Plaintiff’s user account has been taken over[,] Facebook has a duty to assist Plaintiff in thwarting the hack and recovering the account. Facebook will not properly [do] so.” FAC ¶ 45.
According to Plaintiff, “Facebook’s conduct demonstrates a failure or refusal to discharge contractual responsibilities including its duty to do its best to keep Facebook safe.” Id. ¶ 46. As discussed above, however, Plaintiff has not pointed to any contractual obligation on Facebook’s part to keep Facebook safe; rather, the SRR disavows such an obligation. As a claim for breach of the covenant of good faith cannot impose substantive duties not found in the underlying contract, Plaintiff fails to state a claim.

5. Cal. Civ. Code § 1798.29

In the FAC, Plaintiff asserts a claim under Cal. Civ. Code § 1798.29 based on the allegation that “Facebook intentionally refused to take the necessary steps and dedicated resources to restore Plaintiff’s account.” Section 1798.29 is a provision of the Information Practices Act of 1977 and applies to state agencies; it does not apply to private businesses. See Cal. Civ. Code § 1798.45 (allowing individuals to “bring a civil action against an agency” when the agency does not comply with relevant provisions of the Act). Because Facebook is not a state agency, this claim fails as a matter of law.[5]

6. Fraudulent and Negligent Misrepresentation

Plaintiff brings claims for negligent and fraudulent misrepresentation based on alleged misrepresentations by Facebook that his privacy would be protected. FAC ¶ 54. His allegations fall short as to both claims.

To state a claim for fraudulent misrepresentation, a plaintiff must allege:

    (1) the defendant represented to the plaintiff that an important fact was true; (2) that representation was false; (3) the defendant knew that the representation was false when the defendant made it, or the defendant made the representation recklessly and without regard for its truth; (4) the defendant intended that the plaintiff rely on the representation; (5) the plaintiff reasonably relied on the representation; (6) the plaintiff was harmed; and (7) the plaintiff’s reliance on the defendant’s representation was a substantial factor in causing that harm to the plaintiff.

Graham v. Bank of Am., N.A., 226 Cal. App. 4th 594, 605-06 (2014) (internal quotation marks and citation omitted). A claim for fraudulent misrepresentation is subject to the heightened pleading standard of Rule 9(b) of the Federal Rules of Civil Procedure, which requires that “[i]n alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake.” Broge v. ALN Int’l, Inc., No. 17-CV-07131-BLF, 2018 WL 6308194, at *5 (N.D. Cal. Dec. 3, 2018). “In order to satisfy this heightened pleading standard, a plaintiff must provide ‘an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations.’” Id. (quoting Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (internal quotation marks and citation omitted); and citing Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir.
2003) (“Averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged.” (internal quotation marks and citation omitted))).

To state a claim for negligent misrepresentation, a plaintiff must allege the defendant:

    (1) asserted a material fact, (2) which was untrue, (3) without a reasonable grounds for believing it to be true, (4) with the intent that plaintiff would rely upon the assertion, (5) that the plaintiff justifiably relied upon the representation, and (6) as a result was harmed.

First Am. Specialty Ins. Co. v. Carmax Auto Superstores California, LLC, No. C 16-05951-WHA, CIBC World Markets Corp., 157 Cal. App. 4th 835, 845 (2007), as modified (Dec. 26, 2007)).

Plaintiff’s misrepresentation claims fail because he does not plausibly allege — much less allege with particularity — any misleading statements that his privacy would be protected. The only specific statement alleged in the FAC in support of this claim is one by Facebook CEO Mark Zuckerberg that users “engage and share their content and feel free to connect because they know their privacy is going to be protected.” FAC ¶ 54. This vague statement is not a representation of material fact about Facebook’s commitment to protecting users’ privacy. Even if it were, however, Plaintiff has not alleged facts showing “justifiable” or “reasonable” reliance on the statement given that Facebook expressly warns users in the SRR, to which Plaintiff agreed, that it does not protect users’ safety or take responsibility for the actions of third parties. Therefore, Plaintiff fails to state a claim for negligent or fraudulent misrepresentation.

IV. CONCLUSION

For the reasons discussed above, the Motion is GRANTED and Plaintiff’s claims are dismissed.
While it is not clear from his opposition brief that Plaintiff will be able to cure the defects identified herein, in light of his pro se status the Court will allow Plaintiff to amend his complaint to address the deficiencies in pleading as to his existing claims. Plaintiff’s Second Amended Complaint shall be filed no later than February 1, 2021.

IT IS SO ORDERED.

Dated: December 31, 2020

JOSEPH C. SPERO
Chief Magistrate Judge