Durgan v. U-Haul International Incorporated

• Court: District Court, D. Arizona
• Decided: October 27, 2023
• Docket: 2:22-cv-01565
• Status: Unknown

Opinion

1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA

9 Felicia Durgan, et al., No. CV-22-01565-PHX-MTL

10 Plaintiffs, ORDER

11 v.

12 U-Haul International Incorporated,

13 Defendant. 14 15 Plaintiffs are former customers of Defendant U-Haul International Incorporated. As 16 part of the transaction, Plaintiffs provided Defendant with their personal identifiable 17 information (“PII”). During the summer of 2022, Defendant fell victim to a cyber-attack 18 by unknown hackers. The hackers gained access to Plaintiffs’ PII. Plaintiffs subsequently 19 sued Defendant, alleging that Defendant failed to take reasonable precautions to protect 20 their PII. (Doc. 33.) Defendant moves to dismiss Plaintiffs’ First Amended Consolidated 21 Class Action Complaint (“FAC”). (Doc. 34.) The Court rules as follows. 22 I. BACKGROUND 23 Defendant previously moved to dismiss Plaintiffs’ Consolidated Class Action 24 Complaint. (Doc. 22.) The Court granted the Motion with respect to all claims except 25 Plaintiffs’ claim under the California Consumer Privacy Act (“CCPA”).1 (Doc. 31 at 27.) 26 It dismissed Plaintiffs’ claim under Oregon’s Unlawful Trade Practices Act with prejudice, 27 but otherwise granted leave to amend. (Id.) Thereafter, Plaintiffs filed their FAC. (Doc.

28 1 The Court fully recounted the factual background of the case in that Order. (Doc. 31 at 1-3.) It will not repeat that background here. 1 33.) It asserts claims of negligence, breach of implied contract, and violations of the 2 Arizona Consumer Fraud Act (“ACFA”) and the CCPA. (Id. at ¶¶ 182-255.) Defendant 3 again moves to dismiss all claims. (Doc. 34.) 4 II. LEGAL STANDARD 5 To survive a Rule 12(b)(6) motion to dismiss, “a complaint must contain sufficient 6 factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” 7 Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 8 544, 570 (2007)). A claim is facially plausible when it contains “factual content that allows 9 the court to draw the reasonable inference” that the moving party is liable. Id. At the 10 pleading stage, a court’s duty is to accept all well-pleaded complaint allegations as true. Id. 11 Facts should be viewed “in the light most favorable to the non-moving party.” Faulkner v. 12 ADT Sec. Servs., Inc., 706 F.3d 1017, 1019 (9th Cir. 2013). “[Dismissal] is proper if there 13 is a ‘lack of a cognizable legal theory or the absence of sufficient facts alleged under a 14 cognizable legal theory.’” Conservation Force v. Salazar, 646 F.3d 1240, 1242 (9th Cir. 15 2011) (citation omitted). Generally, when deciding a Rule 12(b)(6) motion, courts shall 16 look only to the face of the complaint and documents attached thereto. Van Buskirk v. Cable 17 News Network, Inc., 284 F.3d 977, 980 (9th Cir. 2002); Hal Roach Studios, Inc. v. Richard 18 Feiner & Co., Inc., 896 F.2d 1542, 1555 n.19 (9th Cir. 1989). 19 III. DISCUSSION 20 A. Negligence 21 To state a claim for negligence under Arizona law, “a plaintiff must prove: (1) a 22 duty requiring the defendant to conform to a certain standard of care; (2) breach of that 23 standard; (3) a causal connection between the breach and the resulting injury; and (4) actual 24 damages.” CVS Pharmacy, Inc. v. Bostwick ex rel., 251 Ariz. 511, 517 (2021) (quoting 25 Quiroz v. ALCOA Inc., 243 Ariz. 560, 563-64 (2018)). Defendant argues that Plaintiffs fail 26 to allege a cognizable injury and causation. (Doc. 34 at 2-5.) Plaintiffs counter that their 27 alleged injuries are concrete, and they sufficiently allege causation. (Doc. 35 at 2-7.) 28 1 1. Cognizable Injury 2 Plaintiffs rely upon the same allegations of injury that they cited in response to 3 Defendant’s first Motion to Dismiss. (Compare Doc. 23 at 2-9 with Doc. 35 at 2-6.) 4 Namely, Plaintiffs allege that they are at an ongoing risk of imminent harm and that they 5 have suffered injury stemming from their reasonable mitigation efforts and the diminution 6 in the value of their PII. (Doc. 35 at 2-6.) Defendant responds that Plaintiffs simply repeat 7 previously rejected arguments that remain unavailing. (Doc. 38 at 1-4.) 8 i. Risk of Harm 9 Plaintiffs argue that the theft of their PII is sufficient to demonstrate a credible risk 10 of imminent harm. (Doc. 35 at 3-5.) They do not dispute that the compromised information 11 at issue is limited to names, dates of birth, and driver’s license or state identification 12 numbers. (Id.) The Court previously stated that “[w]ithout disclosure of social security 13 number, bank, or credit card information, the Court finds that the PII does not present a 14 clear ability for unscrupulous actors to commit fraud or identity theft.” (Doc. 31 at 6.) 15 Accordingly, it found that Plaintiffs did not allege a risk of imminent harm. (Id.) 16 Plaintiffs’ FAC contains new allegations describing how bad actors may make 17 limited use of the PII. (Doc. 33 ¶¶ 71-89.) For example, Plaintiffs allege that the 18 compromised information may allow the hackers to steal more information using “social 19 engineering.” (Doc. 33 ¶ 73.) The hackers may then develop “Fullz” packages, which 20 consist of bits and pieces of compromised PII. (Id. ¶¶ 74-78.) Additionally, Plaintiffs 21 provide examples of types of fraud that bad actors may commit with a stolen driver’s 22 license number. (Id. ¶¶ 81-84.) But courts within the Ninth Circuit have encountered this 23 situation before, and as the Court previously noted, have consistently found that theft of 24 this specific type of PII, while undoubtedly problematic, is insufficient to demonstrate 25 imminent harm. (See Doc. 31 at 4-6 (collecting cases)). Thus, the Court again finds that 26 Plaintiffs fail to allege a cognizable risk of imminent harm. 27 ii. Plaintiffs’ Mitigation Efforts 28 Plaintiffs argue that their FAC “adequately demonstrates that [they] have 1 experienced concrete, redressable harm from the [d]ata [b]reach in the form of the lost time 2 and out-of-pocket expenses they necessarily incurred in responding to the [d]ata [b]reach.” 3 (Doc. 35 at 5.) For “costs incurred in an effort to mitigate the risk of future harm [to be 4 cognizable], the future harm being mitigated must itself be imminent.” In re Adobe Sys., 5 Inc. Priv. Litig., 66 F. Supp. 3d 1197, 1217 (N.D. Cal. 2014); see also Antman v. Uber 6 Techs. Inc., No. 15-cv-01175-LB, 2018 WL 2151231, at *9 (N.D. Cal. May 10, 2018) 7 (stating that “the risk of identity theft must first be real and imminent, and not speculative, 8 before mitigation costs establish injury in fact”) (citations omitted). 9 For the same reasons that Plaintiffs’ allegations of future harm are speculative, 10 Plaintiffs’ mitigation expenses surrounding the data breach merely establish conjectural or 11 hypothetical harms. Thus, Plaintiffs’ mitigation expenses are similarly speculative. (Doc. 12 31 at 6); See Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917, 931 (11th Cir. 2020) 13 (reasoning that wasted time and mitigation efforts “necessarily rise[] or fall[] with [the] 14 Court’s determination of whether the risk posed . . . is itself a concrete harm”). Moreover, 15 Plaintiffs do not argue that any mitigation efforts or expenses, even if not speculative, were 16 reasonable. See Griffey v. Magellan Health Inc., 562 F. Supp. 3d 34, 47 (D. Ariz. 2021) 17 (citing In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 18 942, 970 (S.D. Cal. 2014)) (requiring mitigation efforts and expenses to be “reasonable and 19 necessary”). The Court therefore finds that Plaintiffs’ mitigation efforts are not cognizable. 20 iii. Diminution in Value of PII 21 To successfully show harm arising from diminution in PII’s value, a plaintiff must 22 “establish both the existence of a market for her personal information and an impairment 23 of her ability to participate in that market.” Svenson v. Google Inc., No. 13-CV-0480-BLF, 24 2016 WL 8943301, at *9 (N.D. Cal. Dec. 21, 2016) (citing In re Google, Inc. Priv. Pol’y 25 Litig., No. 5:12-CV-001382-PSG, 2015 WL 4317479, at *4 (N.D. Cal. July 15, 2015)). 26 Merely alleging that PII has value in general is insufficient. See Pruchnicki, 845 F. App’x 27 at 614-15 (finding no compensable damages where a plaintiff established that personal 28 information may have value in general but “failed to adequately allege that her personal 1 information actually lost value”) (emphasis in original) (citation omitted). 2 Plaintiffs first allege that the existence of data brokers demonstrates a market for 3 PII. (Doc. 35 at 5-6; Doc. 33 ¶ 98.) They contend that their ability to participate in that 4 market has been impaired because their PII is available on the dark web and no longer rare. 5 (Doc. 35 at 5-6; Doc. 33 ¶ 100.) But Plaintiffs fail to allege that a legitimate market exists 6 for dates of birth or driver’s license or state identification numbers. (Doc. 33 ¶ 98.) Their 7 allegation of a general market for PII, but not a market for the specific type of PII at issue 8 here, is insufficient. Pruchnicki, 845 F. App’x at 614-15. 9 Plaintiffs next allege that a market exists for their PII because consumers derive 10 economic benefit “from being able to use it and control the use of it.” (Doc. 33 ¶ 99.) They 11 allege that their ability to participate in that market has been impaired by the theft of their 12 PII, which has “left [them] to face greater transaction costs or even outright denial of 13 participation in ordinary transactions.” (Doc. 35 at 6; see also Doc. 33 ¶ 99 (“A consumer’s 14 ability to use their PII is encumbered when their identity or credit profile is infected 15 by misuse or fraud . . . In this sense, among others, the theft of PII in the [d]ata 16 [b]reach led to a diminution in value of the PII.”).) One court has accepted such 17 allegations. Smallman v. MGM Resorts Int’l, 638 F. Supp. 3d 1175, 1191 (D. Nev. 2022) 18 (“[T]he [d]ata [b]reach devalued Plaintiffs’ PII by interfering with their fiscal autonomy. 19 Any past and potential future misuse of Plaintiffs’ PII impairs their ability to participate in 20 the economic marketplace.”). 21 The Court finds that there is a market for Plaintiffs’ PII because disclosure of that 22 PII is, at times, necessary for their participation in the economic marketplace.2 In that 23 respect, the Court finds the reasoning of Smallman persuasive. But Plaintiffs have failed to 24 allege that their ability to participate in that market has been impaired. (See Doc. 25 33 ¶¶ 97-104.) They do not allege that they have actually incurred increased transaction 26 costs or outright denial of participation in ordinary transactions because of any fraud or 27 misuse of their PII. (See id.) The Court is left to guess whether such things will occur. The

28 2 This is evidenced by the fact that Plaintiffs were required to disclose the PII to Defendant as part of the transaction. (Doc. 33 ¶ 99.) 1 Court declines to adopt the full reasoning of Smallman, which appears to permit such 2 speculative injury. 638 F. Supp. 3d at 1191 (referencing “potential future misuse of 3 Plaintiffs’ PII” when discussing diminution in the value of that PII). Accordingly, 4 Plaintiffs’ allegedly diminished PII value is not a cognizable injury. 5 iv. Lost Benefit of the Bargain 6 Defendant argues that Plaintiffs fail to adequately plead lost benefit of the bargain 7 as a cognizable injury. (Doc. 34 at 4-5.) Plaintiffs do not refute this. (See Doc. 35 at 2-6.) 8 Defendant contends that Plaintiffs have accordingly “conceded the insufficiency of their 9 benefit of the bargain allegations.” (Doc. 38 at 3.) Defendant is correct. “The Court will 10 not manufacture arguments for Plaintiff[s] . . . It is a well-settled principle that by failing 11 to address arguments in an opposition, a party effectively concedes a claim.” Thompson v. 12 Isagenix Int’l LLC., No. CV-18-04559-PHX-SPL, 2020 WL 1432840, *4 (D. Ariz. Mar. 13 24, 2020) (citing Walsh v. Nev. Dep’t of Human Res., 471 F.3d 1033, 1037 (9th Cir. 2006)). 14 Thus, the Court finds that the supposed lost benefit of the bargain does not establish a 15 cognizable injury. 16 2. Causation 17 Defendant argues that, while “Plaintiffs now claim that [Defendant] could have 18 prevented the [d]ata [b]reach by undertaking a variety of actions . . . they still fail to explain 19 how those deficiencies ‘led to the alleged harm.’” (Doc. 34 at 5 (quoting Doc. 31 at 10).) 20 Plaintiffs respond that they have plead a connection between Defendant’s inadequate 21 security and the subsequent data breach. (Doc. 35 at 6-7; see Doc. 33 ¶¶ 40-44, 54-55.) 22 They are correct. See Griffey, 562 F. Supp. 3d at 45. Plaintiffs’ allegations concerning 23 Defendant’s purported failure to protect the PII directly relate to the hackers’ ability to 24 successfully steal the PII. (See Doc. 33 ¶¶ 40-44, 54-55.) This point, however, is 25 inconsequential as Plaintiffs fail to allege a cognizable injury. Accordingly, their 26 negligence claim must be dismissed. See Bostwick ex rel., 251 Ariz. at 517. 27 B. Breach of Implied Contract 28 Contracts may be express or implied. See Barmat v. John & Jane Doe Partners A-D, 1 155 Ariz. 519, 521-22 (1987). “The distinction between an express contract and one 2 implied in fact is that in the former the undertaking is made by words written or 3 spoken, while in the latter conduct rather than words conveys the necessary assent and 4 undertakings.” Id. at 521 (citation omitted). To succeed on a breach of contract claim, “the 5 plaintiff has the burden of proving the existence of the contract, its breach and the 6 resulting damages.” Thomas v. Montelucia Villas, LLC, 232 Ariz. 92, 96 (2013) (quoting 7 Graham v. Asbury, 112 Ariz. 184, 185 (1975)). “For a valid contract to exist, there must 8 have been an offer, acceptance of the offer, consideration, sufficient specification of 9 terms so that the obligations involved can be ascertained, and the parties must have 10 intended to be bound by the agreement.” Day v. LSI Corp., 174 F. Supp. 3d 1130, 1153 11 (D. Ariz. 2016) (citations omitted). 12 Previously, the Court found that Plaintiffs failed to sufficiently allege the terms of 13 the contract, consideration, and cognizable damages. (Doc. 31 at 10-12.) Defendant 14 contends that Plaintiffs’ FAC suffers from these same defects. (Doc. 34 at 5-7; Doc. 38 at 15 3-4.) Plaintiffs respond that they now adequately allege the existence and breach of the 16 purported implied contract. (Doc. 35 at 7-10.) 17 1. Terms 18 Plaintiffs argue that the specific terms of the alleged implied contract are 19 encompassed by Defendant’s privacy policy, wherein Defendant represents that it “[u]ses 20 commercially reasonable physical, managerial, and technical safeguards to preserve the 21 integrity and security of your [i]nformation and our systems.” (Doc. 35 at 8 (quoting 22 Privacy Notice, UHAUL, https://www.uhaul.com/Legal/#Security (last visited Oct. 23, 23 2023).) Defendant responds that the privacy policy does not promise data security, but to 24 the contrary, expressly notes that “while [Defendant’s] Internet-based technology enables 25 it to lower costs and better serve customers, it ‘exposes [Defendant] to various risks 26 including . . . cyber-attacks.’” (Doc. 38 at 3-4 (Privacy Notice, UHAUL, 27 https://www.uhaul.com/Legal/#Security (last visited Oct. 23, 2023).) 28 The Court previously found that Plaintiffs failed to “specify the alleged promises 1 [Defendant] made to Plaintiffs.” (Doc. 31 at 11.) This is no longer the case. Plaintiffs allege 2 that Defendant, as evidenced by its privacy policy, promised to take commercially 3 reasonable steps to protect their PII. (Doc. 33 ¶ 221.) Defendant’s disclaimer that a 4 cyber-attack nonetheless remains possible does not negate their commitment to exercise 5 commercially reasonable precautions. Thus, Plaintiffs adequately allege the terms of the 6 purported implied contract. 7 2. Consideration 8 Under Arizona law, “[c]onsideration is defined as bargained for exchange whereby 9 the promisors . . . receive some benefit or the promisee . . . suffers a detriment.” Coup v. 10 Scottsdale Plaza Resort, LLC, 823 F. Supp. 2d 931, 943 (D. Ariz. 2011). Plaintiffs contend 11 that they sufficiently allege consideration because they provided Defendant with their PII 12 and Defendant promised to protect their PII. (Doc. 35 at 9.) Plaintiffs assert that they “only 13 provided their PII because Defendant agreed to safeguard and protect their PII” in its 14 privacy policy. (Id.) But Plaintiffs do not allege that they relied upon or read the privacy 15 policy before entering into a business relationship with Defendant. (See Doc. 33 16 ¶¶ 218-232.) The privacy policy cannot have been part of the Parties’ bargained for 17 exchange if Plaintiffs did not rely upon it or were not aware of its existence. 18 3. Damages 19 Plaintiffs assert that they allege cognizable damages in the form of lost benefit of 20 the bargain. (Doc. 35 at 7.) They state that “Plaintiffs lost the benefit of their bargain by 21 providing valuable consideration for data security that was not provided.”3 (Doc. 35 at 7.) 22 But as the Court has already noted, “Plaintiffs’ allegations offer nothing to further a claim 23 that [Defendant] promised or agreed to these expectations as part of a bargain. Indeed, it 24 is difficult to imagine that Plaintiffs could provide as much; Plaintiffs purchased and sought 25 physical storage and rental truck services, not data security.” (Doc. 31 at 8) (emphasis 26 3 Plaintiffs, as part of their negligence claim, allege that they suffered injury in the form of 27 lost benefit of the bargain. As mentioned, though, they fail to argue in support of that allegation. They allege the same injury here in the context of their breach of implied 28 contract claim. This time, however, they provide brief argument in support of the allegation. (Doc. 35 at 7.) As a result, the Court addresses it on the merits. 1 added.) In short, Plaintiffs do not allege that data security was part of their bargain. As 2 mentioned, they do not even allege that they were aware of the privacy policy when the 3 bargain was made. 4 Additionally, Plaintiffs incorporate the damages alleged in their negligence claim. 5 (Id.) They are not cognizable for the reasons already discussed in this Order. Because 6 Plaintiffs fail to allege consideration or damages, their breach of implied contract claim 7 must also fail. 8 C. Arizona Consumer Fraud Act 9 The ACFA prohibits fraudulent, deceptive, or misleading conduct in connection 10 with the sale of consumer goods and services. A.R.S. § 44-1522(A). “To prevail [on an 11 ACFA claim], a plaintiff must establish that (1) the defendant made a misrepresentation in 12 violation of the Act, and (2) defendant’s conduct proximately caused plaintiff to suffer 13 damages.” Cheatham v. ADT Corp., 161 F. Supp. 3d 815, 825 (D. Ariz. 2016) (citation 14 omitted). The ACFA provides liability for affirmative misrepresentations and omissions. 15 See Maurer v. Cerkvenik-Anderson Travel, Inc., 181 Ariz. 294, 297 (Ct. App. 1994). 16 As an initial matter, the Court must determine whether Plaintiffs’ claim under the 17 ACFA is subject to the heightened pleading requirements of Rule 9(b) of the Federal Rules 18 of Civil Procedure. That rule applies to claims that allege fraud. Fed. R. Civ. P. 9(b); BHPH 19 Capital LLC v. JV Wholesalers, LLC, No. CV-22-00143-PHX-DJH, 2023 WL 5932801, at 20 *2 (D. Ariz. Sept. 12, 2023). 21 Claims brought under the ACFA sound in fraud because they require the plaintiff to 22 demonstrate a misrepresentation. Cheatham, 161 F. Supp. 3 at 825. Accordingly, Rule 9(b) 23 applies. BHPH Capital, No. CV-22-00143-PHX-DJH, 2023 WL 5932801, at *2. Plaintiffs 24 attempt to avoid this requirement by alleging that Defendant has violated the ACFA not by 25 making a misrepresentation, but by engaging in an unfair practice—namely, “failing to 26 implement and maintain reasonable security measures to protect and secure 27 Plaintiffs’ . . . PII in a manner that complied with applicable laws, regulations, and industry 28 standards.” (Doc. 33 ¶ 237.) But to the Court’s knowledge, no court within the State of 1 Arizona or the Ninth Circuit has ever held that an unfair practice alone constitutes a 2 violation of the ACFA. This Court and other courts within the Ninth Circuit have 3 consistently held that an ACFA claim must include a false promise or misrepresentation. 4 See, e.g., Garner v. Medicis Pharmaceutical Corp., No. CV-21-00145-PHX-GMS, 2023 5 WL 6295052, at *2 (D. Ariz. Sept. 27, 2023); Gannon v. Truly Nolen of Am. Inc., No. 6 CV-22-428-TUC-JAS, 2023 WL 6536477, at *4 (D. Ariz. Aug. 31, 2023); Sweidy v. Spring 7 Ridge Academy, No. CV-21-08013-PHX-SPL, 2023 WL 5278680, at *3 (D. Ariz. Aug. 16, 8 2023); Creech v. Barrett Fin. Grp. LLC, No. CV-22-00871-PHX-SMB, 2023 WL 9 4847598, at *4 (D. Ariz. July 28, 2023). Arizona courts are in accord. See, e.g., Strojnik v. 10 FlagExpress, LLC, No. 1 CA-CV 21-0074, 2021 WL 5183632, at *2-3 (Ariz. Ct. App. 11 Nov. 9, 2021); Strojnik v. Best Western Int’l Inc., No. 1 CA-CV 22-0036, 2022 WL 12 7262416, at *2 (Ariz. Ct. App. Oct. 13, 2022). Because Plaintiffs do not allege that 13 Defendant made a false promise or misrepresentation, they do not plead a violation of the 14 ACFA. Thus, their claim must be dismissed. 15 D. California Consumer Privacy Act 16 The Court previously declined to dismiss Plaintiffs’ claim under the CCPA. (Doc. 17 31 at 15-16.) Defendant again argues that Plaintiffs fail to adequately plead their claim. 18 (Doc. 34 at 9-10.) Plaintiffs respond that Defendant effectively asks the Court to reconsider 19 its prior decision and should have made that request in a motion for reconsideration. (Doc. 20 35 at 14.) Because it failed to do so, say Plaintiffs, the Court should reject its argument as 21 procedurally defective. (Id.) Defendant responds that it is not asking the Court to reconsider 22 its prior ruling, but to evaluate Defendant’s new arguments which respond to Plaintiffs’ 23 FAC. (Doc. 38 at 6.) 24 Defendant is not, as Plaintiffs characterize, “attempting to file a motion for 25 reconsideration within its motion to dismiss.” (Doc. 35 at 14.) The Court permitted 26 Plaintiffs to amend and refile their complaint, including their allegations that Defendant 27 violated the CCPA. (Doc. 31 at 27.) Plaintiffs took that opportunity. (Compare Doc. 28 18 ¶¶ 267-79 with Doc. 33 ¶¶ 243-55.) Defendant is permitted to raise new arguments 1 about why that amended claim should be dismissed. Accordingly, the Court will consider 2 the merits of Defendant’s arguments. 3 The CCPA provides a private right of action to consumers whose “personal 4 information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as 5 a result of [a] business’s violation of the duty to implement and maintain reasonable 6 security procedures and practices.” Cal. Civ. Code § 1798.150(a). To prevail on a CCPA 7 claim, “a plaintiff must allege that his personal information was subject to 8 ‘unauthorized . . . disclosure as a result of’ a business’s failure to implement and maintain 9 reasonable security procedures and practices.” Gershfeld v. Teamviewer US, Inc., No. 10 SACV 21-00058-CJC (ADSx), 2021 WL 3046775, at *2 (C.D. Cal. June 24, 2021), aff’d, 11 No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (internal marks and 12 citation omitted). 13 The Court previously found “sufficient the Complaint’s allegations that [Defendant] 14 could have prevented the [d]ata [b]reach by encrypting Plaintiffs’ PII.” (Doc. 31 at 15-16.) 15 Defendant contends that this was inappropriate as “the CCPA applies only to consumers 16 ‘whose nonencrypted and nonredacted personal information . . . is subject to an 17 unauthorized access.’” (Doc. 34 at 9 (quoting Cal. Civ. Code § 1798.150(a)(1).) Thus, 18 Defendant argues that “the fact that the data at issue here was unencrypted is already a 19 prerequisite to Plaintiffs’ claim; the failure to encrypt information cannot also serve as the 20 alleged unreasonable security practice.” (Id. at 9-10.) Plaintiffs do not dispute Defendant’s 21 interpretation of the statutory language but emphasize that the Court did not solely base its 22 earlier decision upon Defendant’s failure to encrypt Plaintiffs’ PII. (Doc. 35 at 14-15.) 23 The Court need not determine whether Defendant’s interpretation of the CCPA is 24 correct because it finds that Plaintiffs allege a failure to implement reasonable security 25 procedures, notwithstanding Defendant’s failure to encrypt the PII. Plaintiffs allege that 26 Defendant should have “destroyed the data it no longer had a reasonable need to maintain 27 or only stored data in an Internet-accessible environment when there was a reasonable 28 need . . . to do so and with proper safeguards.” (Doc. 33 ¶ 57.) Additionally, Plaintiffs 1 identify fourteen cybersecurity best-practices that Defendant should have followed but 2 allegedly did not. (Id. ¶¶ 58-59.) These allegations are sufficient to plead a “violation of 3 the duty to implement and maintain reasonable security procedures and practices” 4 independent of Defendant’s failure to encrypt the PII. See Cal. Civ. Code § 1798.150(a). 5 Defendant also argues that Plaintiffs’ CCPA claim must be dismissed because they 6 do not allege a sufficient causal connection between Defendant’s purported failure to 7 implement reasonable security procedures and the hackers’ ability to exfiltrate the PII. 8 (Doc. 34 at 10.) Not so. Plaintiffs allege that their PII was stolen by hackers employing a 9 phishing scheme.4 (Doc. 33 ¶ 44.) Defendant’s alleged shortcomings directly relate to the 10 hackers’ ability to successfully utilize such a scheme. For example, if Defendant had 11 utilized adequate filtering software, the phishing emails would never have reached the 12 employees’ inboxes. (Id. ¶ 44.) If Defendant’s employees had been adequately trained, the 13 phishing emails, even if they reached the employees’ inboxes, would not have been 14 successful. (Id. ¶ 40.) If Defendant had implemented multi-factor authentication, the 15 hackers would not have been able to access Defendant’s systems even if the phishing 16 emails had been successful. (Id. ¶ 42.) If Defendant had not stored the PII in an unencrypted 17 form in an internet-accessible system, the hackers would not have been able to access or 18 read it even if they had gained access to Defendant’s systems. (Id. ¶¶ 4, 42, 44.) Finally, if 19 Defendant had destroyed the PII when it was no longer in use, much of the PII would not 20 have been stolen regardless of how successful the hackers’ scheme was. (Id. ¶ 44.) Thus, 21 the Court will not dismiss Plaintiffs’ CCPA claim. 22 IV. LEAVE TO AMEND 23 Plaintiffs request leave to amend “to the extent any portion of [Defendant’s] Motion 24 is granted.” (Doc. 35 at 17.) District courts “shall grant leave to amend freely ‘when justice 25 4 “Phishing is a type of online scam that targets consumers by sending them an e-mail that 26 appears to be from a well-known source – an internet service provider, a bank, or a mortgage company, for example. It asks the consumer to provide personal identifying 27 information. Then a scammer uses the information to open new accounts, or invade the consumer’s existing accounts.” Phishing Scams, Federal Trade Commission, 28 https://www.ftc.gov/news-events/topics/identity-theft/phishing-scams (last visited Oct. 19, 2023). 1 so requires.’” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000) (en banc) (quoting Fed. 2 R. Civ. P. 15 (a)). Courts in the Ninth Circuit are to apply this policy “with extreme 3 liberality.” Morongo Band of Mission Indians v. Rose, 893 F.2d 1074, 1079 (9th Cir. 1990). 4 To that end, “a district court should grant leave to amend even if no request to amend the 5 pleading was made . . .” Lacey v. Maricopa Cnty., 693 F.3d 896, 926 (9th Cir. 2012) 6 (internal marks and citation omitted). The Court, however, “may in its discretion deny 7 leave to amend due to undue delay, bad faith or dilatory motive . . . , repeated failure to 8 cure deficiencies . . . , undue prejudice to the opposing party by virtue of the allowance of 9 the amendment, [and] futility of amendment.” Zucco Partners, LLC v. Digimarc Corp., 10 552 F.3d 981, 1007 (9th Cir. 2009) as amended (Feb. 10, 2009) (internal marks and citation 11 omitted). Absent a “strong showing of any of [these] factors, there exists a presumption 12 under Rule 15(a) in favor of granting leave to amend.” Eminence Capital, LLC v. Aspeon, 13 Inc., 316 F.3d 1048, 1052 (9th Cir. 2003) (emphasis in original). 14 Having previously granted leave to amend, and considering the factors under Rule 15 15(a), the Court finds that leave to amend would be futile and unduly prejudicial to 16 Defendant’s interests in finality. Plaintiffs had the opportunity to remedy the deficiencies 17 in their Complaint, which the Court specifically identified for them, by pleading additional 18 facts. They did not do so. The only reasonable explanation for this is that those facts do not 19 exist. Zucco Partners, 552 F.3d at 1007 (“The fact that Zucco failed to correct these 20 deficiencies is a strong indication that the plaintiffs have no additional facts to plead.”) 21 (cleaned up); see also Nguyen v. Endologix, Inc., 962 F.3d 405, 420 (9th Cir. 2020). 22 Providing Plaintiffs with a third opportunity is unlikely to change this. Instead, it will 23 prejudice Defendant by needlessly prolonging the litigation. Therefore, the Court will not 24 grant Plaintiffs leave to amend. Anderson v. Peregrine Pharmaceuticals, Inc., 654 Fed. 25 Appx. 281, 282 (9th Cir. 2016) (quoting Zuco Partners, 552 F.3d at 1007) (noting that 26 where “‘the plaintiff has previously been granted leave to amend and has subsequently 27 failed to add the requisite particularity to its claims, the district court’s discretion to deny 28 leave to amend is particularly broad’”). V. CONCLUSION 2 Accordingly, 3 IT IS ORDERED granting in part and denying in part Defendant U-Haul || International Incorporated’s Motion to Dismiss (Doc. 34). 5 IT IS FURTHER ORDERED that Plaintiffs’ claims for negligence, breach of 6 || implied contract, and violation of the Arizona Consumer Fraud Act are dismissed with 7\| prejudice. 8 IT IS FINALLY ORDERED that the Motion is denied in all other respects. 9 Dated this 27th day of October, 2023. 10 Wichal T. Hburde Michael T. Liburdi 13 United States District Judge 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

-14-