UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK
FRITZCO LLC, et al., on behalf of themselves and all others similarly situated, 21-CV-10432 (JPO) Plaintiffs, OPINION AND ORDER -v-
VERIZON COMMUNICATIONS INC., et al., Defendants.
J. PAUL OETKEN, District Judge: Plaintiffs FritzCo LLC, Los Gatos-Saratoga Community Education and Recreation (“Los Gatos”), and the Law Office of Samuel M. Smith (the “Smith Firm”) bring this action against Defendants Verizon Communications, Inc. and Cellco Partnership (jointly, “Verizon”) alleging negligence, negligence per se, breach of implied contract, and unjust enrichment stemming from a 2020 data breach affecting Verizon Wireless business accounts. The Court granted Verizon’s motion to compel arbitration as to FritzCo and the Smith Firm and otherwise stayed litigation. (ECF No. 62 at 12.) On May 12, 2025, the Court lifted the stay as to Los Gatos. (ECF No. 66.) Before the Court now is Verizon’s motion to dismiss the Second Amended Complaint and motion to strike the claims of FritzCo and the Smith Firm. (ECF No. 76.) For the reasons that follow, Verizon’s motion is granted in part and denied in part. I. Background A. Factual Background The following factual allegations are taken from the Second Amended Complaint (the “SAC”) and presumed true for the purpose of resolving Verizon’s motion to dismiss. See Fink v. Time Warner Cable, 714 F.3d 739, 740-41 (2d Cir. 2013). Since April 2019, Verizon has offered its services to businesses through the Verizon Business Group. (ECF No. 72 (“SAC”) ¶¶ 37-38.) To create and maintain a Verizon Business account, customers must provide certain information to Verizon and designate a Point of Contact, who must also provide certain information. (Id. ¶ 5.) Access to a Verizon Business account allows a user to view monthly call logs, which contain location information for the origin and destination of each call along with the
phone numbers of the origin and destination of each call, the call duration, and time and date information. (Id. ¶ 85.) When a Verizon Business account holder seeks to change a shipping or business address, the account holder is typically subjected to Verizon’s multi-factor authentication (“MFA”), which requires a user to provide at least two verification factors to access a resource. (Id. ¶ 15.) Verizon also provides email notifications such that the Point of Contact receives a text message or email from Verizon confirming that the customer sought to make a purchase or change account information. (Id. ¶ 60.) Los Gatos is a California nonprofit that contracted with Verizon to purchase wireless services and devices for its business use. (Id. ¶¶ 32, 84.) In doing so, Los Gatos opened a
Verizon Business account, signed up for individual cellphone numbers and devices for each of its employees, and provided Verizon with information including email addresses, personal and business physical addresses, telephone numbers, credit card information, and the names and contact information of its employees. (Id. ¶ 85.) Neither Los Gatos nor Verizon has located a written contract for these services. (Id. ¶ 84.) In November 2020, the email address listed for the Point of Contact on Los Gatos’s Verizon Business account began receiving thousands of emails on a daily basis. (Id. ¶ 86.) The practice of flooding an email inbox with spam, sometimes called “email bombing,” can be used to conceal legitimate emails under the high volume of spam emails and can render the email account inoperable. (Id. ¶¶ 8-9, 86.) After the email bombing, Los Gatos experienced a surge in billing on its Verizon Business account, from an average of $350 to $400 a month to over $4,000 a month. (Id. ¶¶ 64, 87.) Upon review of the Verizon Business account, Los Gatos’s Point of Contact discovered a number of unauthorized device purchases. (Id. ¶ 87.) Los Gatos’s business address had also been changed and the unauthorized devices were shipped to the new address.
(Id. ¶ 88.) Los Gatos immediately notified Verizon, and Verizon concluded that there had been fraud on the account. (Id.) The SAC alleges that other Verizon Business customers also fell victim to a breach of their Verizon Business accounts. For example, FritzCo’s primary business email account was email bombed in December 2020, to the point that Google disabled the account for reaching a maximum number of emails. (Id. ¶ 46.) A week after the email bombing began, FritzCo discovered an email from Verizon thanking it for the purchase of an iPhone which FritzCo had not purchased. (Id. ¶ 50.) After FritzCo alerted Verizon of the unauthorized purchase, Verizon confirmed that FritzCo’s account had been flagged for fraud four days before the fraudulent
purchase was made. (Id. ¶ 52.) FritzCo’s Point of Contact then located a list of over 3,000 emails associated with Verizon Business accounts that had been email bombed and dozens of those accounts confirmed they were the Point of Contact for a Verizon Business account and that theirs was the only email in their organization that had been targeted or email bombed. (Id. ¶ 17.) The SAC further alleges that the perpetrators of the breach were able to bypass or disable the MFA and fraud prevention protocols Verizon has in place. (Id. ¶¶ 16, 18.) FritzCo’s Point of Contact reached out to Verizon’s Executive Director of Fraud and Credit Strategy on December 9, 2020 to inform him of the fraud and the potential existence of 3,000 victims. (Id. ¶ 76.) Although Verizon followed up with FritzCo, including through the Manager of External Fraud Investigations, who stated that he was “sure” that there were “definitely millions of dollars here worth of fraud,” the SAC alleges that Verizon has not fixed the inadequacies in its cybersecurity that allowed the breach to occur. (Id. ¶¶ 77-80, 89.) These inadequacies include, as alleged in the SAC, failure to adequately safeguard customers’ confidential information, failure to properly monitor data security systems for existing intrusions
and weaknesses, failure to perform penetration tests to determine the strength of Verizon’s security system, failure to properly train information technology staff, failure to inform customers when their customer information has been stolen, and failure to promptly respond to the data breach and to take steps to eliminate the possibility of repeated breach. (Id. ¶ 115.) B. Procedural Background Plaintiffs commenced this putative class action on December 7, 2021. (ECF No. 1.) On September 30, 2022, the Court granted Verizon’s motion to compel arbitration as to the claims brought by FritzCo and the Smith Firm, on the basis that both Plaintiffs had signed a valid arbitration agreement. (ECF No. 62.) The Court stayed the remaining claims pending arbitration. (Id. at 10-11.) However, the Court held that Los Gatos could seek leave to vacate
the stay if arbitration was not completed within one year of the arbitration order. (Id. at 11.) On April 30, 2025, Los Gatos filed a letter motion to reopen the case, noting that neither Verizon, FritzCo, nor the Smith Firm had initiated arbitration. (ECF No. 63 at 4.) After a telephone conference, the Court granted the motion to lift the stay on May 12, 2025. (ECF No. 66.) Los Gatos filed the SAC on June 20, 2025. (SAC.) Verizon then filed the present motion to dismiss and motion to strike on July 28, 2025 (ECF No. 76), alongside an accompanying memorandum of support (ECF No. 78 (“Mem.”)). Los Gatos filed an opposition on August 28, 2025 (ECF No. 80 (“Opp.”)), and Verizon filed a reply in further support on September 18, 2025 (ECF No. 81 (“Reply”)). II. Legal Standard “To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “While a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual
allegations, a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (cleaned up). “The court must also construe all reasonable inferences that can be drawn from the complaint in the light most favorable to the complaint.” Lynch v. City of New York, 952 F.3d 67, 75 (2d Cir. 2020) (quotation marks omitted). “In considering a motion to dismiss for failure to state a claim pursuant to Rule 12(b)(6), a district court may consider the facts alleged in the complaint, documents attached to the complaint as exhibits, and documents incorporated by reference in the complaint.” DiFolco v. MSNBC Cable L.L.C., 622 F.3d 104, 111 (2d Cir. 2010). “Where a document is not incorporated
by reference, the court may never[the]less consider it where the complaint relies heavily upon its terms and effect, thereby rendering the document integral to the complaint.” Id. (quotation marks omitted). III. Discussion A. Motion to Strike Verizon moves to strike FritzCo’s and the Smith Firm’s claims from the SAC. (Mem. at 14-15.) Federal Rule of Civil Procedure 12 provides that a “court may strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter.” Fed. R. Civ. P. 12(f). “To succeed on a motion to strike, the moving party has to meet a high standard to show that ‘no evidence in support of the allegation could be admissible.’” Fangrui Huang v. GW of Flushing I, Inc., No. 17-CV-3181, 2019 WL 145528, at *7 (E.D.N.Y. Jan. 9, 2019) (quoting Lipsky v. Commonwealth United Corp., 551 F.2d 887, 893 (2d Cir. 1976)). “Subsequent to its holding in Lipsky, the Second Circuit clarified that Rule 12(f) is ‘designed for excision of material from a pleading, not for dismissal of claims in their entirety.’” Id. (quoting Day v.
Moscow, 955 F.2d 807, 811 (2d Cir. 1992)). The Court granted Verizon’s motion to compel arbitration as to FritzCo and the Smith Firm. (ECF No. 62.) However, as the Court recognized, “one of the three parties ha[s] a right to proceed in court.” (ECF No. 74 at 6.) When the Court lifted the stay in this case, it made clear that it is “only allowing the claims as to Los Gatos to go forward.” (Id. at 7.) To the extent that Plaintiffs argue that an exception contained in the arbitration agreement applies and allows all plaintiffs to proceed (Opp. at 14), that argument fails.1 This Court previously concluded that the 0F exception in the arbitration agreement applies only if a party faces an “ongoing or imminent” unauthorized disclosure of confidential information. (ECF No. 62 at 8.) Los Gatos argues that the SAC provides additional allegations establishing an ongoing pattern of security weaknesses. (Opp. at 14.) But these new allegations are not different in kind from the allegations in Plaintiffs’ first amended complaint and do not change the fact that the asserted claims concern Verizon’s alleged conduct in relation to a past data breach. (Compare Mem. at 16-17 (collecting allegations from the first amended complaint) with SAC ¶¶ 127-40.) Because the case proceeds only with respect to Los Gatos, the Court considers the allegations in the SAC only to the extent they relate to Los Gatos’s claims and disregards the
1 The Court notes that Plaintiffs have not filed a motion for reconsideration of the opinion and order granting Verizon’s motion to compel arbitration and have not otherwise taken action to reinstate FritzCo and the Smith Firm in this case. claims asserted by FritzCo and the Smith Firm. It is unnecessary to strike those claims from the SAC. Accordingly, Verizon’s motion to strike is denied. B. Motion to Dismiss Los Gatos brings negligence, negligence per se, breach of implied contract, and unjust enrichment claims, as well as claims under the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq.2 (See generally SAC.) The Court addresses each in turn. 1F 1. Injury Verizon’s principal argument for dismissal is that Los Gatos has failed to adequately allege a cognizable injury resulting from the data breach. (Mem. at 17-25.) To establish standing to proceed in federal court, “a plaintiff must show (i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). “A concrete and particularized injury ‘must affect the plaintiff in a personal and individual way[,]’ and it must be ‘de facto,’ meaning that it has to ‘actually exist.’” In re Unite Here Data Sec. Incident Litig., 740 F. Supp. 3d 364, 373 (S.D.N.Y. 2024) (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 339-40 (2016)).
The Supreme Court has held that disclosure of private information and intrusion upon seclusion qualify as concrete intangible harms. TransUnion, 594 U.S. at 425. “The Second Circuit has clarified that to establish an injury in fact based on the disclosure of a plaintiff’s [personal identifying information], the plaintiff must either demonstrate actual injuries resulting from the disclosure or ‘a substantial risk of harm’ under the McMorris factors.” Cantinieri v.
2 In its opposition brief, Los Gatos indicates that it withdraws its claims under the California Customer Records Act and the California Consumer Privacy Act. (Opp. at 10 n.1.) Accordingly, the Court does not address these claims. Verisk Analytics, Inc., No. 21-CV-6911, 2024 WL 5202579, at *11 (E.D.N.Y. Dec. 23, 2024) (quoting Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 288 (2d Cir. 2023)). Here, Los Gatos alleges that it provided Verizon personal identifying information— including names, personal and business addresses, employee contact information, email addresses, telephone numbers, call logs, and credit card information. (SAC ¶ 85.) Los Gatos
further alleges that this information was improperly accessed in a data breach, that the hackers used its account to complete unauthorized purchases, and that it had to review its account and notify Verizon of the fraud. (Id. ¶¶ 85-88.) These allegations mirror those in Pena, where the Second Circuit concluded that the plaintiff had established a concrete injury because he alleged that his “personal information was ‘exposed as the result of a targeted attempt to obtain that [information],’ his information was subsequently ‘misused,’ and he expended time and money to resolve the misuse with his credit card companies.” Pena v. Brit. Airways, PLC (UK), 849 F. App’x 13, 14 (2d Cir. 2021) (summary order) (quoting McMorris v. Carlos Lopez & Assocs., LLC, 995 F.3d 295, 303 (2d Cir. 2021)).3 Accordingly, Los Gatos has sufficiently alleged 2F concrete injury to survive the motion to dismiss. Verizon does not appear to challenge traceability and redressability. In any event, the SAC sufficiently pleads that Los Gatos suffered its injury as a result of Verizon’s alleged
3 Verizon points to cases that have been dismissed for lack of standing where the data alleged to have been breached contained only “relatively quotidian private information” like names, addresses, and phone numbers. See, e.g., Liau v. Weee! Inc., No. 23-CV-1177, 2024 WL 729259, at *5 (S.D.N.Y. Feb. 22, 2024). Those cases are distinguishable, as they largely did not involve actual misuse of the accessed information, and the harm alleged was only precautionary measures taken by plaintiffs or the receipt of spam calls and emails. See id. at *4. Moreover, the SAC—read with all reasonable inferences in the light most favorable to Los Gatos—alleges that the breach resulted in access to “payment data [and] passwords.” Id. (contrasting access to these categories of data with access to names, addresses, and phone numbers). (See, e.g., SAC ¶¶ 4, 85.) mishandling of its personal information through the data breach. (SAC ¶¶ 86-87 (alleging that the email listed as Los Gatos’s Point of Contact on its Verizon Business account was email bombed and that Los Gatos received a surge in its Verizon bill); id. ¶¶ 21-22 (alleging that Los Gatos, along with the other data breach victims, did not find evidence of phishing or fraudulent activity outside of their Verizon Business accounts); id. ¶ 115 (identifying Verizon’s purported
failures to protect Los Gatos’s information).) To the extent Verizon disputes the occurrence of the alleged breach (Mem. at 12), it must save that argument for a later stage in this litigation. 2. Tort Claims Because Los Gatos’s tort claims are premised on diversity jurisdiction, the Court applies the choice-of-law principles of the forum state, New York. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941). The SAC does not allege that a choice-of-law agreement applies to Los Gatos’s claims. Verizon cites only New York law in support of its motion to dismiss the tort claims. (See generally Mem.) Although Los Gatos predominantly cites New York law, it also cites some California cases without indicating which law it believes governs its claims. (See generally Opp.)
“In the absence of an applicable choice of law clause, New York choice of law requires a two-step inquiry to determine whether New York or [California] law applies.” Weyant v. Phia Grp. LLP, No. 17-CV-8230, 2018 WL 4387557, at *3 (S.D.N.Y. Sept. 13, 2018). “The first step is to determine whether the laws of the two jurisdictions conflict.” Id. (citing Fireman’s Fund Ins. Co. v. Great Am. Ins. Co. of N.Y., 822 F.3d 620, 641 (2d Cir. 2016)). If there is a conflict, “the second step in a contract case is to apply the ‘center of gravity’ test to determine which jurisdiction’s law applies.” Id. (quoting Fireman’s Fund Ins. Co., 822 F.3d at 641). Because no conflict has been demonstrated between the relevant law of New York and California, and because both parties primarily cite New York law in their briefing, the Court applies New York law. Contractual Obligations Prods. LLC v. AMC Networks, Inc., No. 04-CV-2867, 2007 WL 9683718, at *5 n.9 (S.D.N.Y. Mar. 30, 2007); Rudolph v. Hudson’s Bay Co., No. 18-CV-8472, 2019 WL 2023713, at *9 (S.D.N.Y. May 7, 2019) (noting that “the laws of California and New York are substantially the same” for negligence, negligence per se, breach of an implied contract, and unjust enrichment).
a. Negligence and Negligence Per Se Under New York state law, a plaintiff asserting a negligence claim must show: “(1) the existence of a duty on defendant’s part as to plaintiff; (2) a breach of this duty; and (3) injury to the plaintiff as a result thereof.” Borley v. United States, 22 F.4th 75, 78 (2d Cir. 2021); see also Rudolph, 2019 WL 2023713, at *9 (recognizing that California has the same elements). Los Gatos has sufficiently pleaded the elements of a negligence claim. “Although appellate courts in New York have yet to address the duty of care owed by custodians or disclosers of [personal identifying information] in this context, district courts applying New York law have found that a duty of care existed when the custodian was in the best position to
protect information on its own servers from data breach, understood the importance of data security to its business, knew it was the target of cyber-attacks, and touted its data security to current and potential customers, and . . . liability would have been limited to the individuals whose personal information it obtained while providing its services.” In re USAA Data Sec. Litig., 621 F. Supp. 3d 454, 469 (S.D.N.Y. 2022) (quotation marks omitted). “A company’s privacy policy can evidence a duty to safeguard” personal information. Lazar v. Int’l Shoppes, LLC, No. 24-CV-4170, 2025 WL 1475627, at *2 (E.D.N.Y. May 22, 2025). The SAC alleges that Verizon stored customer information on its internal systems and had a duty to use reasonable care in protecting such information pursuant to, among other things, “common law, industry standards, . . . and representations made in its own privacy policy to keep customers’ account information confidential and to protect it from unauthorized access.” (SAC ¶ 109; see also id. ¶ 110, 148.) The SAC further alleges that Verizon was aware of the importance of data security and has been “put on notice of its inadequate data security protocol multiple times in the past several years.” (Id. ¶ 127.) These allegations sufficiently establish that
Verizon had a duty to safeguard Los Gatos’s information. The SAC further alleges that Verizon breached this duty by failing to take reasonable steps to protect customer information and caused the breach of Los Gatos’s information and the subsequent unauthorized purchases. For example, the SAC alleges that Verizon failed to properly monitor its data security system, to properly train its information technology staff, and to mitigate harm following the data breach. (Id. ¶ 115.) The SAC further alleges a deficiency in Verizon’s MFA system that allowed users to change the MFA settings without use of the old MFA, such that MFA could be disabled without approval. (Id. ¶ 147.) These allegations are sufficient to state a negligence claim. See, e.g., Sackin v. TransPerfect Glob., Inc., 278 F. Supp.
3d 739, 748 (S.D.N.Y. 2017); Lazar, 2025 WL 1475627, at *3. Verizon argues that dismissal is warranted as to all of Los Gatos’s tort claims because Los Gatos has failed to plead damages. (Opp. at 19-25.) However, Los Gatos has alleged cognizable damages substantially for the same reasons that it has alleged Article III injury. The SAC alleges that Los Gatos was charged for fraudulent product purchases and incurred improper fees and had its business address improperly changed. (SAC ¶¶ 86-88.) As a result of the breach and unauthorized purchases, Los Gatos had to update the password for its account and lost time and business resources in trying to undo the fraud. (Id. ¶¶ 88, 153.) Like in Rudolph, these allegations of loss are sufficient to allege damages. 2019 WL 2023713, at *9; see also Jones v. Marsh & McLennan Cos., Inc., No. 21-CV-6096, 2025 WL 1517999, at *2 (S.D.N.Y. May 28, 2025) (collecting cases in support of the proposition that “[a]s to negligence, New York law does not require an economic loss in data breach cases”). Verizon also argues that Los Gatos contracted away any claim to damages that it has by agreeing to the Generally Available Terms and Conditions (for ADSL) (the “ADSL Terms”).
(Mem. at 18.) The ADSL Terms limit Verizon’s liability to that “arising solely and directly from mistakes, omissions, interruptions, delays, errors, or defects in transmission occurring in the course of furnishing Service that are not caused in whole or in part by acts or omissions of any other person.” (ECF No. 77-5 ¶ 3.1.) But as Los Gatos points out, nothing in the SAC indicates that Los Gatos agreed to the ADSL. (See Opp. at 16; SAC ¶ 84 (alleging that neither Los Gatos nor Verizon has located a written contract between the parties for these services).) Verizon does not suggest that the ADSL Terms are integral to the complaint or incorporated by reference. Instead, it relies on the fact that, in their first amended complaint, Plaintiffs alleged that Verizon Business customers agreed to the ADSL Terms. (Reply at 7 (citing ECF No. 23 ¶¶ 116-18.)
However, “[a]n amended complaint supersedes a[] [prior] complaint and the allegations in plaintiff’s [prior] complaint cannot be used to dismiss the plaintiff’s amended complaint.” Cassin v. Prudential Ins. Co. of Am., No. 04-CV-2913, 2004 WL 2360023, at *2 (S.D.N.Y. Oct. 19, 2004) (quotation marks omitted). Verizon’s argument therefore raises a factual dispute that cannot be resolved at this juncture. Verizon’s remaining arguments are unpersuasive. First, it argues that “Plaintiffs cannot show a legal duty extraneous to their contracts with Verizon.” (Mem. at 17.) But the SAC does not allege a contract between Verizon and Los Gatos. (SAC ¶ 84.) Second, Verizon argues that the economic loss doctrine forecloses Los Gatos’s claim because the SAC does not allege physical injury or property damage. (Mem. at 17-18.) Under the economic loss doctrine, “[a] defendant is not liable to a plaintiff for economic loss unless there exists a special relationship that requires the defendant to protect against the risk of harm to plaintiff.” Toretto v. Donnelley Fin. Sols., Inc., 583 F. Supp. 3d 570, 590 (S.D.N.Y. 2022) (quotation marks omitted). Although the New York Court of Appeals has not yet addressed the applicability of the economic loss
doctrine to data breach cases, “numerous federal courts applying New York law have concluded that the economic loss doctrine does not bar negligence claims in data breach cases.” Id. (collecting cases); see also Sackin, 278 F. Supp. 3d at 749; Rudolph, 2019 WL 2023713, at *9. Moreover, because the SAC does not allege a contract between Verizon and Los Gatos, it alleges a “negligence claim[] for breach of a duty independent of a contractual obligation.” In re Waste Mgmt. Data Breach Litig., No. 21-CV-6147, 2022 WL 561734, at *3 (S.D.N.Y. Feb. 24, 2022). On the other hand, Los Gatos’s negligence per se claim must be dismissed. Los Gatos bases its claim on Section 5 of the Federal Trade Commission Act (the “FTC Act”) and N.Y. Gen. Bus. Law. § 899-aa (the “NY Shield Act”). (SAC ¶¶ 183-84.) But “Section 5 does not
provide for a private right of action” and “allowing a negligence per se claim to proceed based on a violation of the [FTC Act] would be inconsistent with the legislative scheme.” Toretto, 583 F. Supp. 3d. at 598 (cleaned up). Accordingly, courts in this district and in New York have dismissed negligence per se claims predicated on the FTC Act. Id.; Smahaj v. Retrieval-Masters Creditors Bureau, Inc., 131 N.Y.S.3d 817, 827 (N.Y. Sup. Ct. 2020); Cohen v. Ne. Radiology, P.C., No. 20-CV-1202, 2021 WL 293123, at *7 (S.D.N.Y. Jan. 28, 2021) (“[N]either the parties nor the Court have identified a single case in this Circuit that has recognized that a private cause of action for negligence per se arises under New York law from violations of . . . the FTC Act.”). Because the NY Shield Act also does not create or imply a private right of action, it similarly cannot serve as the basis for a negligence per se claim. See Smahaj, 131 N.Y.S.3d at 827; Abdale v. N. Shore Long Island Jewish Health Sys., Inc., 19 N.Y.S.3d 850, 857-58 (N.Y. Sup. Ct. 2015); In re USAA Data Sec. Litig., 621 F. Supp. 3d at 471 n.7. 4 3F b. Breach of Implied Contract “An implied-in-fact contract would arise from a mutual agreement and an ‘intent to promise, when the agreement and promise have simply not been expressed in words.’” Maas v. Cornell Univ., 94 N.Y.2d 87, 93 (N.Y. 1999) (quoting 1 Williston, Contracts § 1:5, at 20 (4th ed. 1990)). “Under New York law, ‘[a] contract implied in fact may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the ‘presumed’ intention of the parties as indicated by their conduct.’” Leibowitz v. Cornell Univ., 584 F.3d 487, 506-07 (2d Cir. 2009) (quoting Jemzura v. Jemzura, 36 N.Y.2d 496, 504 (N.Y. 1975)). “A contract implied in fact is as binding as one that is express, and similarly ‘requires such elements as consideration, mutual assent, legal capacity and legal subject matter.’” Id. at 507 (quoting Maas, 94 N.Y.2d at 94).
The SAC plausibly alleges a claim for breach of an implied contract. The SAC alleges that Los Gatos had to provide confidential information to Verizon in order to set up a Verizon Business account, that Verizon had a privacy policy promising that it used safeguards to protect against unauthorized access to information stored in its systems, and that Los Gatos provided its information with the expectation that Verizon would comply with its obligations to keep that data safeguarded. (SAC ¶¶ 85, 110, 114.) These facts establish that Verizon obtained and
4 To the extent Los Gatos seeks to rely on California law, its negligence per se claim also fails because negligence per se is not an independent cause of action under California law. See Quiroz v. Seventh Ave. Ctr., 140 Cal. App. 4th 1256, 1285 (Cal. Ct. App. 2006) (noting that negligence per se is only “an evidentiary doctrine” and does not provide a private right of action). maintained confidential customer information as part of providing services to Verizon Business customers, “evincing an implicit promise by defendants to protect their [customers’ information] from unauthorized users.” Cohen, 2021 WL 293123, at *9. Additionally, Verizon’s representations in its privacy policy “further support[] a finding of an implicit promise.” Sackin, 278 F. Supp. 3d at 750; see also Lazar, 2025 WL 1475627, at *4. Because the SAC alleges
specific measures that Verizon failed to take to protect customer data and explains how those failures allowed the breach to occur, it sufficiently pleads breach of an implied contract. (SAC ¶¶ 115, 145-49.) Cf. In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *5 (dismissing an implied contract claim where complaint failed to explain what measures the defendant took or failed to take to protect data). Verizon again argues that the SAC does not adequately allege damages (Mem. at 27), but this argument fails for the reasons discussed above. And contrary to Verizon’s contention, Los Gatos has alleged an implied contract claim in more than a conclusory fashion, as it has alleged “a course of conduct and dealing that raises an inference of an implied contract for the exercise
of reasonable care in protecting plaintiffs’ private information in exchange for plaintiffs’ provision of business.” Wallace v. Health Quest Sys., Inc., No. 20-CV-545, 2021 WL 1109727, at *11 (S.D.N.Y. Mar. 23, 2021) (“Plaintiffs need not plead the implied contract’s precise terms to survive a motion to dismiss.”). Verizon also fails to show that an express contract precludes the implied contract claim. Although Verizon again seems to argue that Los Gatos agreed to the ADSL Terms (Mem. at 28), there is no indication of such agreement in the SAC (SAC ¶ 84). c. Unjust Enrichment To adequately plead unjust enrichment, “the plaintiff must allege that (1) the other party was enriched, (2) at that party’s expense, and (3) that it is against equity and good conscience to permit the other party to retain what is sought to be recovered.” Georgia Malone & Co. v. Rieder, 19 N.Y.3d 511, 516 (N.Y. 2012). “[U]njust enrichment is not a catchall cause of action to be used when others fail.” Corsello v. Verizon New York, Inc., 18 N.Y.3d 777, 790 (N.Y. 2012). “It is available only in unusual situations when, though the defendant has not breached a contract nor committed a recognized tort, circumstances create an equitable obligation running
from the defendant to the plaintiff.” Id. Verizon argues that the unjust enrichment claim fails because it is duplicative of Los Gatos’s other claims. (Mem. at 29.) Although “[t]he existence of a contract, whether express or implied, precludes recovery on quasi-contractual claims such as unjust enrichment,” Wallace, 2021 WL 1109727, at *11, “where the existence and terms of a contract are in dispute, a claim premised on unjust enrichment may proceed in the alternative,” Rudolph, 2019 WL 2023713, at *12 (citing Leroy Callender, P.C. v. Fieldman, 252 A.D.2d 468, 469 (1st Dep’t 1998)). Because Verizon disputes the formation of an implied contract (Mem. at 27-28), Los Gatos is correct that its implied contract claim does not preclude its unjust enrichment claim.
However, the New York Court of Appeals has clarified that “[a]n unjust enrichment claim is not available where it simply duplicates, or replaces, a conventional contract or tort claim.” Corsello, 18 N.Y.3d at 790 (emphasis added). Here, like in Corsello, Los Gatos has “allege[d] that Verizon committed actionable wrongs.” Id. at 791. Although Los Gatos contends that the unjust enrichment claim is distinct from the implied contract claim because it arises from not just a contractual duty but also “common law, industry standards, . . . and representations made in its own privacy policy,” it does not seem to address whether the claim is duplicative of its tort claims. (Opp. at 31 (quoting SAC ¶ 109) (emphasis removed).) In any event, the Court concludes that it is indeed duplicative. Los Gatos pleads a viable negligence claim against Verizon, and the conduct underlying that claim overlaps with the conduct underlying the unjust enrichment claim. (Compare SAC ¶ 171 (alleging that Verizon was negligent “by disclosing and providing access to [Los Gatos’s] information to unauthorized third parties” and “by failing to properly supervise the manner in which the personal information was stored, used, and exchanged”) with id. ¶ 211 (alleging that
Verizon has been unjustly enriched through its “wrongful conduct,” including “failure to employ adequate data security measures . . . and its other conduct facilitating the theft and fraudulent use of [Los Gatos’s] Confidential Information”).) To the extent that Los Gatos argues that its unjust enrichment claim is premised on “industry standards” and “representations made in its own privacy policy,” rather than on a common law duty (Opp. at 27 (quotation marks omitted)), that is a distinction without a difference. An unjust enrichment claim does not turn on whether the defendant had a duty or the source of that duty. Instead, the “[t]ypical” unjust enrichment cases “are those in which the defendant, though guilty of no wrongdoing, has received money to which he or she is not entitled.” Corsello, 18 N.Y.3d at 790. Here, Los Gatos’s unjust enrichment
claim hinges on Verizon’s receipt of Los Gatos’s information and its failure to adequately protect that information. (SAC ¶¶ 204-06, 214.) That is, in all material ways, duplicative of the negligence claim. “Ultimately, the plaintiff[’s] unjust enrichment claim simply repackages the same theories of harm alleged in its contract and tort actions.” In re Waste Mgmt. Data Breach Litig., 2022 WL 561734, at *6 (emphasis added). Los Gatos cannot proceed on this claim in the alternative. See Mahoney v. Endo Health Sols., Inc., No. 15-CV-9841, 2016 WL 3951185, at *11 (S.D.N.Y. July 20, 2016) (dismissing unjust enrichment claim where the plaintiff adequately pleaded a tort claim); Weisblum v. Prophase Labs, Inc., 88 F. Supp. 3d 283, 297 (S.D.N.Y. 2015) (same); In re Gen. Motors LLC Ignition Switch Litig., 257 F. Supp. 3d 372, 434 (S.D.N.Y. 2017) (same), modified on reconsideration, No. 14-MC-2543, 2017 WL 3443623 (S.D.N.Y. Aug. 9, 2017). Accordingly, the Court grants Verizon’s motion to dismiss the unjust enrichment claim. 3. California Unfair Competition Law California’s Unfair Competition Law (“UCL”) prohibits unlawful competition, which it
defines as “any unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200 et seq. “A business act or practice may violate the UCL if it is either unlawful, unfair, or fraudulent.” Rubio v. Cap. One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) (quotation marks omitted). However, a private plaintiff can bring suit under the UCL only if it “has suffered injury in fact and has lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. “Whereas a federal plaintiff’s injury in fact may be intangible[,] . . . a UCL plaintiff’s injury in fact [must] specifically involve lost money or property.” Ehret v. Uber Techs., Inc., 68 F. Supp. 3d 1121, 1132 (N.D. Cal. 2014). The SAC sufficiently alleges UCL-specific standing. The SAC alleges a “monetary difference between the amount paid for services as promised and the services actually provided
by Verizon (which did not include adequate or industry standard data protection).” (SAC ¶ 190.) “[T]hese allegations are sufficient to allege that [Los Gatos] suffered ‘benefit of the bargain’ losses,” which establishes standing under the UCL. In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752, 2017 WL 3727318, at *21 (N.D. Cal. Aug. 30, 2017); see also Kwikset Corp. v. Superior Ct., 51 Cal. 4th 310, 323 (Cal. 2011) (noting that a plaintiff establishes economic injury by showing that it “surrender[ed] in a transaction more, or acquire[d] in a transaction less, than [it] otherwise would have”). In addition to UCL standing, plaintiffs “must establish that [they] lack[] an adequate remedy at law before securing equitable restitution for past harm under the UCL.” Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020). Los Gatos alleges that it is not guaranteed adequate relief without a Court order requiring Verizon to take steps to ensure that its information is adequately protected against future intrusions. (Opp. at 32-33 (citing SAC ¶ 154).) Courts increasingly decline to apply Sonner to bar UCL claims for injunctive relief, especially where the plaintiff claims unauthorized disclosure of its personal information. See,
e.g., Brooks v. Thomson Reuters Corp., No. 21-CV-01418, 2021 WL 3621837, at *11 (N.D. Cal. Aug. 16, 2021) (collecting cases). At the motion to dismiss stage, Los Gatos has done enough to allege that it lacks an adequate remedy at law.5 4F As to the substance, the UCL provides a separate and distinct theory of liability under each of its unlawful, unfair, and fraudulent prongs. In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *23. “The ‘unlawful’ prong of the UCL prohibits anything that can properly be called a business practice and that at the same time is forbidden by law.” Id. (quotation marks omitted). “The ‘unfair’ prong of the UCL creates a cause of action for a business practice that is unfair even if not proscribed by some other law.” Id. The “fraud” prong of the UCL prohibits business practices that are likely to deceive members of the public. Id. at *24. Los Gatos alleges claims under all three prongs. (SAC ¶¶ 230-34.)
5 Verizon once again also argues that the ADSL Terms preclude Los Gatos’s claim. (Mem. at 30.) But as the Court previously noted, there is no indication in the SAC that Los Gatos agreed to the ADSL Terms. (See SAC ¶ 84.) Verizon also argues that an entity like Los Gatos cannot individually seek relief under the UCL. (Mem. at 32.) But it relies on case law that concerned Facebook’s ability to advance a UCL claim as a consumer rather than a competitor. See Facebook, Inc. v. Rankwave Co., No. 19-CV-03738, 2019 WL 8895237, at *12 (N.D. Cal. Nov. 14, 2019). Los Gatos is neither a “Fortune 100” company, see id, nor a potential competitor to Verizon. Instead, it is an individual consumer of a Verizon service. 4. Unlawful On the “unlawful” prong, Los Gatos argues that it has sufficiently pleaded violations of the FTC Act and the common law.6 (Opp. at 33.) But Los Gatos cannot rely on its implied 5F breach and negligence claims. The Ninth Circuit has held that “a common law violation such as breach of contract is insufficient” standing alone to assert a UCL “unlawful” claim. Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1044 (9th Cir. 2010). District courts in the Ninth Circuit have understood Shroyer to apply to other common law claims like negligence. See, e.g., Mendez v. Selene Fin. LP, No. 16-CV-09335, 2017 WL 1535085, at *6 (C.D. Cal. Apr. 27, 2017) (“Plaintiff’s sole remaining claim is for negligence. Common law claims such as negligence cannot form the basis of an unlawful prong claim under the UCL.”). However, Los Gatos can proceed on its “unlawful” UCL claim because it also pleads violations of Section 5 of the FTC Act, 15 U.S.C. § 45. (SAC ¶ 232.) Although Section 5 does not provide a private civil right of action, “[v]irtually any state, federal or local law can serve as the predicate for an action under [the UCL].” Davis v. HSBC Bank Nev., N.A., 691 F.3d 1152, 1168 (9th Cir. 2012). Accordingly, the Ninth Circuit has held in a non-precedential
memorandum opinion that a violation of the FTC’s Guides Against Deceptive Pricing can serve as the basis for a UCL “unlawful” claim, even though the FTC Guides do not provide a private right of action. Rubenstein v. Neiman Marcus Grp. LLC, 687 F. App’x 564, 567 (9th Cir. 2017). Although a prior Ninth Circuit non-precedential opinion had held that the FTC Act cannot serve as the basis for a UCL “unlawful” claim, O’Donnell v. Bank of Am., Nat’l Ass’n, 504 F. App’x 566, 568 (9th Cir. 2013), courts have interpreted Rubenstein to allow UCL claims to proceed
6 Although the SAC also asserts a UCL “unlawful” claim based on the California Customer Records Act (SAC ¶ 231), Los Gatos has dropped its claim under that statute and has seemingly dropped its UCL claim based on the CCRA. (Opp. at 10 n.1, 33.) under the FTC Act. See, e.g., Kindred Studio Illustration & Design, LLC v. Elec. Commc’n Tech., LLC, No. 18-CV-7661, 2018 WL 6985317, at *7 (C.D. Cal. Dec. 3, 2018); Inga v. Bellacor.com, Inc., No. 19-CV-10406, 2020 WL 5769080, at *3 (C.D. Cal. July 17, 2020). The Court agrees with the reasoning in Rubenstein and the recent district court cases. The text of the UCL does not indicate that “unlawful” cases must rely only on laws that provide
private rights of action. Indeed, the California Supreme Court has allowed UCL claims based on another federal statute whose private right of action for damages had previously been repealed, noting that, “[b]y proscribing any unlawful business practice, [the UCL] borrows violations of other laws and treats them as unlawful practices that the [UCL] makes independently actionable.” Rose v. Bank of America, N.A., 57 Cal. 4th 390, 396 (Cal. 2013) (cleaned up). Thus, “it is in enacting the UCL itself, and not by virtue of particular predicate statutes, that the Legislature has conferred upon private plaintiffs specific power to prosecute unfair competition claims.” Id. (cleaned up). Los Gatos has also sufficiently pleaded that Verizon violated Section 5 of the FTC Act.
“To prove unlawful competition under FTC Section 5, Plaintiff must show that ‘the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.’” Kindred Studio Illustration & Design, LLC, 2018 WL 6985317, at *7 (quoting 15 U.S.C. § 45(n)). Los Gatos has done that here (see SAC ¶¶ 114-21), and, beyond a conclusory assertion to the contrary (Mem. at 32), Verizon does not actually argue that Los Gatos has failed to make such a showing. Moreover, “[a]t the motion to dismiss stage, the Court cannot say that the benefits from [Verizon’s] business practices of allegedly emphasizing growth and profit over protecting their customers’ personal and financial information and failing to implement industry-standard security measures outweighs the harm.” Mehta v. Robinhood Fin. LLC, No. 21-CV-01013, 2021 WL 6882377, at *12 (N.D. Cal. May 6, 2021). 5. Unfair The UCL does not define “unfair” business practices, leaving courts to fill in “the proper definition of ‘unfair’ conduct against consumers.” Cappello v. Walmart Inc., 394 F. Supp. 3d
1015, 1023 (N.D. Cal. 2019) (quotation marks omitted). Courts typically apply either a balancing test to “weigh the utility of the defendant’s conduct against the gravity of the harm to the alleged victim,” Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (quotation marks omitted), or a tethering test to determine if the alleged unfairness is “tethered to some legislatively declared policy or proof of some actual or threatened impact on competition,” Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 735 (9th Cir. 2007) (quotation marks omitted). Los Gatos alleges that Verizon’s conduct has violated California’s public policy by failing to take reasonable measures to protect its consumer data, in contravention of Verizon’s own privacy policy and the public policy set out in California’s Consumer Records Act, Cal. Civ.
Code § 1798.81.5. (SAC ¶ 230.) At the motion to dismiss stage, these allegations are sufficient to state a claim under the “unfair” prong of the UCL. See, e.g., Cappello, 394 F. Supp. 3d at 1024 (noting “California’s well-established public policy of protecting consumer data” and concluding that allegations that the defendant breached its privacy policy contravenes that policy). Moreover, at this early stage of litigation, the Court cannot conclude that the utility of Verizon’s conduct outweighs the gravity of the harm to Los Gatos. See Linear Tech. Corp. v. Applied Materials, Inc., 152 Cal. App. 4th 115, 134-35 (Cal. Ct. App. 2007) (“Whether a practice is deceptive, fraudulent, or unfair is generally a question of fact which requires ‘consideration and weighing of evidence from both sides’ and which usually cannot be made on [a motion to dismiss].”). 6. Fraudulent “Distinct from common law fraud, a fraudulent prong UCL claim requires only a showing that ‘members of the public are likely to be deceived.’” Copart, Inc. v. Sparta
Consulting, Inc., 339 F. Supp. 3d 959, 987 (E.D. Cal. 2018) (quoting Berryman v. Merit Prop. Mgmt., Inc., 152 Cal. App. 4th 1544, 1556 (Cal. Ct. App. 2007)). “There can be a violation without ‘actual deception, reasonable reliance and damage.’” Id. (quoting Daugherty v. American Honda Motor Co., Inc., 144 Cal. App. 4th 824, 838 (Cal. Ct. App. 2006)). However, “[c]laims stated under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b).” In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *24. “[W]hether a business practice is deceptive will usually be a question of fact not appropriate for decision on [a motion to dismiss].” Williams v. Gerber Prods. Co., 552 F.3d 934, 938 (9th Cir. 2008). Here, Los Gatos alleges that Verizon represented in its privacy policy that it would take
steps to protect customers’ confidential information but that Verizon in fact was not complying with its duties to safeguard customer data. (SAC ¶¶ 110, 114, 230-36.) Los Gatos recites the representation made in the privacy policy with specificity. (Id. ¶ 110 (quoting Verizon’s representation that it “use[s] technical, administrative and physical safeguards to help protect against unauthorized access to, use or disclosure of information”).) Such an alleged misrepresentation is actionable, as “[a] reasonable consumer could rely on this statement as representing that Defendants did, in fact, use safeguards” and that those safeguards “were sufficient to protect users’ information from ordinary data security threats.” In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *26.’ IV. Conclusion For the foregoing reasons, Defendants’ motion to dismiss is GRANTED in part and DENIED in part and Defendants’ motion to strike is DENIED. The motion to dismiss is granted as to Los Gatos’s negligence per se and unjust enrichment claims and denied as to the remaining claims. Defendants shall file an answer to Los Gatos’s remaining claims within 14 days of the date of publication of this opinion and order. See Fed. R. Civ. P. 12(a)(4)(A). The Clerk of Court is directed to close the motion at Docket Number 76. SO ORDERED. Dated: March 16, 2026 New York, New York
| ] J. PAUL OETKEN United States District Judge
’ For the first time in reply, Verizon cites In re Yahoo! Inc. Customer Data Sec. Breach Litig. for the proposition that Los Gatos needed and failed to allege reliance on the statements in the privacy policy. (Reply at 16.) This argument is forfeited. See Rona v. Trump, 797 F. Supp. 3d 278, 287 (S.D.N.Y. 2025). In any event, California state appellate court decisions make clear that a UCL claim need not allege reasonable reliance, unlike common law fraud. See, e.g., Berryman, 152 Cal. App. 4th at 1556.