1 WO 2 3 4 5 6 IN THE UNITED STATES DISTRICT COURT 7 FOR THE DISTRICT OF ARIZONA
9 Chris Griffey, et al., No. CV-20-01282-PHX-MTL
10 Plaintiffs, ORDER
11 v.
12 Magellan Health Incorporated,
13 Defendant. 14 15 Magellan Health, Inc.’s (“Magellan’s”) computer systems were hacked and a data 16 breach occurred. The personally identifiable information (“PII”) and protected health 17 information (“PHI”) of Magellan employees, Magellan contractors, and Magellan- 18 administered health care benefit plan participants was stolen. Plaintiffs, in their individual 19 capacities and as putative class representatives, assert several claims against Magellan 20 arising from the data breach. The Court previously granted a motion to dismiss with leave 21 to amend. (Doc. 39.) Magellan has filed a Motion to Dismiss (Doc. 41, the “Motion”) the 22 Second Amended Consolidated Class Action Complaint (Doc. 40, the “Second Amended 23 Complaint”) arguing that (1) Plaintiffs have not alleged a cognizable loss on their 24 negligence and consumer protection claims and (2) Plaintiffs’ unjust enrichment claims 25 and their various state law claims do not adequately allege “how Magellan’s data security 26 was inadequate.” (Doc. 41 at 2.) The Motion (Doc. 41) will be granted in part and denied 27 in part.1
28 1 Both parties have submitted legal memoranda, and oral argument would not have aided the Court’s decisional process. See Partridge v. Reich, 141 F.3d 920, 926 (9th Cir. 1998); 1 I. FACTUAL BACKGROUND 2 The factual background has been previously summarized by this Court. See Griffey 3 v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 WL 4427065, at *1–2 (D. 4 Ariz. Sept. 27, 2021). It will not be repeated here except where necessary or where new 5 facts have been alleged. For example, the Second Amended Complaint asserts in greater 6 detail why the data security that Magellan employed to protect Plaintiffs’ PII and PHI was 7 inadequate. (Doc. 40 ¶¶ 58–65; 77–96.) Plaintiffs allege that Magellan failed to implement 8 cybersecurity safeguards outlined by the Department of Health and Human Services’ 9 Office for Civil Rights, the Federal Bureau of Investigation, the United States 10 Cybersecurity & Infrastructure Security Agency, the Microsoft Threat Protection 11 Intelligence Team, the University of Illinois Chicago, and the Center for Internet Security. 12 (See id. ¶¶ 83–96.) 13 These security safeguards include, but are not limited to: encrypting PII and PHI, 14 educating and training employees, “correcting the configuration of software and network 15 devices” (Id. ¶ 84), enabling strong spam filters, scanning incoming and outgoing emails, 16 patching operating systems, configuring firewalls, “[s]et[ting] anti-virus and anti-malware 17 programs to conduct regular scans automatically” (Id. ¶ 88), managing privileged accounts, 18 “configur[ing] access controls . . . with least privilege in mind” (Id.), and “[d]isabl[ing] 19 macro scripts from office files transmitted via email” (Id.). (See id. ¶¶ 77–96.) Additionally, 20 Plaintiffs allege that Magellan “fail[ed] to monitor ingress and ingress network traffic; 21 maintain an inventory of public facing [i]ps; monitor elevated privileges; equip its server 22 with anti-virus or anti-malware; and employ basic file integrity monitoring.” (Id. ¶ 91.) The 23 Second Amended Complaint posits that “the occurrence of the Data Breach indicates that 24 Defendant failed to adequately implement one or more of the above measures to prevent 25 ransomware attacks.” (Id.) Plaintiffs also allege that Magellan “failed to meet the minimum 26 standards of the following cybersecurity frameworks: the NIST Cybersecurity Framework 27 Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, 28 see also LRCiv 7.2(f); Fed. R. Civ. P. 78(b). 1 PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, 2 DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s 3 Critical Security Controls . . . which are established standards in reasonable cybersecurity 4 readiness.” (Id. ¶ 96.) 5 The Second Amended Complaint also alleges that Magellan has not provided an 6 adequate credit monitoring service since the data breach. (See id. ¶¶ 5, 9, 11, 15, 26–27, 7 99.) Plaintiffs allege that the service that Magellan offers does not provide alerts for or 8 monitor whether a Plaintiff’s personal information appears on the dark web or service and 9 credit applications. (Id. ¶ 5.) They also allege that it does not provide alerts or monitor for 10 a USPS address change verification or fake personal information connected to a person’s 11 identity. (Id.) Additionally, they allege that it does not offer “identity theft monitoring and 12 protection.” (Id. ¶¶ 9, 11.) Finally, Plaintiffs allege that the services offered by Magellan 13 “fail[ed] to provide for the fact that victims of Data Breaches and other unauthorized 14 disclosures commonly face multiple years of ongoing identity theft and financial fraud.” 15 (Id. ¶ 104.) 16 II. STANDARD OF REVIEW 17 A complaint must contain “a short and plain statement of the claim showing that the 18 pleader is entitled to relief” such that the defendant is given “fair notice of what 19 the . . . claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly, 550 U.S. 20 545, 555 (2007) (quoting Fed. R. Civ. P. 8(a)(2); Conley v. Gibson, 355 U.S. 41, 47 (1957)). 21 A complaint does not suffice “if it tenders ‘naked assertion[s]’ devoid of ‘further factual 22 enhancement.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. 23 at 556). Dismissal under Rule 12(b)(6) “can be based on the lack of a cognizable legal 24 theory or the absence of sufficient facts alleged under a cognizable legal theory.” Balistreri 25 v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). A complaint, however, should 26 not be dismissed “unless it appears beyond doubt that the plaintiff can prove no set of facts 27 in support of the claim that would entitle it to relief.” Williamson v. Gen. Dynamics Corp., 28 208 F.3d 1144, 1149 (9th Cir. 2000). 1 The Court must accept material allegations in a complaint as true and construe them 2 in the light most favorable to Plaintiffs. North Star Int’l v. Arizona Corp. Comm’n, 720 3 F.2d 578, 580 (9th Cir. 1983). “Indeed, factual challenges to a plaintiff’s complaint have 4 no bearing on the legal sufficiency of the allegations under Rule 12(b)(6).” See Lee v. City 5 of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001). Review of a Rule 12(b)(6) motion is 6 “limited to the content of the complaint.” North Star Int’l, 720 F.2d at 581. 7 III. DISCUSSION 8 A. Negligence 9 “‘To establish a defendant’s liability for a negligence claim, a plaintiff must prove: 10 (1) a duty requiring the defendant to conform to a certain standard of care; (2) breach of 11 that standard; (3) a causal connection between the breach and the resulting injury; and (4) 12 actual damages.’” CVS Pharmacy, Inc. v. Bostwick, 251 Ariz. 511, 517 (2021) (quoting 13 Quiroz v. ALCOA Inc., 243 Ariz. 560, 563–64 (2018)). As before, Plaintiffs Culberson, 14 Rayam, Leather, Williams, Ranson, Flanders, and Lewis allege that “[Magellan] had a duty 15 of care to use reasonable means to secure and safeguard its computer property—and Class 16 Members’ PII and PHI held within it—to prevent disclosure of the information, and to 17 safeguard the information from theft.” (Doc. 40 ¶ 142.) They also allege that this “duty 18 included a responsibility to implement processes by which it could detect a breach of its 19 security systems in a reasonably expeditious period and to give prompt notice to those 20 affected in the case of a Data Breach.” (Id.) Magellan does not contest Plaintiffs’ 21 allegations regarding duty and breach; it does argue that Plaintiffs improperly alleged 22 causation and damages. (Doc. 41 at 4–7.) 23 1. Causation 24 “Plaintiffs [have] proved causation if they showed both actual cause and proximate 25 cause, which are ordinarily questions of fact for the jury.” Torres v. Jai Dining Servs. 26 (Phoenix) Inc., 252 Ariz. 28, ---, 497 P.3d 481, 483 (2021). “In order to prove proximate 27 cause, a ‘[p]laintiff need only present probable facts from which the causal relationship 28 reasonably may be inferred.’” Pompeneo v. Verde Valley Guidance Clinic, 226 Ariz. 412, 1 414 (App. 2011) (quoting Robertson v. Sixpence Inns of Am., Inc., 163 Ariz. 539, 546 2 (1990)). “But like any other element of a cause of action, [proximate causation] must be 3 adequately alleged at the pleading stage in order for the case to proceed. If a plaintiff’s 4 allegations, taken as true, are insufficient to establish proximate causation, then the 5 complaint must be dismissed; if they are sufficient, then the plaintiff is entitled to an 6 opportunity to prove them.” Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 7 U.S. 118, 134 n.6 (2014) (citation omitted). 8 Previously, this Court determined that Plaintiffs Rayam, Leather, Williams, Ranson, 9 Flanders, and Lewis properly alleged causation, but Plaintiff Culberson had not properly 10 alleged causation because she had only alleged future injuries. Griffey, 2021 WL 11 4427065, at *3–4. Plaintiffs Rayam, Leather, Williams, Ranson, Flanders, and Lewis’ 12 allegations remain substantially similar such that they have still adequately alleged 13 causation. (Docs. 40; 52-1.) This time Culberson does allege current injuries—“[s]ince the 14 Data Breach, Plaintiff Culberson has had to replace her ATM card three times and has had 15 to stop auto billing from her cellphone and insurance companies.” (Doc. 40 ¶ 13.) Magellan 16 argues that Culberson still has not established causation because she has not properly 17 alleged that its data security was inadequate. (Doc. 41 at 9.) Quoting this Court’s previous 18 order, Magellan argues that, without properly alleging that Magellan’s data security was 19 inadequate, Culberson’s conclusion that it proximately caused Culberson’s injuries is 20 conclusory.2 (Id.) 21 The Court finds that Plaintiffs’ Second Amended Complaint sufficiently alleges that 22 Magellan employed inadequate data security. The pleadings aver several security standards 23 that Magellan allegedly failed to satisfy. Supra Section I. For example, it did not comply 24 with security guidelines and standards promulgated by the United States Cybersecurity & 25 Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department 26 of Health and Human Services’ Office for Civil Rights. Id. These shortcomings allegedly
27 2 Griffey, 2021 WL 4427065, at *8, 11 (“Alleging that a system was inadequate because a negative result occurred is conclusory, and Plaintiffs’ claim that Magellan’s system fell 28 below an ill-defined standard is conclusory . . . . And so, the Court find that Plaintiffs fail to properly allege that Magellan’s data security was inadequate.”). 1 included very basic procedures such as monitoring ingress and ingress network traffic. Id. 2 Thus, based on the allegations in the Second Amended Complaint, the causal 3 relationship between her injuries and Magellan’s inadequate data security can be 4 reasonably inferred: Magellan’s data security was inadequate, a data breach occurred, and 5 her injuries began. Magellan’s only argument to break this chain of causation is that its 6 data security was adequate. But at this early stage, Magellan’s argument constitutes an 7 improper factual assertion. Because the Plaintiffs have properly pleaded that Magellan’s 8 data security was inadequate, the Court concludes that Culberson’s allegations properly 9 plead causation. And so, every Plaintiff who alleged a negligence claim in the Second 10 Amended Complaint has pleaded sufficient facts to establish causation. 11 2. Damages 12 “In assessing whether credit monitoring services in the context of data breach cases 13 are recoverable in negligence, courts have generally analogized to medical monitoring 14 cases, which require a plaintiff to plead that the monitoring costs were both reasonable and 15 necessary.” In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. 16 Supp. 2d 942, 970 (S.D. Cal. 2014), order corrected, No. 11md2258 AJB (MDD), 2014 17 WL 12603117 (S.D. Cal. Feb. 10, 2014). In medical monitoring cases, courts look to four 18 factors to determine if the costs of future medical surveillance may be recovered: “(1) the 19 significance and extent of exposure, (2) the toxicity of the contaminant, and the seriousness 20 of the harm for which the individuals are at risk, and (3) the relative increase in the chance 21 of the harm in those exposed, such that (4) monitoring the effects of exposure is reasonable 22 and necessary.” Stollenwerk v. Tri-W. Health Care All., 254 F. App’x 664, 666 (9th Cir. 23 2007) (cleaned up). As this Court has previously noted, the majority of courts view 24 allegations of lost time and the increased risk of future harm as non-cognizable negligence 25 injuries. Griffey, 2021 WL 4427065, at *4. 26 Plaintiffs Williams and Rayam’s alleged damages are unchanged from the previous 27 complaint. (Doc. 52-1 ¶¶ 2–3, 6–7; compare Doc. 40 ¶ 164, with Doc. 30 ¶ 131.) Magellan 28 argues that their allegations do not constitute a cognizable loss because their allegations 1 amount to claims for lost time and the risk of future harm. (See Doc. 41 at 4–5.) Citing In 2 re Banner Health Data Breach Litig., CV-16-02696-PHX-SRB, 2017 WL 6763548, at *8 3 (D. Ariz. Dec. 20, 2017), Williams and Rayam argue that because they have “‘suffered 4 actual misuse of their personal information,’” they “‘have clearly suffered an actual injury 5 for which they may recover.’” (Doc. 42 at 4.) The Court agrees with Magellan. Williams 6 and Rayam allege that both instances of attempted fraud were unsuccessful.3 (Doc. 40 ¶¶ 2– 7 3, 6–7.) The only damages they allege as a result of the “actual misuse” are lost time 8 addressing the attempted fraud and the increased risk of future harm. (Id.) Those are not 9 cognizable negligence damages. Similarly, Culberson alleges that she “has had to replace 10 her ATM card three times and has had to stop auto billing from her cellphone and insurance 11 companies.” (Id. ¶ 13.) But Culberson alleges no out-of-pocket expenses. And so, she also 12 alleges nothing more than lost time monitoring her credit and an increased risk of future 13 harm. Thus, Williams, Rayam, and Culberson did not allege actual damages and their 14 alleged loss is not cognizable. 15 In its prior Order, the Court rejected Plaintiffs Leather, Ranson, Flanders, and 16 Lewis’ claims for out-of-pocket damages because those claims did not specifically allege 17 why Magellan’s data security systems were inadequate.4 See Griffey, 2021 WL 18 4427065, at *6. This time, as previously explained, the Court finds that the Plaintiffs have 19 adequately alleged that Magellan’s data security was inadequate. Supra Section III.A(1). 20 Plaintiffs’ alleged damages stem from not only Magellan’s allegedly inadequate 21 data security, but also the allegedly inadequate complimentary data protection services that 22 it offered to Plaintiffs after the breach. Plaintiffs have successfully alleged that these 23 3 Rayam only alleges that he suffered “an unauthorized and fraudulent charge in the amount 24 of $3.79.” (Doc. 40 ¶ 3.) He does not allege that he was required to pay the charge. (Id.) 4 In one sentence in its Reply, Magellan raises the issue that Ranson has only alleged that 25 he has “enrolled” in extra data monitoring services without articulating a price paid for the 26 extra services. (Doc. 44 at 3.) Because this issue was first raised in Magellan’s reply brief, it has been waived and will not be considered. Autotel v. Nevada Bell Tel. Co., 697 F.3d 27 846, 852 n.2 (9th Cir. 2012) (“‘Arguments raised for the first time in a reply brief are 28 waived.’” (citing Turtle Island Restoration Network v. U.S. Dep’t of Commerce, 672 F.3d 1160, 1166 n.8 (9th Cir. 2012) (brackets omitted))). 1 services were inadequate for protecting their identities after their personal information was 2 compromised. See supra Section I. For example, the services that Magellan offered 3 Plaintiffs did not provide basic services, such as alerts when personal information was 4 entered on credit applications or when fake personal information was tied to one of the 5 Plaintiff’s identities. Id. Furthermore, the services were allegedly offered for too short of a 6 period of time to protect Plaintiffs’ identities after the data breach. Id. As a result, Plaintiffs 7 allege that they were forced to spend extra money to properly secure their PII and PHI. Id. 8 These additional costs are the negligence damages they plead in this case. 9 (See Doc. 40 ¶¶ 5, 8–11, 14–15, 138–166.) 10 Plaintiffs Leather, Ranson, and Lewis all properly allege that they suffered 11 cognizable negligence damages because they aver that the extra data security services that 12 they purchased and enrolled in were reasonable and necessary to protect their PII and PHI. 13 (Id. ¶¶ 5, 8–10, 14–15; see generally ¶¶ 138–166.) Plaintiff Flanders alleges that he hired 14 a consultant for the same reason—the stolen information was sensitive and the services 15 that Magellan offered were inadequate to protect him from the data breach. (Id. ¶ 11.) Thus, 16 all four Plaintiffs alleged that they paid out-of-pocket to remedy the harm done to them by 17 Magellan’s alleged negligence. 18 To determine if Leather, Ranson, Lewis, and Flanders properly pleaded cognizable 19 negligence claims, the Court applies the Stollenwerk factors. According to the alleged facts, 20 their data was exposed to the entire dark web—a vast digital landscape where criminals 21 can acquire and misuse their personal data. Plaintiffs also properly alleged a variety of 22 serious harms, including identity theft, that can result from their PII and PHI being exposed 23 on the dark web. Plaintiffs also sufficiently alleged that, without their additional purchases, 24 they would suffer an increased risk of serious harm to their PII and PHI. Thus, all four 25 Stollenwerk factors weigh in favor of determining that this alleged injury is a cognizable 26 negligence claim. Furthermore, the only argument that Magellan raises in opposition is that 27 Plaintiffs paying for additional services was unnecessary because its complimentary 28 services were adequate. (Doc. 41 at 6–7; Doc. 44 at 1, 3–4.) This is an argument better 1 suited for summary judgment, as it relies on facts not yet in the record. 2 Therefore, the Court finds that Leather, Ranson, Flanders, and Lewis have 3 adequately alleged a cognizable negligence claim. Leather, Ranson, Flanders, and Lewis’ 4 negligence claims will not be dismissed. Conversely, Culberson, Rayam, and Williams 5 have not alleged a cognizable negligence claim; and so, their claims will be dismissed. 6 B. Unjust Enrichment 7 Each plaintiff asserts an unjust enrichment claim against Magellan. Under Arizona 8 law, “[a]n unjust enrichment claim requires proof of ‘(1) an enrichment, (2) an 9 impoverishment, (3) a connection between the enrichment and impoverishment, (4) the 10 absence of justification for the enrichment and impoverishment, and (5) the absence of a 11 remedy provided by law.’” Perdue v. La Rue, 250 Ariz. 34, 42 (App. 2020) (quoting Wang 12 Elec., Inc. v. Smoke Tree Resort, LLC, 230 Ariz. 314, 318 (App. 2012)). The Court 13 previously dismissed all of the unjust enrichment claims because Plaintiffs’ First Amended 14 Consolidated Class Action Complaint failed to sufficiently allege that Magellan’s data 15 security systems were inadequate to withstand a data breach incident. Griffey, 2021 WL 16 4427065, at *6–8. Plaintiffs have augmented their factual allegations to include additional 17 detail explaining their general theory of liability. Magellan renews its motion to dismiss 18 the unjust enrichment claims, arguing that the claims still fail at the pleading stage because 19 “Plaintiffs concede that they did not pay anything to Magellan. Accordingly, Magellan 20 could not have been enriched at Plaintiffs’ expense.” (Doc. 41 at 15 (record citation 21 omitted).) 22 The Court generally finds the unjust enrichment theory dubious. As best the Court 23 can tell, the health plan participants’ unjust enrichment theory alleges that Magellan 24 represented that a portion of the premiums paid to it by Plaintiffs’, or some other third- 25 party payors on Plaintiffs’ behalf, was intended for a data security system that protected 26 their PHI and PII. (See Doc. 40 ¶¶ 167–77.) They allege that Magellan did not expend the 27 resources required to implement this system. (Id.) As a result, Plaintiffs’ information was 28 allegedly stolen by cyber criminals. (Id.) Magellan was, allegedly, unjustly enriched 1 because it pocketed money that was intended for this system. (Id.) As Magellan 2 emphasizes, some plaintiffs—Laura Leather, Joseph Rivera, and Teresa Culberson—did 3 not pay Magellan directly. (Doc. 41 at 9–10.) Those payments were, instead, made to an 4 affiliate or the state in which Magellan administers those plaintiffs’ health care services. 5 (Id.) The Court finds that, as a matter of law, these plaintiffs cannot state an unjust 6 enrichment claim. 7 Plaintiff Lewis’ connection with Magellan is even more attenuated. He does not 8 specifically allege anything to establish a relationship between him and Magellan or one 9 of Magellan’s affiliates. (Doc. 40 ¶¶ 14–15.) He alleges that he paid for health services that 10 Magellan sold, but he does not specify to whom or what those payments were made. 11 (See id. ¶¶ 14–15, 252–64.) Thus, Lewis’ unjust enrichment claim fails because he has not 12 properly alleged that Magellan was enriched by his payments. 13 The former employee and contractor plaintiffs—Chris Griffey, Bharath Rayam, 14 Michael Domingo, Clara Williams, Daniel Ranson, and Mitchell Flanders—theorize that 15 their compensation packages included data protection against cyber piracy. (Doc. 42 at 6– 16 7; see Doc. 40 ¶¶ 167–77.) The Motion to Dismiss argues that former employee and 17 contractor plaintiffs were not unjustly enriched because they “were paid for their services.” 18 (Doc. 44 at 10.) The Court again expresses skepticism toward this unjust enrichment 19 theory. Nonetheless, construing all of the pleading allegations and reasonable inferences in 20 the former employee and contractor plaintiffs’ favor, the Court finds that these plaintiffs 21 have asserted sufficient allegations to survive the Motion to Dismiss. 22 In short, the Motion to Dismiss Plaintiffs’ unjust enrichment claims is granted in 23 part. Those plaintiffs who are part of the health plan participants group and whose costs 24 were paid by others are dismissed: Laura Leather, Joseph Rivera, and Teresa Culberson. 25 Keith Lewis’ claim is dismissed for failing to properly allege enrichment. For all other 26 plaintiffs, the Motion is denied. 27 C. California Consumer Protection Act 28 “Any consumer whose . . . personal information . . . is subject to an unauthorized 1 access and exfiltration, theft, or disclosure as a result of [a] business’s violation of the duty 2 to implement and maintain reasonable security procedures and practices appropriate to the 3 nature of the information to protect the personal information may institute a civil action” 4 under the California Consumer Protection Act (“California CPA”). Cal. Civ. Code 5 § 1798.150. The California CPA allows for the recovery of statutory damages. 6 Id. § 1798.150(b). To recover such damages, consumers must first provide 30-days’ 7 written notice to the business from which they are trying to collect statutory damages 8 before initiating litigation. Id. 9 Ranson, a California resident, alleges that Magellan violated the California CPA by 10 failing to prevent the data breach and providing inadequate data security for his 11 information. (Doc. 40 ¶¶ 189–200.) The Court previously dismissed this claim because 12 Ranson had not alleged out-of-pocket damages, he had not sought statutory damages, he 13 had not complied with the California CPA’s 30-day notice requirement, and he had failed 14 to establish why Magellan’s data security was inadequate. Griffey, 2021 WL 15 4427065, at *14–15. Magellan’s Motion again argues that Ranson has not alleged 16 compliance with the California CPA’s 30-day notice requirement. (Doc. 41 at 14–15; 17 Doc. 44 at 9–11.) Ranson counters that the notice was timely because more than 30 days 18 have elapsed between the notice and the eventual filing of the Second Amended Complaint. 19 (Doc. 42 at 15.) 20 The Court finds that Ranson failed to allege that he provided notice as required by 21 the California CPA. In analogous circumstances, courts have held that the objective of a 22 “pre-suit notice,” such as the requirement here, is “to allow the defendant an opportunity 23 to cure the defect outside of court.” T & M Solar & Air Conditioning, Inc. v. Lennox Int’l 24 Inc., 83 F. Supp. 3d 855, 875 (N.D. Cal. 2015). The 30-day notice required by the 25 California CPA serves the same purpose. If a notice filed before the 30-day deadline could 26 be updated when an amended complaint is filed and satisfy the 30-day notice requirement, 27 then having the pre-suit notice requirement would be pointless. Ranson alleges that he gave 28 notice on December 8, 2020, three days before filing his California CPA claim. (Doc. 41- 1 1; see Doc. 30.) He cannot supplement the time between the notice and the initiation of the 2 lawsuit by amending his complaint. Clearly, he failed to satisfy the 30-day notice 3 requirement. The California CPA claim is dismissed with prejudice. 4 D. Florida Unfair and Deceptive Trade Practices Act 5 Lewis, a Florida resident, alleges that Magellan violated the Florida Unfair and 6 Deceptive Trade Practices Act (“Florida DUTPA”). Specifically, that Magellan “engaged 7 in deceptive, unfair, and unlawful trade acts or practices in the conduct of trade or 8 commerce, in violation of Fla. Stat. § 501.204(1)” and “Fla. Stat. § 501.171(2)” by 9 disseminating the Notice of Privacy Practices in Florida. (Doc. 40 ¶¶ 252–64; see 10 id. ¶¶ 55–57.) He also alleges that these misrepresentations “substantial[ly] injur[ed]” him. 11 (Id. ¶ 261.) 12 “‘A claim for damages under [the Florida DUTPA] has three elements: (1) a 13 deceptive act or unfair practice; (2) causation; and (3) actual damages.’” Caribbean Cruise 14 Line, Inc. v. Better Bus. Bureau of Palm Beach Cty., Inc., 169 So. 3d 164, 167 (Fla. Dist. 15 Ct. App. 2015) (citing Kertesz v. Net Transactions, Ltd., 635 F. Supp. 2d 1339, 1348 (S.D. 16 Fla. 2009)). Magellan argues that Lewis’ Florida DUTPA claims fail because he is not a 17 consumer. (Doc. 41 at 13.) Magellan also argues that, even if Lewis need not have been a 18 consumer to assert a Florida DUTPA claim, he “must still allege that a consumer was 19 injured.” (Doc. 44 at 9 (emphasis omitted).) Next, Magellan argues that Lewis has failed 20 to allege that he suffered a “cognizable loss” or that any consumer suffered a “consumer 21 injury.” (Id.) Finally, Magellan argues that Lewis’ allegations amount to an extraterritorial 22 application of the Florida DUTPA. (Doc. 41 at 11–12; Doc. 44 at 7–8.) 23 Lewis counters that his status as a consumer is irrelevant because “[n]umerous 24 Florida district courts . . . have . . . held that . . . non-consumers may bring [Florida 25 DUTPA] claims.” (Doc. 42 at 13; id. at 12–13.) Lewis further argues that, even when a 26 consumer purchase is not involved, “inadequate data security—like the kind at issue in this 27 case—has been found to be an unfair trade practice for [Florida DUTPA] purposes.” 28 (Id. at 14.) Finally, Lewis argues that he has not alleged an extraterritorial application of 1 the Florida DUTPA. (Doc. 42 at 9–11.) 2 This Court finds the Florida court’s analysis in Caribbean Cruise Line compelling 3 and adopts its stance that “the legislative change regarding the claimant able to recover 4 under [the Florida DUTPA] from a ‘consumer’ to a ‘person’ must be afforded significant 5 meaning. This change indicates that the legislature no longer intended [the Florida 6 DUTPA] to apply to only consumers, but to other entities able to prove the remaining 7 elements of the claim as well.” 169 So. 3d at 169. A claimant must prove, however, that 8 “there was an injury or detriment to consumers in order to satisfy all of the elements of a 9 [Florida DUTPA] claim.” Id. (emphasis omitted). Consistent with the holding in Caribbean 10 Cruise Line, the Court finds that Lewis’ status as a non-consumer does not affect his ability 11 to bring the claim. Thus, the Court must examine each element of a Florida DUTPA claim 12 to determine if Lewis’ Florida DUTPA claim is properly pleaded. “An objective test is 13 used to determine whether an act is deceptive under [the Florida DUTPA], and ‘the plaintiff 14 must show that the alleged practice was likely to deceive a consumer acting reasonably in 15 the same circumstances.’” Marrache v. Bacardi U.S.A., Inc., 17 F.4th 1084, 1098 (11th 16 Cir. 2021) (quoting Carriuolo v. Gen. Motors Co., 823 F.3d 977, 983–84 (11th Cir. 2016)). 17 Lewis alleges that, in its Notice of Privacy Practices, Magellan states that it 18 “believe[s] in protecting the privacy of [Plaintiffs’] health information” and that the “law 19 requires [it] to maintain the privacy of [Plaintiffs’] PHI.” (Doc. 40 ¶ 56.) He also alleges 20 that Magellan states “[t]he law also requires us to provide you with this notice of our legal 21 duties and privacy practices with respect to your PHI. We are required to follow the terms 22 of the privacy policy that is currently in effect.” (Id.) A reasonable Florida consumer under 23 the circumstances would likely read that policy, deduce that Magellan’s data security 24 system adhered to applicable legal requirements, and assume that Magellan implemented 25 adequate data security systems. But Magellan allegedly failed to do so. See 26 supra Section III.A. As a result, Lewis’ PII and PHI were stolen, and he needed to purchase 27 additional data security. Id. Thus, causation has also been adequately pleaded. This leaves 28 only the question of damages. 1 To recover under the Florida DUTPA, Lewis must plead “actual damages.” 2 Caribbean Cruise Line, Inc., 169 So. 3d at 167. “‘[A]ctual damages’ do not include 3 consequential damages.” Rollins, Inc. v. Butland, 951 So. 2d 860, 869 (Fla. Dist. Ct. App. 4 2006). “Actual damages under [the Florida DUTPA] ‘are measured according to the 5 difference in the market value of the product or service in the condition in which it was 6 delivered and its market value in the condition in which it should have been delivered 7 according to the contract of the parties.’” Marrache, 17 F.4th at 1098 (quoting Carriuolo, 8 823 F.3d at 986); see also In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 9 3d 374, 424 n.33 (E.D. Va. 2020) (“For example . . . consequential damages from the Data 10 Breach would include the costs for credit monitoring and identity protection services or the 11 time and expenses related to monitoring their financial accounts since they bear no relation 12 to the diminution in the product value.”). Here, some of Lewis’ alleged damages are the 13 fees he paid for additional data security. (Doc. 40 ¶¶ 14–15.) These are consequential 14 damages, which do not support a claim. See In re Cap. One Consumer Data Sec. Breach 15 Litig., 488 F. Supp. 3d at 424. 16 But Lewis also alleges damages for “overpaying for the products and services sold 17 by [Magellan].” (Id. ¶ 258.) He does not explicitly allege that he overpaid for health 18 services provided by Magellan. But, given the allegations in the Second Amended 19 Complaint (Doc. 40) and the arguments found elsewhere in his Response Brief (Doc. 42), 20 it is reasonable to infer that he alleges that he overpaid for health services that Magellan in 21 some way administers because Magellan’s data security was inadequate. As this Court has 22 found, Lewis has failed to allege that these payments enriched Magellan. Supra Section 23 III.B. But that does not inhibit Lewis from suffering actual damages as defined in 24 Marrache. Magellan administered the heath services for which Lewis paid and there was 25 a market value difference between the services as marketed in the Notice of Privacy 26 Policies and the services Lewis actually received because Magellan provided inadequate 27 data security services. 28 The Florida DUTPA does not apply extraterritorially. Eli Lilly & Co. v. Tyco 1 Integrated Sec., LLC., No. 13-80371-CIV, 2015 WL 11251732, at *4 (S.D. Fla. Feb. 10, 2 2015) (holding the Florida DUTPA only applies to actions that occur within Florida, but 3 the actions need not occur exclusively in Florida). Here, Magellan’s allegedly deceptive or 4 unfair action was the dissemination of the Notice of Privacy Practices to Lewis in his home 5 state of Florida. (See Doc. 40 ¶¶ 55–57.) As the Court explained, Lewis has properly 6 pleaded that the Notice was deceptive and its dissemination qualifies as an alleged violation 7 of the Florida DUPTA. Thus, the Court finds that Lewis has not pleaded an extraterritorial 8 application of the Florida DUTPA. And so, Lewis has properly alleged a Florida DUTPA 9 claim on behalf of himself and the putative subclass. 10 E. New York General Business Law § 349 11 “Deceptive acts or practices in the conduct of any business, trade or commerce or 12 in the furnishing of any service in [New York] are . . . unlawful.” N.Y. Gen. Bus. Law 13 § 349 (“New York GBL § 349”). “‘To make out a prima facie case under [§] 349, a plaintiff 14 must demonstrate that (1) the defendant’s deceptive acts were directed at consumers, (2) 15 the acts are misleading in a material way, and (3) the plaintiff has been injured as a result.’” 16 Grossman v. Simply Nourish Pet Food Co. LLC, 516 F. Supp. 3d 261, 278 (E.D.N.Y. 2021) 17 (quoting Maurizio v. Goldsmith, 230 F.3d 518, 521 (2d Cir. 2000)). “An act is materially 18 misleading if it is ‘likely to mislead a reasonable consumer acting reasonably under the 19 circumstances.’ ‘It is well settled that a court may determine as a matter of law that an 20 allegedly deceptive advertisement would not have mislead a reasonable consumer.’” 21 Harris v. Pfizer Inc., No. 1:21-CV-06789-DLC, 2022 WL 488410, at *7 (S.D.N.Y. Feb. 22 16, 2022) (quoting Fink v. Time Warner Cable, 714 F.3d 739, 741 (2d Cir. 2013)). 23 Leather, a New York resident, contends that she sufficiently pleads a violation of 24 § 349 in the Second Amended Complaint. (Doc. 40 ¶¶ 202–15; Doc. 42 at 11–12.) She 25 asserts that the representations made by Magellan about the reliability of its data security 26 systems constitute a § 349 violation. (See Doc. 40 ¶¶ 202–15; Doc. 42 at 11–12.) 27 Magellan’s Motion to Dismiss challenges Leather’s alleged injury on the grounds that she 28 has (1) not sufficiently alleged a cognizable loss, (2) alleged an improper extraterritorial 1 application of § 349, (3) not sufficiently alleged how Magellan’s notice was false or 2 misleading, (4) not sufficiently alleged that Magellan’s data security was inadequate, and 3 (5) not sufficiently alleged that Magellan’s complimentary credit-monitoring services were 4 insufficient. (Doc. 41 at 6–7, 11–13; Doc. 44 at 7–8.) This Court has already decided that 5 Plaintiffs have properly alleged that Magellan’s data security was inadequate and that 6 Magellan’s complimentary credit-monitoring services were insufficient; those arguments 7 will not be revisited. Supra Section III.A. 8 1. Extraterritoriality and Deceptive Act Directed at Consumers 9 Magellan argues that Leather asserts an extraterritorial application of § 349 because 10 the fact that she allegedly received a notice of Magellan’s privacy policies in her home 11 state of New York is not enough to establish that liability-creating conduct occurred. 12 (Doc. 41 at 12.) The Second Amended Complaint specifically alleges that the Notice was 13 disseminated to Leather in New York. (Doc. 40 ¶ 206.) Presumably, she received and read 14 the Notice in New York. The information provided in the Notice allegedly deceived her 15 into thinking that Magellan had adequate data security. See supra Section III.D. Such 16 allegations are enough to state a § 349 claim. See Haft v. Haier US Appliance Sols., Inc., 17 No. 1:21-CV-00506-GHW, 2022 WL 62181, at *13 (S.D.N.Y. Jan. 5, 2022) (“[T]o qualify 18 as a prohibited act under [§ 349], the deception of a consumer must occur in New York.”) 19 (citing Goshen v. Mut. Life Ins. Co. of New York, 98 N.Y.2d 314, 325 (2002)). 20 2. Materially Misleading 21 The Court must next decide whether Leather has sufficiently pleaded that 22 Magellan’s actions were materially misleading. As previously noted, she alleges that 23 Magellan made statements in the Notice of Privacy Practices which, when combined, could 24 be construed as a representation that Magellan’s data security systems for her PII and PHI 25 were adequate. Supra Section III.D. But, based on her allegations, Magellan failed to 26 implement adequate data security systems. See supra Section III.A. Such statements would 27 likely mislead a reasonable New York consumer acting reasonably under the circumstances 28 to wrongly assume that Magellan’s data security was adequate. See supra Section III.D. 1 Thus, she has properly alleged that the notice that Magellan disseminated was a materially 2 misleading statement. See Harris, 2022 WL 488410, at *7 (quoting Fink, 714 F.3d at 741) 3 (“An act is materially misleading if it is ‘likely to mislead a reasonable consumer acting 4 reasonably under the circumstances.’”). 5 3. Cognizable Injury 6 “‘To make out a prima facie case under [§] 349, a plaintiff must demonstrate 7 that . . . the plaintiff has been injured . . . .’” Grossman, 516 F. Supp. 3d at 278 (quoting 8 Maurizio, 230 F.3d at 521). “‘Injury is adequately alleged under [§ 349] by a claim that a 9 plaintiff paid a premium for a product based on defendants’ inaccurate representations.’” 10 Id. at 282 (quoting Ackerman v. Coca-Cola Co., No. CV-09-0395 (JG)(RML), 2010 WL 11 2925955, at *23 (E.D.N.Y. July 21, 2010)). 12 Here, Leather alleges that she paid for Magellan’s services, including its data 13 security systems for PII and PHI, by paying for health services. See supra Section III.B. 14 She also alleges that these payments were, in part, predicated on the representations 15 Magellan made in the Notice of Privacy Practices, which was disseminated to Leather in 16 New York. (Doc. 40 ¶¶ 55–57.) She further alleges that among other representations that 17 were misleading, the Notice said that “the law requires [Magellan] to maintain the privacy 18 of your PHI,” and that “Magellan . . . believe[s] in protecting the privacy of your health 19 information.” (Id. ¶ 56.) 20 The alleged statements in Magellan’s Notice imply that Magellan implemented 21 good data security to protect people like Leather. See supra Section III.D. And, as this 22 Court has already discussed, Plaintiffs have properly alleged that Magellan’s data security 23 was inadequate. Supra Section III.A. Based on this Notice, Leather would reasonably 24 believe that her PII and PHI were sufficiently protected. Supra Section III.D. Leather 25 alleges that she relied on these representations when deciding to pay for Magellan health 26 services. (Doc. 40 ¶¶ 210–11.) Thus, in part, she paid for what she understood to be 27 adequate data security services when, in reality, they were inadequate services. This portion 28 of her fees paid to Magellan constitutes a premium that she paid for data security services 1 that she never received. And so, this Court finds that Leather has properly alleged that 2 Magellan’s Notice was an inaccurate representation which induced her to continue to pay 3 for its health services. This satisfies the definition of a cognizable § 349 injury. Therefore, 4 Leather has sufficiently alleged a § 349 claim to survive a motion to dismiss. 5 F. Remaining Statutory Claims 6 Plaintiffs Domingo, Rivera, and Ranson allege that Magellan violated several state 7 consumer protection statutes: Pennsylvania’s Unfair Trade Practices and Consumer 8 Protection Law (“Pennsylvania CPL”), Wisconsin’s Deceptive Trade Practices Act 9 (“Wisconsin DTPA”), and California’s Unfair Competition Law (“California UCL”). 10 (Doc. 40 ¶¶ 178–88, 216–51.) Magellan argues that Plaintiffs’ Pennsylvania CPL, 11 Wisconsin DTPA, and California UCL claims have failed to allege a cognizable loss. (See 12 Doc. 41 at 4–7; Doc. 44 at 2–4.) Magellan also argues that Ranson asserts an impermissible 13 extraterritorial application of the California UCL. (Doc. 41 at 11–12; Doc. 44 at 7–8.) 14 1. Pennsylvania Unfair Trade Practices and Consumer Protection Law 15 The Pennsylvania CPL requires that Domingo, a Pennsylvania resident, allege that 16 he “suffered [an] ascertainable loss as a result of” his reliance on Magellan’s deceptive act. 17 Cessna v. REA Energy Coop., Inc., 258 F. Supp. 3d 566, 579 (W.D. Pa. 2017); see also 18 Yocca v. Pittsburgh Steelers Sports, Inc., 578 Pa. 479, 854 A.2d 425, 438 (2004) (“To bring 19 a private cause of action under the [Pennsylvania CPL], a plaintiff must show that he 20 justifiably relied on the defendant’s wrongful conduct or representation and that he suffered 21 harm as a result of that reliance.”). An ascertainable loss must be a “loss of money or 22 property” due to the defendant’s infringing behavior. Grimes v. Enter. Leasing Co. of 23 Philadelphia, LLC, 629 Pa. 457, 464 (2014). Here, Domingo alleges no present harm—not 24 even lost time. (Doc. 40 ¶ 4.) Domingo’s only conceivable claim for damages is unknown 25 future injuries that are clearly not “ascertainable.” See, e.g., Grimes, 629 Pa. at 466 26 (concluding “that a plaintiff could incur an ‘ascertainable loss’ simply by hiring counsel” 27 is an “untenable” interpretation of the statute). Because “[o]nly those who can meet the 28 requirements of the [Pennsylvania CPL] private cause of action may bring a personal 1 action, and [Domingo’s] allegations simply do not satisfy the statutory ‘ascertainable loss’ 2 element,” his Pennsylvania CPL claims are dismissed. Id. 3 2. Wisconsin Deceptive Trade Practices Act 4 Only a person who has suffered a pecuniary loss may recover under the Wisconsin 5 DTPA. Pagoudis v. Keidl, 399 Wis. 2d 75, 96 (App. 2021). “‘Pecuniary 6 loss’ . . . encompass[es] any monetary loss.” Mueller v. Harry Kaufmann Motorcars, Inc., 7 359 Wis. 2d 597, 613 (App. 2014). Rivera, a Wisconsin resident, alleges no present harm— 8 not even lost time. (Doc. 40 ¶ 12.) Rivera’s only conceivable claim for damages involves 9 unknown future injuries and lost time. Neither are pecuniary because neither involve 10 monetary loss. Thus, Rivera’s Wisconsin DTPA claims do not articulate a cognizable loss 11 and are dismissed. 12 3. California Unfair Competition Law 13 a. Cognizable Loss 14 To survive a motion to dismiss under the California UCL, Ranson, a California 15 resident, must allege that he “‘lost money or property’ as a result of [Magellan’s] conduct.” 16 Klein v. Facebook, Inc., No. 20-CV-08570-LHK, 2022 WL 141561, at *39 (N.D. Cal. Jan. 17 14, 2022) (quoting Brown v. Google, No. 20-CV-3664-LHK, 2021 WL 6064009, at *14 18 (N.D. Cal. Dec. 22, 2021)). In Klein, the court determined that the cash value of a plaintiff’s 19 personal information satisfied this requirement. See 2022 WL 141561, at *39 (“Thus, [the 20 plaintiffs] have adequately alleged that, by providing Facebook with their information and 21 attention, they lost money or property.” (internal quotation omitted)). Ranson similarly 22 alleges cash value associated with his stolen PII and PHI. (Doc. 40 ¶¶ 71–76.) Ranson also 23 alleges that he enrolled in extra data security because of specific deficiencies in the services 24 that Magellan offered him after the data breach. Supra Section III.A. And so, he has 25 sufficiently alleged a cognizable loss to sustain his California UCL claims. 26 b. Extraterritoriality 27 Magellan’s only alleged instance of liability-creating conduct in California was the 28 Notice of Privacy Practices it allegedly disseminated to Ranson in California. 1 (See Doc. 40 ¶¶ 55–57, 182.) In that Notice, Ranson alleges, Magellan made false 2 representations regarding the data security it implemented to protect the PII and PHI it had 3 collected. (See id. ¶¶ 77–82, 178–88.) “‘[A] plaintiff must show that the misrepresentation 4 was an immediate cause of the injury-producing conduct . . . [;]’ [h]owever, a ‘plaintiff is 5 not required to allege that the challenged misrepresentations were the sole or even the 6 decisive cause of the injury-producing conduct.’” Kwikset Corp. v. Superior Ct., 51 Cal. 7 4th 310, 327 (2011) (quoting In re Tobacco II Cases, 46 Cal. 4th 298, 326, 328 (2009)). 8 “[F]or example, in Hale v. Sharp Healthcare, 183 Cal. App. 4th [1373, 1385–86 (2010)], 9 the Court of Appeal found the complaint adequate where, from its allegations, one could 10 infer the plaintiff had relied on a defendant’s representation that it would charge its ‘regular 11 rates.’” Kwikset, 51 Cal. 4th at 327. Similarly, here, the Court finds that one could infer 12 from the Second Amended Complaint that Ranson relied on Magellan’s representation in 13 the Notice of Privacy Practices. See supra Section III.D–E (drawing the same conclusion 14 with regard to the Florida and New York plaintiffs). And the Court has already decided 15 that Ranson has properly pleaded that those statements were misrepresentations because 16 he has sufficiently alleged that Magellan’s data security systems were inadequate. See 17 supra Section III.A, D–E. Thus, Ranson has properly alleged that Magellan made 18 qualifying misrepresentations in California. 19 G. Rule 9(b) 20 “It is established law that Rule 9(b)’s particularity requirement applies to state law 21 causes of action relating to fraud when asserted in federal court.” Irving Firemen’s Relief 22 & Ret. Fund v. Uber Techs., Inc., 998 F.3d 397, 404 (9th Cir. 2021) (citing Vess v. Ciba- 23 Geigy Corp. USA, 317 F.3d 1097, 1103 (9th Cir. 2003)). To satisfy this standard, the 24 complaint “must ‘identify the who, what, when, where, and how of the misconduct 25 charged, as well as what is false or misleading about the purportedly fraudulent statement, 26 and why it is false.’” Depot, Inc. v. Caring for Montanans, Inc., 915 F.3d 643, 668 (9th 27 Cir. 2019) (quoting Salameh v. Tarsadia Hotel, 726 F.3d 1124, 1133 (9th Cir. 2013)). 28 Magellan argues that Plaintiffs have not sufficiently alleged the “‘when, where, and 1 how’ the alleged misconduct occurred” to meet Rule 9(b)’s heightened pleading standard. 2 (Doc. 41 at 11; see id. at 10–11.) Plaintiffs Ranson, Leather, and Lewis argue that the 3 Second Amended Complaint properly specifies that Magellan’s statements in the Notice 4 of Privacy Practices, which was disseminated in their home states, were the 5 misrepresentations on which their California UCL, New York GBL § 349, and Florida 6 DUTPA causes of action are predicated. (Doc. 42 at 7–9.) 7 Here, the Court concludes that Ranson, Leather, and Lewis have articulated “the 8 who, what, when, where, and how of the misconduct charged, as well as what is false or 9 misleading about the purportedly fraudulent statement, and why it is false.” Depot, Inc., 10 915 F.3d at 688. They allege that Magellan (“who”) made statements in its Notice of 11 Privacy Practices (“what”) “when” it disseminated the Notice to Ranson, Leather, and 12 Lewis in California, New York, and Florida (“where”). This Court has already decided that 13 they have properly alleged that those statements were false or misleading because, contrary 14 to its representations in the Notice of Privacy Practices, Magellan’s data security systems 15 were inadequate. Supra Section III.A, D. Thus, Ranson, Leather, and Lewis have met the 16 Rule 9(b) pleading standard for their California UCL, New York GBL § 349, and Florida 17 DUTPA claims. 18 H. Leave to Amend 19 Federal Rule of Civil Procedure 15(a) provides that leave to amend should be freely 20 granted “when justice so requires.” Fed. R. Civ. P. 15(a)(2). “The power to grant leave to 21 amend . . . is entrusted to the discretion of the district court, which ‘determines the 22 propriety of a motion to amend by ascertaining the presence of any of four factors: bad 23 faith, undue delay, prejudice to the opposing party, and/or futility.’” Serra v. Lappin, 600 24 F.3d 1191, 1200 (9th Cir. 2010) (quoting William O. Gilley Enters. v. Atl. Richfield Co., 25 588 F.3d 659, 669 n.8 (9th Cir.2009)). “[W]here the plaintiff has previously been granted 26 leave to amend and has subsequently failed to add the requisite particularity to its claims, 27 the district court’s discretion to deny leave to amend is particularly broad.” Zucco Partners, 28 LLC v. Digimarc Corp., 552 F.3d 981, 1007 (9th Cir. 2009), as amended (Feb. 10, 2009) 1 (quotations omitted). District courts properly deny leave to amend if the proposed 2 amendment would be futile or “the amended complaint would be subject to dismissal.” 3 Saul v. United States, 928 F.2d 829, 843 (9th Cir. 1991). “[A] proposed amendment is futile 4 only if no set of facts can be proved under the amendment to the pleadings that would 5 constitute a valid and sufficient claim.” Miller v. Rykoff-Sexton, Inc., 845 F.2d 209, 214 6 (9th Cir. 1988). 7 Here, Plaintiffs have not requested leave to amend. (Doc. 42.) Additionally, 8 Plaintiffs have been afforded multiple opportunities to amend their claims. In the abstract, 9 granting leave to amend would not be futile because a set of facts could be alleged that 10 would constitute a valid, specific, and properly pleaded negligence, unjust enrichment, 11 California CPA, Pennsylvania CPL, and Wisconsin DTPA claim. But in practice, given 12 Plaintiffs’ multiple opportunities to properly plead these claims, it is clear why they have 13 not requested leave to amend: the facts necessary to properly plead these claims do not 14 exist. Accordingly, leave to amend will not be granted because it would be futile. 15 IV. CONCLUSION 16 Accordingly, 17 IT IS ORDERED denying in part and granting in part the Motion to Dismiss 18 Plaintiffs’ Second Amended Consolidated Class Action Complaint (Doc. 41). Plaintiffs 19 Culberson, Rayam, Williams, and their similarly situated putative class members’ 20 negligence claims are dismissed with prejudice. Plaintiffs Leather, Ranson, Flanders, 21 Lewis, and their similarly situated putative class members’ negligence claims will remain. 22 IT IS FURTHER ORDERED that Plaintiffs Leather, Rivera, Lewis, and 23 Culberson’s unjust enrichment claims are dismissed with prejudice. Plaintiffs Ranson, 24 Domingo, Griffey, Rayam, Williams, and Flanders’ unjust enrichment claims will remain. 25 IT IS FURTHER ORDERED that, regarding the California Consumer Privacy 26 Act, the Pennsylvania Unfair Trade Practices and Consumer Protection Law, and the 27 Wisconsin Deceptive Trade Practices Act causes of action, the Motion is granted. Causes 28 of Action Four, Six, and Seven are dismissed, with prejudice. 1 IT IS FINALLY ORDERED that with regard to all other causes of action, the 2|| Motion to Dismiss Plaintiffs’ Second Amended Consolidated Class Action Complaint is 3 || denied. Those causes of action shall remain. 4 Dated this Ist day of June, 2022. 5 ° Wichal T. Fburde Michael T. Liburdi 8 United States District Judge 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
-23-