In re Robinhood Data Security Litigation

• Court: District Court, N.D. California
• Decided: March 6, 2023
• Docket: 3:21-cv-08906
• Status: Unknown

Opinion

1 2 3 UNITED STATES DISTRICT COURT 4 NORTHERN DISTRICT OF CALIFORNIA 5 6 IN RE ROBINHOOD DATA SECURITY Case No. 21-cv-08906-JD LITIGATION 7 ORDER RE MOTION TO DISMISS 8

9 10

11 12 This putative class action arises from a November 2021 data breach that is said to have 13 exposed the full names, email addresses, dates of birth, zip codes, and other personally identifiable 14 information (PII) of over seven million customers of defendant Robinhood Markets, Inc. See Dkt. 15 No. 34 ¶ 3. In an 84-page consolidated amended complaint (CAC), 25 Robinhood customers in 16 California, Illinois, New York, Utah, South Carolina, Georgia, Virginia, Massachusetts, 17 Oklahoma, New Jersey, Kansas, Kentucky, and Florida allege 24 claims ranging from negligence 18 and breach of contract to violations of multiple state consumer protection and data security laws. 19 See id. ¶¶ 12-36, 118-370. The named plaintiffs have sued on behalf of themselves, a putative 20 national class, and 11 putative state subclasses. Id. ¶ 105. 21 Robinhood has asked to dismiss the CAC under Federal Rules of Civil Procedure 12(b)(1) 22 and 12(b)(6). Dkt. No. 38. Dismissal is warranted on grounds other than those proposed by 23 Robinhood. 24 The CAC as it currently stands is not a workable pleading under Rule 8. To start, the 25 claims for the national class include negligence, negligence per se, breach of contract, breach of 26 implied contract, unjust enrichment, and declaratory judgment. Dkt. No. 34 ¶¶ 118-94. These are 27 common law claims, and the CAC is silent about the law that is intended to govern them. 1 matter jurisdiction. Id. ¶ 9. CAFA is a species of diversity jurisdiction, which means that the 2 Court will apply state substantive law to resolve the claims. See In re Facebook Biometric 3 Information Privacy Litig., 185 F. Supp. 3d 1155, 1167-68 (N.D. Cal. 2016). What that state law 4 might be is not identified in the CAC. This is a problem because the parties are literally all over 5 the map. The named plaintiffs are citizens of 13 different states, and Robinhood is alleged to be a 6 Delaware business entity with a principal place of business in California. See Dkt. No. 34 ¶¶ 12- 7 40. 8 The motion to dismiss briefing compounded the lack of clarity by citing a potpourri of 9 cases from multiple state jurisdictions, which the parties appear to have selected mainly for 10 content they liked rather than for good reasons of choice of law. See, e.g., Dkt. No. 38 at 7-8; Dkt. 11 No. 48 at 6-8. As a result, the parties did not provide useful arguments on key issues such as the 12 possible application of the economic loss rule. Robinhood posited, with little explanation, that the 13 California economic loss rule applies to the negligence claims. Dkt. No. 38 at 7. Plaintiffs said 14 that the California rule is inapplicable because “Plaintiffs are from various states beyond 15 California, including some where the economic loss rule does not apply.” Dkt. No. 48 at 6. This 16 is no way to litigate the sprawling claims on behalf of multiple putative classes in the CAC. 17 Another problem is that the CAC is thin on facts. To be sure, the occurrence of the data 18 breach is based on public and user communications by Robinhood, see, e.g., Dkt. No. 34 ¶¶ 49-51, 19 and some of the named plaintiffs alleged concrete and particularized injuries from the breach, see 20 id. ¶¶ 94-99. Even so, the CAC is a bit anemic with respect to its main theory that Robinhood did 21 not properly protect user data. For the most part, plaintiffs say only that “it appears” that 22 Robinhood did not use adequate security measures, and allege “on information and belief” that 23 Robinhood did not follow Federal Trade Commission data security guidelines. Id. ¶¶ 51, 70. The 24 lengthy summaries of data security safeguards in the CAC are untethered to facts indicating that 25 Robinhood’s conduct fell short in any way. See id. ¶¶ 67-79. This is not necessarily a flaw that 26 dooms plaintiffs’ case, but the absence of facts about Robinhood’s conduct exacerbates the general 27 lack of clarity in the CAC. 1 Robinhood bears responsibility for its own shortcomings. Its Rule 12(b)(6) brief teed up a 2 || new theory on almost every page, typically without any meaningful discussion or analysis. See 3 Dkt. No. 38 at 6-15. In the end, it simply threw out bullet points linked to footnotes stuffed with 4 || citations to statutes and cases. See id. at 14-15 and nn. 3-10. Such half-baked briefing falls well 5 below the standards of professionalism expected of counsel and parties in this District. It also 6 || violates the Court’s Standing Order for Civil Cases, which expressly states that arguments raised 7 with inadequate supporting authority and discussion will be disregarded. Going forward, briefs 8 and arguments that are not in conformance with the Standing Order will be summarily denied. 9 Overall, the CAC did not present “a short and plain statement of the claim showing that the 10 || pleader is entitled to relief,” as Rule 8(a)(2) requires. It is dismissed and plaintiffs may file by 11 March 20, 2023, a second amended complaint that conforms to this order. No new claims or 12 || parties may be added without the Court’s prior consent. A failure to meet this deadline will result 13 in a dismissal of the case under Rule 41(b). IT IS SO ORDERED. 3 15 Dated: March 6, 2023 16

JAMES PONATO Z 18 United flates District Judge 19 20 21 22 23 24 25 26 27 28