1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 SOUTHERN DISTRICT OF CALIFORNIA 10 11 In re: SOLARA MEDICAL SUPPLIES, Case No.: 3:19-cv-2284-H-KSC LLC CUSTOMER DATA SECURITY 12 BREACH LITIGATION ORDER GRANTING IN PART AND 13 DENYING IN PART DEFENDANT’S
MOTION TO DISMISS; GRANTING 14 PLAINTIFFS THIRTY DAYS LEAVE 15 TO AMEND
16 [Doc. No. 31.] 17
18 This is a data privacy class action. On November 13, 2019, Solara Medical Supplies, 19 LLC (“Solara”) notified its customers of a security incident that may have compromised 20 the information related to certain individuals associated with Solara. This class action seeks 21 redress for that incident. On November 29, 2019, Plaintiff Juan Maldonado filed a 22 complaint alleging various common law and other state law causes of action. (Doc. No. 1.) 23 On January 7, 2020, the Court consolidated the Maldonado matter with two other pending 24 actions related to the same security incident. (Doc. No. 10.) On January 23, 2020, Plaintiffs 25 filed their Consolidated Class Action Complaint. (Doc. No. 24.) Plaintiffs seek to represent 26 a nationwide class of all persons “whose Personal and Medical Information was 27 compromised by the Data Breach.” (Doc. No. 24 ¶147.) Alternatively, Plaintiffs propose 28 1 representing subclasses based on state or on the type of personal and medical information 2 compromised. (Id. ¶¶152-153.) 3 On March 9, 2020, Defendant Solara filed a motion to dismiss. (Doc. No. 31.) On 4 March 30, 2020, Plaintiffs responded. (Doc. No. 32.) On April 6, 2020, Defendant replied. 5 (Doc. No. 34.) On April 10, 2020, Plaintiffs filed a Notice of Supplemental Authority 6 regarding the Ninth Circuit’s recent decision in In re Facebook, Inc. Internet Tracking 7 Litig. No. 17-17486, 2020 WL 1807978 (9th Cir. Apr. 9, 2020). (Doc. No. 35.) The Court 8 held a hearing on April 13, 2020 and requested supplemental briefing from the parties on 9 the application of In re Facebook to this case. (Doc. No. 37.) Stuart A. Davidson, William 10 B. Federman, and William M. Sweetnam appeared for Plaintiffs and Jon Peter Kardassakis 11 appeared for the Defendant. On April 24, 2020, Defendant filed its Objection to Plaintiffs’ 12 Notice of Supplemental Authority. (Doc. No. 40.) On May 1, 2020, Plaintiffs replied. (Doc. 13 No. 41.) For the following reasons, the Court GRANTS in part and DENIES in part 14 Defendant’s motion to dismiss. 15 I. Background 16 In this putative class action, Plaintiffs are six individuals who allege that their 17 personal and medical information was exposed after Solara’s computer systems were 18 compromised by cyber criminals in 2019. (Doc. No. 24.) Defendant Solara is a direct-to- 19 consumer supplier of medical devices related to the care of diabetes as well as a registered 20 pharmacy in the state of California. (Id. ¶1.) Solara’s principle place of business is 21 California. (Id.) Plaintiffs allege that between April 2, 2019 and June 20, 2019, cyber 22 criminals were able to gain access to Solara’s computer systems which contained the health 23 and personal information of tens of thousands of individuals (the “Breach”). (Id.) Plaintiffs 24 allege that a variety of personal information was exposed in the breach including names, 25 addresses, dates of birth, Social Security numbers, Employee Identification Numbers, 26 confidential medical information, health insurance information, Medicare and Medicaid 27 IDs, as well as financial information for thousands of individuals. (Id. ¶2) 28 1 On or around November 11, 2019, Plaintiffs received a letter from Solara regarding 2 the breach and offering “Plaintiffs and Class members twelve months of identity repair and 3 monitoring services.” (Id. ¶95.) On or around November 13, 2019, Solara issued a press 4 release notifying the public that on June 14, 2019, it had “determined that an unknown 5 actor gained access to a limited number of employee Office 365 accounts . . . .” (Id. ¶25.) 6 Plaintiffs further allege that these Office 365 accounts were not encrypted. (Id. ¶30.) 7 Plaintiff Juan Maldonado, a citizen of Pennsylvania, received a letter from Solara on 8 or around November 20, 2019, informing him that his “name, date of birth, medical 9 information, and health insurance information” had been compromised in the Breach. (Id. 10 ¶100.) Plaintiff Maldonado, alleges that on December 2, 2019, while visiting the hospital 11 for urgent medical care, he learned that his health insurance and billing information had 12 been changed. (Id. ¶101.) Plaintiff Maldonado alleges that he has also suffered stress and 13 anxiety as a result of the Breach. (Id. ¶102.)
14 Plaintiff Adam William Bickford, a citizen of Connecticut, received a letter from 15 Solara, on or around November 11, 2019, informing him that his “name, date of birth, and 16 medical information” was present on a Solara employee’s email account that was 17 compromised in the Breach. (Id. ¶106.) Plaintiff Bickford alleges that he has spent over 18 three hours responding to the threat posed by the data breach and has “noticed an increase 19 in medical-related spam phone calls . . . .” (Id. ¶108.) 20 Plaintiff Jeffrey Harris, a citizen of North Carolina, received a letter from Solara 21 informing him that his “name, date of birth, Social Security number, medical information, 22 billing/claims information, health insurance information, and Medicare ID/Medicaid ID” 23 was exposed by the Breach. (Id. ¶114.) Plaintiff Harris alleges that he has spent hours 24 addressing the data breach and has suffered anxiety as a result. (Id. ¶116.) 25 Plaintiff Alex Mercado, a citizen of California, received a letter from Solara 26 informing him that his “name, date of birth, Social Security number, medical information, 27 billing/claims information, health insurance information, and Medicare ID/Medicaid ID” 28 1 was exposed by the Breach. (Id. ¶125.) Plaintiff Mercado also alleges that he has suffered 2 anxiety as a result of the Breach. (Id. ¶129.) 3 Plaintiff Thomas Wardrop, a citizen of Michigan, received a letter from Solara 4 informing him that his “name, date of birth, medical information, billing and claims 5 information, and health insurance information was compromised in the Data Breach.” (Id. 6 ¶132.) Plaintiff Wardrop alleges that he has “experienced unexplained credit inquiries and 7 spam/phishing attempts that he believes are related to the Data Breach.” (Id. ¶135.) 8 Plaintiff Kristi Keally, legal guardian of minor plaintiff M.K., a citizen of 9 Pennsylvania, received a letter from Solara informing her that her minor child’s “name, 10 date of birth, medical information, medical insurance information, and billing and claims 11 information was compromised in the Data Breach.” (Id. ¶139.) Plaintiff Keally alleges that 12 she has “expended time and suffered loss of productivity from taking time to address and 13 attempt to” deal with the consequences of the Breach for M.K. (Id. ¶141.) 14 II. Legal Standards 15 Defendant moves to dismiss the claims of all Plaintiffs for failure to state a claim 16 under Federal Rule of Civil Procedure 12(b)(6). A defendant may move to dismiss a 17 complaint for failing to state a claim upon which relief can be granted under Rule 12(b)(6). 18 “Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable 19 legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v. 20 Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). To survive a 12(b)(6) 21 motion, a plaintiff must plead “enough facts to state a claim to relief that is plausible on its 22 face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible 23 when a plaintiff pleads “factual content that allows the court to draw the reasonable 24 inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 25 U.S. 662, 678 (2009). 26 In reviewing the plausibility of a complaint, courts “accept factual allegations in the 27 complaint as true and construe the pleadings in the light most favorable to the nonmoving 28 party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). 1 Nonetheless, courts do not “accept as true allegations that are merely conclusory, 2 unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Secs. Litig., 3 536 F.3d 1049, 1055 (9th Cir. 2008) (quoting Sprewell v. Golden State Warriors, 266 F.3d 4 979, 988 (9th Cir. 2001)). The Court also need not accept as true allegations that contradict 5 matter properly subject to judicial notice or allegations contradicting the exhibits attached 6 to the complaint. Sprewell, 266 F.3d at 988. 7 Additionally, claims sounding in fraud are subject to the heightened pleading 8 requirements of Rule 9(b) of the Federal Rules of Civil Procedure, which requires that a 9 plaintiff alleging fraud “must state with particularity the circumstances constituting fraud.” 10 Fed. R. Civ. P. 9(b); see Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir. 2009). 11 To satisfy the heightened standard under Rule 9(b), the allegations must be “specific 12 enough to give defendants notice of the particular misconduct which is alleged to constitute 13 the fraud charged so that they can defend against the charge and not just deny that they 14 have done anything wrong.” Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985). Thus, 15 claims sounding in fraud must allege “an account of the time, place, and specific content 16 of the false representations as well as the identities of the parties to the misrepresentations.” 17 Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (per curiam) (internal quotation 18 marks omitted); see also Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 19 2003) (“Averments of fraud must be accompanied by the who, what, when, where, and 20 how of the misconduct charged.”) (internal quotation marks omitted). 21 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the 22 court determines that the allegation of other facts consistent with the challenged pleading 23 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 24 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 25 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile, 26 the Court may deny leave to amend. See Desoto, 957 F.2d at 658; Schreiber, 806 F.2d at 27 1401. 28 1 III. Discussion 2 1. Negligence 3 Defendant argues that Plaintiffs cannot maintain a cause of action for negligence 4 because the economic loss doctrine bars their claims and because Plaintiffs cannot 5 adequately allege causation. (Doc. No. 31 at 4-6.) Plaintiffs argue that they fall within one 6 of the exceptions to the economic loss doctrine. (Doc No. 32 at 3-4.) Specifically, Plaintiffs 7 argue that they have: (1) pled non-economic harm, (2) that Solara owed them an 8 independent duty to safeguard their information, and (3) that a special relationship existed 9 between the parties. (Doc No. 32 at 3-4.) Plaintiffs also argue that they have adequately 10 alleged causation. (Id.) 11 To state a claim for negligence in California, a plaintiff must establish the following 12 elements: (1) the defendant had a duty, or an “obligation to conform to a certain standard 13 of conduct for the protection of others against unreasonable risks,” (2) the defendant 14 breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) 15 damages. Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009). 16 Generally, purely economic losses are not recoverable in tort. Seely v. White Motor 17 Co., 63 Cal. 2d 9, 16–17 (1965). “[T]he economic loss rule prevent[s] the law of contract 18 and the law of tort from dissolving one into the other.” Robinson Helicopter Co. v. Dana 19 Corp., 34 Cal. 4th 979, 988 (2004) (quotation omitted). The rule serves to “limit liability 20 in commercial activities that negligently or inadvertently go awry.” Id. at 991 n.7, 22 21 Cal.Rptr.3d 352, 102 P.3d 268. “Economic loss consists of damages for inadequate value, 22 costs of repair and replace of the defective product or consequent loss of profits—without 23 any claim of personal injury or damages to other property.” Id. at 272 (Cal. 2004) (internal 24 quotation marks omitted). Here, Plaintiffs have alleged they have lost time responding to 25 the Breach as well as suffering from increased anxiety and so do not allege purely economic 26 losses. (Doc. No. 24 ¶¶ 102, 108, 116, 129, 135, and 141.) The economic loss rule therefore 27 does not apply. See Bass v. Facebook, Inc., 394 F.Supp. 3d 1024, 1039 (N.D. Cal. 2019). 28 1 Since Plaintiffs have pled non-economic losses, the Court need not consider the remaining 2 two exceptions to the economic loss doctrine. 3 Defendant also argues that the negligence cause of action should be dismissed for 4 “the independent reason that plaintiffs are unable to allege” that the Breach caused them 5 cognizable, non-speculative harm. (Doc. No. 31 at 14.) Plaintiffs argue that they have 6 articulated specific “non-general damages in their costs and lost time caused by the 7 breach.” (Doc. No. 32 at 15.) The Court agrees. Increased time spent monitoring one’s 8 credit and other tasks associated with responding to a data breach have been found by 9 others courts to be specific, concrete, and non-speculative. See Bass, 394 F. Supp 3d at 10 1039; Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600, 2015 WL 3916744, 11 at *4 (C.D. Cal. June 15, 2015). The Court denies Defendant’s motion to dismiss Plaintiffs’ 12 negligence cause of action. 13 2. Negligence Per Se 14 Next, Defendant argues that Plaintiffs’ negligence per se claim is not an independent 15 cause of action but an evidentiary presumption. (Doc. No. 31 at 6-7.) Plaintiffs concede 16 that it is not a separate cause of action but argue that in order to invoke the presumption 17 they are “required to allege facts to support its application.” (Doc. No. 32 at 16.) 18 In order to invoke negligence per se under California law, Plaintiffs must allege four 19 essential elements: (1) Defendant violated a statute, ordinance or regulation of a public 20 entity; (2) the violation was the proximate cause of Plaintiff's injury; (3) the injury resulted 21 from an occurrence, the nature of which the statute, ordinance or regulation was designed 22 to prevent; and (4) the person suffering the injury was one of the class of persons for whose 23 protection the statute, ordinance or regulation was adopted. Carson v. Depuy Spine, Inc., 24 365 Fed.Appx. 812, 815 (9th Cir. 2010.); Cal. Evid. Code § 669.
25 Defendant is correct that negligence per se is not a separate cause of action but an 26 evidentiary doctrine. Plaintiffs are also correct that they need to allege facts supporting 27 application of the doctrine. Harris v. Burlington Northern Santa Fe Railroad., No. EDCV 28 09-197 ABC, 2013 WL 1212268, at *3 (C.D. Cal. July 12, 2013). To do so under the law, 1 Plaintiffs should plead facts to support application of the negligence per se doctrine within 2 the negligence cause of action in an amended complaint. As a result, the Court grants the 3 Defendant’s motion to dismiss the negligence per se cause of action without prejudice. 4 3. Breach of Contract 5 Defendant moves to dismiss Plaintiffs’ breach of contract claim arguing Plaintiffs 6 have not adequately alleged who entered into a contract with Solara. (Doc. No. 31 at 7.) 7 Defendant also argues that Plaintiffs fail to plead facts “demonstrating cognizable 8 damages.” (Id. at 8-9.) Plaintiffs argue that they have alleged entering into contracts with 9 Solara in exchange for medical supplies. (Doc. No. 32 at 7.) 10 Under California law, to state a claim for breach of contract, a plaintiff must plead 11 “the contract, plaintiffs’ performance (or excuse for nonperformance), defendant’s breach, 12 and damage to plaintiff therefrom.” Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1028 13 (N.D. Cal. 2012). A plaintiff must plead “appreciable and actual damage” in relation to 14 their breach of contract claim. Id. (citing Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 15 1010, 1015 (9th Cir. 2000)). “Nominal damages, speculative harm, or threat of future harm 16 do not suffice to show legally cognizable injury.” Id. 17 Plaintiffs’ complaint alleges that “Defendant entered into contracts with Plaintiffs 18 and Class Members.” (Doc. No. 24 ¶207.) “In an action for breach of a written contract, a 19 plaintiff must allege the specific provisions in the contract creating the obligation the 20 defendant is said to have breached.” Young v. Facebook, Inc., 790 F.Supp.2d 1110, 1117 21 (N.D. Cal. 2011); see also Miron v. Herbalife Int’l, Inc., 11 Fed.Appx. 927, 929 (9th Cir. 22 2001) (“The district court's dismissal of the Mirons’ breach of contract claims was proper 23 because the Mirons failed to allege any provision of the contract which supports their 24 claim.”). Plaintiffs argue that Solara’s “Notice of Privacy Practices” and “Patient Bill of 25 Rights” form the basis for their express contract claim. (Doc. No. 32 at 7-8.) Solara’s 26 Notice of Privacy Practices states that: 27 Solara Medical Supplies . . . is committed to protecting your privacy and understands the importance of safeguarding your personal health 28 1 information. We are required by federal law to maintain the privacy of health information that identifies you or that could be used to identify 2 you . . . . 3 (Doc. No. 24 ¶37.) And Solara’s Patient Bill of Rights enumerates the following rights: 4 The Client Bill of Rights is designed to recognize, promote, and protect, 5 an individual’s right to be treated with dignity and respect within the health care system. . . . As our client you have the right to . . . 6 Confidentiality of your records and Solara Medical Supplies, LLC 7 policy for accessing and disclosure of records.
8 (Id. ¶38.) Plaintiffs allege that these documents form the basis for their express 9 breach of contract claim and that every Plaintiff was provided with a copy of both 10 documents. (Id.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept 11 as true all facts alleged in the complaint and draws all reasonable inferences in favor of 12 the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 13 F.3d 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs’ 14 express breach of contract claim. 15 Next, Defendant argues that Plaintiffs have not pled facts “demonstrating 16 cognizable damage.” (Doc. No. 31 at 8.) Plaintiffs argue that they have adequately pled a 17 diminution in the value of their personal information as a result of the Breach. (Doc. No. 18 32 at 8.) The dissemination of one’s personal information can satisfy the damages element 19 of a breach of contract claim. See In re Facebook Privacy Litigation., 572 Fed.Appx. 494 20 (9th Cir. 2014). As a result, the Court declines to dismiss Plaintiffs’ breach of express 21 contract claim. 22 4. Breach of Implied Contract 23 As an alternative theory, Plaintiffs plead breach of an implied contract. “An 24 implied-in-fact contract requires proof of the same elements necessary to evidence an 25 express contract: mutual assent or offer and acceptance, consideration, legal capacity and 26 lawful subject matter.” Northstar Financial Advisors Inc. v. Schwab Investments, 779 F.3d 27 28 1 1036, 1050–51 (9th Cir. 2015). Plaintiffs have adequately alleged facts to support a theory 2 of breach of implied contract in the alternative to breach of express contract. 3 5. Breach of Implied Covenant of Good Faith and Fair Dealing 4 Defendant moves to dismiss Plaintiffs’ claim for a breach of the implied covenant 5 of good faith and fair dealing arguing that Plaintiffs fail to allege a conscious and deliberate 6 act” by Solara to frustrate the purposes of the parties’ agreement. (Doc. No. 31 at 11.) 7 Plaintiffs argue that Solara’s security failures were “conscious and deliberate.” (Doc. No. 8 32 at 11.) 9 Under California law, “[e]very contract imposes on each party a duty of good faith 10 and fair dealing in each performance and its enforcement.” Carson v. Mercury Ins. Co., 11 210 Cal. App. 4th 409, 429 (2012) (internal quotation marks omitted). “The covenant ‘is 12 based on general contract law and the long-standing rule that neither party will do anything 13 which will injure the right of the other to receive the benefits of the agreement.’” Rosenfeld 14 v. JP Morgan Chase Bank, N.A., 732 F. Supp. 2d 952, 968 (N.D. Cal. 2010) (quoting 15 Waller v. Truck Ins. Exchange, Inc., 11 Cal. 4th 1, 36 (1995)). In order to establish a breach 16 of the covenant of good faith and fair dealing, a plaintiff must show: “(1) the parties entered 17 into a contract; (2) the plaintiff fulfilled his obligations under the contract; (3) any 18 conditions precedent to the defendant’s performance occurred; (4) the defendant unfairly 19 interfered with the plaintiff's rights to receive the benefits of the contract; and (5) the 20 plaintiff was harmed by the defendant's conduct.” Id. “California law makes clear that 21 establishing breach of the implied covenant requires proof of a conscious and deliberate 22 act, which unfairly frustrates the agreed common purpose of the agreement.” Claridge v. 23 RockYou, Inc., 785 F.Supp.2d 855, 865 (N.D. Cal. 2011). 24 Plaintiffs argue that Solara’s security failures are evidence of a conscious and 25 deliberate act. They argue that Solara’s actions were “plausibly conscious and deliberate 26 since they contravened Solara’s own policies and violated various laws and regulations 27 including HIPPA requirements.” (Doc. No. 32 at 11.) Plaintiffs argue that Solara should 28 “have known about its weakness toward email-related threats” and yet failed to take action. 1 (Doc. No. 1. ¶71.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept 2 as true all facts alleged in the complaint and draws all reasonable inferences in favor of the 3 claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 4 938, 945 (9th Cir. 2014). Defendant’s arguments are better suited for a motion for summary 5 judgment when the record is more fully developed. Accordingly, the Court declines to 6 dismiss Plaintiffs’ claim for a breach of the covenant of good faith and fair dealing at this 7 time. 8 6. Unjust Enrichment 9 Defendant moves to dismiss Plaintiffs’ unjust enrichment claim arguing that “there 10 is no cause of action in California for unjust enrichment. (Doc. No. 31 at 11.) Plaintiffs 11 argue that this is not the case. (Doc. No. 32 at 12.) Plaintiffs are correct. “The California 12 Supreme Court has clarified California law and allowed independent claims for unjust 13 enrichment to proceed.” Bruton v. Gerber Prod. Co., 703 Fed.Appx. 468, 470 (9th Cir. 14 2017) (citing Hartford Cas. Ins. Co. v. J.R. Mktg., 61 Cal. 4th 988, 1000 (2015)). 15 Accordingly, the Court declines to dismiss Plaintiffs’ unjust enrichment claim. 16 7. California Confidentiality of Medical Information Act Claim 17 Solara moves to dismiss Plaintiffs’ California Confidential of Medical Information 18 Act (“CMIA”) claims, which arise under California Civil Code sections 56.101(a) and 19 56.36(b). Section 56.101(a) requires health care providers to maintain medical information 20 “in a manner that preserves the confidentiality of the information contained therein” and 21 creates a private right of action, enforced through section 56.36(b), for patients’ whose 22 health care provider “negligently creates, maintains, preserves, stores, abandons, destroys, 23 or disposes of medical information.” Cal. Civ. Code § 56.101(a). 24 Under section 56.36(b), “any individual may bring an action against any person or 25 entity who has negligently released information concerning him or her in violation of this 26 part for . . . nominal damages of one thousand dollars ($1,000).” Cal. Civ. Code § 27 56.36(b)(1). When suing for nominal damages, plaintiffs do not have to prove they 28 “suffered or [were] threatened with actual damages,” Cal. Civ.Code § 56.36(b)(1), but they 1 must plead that an unauthorized third party viewed or accessed their confidential 2 information. Regents of the Univ. of Cal. v. Super Ct., 220 Cal.App. 4th 549, 570 (2013); 3 Sutter Health v. Super Ct., 227 Cal.App. 4th 1546, 1555 (2014) (“[W]ithout an actual 4 confidentiality breach, a health care provider has not violated section 56.101 and therefore 5 does not invoke the remedy provided in section 56.36.”). 6 Defendant argues that the CMIA claim should be dismissed because the statute 7 requires an “affirmative act of communication” and that Plaintiffs do not plead that an 8 unauthorized person actually viewed their confidential medical information. (Doc. No. 31 9 at 12-13.) Solara also argues that the employee email accounts at issue are not subject to 10 the electronic health record system provision of California Civil Code §56.101(b). (Id.) 11 Plaintiffs argue that they are not required to allege an “affirmative disclosure” by Solara at 12 the pleading stage. (Doc. No. 32 at 13.) Furthermore, Plaintiffs argue that they have alleged 13 that their “medical information was actually viewed in the breach.” (Id.) Plaintiffs also 14 argue that email accounts are subject to California Civil Code §56.101(b). (Id. at 15.) 15 The CMIA does not require an affirmative act of communication by the Defendant. 16 Section 56.101(a) obligates every provider of health care “who creates, maintains, 17 preserves, stores, abandons, destroys, or disposes of medical information shall do so in a 18 manner that preserves the confidentiality of the information contained therein” and that any 19 health care provider who “who negligently creates, maintains, preserves, stores, abandons, 20 destroys, or disposes of medical information shall be subject to the remedies and penalties 21 provided under subdivisions (b) and (c) of Section 56.36.” The plain text of the statute does 22 not require an affirmative disclosure by the medical provider to create liability but in fact 23 creates a remedy for those who store records negligently. California courts that have had 24 occasion to consider Defendant’s argument have rejected it. See Regents of Univ. of Cal. 25 v. Superior Court, 220 Cal. App. 4th 549, 568 (2013). 26 Next, Defendant’s argument that Plaintiffs have not pled unauthorized viewing of 27 their medical records is unavailing. Plaintiffs have plausibly pled facts that could give rise 28 to the inference that their medical information has been viewed by an unauthorized third 1 party. Plaintiffs attach to their complaint letters they received from Solara indicating that 2 their information was exposed in the breach. (Doc. No. 24 Exh. 1-6.) Plaintiffs have also 3 pled an increase in medical-related spam emails and phone calls following the data breach. 4 (Id. ¶¶108, 117, 128, 135.) These events plausibly give rise to the inference that Plaintiffs’ 5 information was exposed in the Breach. 6 Finally, Defendant’s argument that no electronic health record system is at issue in 7 Plaintiffs’ complaint is not persuasive. The text of the statute broadly defines “electronic 8 medical record” as “an electronic record of health-related information on an individual that 9 is created, gather, managed, and consulted by authorized health care clinicians and staff.” 10 §56.101(c). Defendant’s arguments are better suited for a motion for summary judgment 11 when the record is more fully developed as to whether the communications are subject to 12 the CMIA. In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true 13 all facts alleged in the complaint and draws all reasonable inferences in favor of the 14 claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 15 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs’ CMIA 16 claim. 17 8. California Consumer Records Act 18 Next, Defendant moves to dismiss Plaintiffs’ California Records Act Claim 19 (“CRA”). (Doc. No. 31 at 14.) The CRA “regulates businesses with regard to treatment 20 and notification procedures relating to their customers’ personal information.” Corona v. 21 Sony Pictures Ent'mt, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Plaintiffs allege 22 that Defendant violated § 1798.82 of the CRA. This provision provides, in relevant part: 23 A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose 24 a breach of the security of the system following discovery or notification of 25 the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have 26 been, acquired by an unauthorized person . . . . 27 28 1 Cal. Civ. Code § 1798.82(a). The statute requires that disclosure “shall be made in the most 2 expedient time possible and without unreasonable delay.” Id. The statute also describes the 3 information that must be included in the security breach notification and the form that the 4 security breach notification must take. See § 1798.82(d). 5 To allege a “cognizable injury” arising from Defendant’s alleged failure to timely 6 notify Plaintiffs of the Data Breach, Plaintiffs must allege “incremental harm suffered as a 7 result of the alleged delay in notification,” as opposed to harm from the Data Breach itself. 8 Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at *7 (S.D. Cal. 9 Nov. 3, 2016); see also In re Sony Gaming Networks, 996 F. Supp. 2d 942, 1010 (S.D. Cal 10 Jan. 21, 2014) (“[A] plaintiff must allege actual damages flowing from the unreasonable 11 delay (and not the intrusion itself) in order to recover actual damages”). 12 Where Plaintiffs have failed to allege injury arising from a Defendant’s “delayed 13 notification,” courts have dismissed § 1798.82 claims. See, e.g., Dugas, 2016 WL 6523428, 14 at *7 (dismissing § 1798.82 claim because Plaintiff did not allege “what, if any, concrete 15 harm resulted from Defendants’ alleged failure to promptly notify [its] customers of the 16 data breach”); In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 (dismissing § 1798.82 17 claim where plaintiffs “failed to allege how” a ten-day delay in notification caused 18 plaintiffs’ injuries). 19 Defendant argues that the CRA claim should be dismissed because Plaintiffs fail to 20 allege damages as a result of the alleged delay in notification. (Doc. No. 31 at 14.) Plaintiffs 21 argue that “Solara waited nearly five months after discovering the breach” to notify them 22 and that this delay prevented Plaintiffs from taking steps to protect their personal 23 information from identify theft. (Doc. No. 32 at 23.) Plaintiffs have adequately alleged 24 incremental harm as a result of Solara’s five-month delay in notification. See In re Yahoo! 25 Inc. Customer Data Security Breach Litig., 2017 WL 37277318 (N.D. Cal. Aug. 30, 2017) 26 (finding incremental harm adequately pled in a data breach case when plaintiffs plausibly 27 alleged that they could not take mitigation steps based upon delay). Defendant’s arguments 28 1 are better suited for a motion for summary judgment when the record is more fully 2 developed. As a result, the Court declines to dismiss Plaintiffs’ CRA claim at this time. 3 9. California Unfair Competition Law 4 California's Unfair Competition Law (“UCL”) provides a cause of action for 5 business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. 6 Code § 17200, et seq. Each prong of the UCL provides a “separate and distinct theory of 7 liability.” Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). 8 Plaintiffs allege that Defendant’s conduct violated all three prongs of the UCL. Defendant 9 argues that Plaintiffs’ UCL claims fail for several reasons. First, Defendant argues that 10 Plaintiffs lack standing to bring claims under the UCL. Second, Defendant argues that the 11 UCL claim fails to satisfy Rule 9(b). Third, Defendant argues that Plaintiffs have not pled 12 that Defendant’s actions were either unlawful or unfair. The Court addresses each of these 13 arguments below. 14 a. UCL Standing 15 In order to establish standing for a UCL claim, Plaintiffs must show that they 16 personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof. 17 Code § 17204; Kwikset Corp. v. Sup. Ct., 51 Cal. 4th 310, 330 (2011). The California 18 Supreme Court has explained standing. 19 There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction 20 more, or acquire in a transaction less, than he or she otherwise would have; 21 (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; (4) be 22 required to enter into a transaction, costing money or property, that would 23 otherwise have been unnecessary. Id. at 323. 24 Defendant argues that “Plaintiffs fail to allege actual lost money or property.” (Doc. 25 No. 31 at 15.) Plaintiffs respond that they have all experienced injury under the UCL in 26 two legally cognizable ways. First, Plaintiffs “acquired less in their transactions with Solara 27 than they would have if Solara had sufficiently protected their Personal Information.” (Doc. 28 1 No. 32 at 16-17.) Second, Plaintiffs lost “their legally protected interest in their Personal 2 Information” as a result of the breach. (Id.) 3 Plaintiffs first theory of damages is sufficient to establish standing under the UCL. 4 Courts in California have consistently held that benefit of the bargain damages represents 5 economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig., 66 6 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (finding standing under the UCL because “[f]our 7 of the six [p]laintiffs allege they personally spent more on Adobe products than they would 8 had they known Adobe was not providing the reasonable security Adobe represented it was 9 providing.”); In re LinkedIn User Privacy Litig., 2014 WL 1323713, *4 (N.D. Cal. Mar. 10 28, 2014) (finding that benefit of the bargain losses are “sufficient to confer . . . statutory 11 standing under the UCL.”). Taken together, Kwikset, In re Adobe, and In re LinkedIn 12 demonstrate that benefit of the bargain losses, as alleged in the consolidated amended 13 complaint, constitute economic injury cognizable under the UCL. Here, Plaintiffs have all 14 pled that “they acquired less in their transactions with Solara than they would have if Solara 15 had sufficiently protected their Personal Information.” (Doc. No. 24 ¶¶78-95.) These 16 allegations are enough to establish standing for purposes of the UCL. 17 b. Rule 9(b) 18 “To state a claim under the ‘fraud’ prong of [the UCL], a plaintiff must allege facts 19 showing that members of the public are likely to be deceived by the alleged fraudulent 20 business practice.” Antman v. Uber Technologies, Inc., 2015 WL 6123054, *6 (N.D. Cal. 21 Oct. 19, 2015). Claims stated under the fraud prong of the UCL are subject to the 22 particularity requirements of Federal Rule of Civil Procedure 9(b). Kearns v. Ford Motor 23 Co., 567 F. 3d 1120, 1125 (9th Cir. 2009). Under Rule 9(b), “[i]n alleging fraud or mistake, 24 a party must state with particularity the circumstances constituting fraud or mistake.” Fed. 25 R. Civ. P. 9(b). Plaintiffs must include “an account of the time, place, and specific content 26 of the false representations” at issue. Swartz v. KPMG LLP, 476 F.3d 756 (9th Cir. 2007). 27 Lastly, a plaintiff must plead that he or she “actually relied on the misrepresentation or 28 omission” to bring a UCL claim. Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033, 1047 (N.D. 1 Cal. 2014) (citing In re Tobacco II Cases, 46 Cal. 4th 298, 326 (2009)). “This showing of 2 actual reliance under the UCL requires a plaintiff to allege that ‘the defendant’s 3 misrepresentation or nondisclosure was an immediate cause of the plaintiff’s injury- 4 producing conduct.’” Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190, 1220 (N.D. Cal. 5 2014) (quoting In re Tobacco II, 46 Cal. 4th at 326). Defendant argues that Plaintiffs’ 6 fraudulent misrepresentation and omission claims fail. The Court will address each now. 7 i. Fraudulent Misrepresentation 8 Plaintiffs’ fraudulent misrepresentation claims stem from Solara’s statements in (1) 9 its Notice of Privacy Practices, (2) its patient Bill of Rights, (3) the Privacy Policy for its 10 software application and (4) the Terms and Conditions for it’s website. (Doc. No. 32 at 17- 11 18.) Defendant argues that “no plaintiff alleges who they received these statements from, 12 how they received them, when, or where.” (Doc. No. 31 at 16.) 13 All Plaintiffs allege that they were given a copy of the Notice of Privacy Practices 14 and the Patient Bill of Rights. However, Defendant is correct that Plaintiffs fail to 15 adequately plead their misrepresentation claim to the extent they rely on statements in the 16 Privacy Policy for Solara’s software application and the Terms and Service of their 17 website. Plaintiffs do not allege having been exposed to the statements in either the 18 software application or Solara’s website. Accordingly, to the extent Plaintiffs’ UCL claim 19 is premised on statements in the Privacy Policy and the Terms of Service, the Court grants 20 Defendant’s motion to dismiss the fraudulent misrepresentation claim. 21 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the 22 court determines that the allegation of other facts consistent with the challenged pleading 23 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 24 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 25 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile, 26 the Court may deny leave to amend. See Desoto, 957 F.2d at 658; Schreiber, 806 F.2d at 27 1401. The Court permits Plaintiffs an attempt to cure the deficiency under the UCL 28 1 fraudulent misrepresentation prong under the standards of Rule 9(b) in an amended 2 complaint if they can do so. 3 ii. Fraudulent Omission 4 For an omission to be actionable under the UCL, “the omission must be contrary to 5 a representation actually made by the defendant, or an omission of a fact the defendant was 6 obliged to disclose.” Daugherty v. Am. Honda Motor Co., 144 Cal.App.4th 824, 835 7 (2006); see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal.App.4th 1544, 1557 (2007) 8 (“[A] failure to disclose a fact one has no affirmative duty to disclose is [not] ‘likely to 9 deceive’ anyone within the meaning of the UCL.” (quoting Daugherty, 144 Cal.App.4th at 10 838, 51 Cal.Rptr.3d 118)). There are four circumstances in which a duty to disclose may 11 arise: “(1) when the defendant is the plaintiff's fiduciary; (2) when the defendant has 12 exclusive knowledge of material facts not known or reasonably accessible to the plaintiff; 13 (3) when the defendant actively conceals a material fact from the plaintiff; [or] (4) when 14 the defendant makes partial representations that are misleading because some other 15 material fact has not been disclosed.” Collins v. eMachines, Inc., 202 Cal.App.4th 249, 255 16 (2011). “[A] fact is deemed ‘material,’ and obligates an exclusively knowledgeable 17 defendant to disclose it, if a ‘reasonable [consumer]’ would deem it important in 18 determining how to act in the transaction at issue.” Id. at 256, 134 Cal.Rptr.3d 588 (citing 19 Engalla v. Permanente Med. Grp., Inc., 15 Cal.4th 951, 977 (1997)). 20 Plaintiffs claim that Solara had exclusive knowledge of the fact that its security 21 practices fell short of industry standards, and that this fact was material. (Doc. No. 32 at 22 20.) Plaintiffs also claim that Solara had a duty to disclose this fact, and that Solara's failure 23 to do so is an actionable omission under the UCL. (Id.) Defendant argues that Plaintiffs fail 24 to plead a duty to disclose. (Doc. No. 31 at 26.) 25 Plaintiffs have adequately pled a duty to disclose based upon Defendant’s exclusive 26 knowledge of the alleged inadequacy of its security measures. Plaintiffs adequately allege 27 that the omission was a material fact. (Doc. No. 24 ¶¶24-35, 341.) As a result, the Court 28 declines to dismiss Plaintiffs’ fraudulent omission UCL claim. 1 iii. Unlawful 2 “The unlawful prong of the UCL prohibits anything that can properly be called a 3 business practice and that at the same time is forbidden by law.” In re Adobe, 66 F.Supp.3d 4 at 1225 (internal quotation marks omitted). “Generally, violation of almost any law may 5 serve as a basis for a UCL claim.” Antman v. Uber Technologies, Inc., 2015 WL 6123054, 6 *6 (N.D. Cal. Oct. 19, 2015) (internal quotation marks omitted). However, a UCL claim 7 “must identify the particular section of the statute that was violated, and must describe with 8 reasonable particularity the facts supporting the violation.” Baba v. Hewlett–Packard Co., 9 2010 WL 2486353, *6 (N.D. Cal. June 16, 2010) (internal quotation marks omitted). 10 Defendant argues that Plaintiffs have failed to allege conduct that equates to a 11 violation of another law. (Doc. No. 31 at 27.) Plaintiffs argue that they have alleged that 12 Solara has unlawfully violated “the CMIA, the California Consumer Records Act, and 13 several state laws.” (Doc. No. 32.) The Court agrees. Defendant’s arguments are better 14 suited for a motion for summary judgment when the record is more fully developed. As a 15 result, the Court denies Defendant’s motion to dismiss Plaintiffs’ unlawful UCL claim at 16 this time. 17 iv. Unfair 18 The “unfair” prong of the UCL creates a cause of action for a business practice that 19 is unfair even if not proscribed by some other law. Korea Supply Co. v. Lockheed Martin 20 Corp., 29 Cal. 4th 1134, 1143 (2003). “The UCL does not define the term ‘unfair’ . . . [and] 21 the proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among 22 California courts.” Id. 23 The balancing approach requires the Court to “weigh the utility of the defendant’s 24 conduct against the gravity of the harm to the alleged victim.” Davis v. HSBC Bank 25 Nevada, N.A., 691 F.3d 1152, 1169 (9th Cir. 2012) (internal quotation marks omitted). 26 Plaintiffs “may proceed with a UCL claim under the balancing test by either alleging 27 immoral, unethical, oppressive, unscrupulous or substantially injurious conduct by 28 Defendants or by demonstrating that Defendants' conduct violated an established public 1 policy.” Anthem, 162 F. Supp. 3d at 990. In opposition, Defendant argues that Plaintiffs’ 2 claims are insufficient. (Doc. No. 31 at 19-20.) 3 At this stage of the proceeding, Plaintiffs’ complaint sufficiently alleges that 4 Defendant’s conduct was unfair. Here, Plaintiffs allege that Solara advertised “adequate 5 data privacy and security practices and procedures” when such practices were deficient. 6 (Doc. No. 24 ¶241.) Plaintiffs allege that a variety of personal information was exposed in 7 the breach including: names, addresses, dates of birth, Social Security numbers, Employee 8 Identification Numbers, confidential medical information, health insurance information, 9 Medicare and Medicaid IDs, as well as financial information for thousands of individuals. 10 (Id. ¶2). They further allege that Solara promised to protect their privacy and understood 11 the importance of protecting health information. Plaintiffs additionally allege that Solara’s 12 action were plausibly conscious and deliberate since they contravened Solara’s own 13 policies and violated various laws and regulations including HIPPA requirements.” (Doc. 14 No. 32 at 11.). Plaintiffs also allege that Solara should have known about its weakness 15 toward email related threats and failed to take action to prevent the Breach. 16 Defendant’s arguments are better suited for a motion for summary judgment when 17 the record is more fully developed. Under Anthem, Plaintiffs have sufficiently alleged that 18 Defendant’s conduct has violated public policy. 162 F. Supp. 3d at 990. Accordingly, the 19 Court declines to dismiss the unfair prong of Plaintiffs’ UCL claim at this time. 20 10. Connecticut Unfair Trade Practices Claim 21 Defendant moves to dismiss Plaintiff Bickford’s Connecticut Unfair Trade Practices 22 Claim (“CUTPA”). The CUTPA provides: “No person shall engage in unfair methods of 23 competition and unfair or deceptive acts or practices in the conduct of any trade or 24 commerce.” Conn. Gen. St. § 42–110b(a). “Any person who suffers any ascertainable loss 25 of money or property, real or personal, as a result of the use or employment of a method, 26 act or practice prohibited by section 42–110b, may bring an action” to recover actual 27 damages, punitive damages, and equitable relief. Conn. Gen. St. 42–110g(a). 28 1 Defendant argues that Plaintiff Bickford lacks standing and fails to allege a violation 2 of the CUTPA. Plaintiff Bickford argues that his “benefit of the bargain” losses are 3 sufficient to satisfy standing and that he has adequately alleged a violation of the CUTPA. 4 The Supreme Court of Connecticut held that “[w]henever a consumer has received 5 something other than what he bargained for, he has suffered a loss of money or property.” 6 Hinchliffe v. Ameican Motors Corp., 440, A.2d 810, 814 (Ct. 1981). Plaintiff Bickford 7 alleges that he has suffered an injury based on “the difference in value between what 8 Plaintiff Bickford should have received from Defendant when Defendant represented 9 Plaintiff Bickford’s Personal and Medical Information would be protected by reasonable 10 data security and Defendant’s defective and deficient performance of that obligation . . . .” 11 (Doc. No. 24 ¶114.) These allegations are sufficient to satisfy CUPTA’s standing 12 requirement. 13 Next, Defendant argues that Plaintiff Bickford failed to plead a violation of the 14 CUPTA. The elements are “substantially the same as those alleged under the California 15 UCL claim.” (Doc. No. 31 at 21.) Plaintiff Bickford argues that he has plausibly alleged 16 that “Solara’s inadequate security measures violated various statutes and the well- 17 established public policy of protecting people’s personal information . . . .” (Doc. No. 32.) 18 The Court agrees. 19 The CUTPA is to be construed in accord with interpretations by the Federal Trade 20 Commission and by the federal courts of the Federal Trade Commission Act. Conn. Gen. 21 St. § 42–110b(b). The FTC weights the following factors in determining whether a practice 22 is unfair: 23 1) Whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by 24 statutes, the common law, or otherwise-whether, in other words, it is within 25 at least the penumbra of some common law, statutory, or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or 26 unscrupulous; (3) whether it causes substantial injury to consumers . . . . 27 28 1 Cheshire Mortgage Serv. Inc. v. Montes, 223 Conn. 80, 612 A.2d 1130, 1143 (1992). Here, 2 Plaintiff Bickford alleges that “Defendant engaged in unlawful, unfair, and deceptive acts 3 and practices with respect to the sale of medical supplies by failing to disclose the Data 4 Breach to the alternative Connecticut Class in a timely and accurate manner” and by 5 “failing to take proper action following the Data Breach to enact adequate privacy and 6 security measures and protect the alternative Connecticut Class’ Personal and Medical 7 Information from further unauthorized disclosure, release, data breach, and theft.” (Doc. 8 No. 24 ¶293.) 9 In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all 10 facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. 11 See Retail Prop. Trust, 768 F.3d 938, 945 (9th Cir. 2014). Defendant’s arguments are better 12 suited for a motion for summary judgment when the record is more fully developed. As a 13 result, the Court denies Defendant’s motion to dismiss Plaintiff Bickford’s CUPTA claim. 14 11. Michigan Consumer Protection Act Claim 15 Defendant moves to dismiss Plaintiff Wardrop’s Michigan Consumer Protection Act 16 (“MCPA”) claim. (Doc. No. 32 at 26). The MCPA prohibits “[u]nfair, unconscionable, or 17 deceptive methods, acts, or practices in the conduct of trade or commerce [.]” Mich. Comp. 18 Laws Ann. § 445.903(1). A plaintiff can pursue a claim under the MCPA based on fraud, 19 deception, or breach of express or implied warranties. See Parsley v. Monaco Coach Corp., 20 327 F.Supp.2d 797, 807 (W.D. Mich. 2004). 21 Defendant argues that Plaintiff Wardrop lacks standing and fails to allege a violation 22 of the MCPA. (Doc. No. 31 at 23.) Plaintiff Wardrop argues that his “benefit of the bargain” 23 and non-economic losses are sufficient to satisfy standing. (Doc. No. 32 at 26-27.) Plaintiff 24 is correct. 25 Courts in Michigan have interpreted the MCPA to allow for damages for a 26 “frustration of the plaintiff’s expectation” as well as other non-economic harms. Mayhall 27 v. A.H. Pond Co., 341 N.W.2d 268, 271-72 (Mich. App. 1983); Avery v. Indus Mortg. Co., 28 135 F. Supp. 2d 840, 845 (W.D. Mich. 2001). Plaintiff Wardrop alleges that he has suffered 1 damages in the form of the “the difference in value between what Plaintiff Wardrop should 2 have received from Defendant when Defendant represented Plaintiff Wardrop’s Personal 3 and Medical Information would be protected by reasonable data security and Defendant’s 4 defective and deficient performance of that obligation.” (Doc. No. 24 ¶138.) Plaintiff 5 Wardrop also alleges anxiety as a result of the breach. (Doc. No. 24 ¶136.) These 6 allegations are sufficient to satisfy the standing requirement of the MCPA. 7 Next, Solara argues that Plaintiff Wardrop has not “pled fraudulent conduct” and 8 therefore “has not pled a violation of the MCPA based on fraudulent representation with 9 the particularity required under Rule 9(b).” (Doc. No. 31 at 24.) Defendant also maintains 10 that Plaintiff’s allegations are “substantially the same as his allegations for fraudulent 11 conduct under the California UCL.” (Id. at 24.) The Court has granted the motion to dismiss 12 the fraudulent misrepresentation claim under the UCL to the extent it is premised on 13 statements in Solara’s Privacy Policy and the Terms of Service but denied the remainder 14 of Defendant’s motion. 15 Plaintiff Wardrop alleges fraudulent acts consisting of misrepresentation and 16 concealment but he fails to allege the fraudulent misrepresentation with the particularity 17 required by Rule 9(b). Plaintiff Wardrop fails to adequately plead misrepresentation to the 18 extent it is premised on statements in Solara’s Privacy Policy and the Terms of Service. 19 Plaintiff Wardrop has not alleged that he has been exposed to the statements in either 20 document. As a result, the Court grants Defendant’s motion to dismiss Plaintiff Wardrop’s 21 MCPA claim for failure to plead the fraudulent misrepresentation claim with particularity 22 under Rule 9(b). 23 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the 24 court determines that the allegation of other facts consistent with the challenged pleading 25 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 26 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 27 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile, 28 the Court may deny leave to amend. See Desoto, 957 F.2d at 658; Schreiber, 806 F.2d at 1 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent 2 misrepresentation claim from an amended complaint. 3 12. Michigan Identify Theft Protection Act Claim 4 Next, Defendant moves to dismiss Plaintiff Wardrop’s claim under the Michigan 5 Identify Theft Protection Act (“ITPA”). (Doc. No. 31 at 28.) The ITPA requires businesses 6 to provide notice of a security breach, “without unreasonable delay” to a Michigan resident 7 if that resident's unencrypted and unredacted “personal information” was accessed by an 8 unauthorized person. Mich. Comp. Laws § 445.72(1). “Personal information” is defined as 9 a person's “first name or first initial and last name” linked to one or more data elements 10 including a “credit or debit card number, in combination with any required security code, 11 access code, or password that would permit access to any of the resident's financial 12 accounts.” Id. at § 445.63(r). The ITPA notice provision applies when the business 13 discovers a security breach or receives notice of a security breach, unless the breach is not 14 likely to cause harm. Id. at § 445.7 15 Defendant argues that Plaintiff Wardrop’s claim must be dismissed because the 16 statute only allows recovery of a fine through state prosecution. (Doc. No. 31 at 28.) 17 Michigan law provides for a civil fine for a violation of the data-breach notice statute, and 18 that the “attorney general or a prosecuting attorney may bring an action to recover” that 19 fine. Mich. Comp. Laws § 445.72(13). However, the statute also provides that the quoted 20 subsection 13 does “not affect the availability of any civil remedy for a violation of state 21 or federal law.” Id. § 445.72(15). Courts have found that consumers may bring a civil action 22 to enforce Michigan's data-breach notice statute through Michigan's consumer-protection 23 statute or other laws. In re Target Corp. Data Sec. Breach Litig., 66 F.Supp.3d 1154, 1169 24 (D. Minn. 2014). 25 Next, Defendant argues that Plaintiff Wardrop fails to allege an “unreasonable 26 delay” by Solara in notifying him of the Breach. Plaintiff Wardrop alleges that Solara 27 discovered the data breach on June 28, 2019 but did not notify him of its occurrence until 28 nearly five months later. (Doc. No. 32 at 39.) Plaintiff Wardrop also alleges experiencing 1 “unexplained credit inquires and spam/phishing attempts” as a result of the Breach. (Doc. 2 No. 24 ¶135.) Plaintiff Wardrop further alleges that this delay prevented him from taking 3 steps to protect his personal information from identify theft. (Doc. No. 32 at 23.) In 4 reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged 5 in the complaint and draws all reasonable inferences in favor of the claimant. See Retail 6 Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 7 2014). As a result, the Court denies the motion to dismiss Plaintiff Wardrop’s ITPA claim. 8 13. North Carolina Deceptive Trade Practices Act Claim 9 Defendant also moves to dismiss Plaintiff Harris’s claim under the North Carolina 10 Deceptive Trade Practices Act (“NCUDTPA”). Under the NCUDTPA a plaintiff must 11 demonstrate the following: (1) the defendant committed an unfair or deceptive trade 12 practice; (2) the action in question was in or affecting commerce; and (3) the act 13 proximately caused injury to the plaintiff. Spartan Leasing v. Pollard, 101 N.C.App. 450, 14 400 S.E.2d 476, 482 (1991). An act is unfair when it is unethical or unscrupulous, and it is 15 deceptive if it tends to deceive. Marshall v. Miller, 302 N.C. 539, 276 S.E.2d 397, 403 16 (1981). 17 Defendant argues that the claim must be dismissed because Plaintiff Harris has failed 18 to plead facts showing “actual damages.” (Doc. No. 31 at 25.) Plaintiff Harris alleges that 19 he has adequately alleged damages by describing significant distress and anxiety as a result 20 of the Breach. (Doc. No. 24 ¶325.) Plaintiff Harris also alleges that he was “subjected to a 21 barrage of spam calls” and was “prevented from protecting himself sooner.” (Id.) These 22 allegations satisfy the injury requirement of the NCUDTPA. See e.g., Salami v. JPMorgan 23 Chase Bank, N.A., 2019 WL 2526467, at *8 (M.D.N.C. June 19, 2019). 24 Defendant also argues that the NCUDTPA claim sounds in fraud and must be plead 25 with particularity and therefore the claim fails “for the same reasons . . . the California 26 UCL claim” does. (Id. at 26.) The Court has granted the motion to dismiss the fraudulent 27 misrepresentation claim under the UCL to the extent it is premised on statements in 28 1 Solara’s Privacy Policy and the Terms of Service but denied the remainder of Defendant’s 2 motion. 3 Plaintiff Harris alleges fraudulent acts consisting of misrepresentation and 4 concealment but he fails to allege the fraudulent misrepresentation with the particularity 5 required by Rule 9(b). Plaintiff Harris fails to adequately plead misrepresentation to the 6 extent it is premised on statements in Solara’s Privacy Policy and the Terms of Service. 7 Plaintiff Harris has not alleged that he has been exposed to the statements in either 8 document. As a result, the Court grants Defendant’s motion to dismiss Plaintiff Harris’s
9 NCUDTPA claim for failure to plead the fraudulent misrepresentation claim with 10 particularity under Rule 9(b). 11 Where a motion to dismiss is granted, “leave to amend should be granted ‘unless the 12 court determines that the allegation of other facts consistent with the challenged pleading 13 could not possibly cure the deficiency.’” DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 14 655, 658 (9th Cir. 1992) (quoting Schreiber Distrib. Co. v. Serv-Well Furniture Co., 806 15 F.2d 1393, 1401 (9th Cir. 1986)). In other words, where leave to amend would be futile, 16 the Court may deny leave to amend. See Desoto, 957 F.2d at 658; Schreiber, 806 F.2d at 17 1401. The Court grants leave to amend to cure the deficiency or to delete the fraudulent 18 misrepresentation claim from an amended complaint. 19 14. Pennsylvania Unfair Trade Practices Act Claims 20 Defendant moves to dismiss Plaintiff Maldonado’s and Keally’s claims for violating 21 the Pennsylvania Unfair Trade Practices and Consumer Protection Law (“UTPCPL”). 22 (Doc. No. 31 at 26.) To prevail on a claim under the catch-all provision of Pennsylvania's 23 Uniform Trade Practices and Consumer Protection Law, a plaintiff need not establish 24 common law fraud; he need only show (1) a deceptive act likely to deceive a reasonable 25 consumer, (2) justifiable reliance on that act, and (3) a resulting ascertainable loss. Malibu 26 Media, LLC v. Doe, 238 F.Supp.3d 638, 647 (M.D. Pa. 2017). 27 Pennsylvania courts have found that the lost benefit of the bargain can satisfy the 28 “ascertainable loss” element of a UTPCPL claim. See e.g., Dibish v. Ameriprise Fin., Inc., 1 134 A.3d 1079, 1089 (Pa. Super. Ct. 2016). Plaintiff Maldonado and Plaintiff Keally each 2 allege an ascertainable loss in the diminution in value of their personal information and the 3 loss of the benefit of their bargain. (Doc. No. 24 ¶105, 142.) Accordingly, the Court 4 declines at this time to dismiss the UTPCPL claims. 5 15. Declaratory or Injunctive Relief 6 Defendant moves to dismiss Plaintiffs’ request for declaratory or injunctive relief. 7 (Doc. No. 31 at 29-30.) Defendant argues that a claim for declaratory relief cannot survive 8 independently of other claims. In this order, the Court grants in part and denies in part the 9 Defendant’s motion to dismiss. As a result, Plaintiffs’ claim for declaratory relief stands. 10 Defendant also moves to dismiss Plaintiffs’ claim for injunctive relief. The Court 11 notes that a request for injunctive relief is more properly classified as a prayer for relief 12 and not a separate cause of action. In an amended complaint, any request for injunctive 13 relief should be in a prayer for relief and not a separate cause of action. 14 CONCLUSION 15 For the foregoing reasons, the Court GRANTS in part and DENIES in part 16 Defendant’s Motion to Dismiss. (Doc. No. 31.) The Court GRANTS Plaintiffs thirty days 17 to file an amended complaint, to cure the deficiencies outlined above if they can do so. 18 IT IS SO ORDERED. 19 DATED: May 7, 2020
20 MARILYN L. HUFF, District Judge 21 UNITED STATES DISTRICT COURT 22 23 24 25 26 27 28