UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA

DANIEL JIMENEZ JR., et al., Plaintiffs,
v.
OE FEDERAL CREDIT UNION, Defendant.

Case No. 24-cv-02746-JST

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

Re: ECF No. 29

Before the Court is Defendant OE Federal Credit Union’s (“OEFCU”) motion to dismiss. ECF No. 29. The Court will grant the motion in part and deny it in part.

I. BACKGROUND[1]

This case involves an alleged ransomware attack on and data breach of OEFCU’s network that resulted in unauthorized access to the personally identifiable information (“PII”) and protected health information (“PHI”) of Plaintiffs Daniel Jimenez Jr., Mark Hendren, Erica Jaramillo, and the class members they seek to represent. ECF No. 16 ¶¶ 1–2.

OEFCU is “the country’s largest labor based credit union.” See id. ¶ 24 (internal quotation marks omitted). It maintains the PII/PHI of current and former customers, including: full names; Social Security numbers; dates of birth; bank and/or financial account information; Taxpayer Identification Numbers; driver’s license numbers; usernames and passwords; passport numbers; medical procedure information; clinical or treatment information; medical provider names; and health insurance information. Id. ¶ 25. Plaintiffs “directly or indirectly entrusted” OEFCU with their PII/PHI. Id. ¶ 26.

[1] For the purposes of deciding this motion, the Court accepts as true the following factual

Between approximately August 19, 2023 and October 29, 2023, OEFCU suffered a targeted data breach impacting at least the above categories of PII/PHI. See id. ¶¶ 33, 44. OEFCU sent impacted individuals of the data breach a notice letter on April 30, 2024, informing them of the breach. Id. ¶ 33. Third-party reports have confirmed that the perpetrators of the cyber-attack were from the cybercriminal group “No Escape.” Id. ¶ 47. Following the breach, OEFCU offered impacted individuals with access to a complimentary 12-month membership with a fraud and identity-monitoring service. Id. ¶¶ 11, 96.

Plaintiffs allege that OEFCU failed to comply with the minimum standards of the following frameworks: “the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness,” and that this failure allowed the data breach to occur. Id. ¶ 70. Plaintiffs further allege that OEFCU failed to engage in other security measures, including failing to: “maintain an adequate data security system to reduce the risk of data breaches and cyber-attacks; . . . properly monitor their own data security systems for existing intrusions; . . . ensure that their vendors with access to their computer systems and data employed reasonable security procedures; [and] . . . protect against reasonably anticipated threats or hazards to the security or integrity of electronic PII/PHI.” Id. ¶ 72.

Because of the data breach, Plaintiffs “anticipate[] spending considerable time and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach. This includes changing passwords, cancelling credit and debit cards, and monitoring their accounts for fraudulent activity.” Id. ¶ 100. Plaintiffs allege that they have been “placed at a present, imminent, immediate, and continuing increased risk of harm from fraud and identity theft” and that they “may also incur out-of-pocket costs for protective measures such as credit monitoring fees, credit report fees, credit freeze fees, and similar costs directly or indirectly related to the Data

will continue to suffer from anxiety and emotional distress. Id. ¶ 113. Hendren and Jaramillo additionally allege that they have received an increased number of spam and scamming calls, texts, and/or emails as a result of the data breach. Id. ¶¶ 130, 145.

Plaintiffs assert the following causes of action on behalf of themselves and a class of “[a]ll persons identified by Defendant (or its agents or affiliates) as being among those individuals impacted by the Data Breach, including all who were sent a notice of the Data Breach,” id. ¶ 154: negligence; breach of implied contract; invasion of privacy; unjust enrichment; violation of the California Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200, et seq.; violation of the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.150; violation of the California Customer Records Act (“CCRA”), Cal. Civ. Code § 1798.90, et seq.; and declaratory relief under the Declaratory Judgment Act, 28 U.S.C. §§ 2201, et seq. See id. at 51–75.[2]

II. JURISDICTION

This Court has jurisdiction under 28 U.S.C. § 1332(d)(2).

III. LEGAL STANDARD

“Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). To survive a motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. In determining whether a plaintiff has met the plausibility requirement, a court must “construe the pleadings in the light most favorable to the nonmoving party.” Knievel, 393 F.3d at 1072.

IV. DISCUSSION

A. Negligence

“In order to establish negligence under California law, a plaintiff must establish four required elements: (1) duty; (2); breach; (3) causation; and (4) damages.” Ileto v. Glock Inc., 349 F.3d 1191, 1203 (9th Cir. 2003). The parties here dispute the elements of duty, breach, and damages.

1. Duty

“The general rule in California is that everyone is responsible for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person. In other words, each person has a duty to use ordinary care and is liable for injuries caused by his failure to exercise reasonable care in the circumstances.” Cabral v. Ralphs Grocery Co., 51 Cal. 4th 764, 771 (2011) (simplified); see also Cal. Civ. Code § 1714 (“Everyone is responsible, not only for the result of his or her willful acts, but also for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person.”).

Plaintiffs contend that OEFCU stored their PII/PHI without implementing reasonable safeguards against foreseeable risks of unauthorized access and that this led to the data breach that injured them. District courts have routinely found comparable allegations sufficient to establish a duty at the motion to dismiss stage for negligence claims. See, e.g., In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 799 (N.D. Cal. 2019) (finding a duty because “Facebook had a responsibility to handle its users’ sensitive information with care”); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1039 (N.D. Cal. 2019) (finding a duty where Facebook allegedly failed to comply with industry data-security standards); In re San Francisco 49ers Data Breach Litig., No. 3:22-CV-05138-JD, 2024 WL 3849336, at *2 (N.D. Cal. Aug. 15, 2024) (finding that a negligence claim was sufficiently pleaded where data breach victims alleged that the 49ers obtained and stored their PII without using reasonable safeguards against hacking). Accordingly, the Court finds that OEFCU had a duty to store Plaintiffs’ PII/PHI with care.

2. Breach

OEFCU argues that Plaintiffs have not sufficiently pleaded a breach of any applicable duty because they have only alleged “labels and conclusions” rather than facts “describing the steps that [OEFCU] could have or should have taken to prevent” the data breach. See ECF No. 46 at 3. The Court disagrees.

Plaintiffs specifically allege that OEFCU failed to meet the minimum standards of the following frameworks: “the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness,” and that this failure allowed for the data breach to occur. ECF No. 16 ¶ 70. Plaintiffs have also pointed out other security measures that OEFCU failed to implement. See id. ¶ 72 (alleging that OEFCU failed, among other things, to “properly monitor their own data security systems for existing intrusions; . . . [and] ensure that their vendors with access to their computer systems and data employed reasonable security procedures”). Plaintiffs have thus pleaded specific facts describing how OEFCU breached its duty of care to take appropriate measures to safeguard their PII/PHI. See Schmitt v. SN Servicing Corp., No. 21-CV-03355-WHO, 2021 WL 3493754, at *5 (N.D. Cal. Aug. 9, 2021) (noting that the “burden to plead a corresponding breach based on SNSC's inadequate security measures is not high”); see also In re San Francisco 49ers Data Breach Litig., 2024 WL 3849336, at *2.

3. Damages

The Ninth Circuit has not addressed the question of what kind of damages must be alleged to support a negligence claim in the data breach context. But district courts within the circuit have generally found “[i]ncreased time spent monitoring one’s credit and other tasks associated with responding to a data breach . . . to be specific, concrete, and non-speculative.” In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1296 (S.D. Cal. 2020); see, e.g., Schmitt v. SN Servicing Corp., No. 21-CV-03355-WHO, 2021 WL 3493754, at *6

cognizable forms of harm”); In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623, 637 (N.D. Cal. 2024), reconsideration denied, No. 21-CV-01155-EJD, 2024 WL 4592367 (N.D. Cal. Oct. 28, 2024) (“Additionally, a ‘growing number of federal courts have now recognized Loss of Value of PII as a viable damages theory. And a growing number of courts now recognize that individuals may be able to recover Consequential Out of Pocket Expenses that are incurred because of a data breach, including for time spent reviewing one’s credit accounts.’”) (quoting In re Experian Data Breach Litig., 2016 WL 7973595, at *5 (C.D. Cal. Dec. 29, 2016)); but see Corona, 2015 WL 3916744, at *4 (finding, without discussion, that “general allegations of lost time are too speculative to constitute cognizable injury” in case involving an alleged hack, theft, and misuse of employee financial and medical information).

Here, Plaintiffs allege that as a result of the data breach, they have spent time monitoring their accounts and contacting credit bureaus to place freezes on their accounts because they have been placed at imminent risk of identity theft. See ECF No. 16 ¶¶ 100, 102, 106, 128. They also allege that because of the data breach, they have suffered from anxiety, sleep disruption, and emotional distress. Id. ¶¶ 113, 147. Hendren and Jaramillo additionally allege that they have received an increased number of spam calls, texts, and/or emails, as well as a spike in scam emails and phone calls purporting to involve credit, loans, and taxes, because of the data breach. Id. ¶¶ 130, 145. Taken together, the Court finds that Plaintiffs have alleged plausible damages to support their negligence claim. See Landon v. TSC Acquisition Corp., No. 2:23-CV-01377-SVW-PD, 2024 WL 5317240, at *8 (C.D. Cal. Nov. 1, 2024) (finding that the victims of a data breach sufficiently alleged emotional damages to survive the motion to dismiss); Schmitt v. SN Servicing Corp., No. 21-CV-03355-WHO, 2021 WL 3493754, at *5–6 (N.D. Cal. Aug. 9, 2021) (finding that time spent on credit monitoring is a cognizable form of harm to support a negligence claim); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 918 (S.D. Cal. 2020) (finding that plaintiffs alleged plausible damages in the form of lost time, where plaintiffs experienced increased spam and phishing contacts, even if their e-mail addresses or phone numbers were not directly included in the information that was compromised).

B. Breach of Implied Contract

“An implied contract is one, the existence and terms of which are manifested by conduct.” Cal. Civ. Code § 1621. To plead breach of an implied contract, a plaintiff must allege: “(1) the contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) the resulting damages to plaintiff.” Reichert v. Gen. Ins. Co. of Am., 68 Cal. 2d 822, 830 (1968) (citations omitted).

OEFCU primarily argues that Plaintiffs’ breach of implied contract claim fails because Plaintiffs have not sufficiently alleged the existence of a contract—contending specifically that Plaintiffs have not cited “the consideration OEFCU exchanged that is required to create an enforceable contract.” ECF No. 46 at 6–7. The Court disagrees.

Here, Jimenez and Hendren have pleaded that they were required to provide their PII/PHI to OEFCU as a condition of becoming its customers. See ECF No. 16 ¶ 114 (“Plaintiff Jimenez provided his information to Defendant as a condition of becoming a customer of Defendant”); id. ¶ 124 (“As a condition of obtaining services at OEFCU, [Hendren] was required to provide his PII/PHI to Defendant.”). That alleged requirement is sufficient to constitute consideration for an implied contract whereby OEFCU implicitly agreed to reasonably safeguard their PII/PHI. See In re 49ers, 2024 WL 3849336, at *3 (“The amended complaint states that plaintiffs were required to disclose their PII to the 49ers, to the 49ers’ benefit, with the understanding that the 49ers would reasonably protect their information. That is enough for the implied contract claim to go forward.”); Castillo v. Seagate Tech., LLC, No. 16-CV-01958-RS, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016) (finding that the plaintiffs adequately alleged a claim of implied breach of contract because they alleged that they were required to submit their PII to Seagate as a condition of employment and Seagate failed to take adequate measures and reasonable efforts to safeguard their information). Because Jaramillo does not allege that she was a customer of OEFCU, however, see ECF No. 40 at 21 n.4, her claim for breach of implied contract is dismissed with leave to amend.

C. Invasion of Privacy

specific, protected privacy interest; (2) a reasonable expectation of privacy; and (3) a “sufficiently serious” invasion of the privacy interest such that it “constitute[s] an egregious breach of the social norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1, 35–37 (1994).

OEFCU argues that its alleged cybersecurity practices leading to the data breach do not constitute the type of egregious breach of social norms that satisfies the third element of this claim. See ECF No. 29 at 14. It states that Plaintiffs do not “contend that OEFCU intended for their PII to be stolen by cybercriminals,” id., and that “[l]osing personal data through insufficient security doesn’t rise to the level of an egregious breach of social norms underlying the protection of sensitive data like social security numbers.” Id. (quoting Schmitt, 2021 WL 3493754, *7).

“Under California law, courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 797 (N.D. Cal. 2019). “Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 4th 1, 37 (1994). When determining whether an invasion is “highly offensive,” courts consider “the degree and setting of the intrusion,” as well as “the intruder’s motives and objectives.” Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 287 (Cal. 2009). Given the factually intensive nature of the inquiry, “[c]ourts are generally hesitant to decide claims of this nature at the pleading stage.” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d at 799. Only if the allegations “show no reasonable expectation of privacy or an insubstantial impact on privacy interests” can the “question of [a serious or highly offensive] invasion [ ] be adjudicated as a matter of law.” Hill, 7 Cal. 4th at 40.

Plaintiffs argue that the data breach constitutes “an ‘egregious breach of social norms’ because the Data Breach exposed protected health information—including, inter alia, prescription information, treatment information, clinical information, and medical procedure information.” ECF No. 40 at 14 (citing ECF No. 16 ¶¶ 25, 44). They also argue that “the offensiveness of the

of PII/PHI which was then viewed by at least 108 individuals on the Dark Web.” Id. (quoting ECF No. 16 ¶¶ 47–52).

As this Court has previously stated, it agrees with those courts that “have refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an “egregious breach of the social norms” that is “highly offensive.” St. Aubin v. Carbon Health Techs., Inc., No. 24-CV-00667-JST, 2024 WL 4369675, at *13 (N.D. Cal. Oct. 1, 2024) (quoting In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D. Cal. 2021)); see also Doe v. Beard, 63 F. Supp. 3d 1159, 1170 (C.D. Cal. 2014) (denying motion to dismiss where plaintiff’s HIV-positive status was disclosed). Accordingly, at least at this stage of the proceedings, the Court cannot conclude as a matter of law that the disclosure of the PII and PHI involved here, is not highly offensive. See Lau v. Gen Digital Inc., No. 22-CV-08981-JST, 2023 WL 10553772, at *6 (N.D. Cal. Sept. 13, 2023).

D. Unjust Enrichment

The Ninth Circuit “has construed the common law to allow an unjust enrichment cause of action through quasi-contract.” ESG Capital Partners, LP v. Stratos, 828 F.3d 1023, 1038 (9th Cir. 2016) (citing Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015)). Under California law, “a quasi-contract action for unjust enrichment does not lie where [] express binding agreements exist and define the parties’ rights.” E.g., California Med. Ass’n, Inc. v. Aetna U.S. Healthcare of California, Inc., 94 Cal. App. 4th 151, 172 (2001).

OEFCU argues that Plaintiffs’ unjust enrichment claim is barred because they have alleged a claim for breach of implied contract and have not “pleaded facts that the contract may be unenforceable or invalid.” See ECF No. 29 at 15. OEFCU primarily cites In re Sequoia Benefits & Insurance Data Breach Litigation, No. 22-CV-08217-RFL, 2024 WL 1091195, at *9 (N.D. Cal. Feb. 22, 2024), as support. In re Sequoia is distinguishable. The court in that case dismissed the unjust enrichment claim because the plaintiffs alleged the existence of an express contract and brought a claim for breach of contract, not breach of implied contract. See In re Sequoia Benefits

distinguishable on the same basis. See In the Black Res., LLC v. Blitz Design, Inc., No. 3:22-CV-04227-WHO, 2022 WL 17082372, at *4 (N.D. Cal. Nov. 17, 2022) (claim for breach of express contract); In re Med. Cap. Sec. Litig., No. ML102145DOCRNBX, 2010 WL 11508332, at *4 (C.D. Cal. Aug. 31, 2010) (same).

Here, Plaintiffs bring only a claim for breach of implied contract. OEFCU cites no case, and the Court has found none, barring a plaintiff from bringing claims for both unjust enrichment and breach of implied contract. Indeed, “[t]he doctrine of implied contracts has its foundation in the doctrine of unjust enrichment.” Gonzales v. State of California, 68 Cal. App. 3d 621, 627–28 (quoting McCaffrey v. Cronin, 140 Cal. App. 2d 528, 535 (1956)), abrogated on other grounds by City of Stockton v. Superior Ct., 42 Cal. 4th 730 (2007). The Court therefore declines to dismiss Plaintiffs’ unjust enrichment claim.

E. California Unfair Competition Law

To bring a UCL claim, a person must have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. Thus, a UCL plaintiff must “(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.” Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 322 (2011) (emphasis in original).

Plaintiffs argue that they satisfy the UCL’s injury requirement because they allege that they “spent time and resources mitigating the fallout from the Data Breach,” were “deprived the benefit of their bargain with Defendant and suffered damage to the value of their PII/PHI.” ECF No. 40 at 16–17. Plaintiffs’ arguments are unavailing.

First, courts generally view lost time alone as a non-economic injury that is insufficient to confer statutory standing under the UCL. See In re Sequoia Benefits & Ins. Data Breach Litig., No. 22-CV-08217-RFL, 2024 WL 1091195, at *7 (N.D. Cal. Feb. 22, 2024). Second, Plaintiffs fall short of alleging they actually incurred a monetary loss. See ECF No. 16 ¶¶ 14, (“Plaintiffs and Class Members may also incur out of pocket costs for . . . protective measures to deter and

specifically alleges having signed up for a credit monitoring service, but he alleges that he signed up for “credit monitoring and identity theft protection services offered by Defendant”—which Plaintiffs acknowledge were complimentary. See id. ¶¶ 11, 128. And while Plaintiffs allege that they were deprived the benefit of their bargain, they do not allege any actual losses related to that deprivation. Nowhere do Plaintiffs allege that they paid any actual sums to OEFCU to receive any services. See generally ECF No. 16.

Finally, Plaintiffs’ general allegation that they “suffered damage to the value of their PII/PHI” does not suffice to establish UCL standing. As this Court has recently explained:

    Numerous courts have held that disclosure of personal information alone does not constitute economic or property loss sufficient to establish UCL standing, unless the plaintiff provides specific allegations regarding the value of the information. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *22 (N.D. Cal. Aug. 30, 2017) (rejecting UCL standing to victims of data breach who had failed to allege specific benefit-of-the-bargain losses or out-of-pocket expenses); In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 714 (N.D. Cal. 2011), aff’d 572 F. App’x 494 (9th Cir. 2014) (“A plaintiff’s personal information does not constitute property under the UCL.”).

Swarts v. The Home Depot, Inc., No. 23-cv-0995-JST, 2023 WL 5615453 (N.D. Cal. Aug. 30, 2023); see also Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 943 (N.D. Cal. 2023) (concluding that “[t]he weight of the authority in the district and the state” indicates “that the mere misappropriation of personal information does not establish compensable damages” sufficient to confer standing under the UCL (quotation marks and citations omitted)).

Because Plaintiffs do not sufficiently allege having incurred a monetary loss, their UCL claims are dismissed for lack of statutory standing. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *22 (N.D. Cal. Aug. 30, 2017) (finding that the plaintiffs who alleged having paid for credit monitoring services and late fees related to identity theft had UCL standing but that the plaintiffs who only alleged facing an “imminent risk of future costs” did not have UCL standing).

F. CCPA

The CCPA provides:

    Any consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . .

Cal. Civ. Code § 1798.150(a)(1).

The parties dispute whether OEFCU is a “business” as defined under the statute. As relevant here, to qualify as a “business” under the CCPA, an entity must both collect consumer PII and “determine[] the purposes and means of the processing” of that PII. See id. § 1798.140(d)(1); see also Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021). Furthermore, the CCPA in a separate section provides that actions against “service providers” that violate the CCPA shall be instituted by the California Attorney General—not individual consumers. See Cal. Civ. Code § 1798.155(b). And a “service provider” is defined as an entity “that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract.” Cal. Civ. Code § 1798.140(v). Accordingly, Plaintiffs can only state a claim against OEFCU if it is a “business” and not a “service provider.”

OEFCU provides no explanation as to how it fits the definition of a “service provider” other than pointing to Plaintiffs’ passing description of OEFCU as a “financial services provider” in a different context in the first amended complaint. See ECF No. 29 at 19–20. It otherwise primarily relies on In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623 (N.D. Cal. 2024), to argue that Plaintiffs fail to allege that OEFCU meets the definition of a business under the statute. In that case, the plaintiffs alleged that “Accellion was hired by various companies to ‘securely transfer’ and to ‘facilitate secure, encrypted file sharing that exceeded limits imposed on the size of email attachments.’” Id. at 641. The court thus found that it was actually Accellion’s customers—not Accellion itself—who made the decisions as to why and how any personal information was transferred. Id.

Here, however, Plaintiffs specifically allege that OEFCU collected Plaintiffs’ PII and PHI as a condition of providing its services. ECF No. 16 ¶¶ 28, 114, 124, 136, 244. OEFCU thus

information needed to provide financial services to its “current and former customers.” See id. ¶ 25. And Plaintiffs further alleged that OEFCU determined the “means” of processing their PII/PHI by choosing to store that information and the method of storing that information. See id. ¶ 3 (alleging that OEFCU “stored that PII/PHI, unencrypted, in an Internet-accessible environment on Defendant’s network”). Plaintiffs thus plausibly allege that OEFCU is a business under the CCPA. See Karter v. Epiq Sys., Inc., No. SACV 20-01385-CJC (KESX), 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021) (finding that when an entity collects consumers’ personal information from consumers “in order to perform its services,” that “is an activity for a business” under the CCPA).

Accordingly, the Court declines to dismiss Plaintiffs’ CCPA claim.

G. CCRA

The CCRA “regulates businesses with regard to treatment and notification procedures relating to their customers' personal information.” In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *33 (quoting Corona v. Sony Pictures Ent., 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015)). Section 1798.82(a) of the CCRA provides, in relevant part:

    A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person . . . . The disclosure shall be made in the most expedient time possible and without unreasonable delay . . . .

Cal. Civ. Code § 1798.82(a).

Plaintiffs argue that OEFCU’s delay in waiting at least six months to notify impacted victims of the data breach about the breach constituted unreasonable delay under the CCRA. OEFCU primarily responds that Plaintiffs have not alleged that they have suffered any incremental harm caused by the delay in notice. See ECF No. 46 at 12–14.

Reading the first amended complaint in the light most favorable to Plaintiffs, the Court finds that Plaintiffs have sufficiently alleged that had they been given timelier notice, they would have been able to “tak[e] appropriate measures from protecting themselves against harm,” see ECF No. 16 ¶¶ 253–54, including signing up for credit monitoring and fraud prevention services at an earlier time and reducing the likelihood that they would receive the spam and phishing calls, texts, and emails that they have since received. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *41 (finding that the plaintiffs adequately alleged incremental harm by alleging that, if they had been notified earlier, they could have secured identity theft protection or requested a credit freeze to mitigate the damage from their information being stolen); see also Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 925 (S.D. Cal. 2020) (declining to dismiss the CCRA claim at the motion-to-dismiss stage).

9 OEFCU also argues that Plaintiffs are not “customers” of OEFCU within the meaning of 10 the CCRA. See ECF No. 29 at 20–21; see also Cal. Civ. Code § 1798.80(c) (defining “customer” 11 as “an individual who provides personal information to a business for the purpose of purchasing or 12 leasing a product or obtaining a service from the business”). Plaintiffs respond that because 13 Jimenez and Hendren alleged that they provided their PII to OEFCU as a condition of receiving its 14 services, they have demonstrated their status as “customers” under the CCRA. See ECF No. 40 at 15 21; see also ECF No. 16 ¶ 114 (“Plaintiff Jimenez provided his information to Defendant as a 16 condition of becoming a customer of Defendant”); id. ¶ 124 (“As a condition of obtaining services 17 at OEFCU, [Hendren] was required to provide his PII/PHI to Defendant.”).3 18 Accordingly, the Court declines to dismiss Jimenez and Hendren’s CCRA claims at this 19 stage. 20 H. Declaratory Relief 21 The Federal Declaratory Judgment Act provides that, “[i]n a case of actual controversy 22 within its jurisdiction, . . . any court of the United States, upon filing of an appropriate pleading, 23 may declare the rights and other legal relations of any interested party seeking such declaration, 24 whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). The “Act does not grant 25 litigants an absolute right to a legal determination.” t’Bear v. Forman, 359 F. Supp. 3d 882, 902 26 3 Jaramillo does not oppose dismissal of her CCRA claim because she does not allege to be a 27 customer of OEFCU. See ECF No. 40 at 21 n.4. Accordingly, the Court dismisses Jaramillo’s 1 (N.D. Cal. 2019) (quoting U.S. v. Washington, 759 F.2d 1353, 1356 (9th Cir. 1985)). “Rather, the 2 decision to grant declaratory relief rests within a district court’s discretion.” Allstate Ins. 3 Co. v. Bos, No. CV 12-1024 PSG (RZx), 2012 WL 12930703, at *1 (N.D. Cal. Feb. 17, 2012). 
“Declaratory relief should be denied when it will neither serve a useful purpose in clarifying and settling the legal relations in issue nor terminate the proceedings and afford relief from the uncertainty and controversy faced by the parties.” t’Bear, 359 F. Supp. 3d at 902-03 (quoting U.S. v. Washington, 759 F.2d at 1357).

OEFCU argues that Plaintiffs’ requested declaratory relief is duplicative of their negligence claim. In their claim for declaratory relief, Plaintiffs ask the Court to declare that OEFCU “owed, and continues to owe, a legal duty to employ reasonable data security to secure the PII/PHI it possesses,” that OEFCU “breached, and continues to breach, its duty by failing to employ reasonable measures to secure its customers’ personal and financial information,” and that OEFCU’s “breach of its legal duty continues to cause harm to Plaintiffs and the Class.” ECF No. 16 at 73–74. Plaintiffs also ask for “corresponding injunctive relief,” id. at 74, which the Court understands as a separate request for an injunction.

Plaintiffs argue that their negligence and declaratory relief claims are distinct because while Plaintiffs seek monetary damages through their other causes of action for OEFCU’s past conduct, their declaratory relief claim seeks to “address [OEFCU’s] current and future data security practices.” See ECF No. 40 at 22. The Court finds Plaintiffs’ argument unpersuasive. While Plaintiffs do style their request for declaratory relief as regarding OEFCU’s ongoing breach, the determinations they request merely restate the elements of their negligence claim. The proposed declaratory relief would have the same effect as, and duplicate, a finding on their negligence claim. The Court thus dismisses Plaintiffs’ claim for declaratory relief because it would “neither serve a useful purpose in clarifying and settling the legal relations in issue nor terminate the proceedings and afford relief from the uncertainty and controversy faced by the parties.” t’Bear, 359 F. Supp. 3d at 902-03 (quoting U.S. v. Washington, 759 F.2d at 1357). Moreover, declaratory relief is a remedy and not a standalone cause of action. See Doe 1 v.

claim, granting leave to amend would be futile. Accordingly, Plaintiffs’ claim for declaratory relief is dismissed with prejudice.

CONCLUSION

For the reasons set forth above, the Court grants OEFCU’s motion to dismiss in part: the breach-of-implied-contract claim and the CCRA claim brought by Erica Jaramillo are dismissed with leave to amend; Plaintiffs’ UCL claims are dismissed with leave to amend; and Plaintiffs’ claim for declaratory relief is dismissed with prejudice. The Court denies the remainder of OEFCU’s motion.

Plaintiffs may file an amended complaint within 28 days of this order solely to address the deficiencies identified in the order. Failure to timely file an amended complaint will result in dismissal of the relevant claims with prejudice.

IT IS SO ORDERED.

Dated: August 19, 2025
JON S. TIGAR
United States District Judge