Michael Terpin v. AT and T Inc

• Court: District Court, C.D. California
• Decided: February 24, 2020
• Docket: 2:18-cv-06975
• Status: Unknown

Opinion

O 1

2 3 4 5 6 7

8 United States District Court 9 Central District of California

11 MICHAEL TERPIN, Case No. 2:18-cv-06975-ODW (KSx)

12 Plaintiff, ORDER GRANTING, IN PART, AND 13 v. DENYING, IN PART, 14 AT&T MOBILITY, LLC, et al., DEFENDANT’S MOTION TO 15 DISMISS [33] Defendants.

16 17 I. INTRODUCTION 18 Defendant AT&T Mobility, LLC (“AT&T”) moves to dismiss Plaintiff Michael 19 Terpin’s (“Terpin”) First Amended Complaint (“FAC”) (the “Motion”). (Mot., ECF 20 No. 33.) For the reasons that follow, the Court GRANTS, IN PART, AND DENIES, 21 IN PART, AT&T’s Motion.1 22 II. FACTUAL AND PROCEDURAL BACKGROUND 23 As previously set forth in the Court’s July 19, 2019 Order (“July Order”), (ECF 24 No. 29), granting in part and denying in part AT&T’s motion to dismiss the original 25 Complaint, Mr. Terpin is a prominent and well-known member of the cryptocurrency 26 community. (FAC ¶¶ 18–19, ECF No. 32.) He is domiciled in Puerto Rico with a 27

28 1 Having carefully considered the papers filed in connection with the Motion, the Court deemed the matter appropriate for decision without oral argument. Fed. R. Civ. P. 78; C.D. Cal. L.R. 7-15. 1 residence in California. (FAC ¶ 1.) On June 11, 2017, Mr. Terpin’s phone suddenly 2 became inoperable because his cell phone number had been hacked. (FAC ¶ 83.) 3 After hackers attempted and failed eleven times to change Mr. Terpin’s AT&T 4 password in AT&T retail stores, the hackers were able to change his password 5 remotely. (FAC ¶ 83.) Mr. Terpin alleges that this allowed the hackers to gain 6 control of his phone number, which allowed them to divert his personal information, 7 including telephone calls and text messages, to gain access to his accounts that use his 8 telephone number for authentication. (FAC ¶¶ 83–84.) Mr. Terpin asserts the hackers 9 used his telephone number to access his cryptocurrency accounts and also 10 impersonated him by using his Skype account. (FAC ¶ 84.) By impersonating Mr. 11 Terpin, the hackers convinced one of Mr. Terpin’s clients to send them cryptocurrency 12 and diverted the cryptocurrency to themselves. (FAC ¶ 84.) Later that day, AT&T 13 was able to cutoff the hackers’ access to Mr. Terpin’s telephone number. (FAC ¶ 84.) 14 However, by this time, the hackers had stolen substantial funds from Mr. Terpin. 15 (FAC ¶ 84.) 16 Around June 13, 2017, Mr. Terpin met with AT&T representatives in Puerto 17 Rico to discuss the hack. (FAC ¶ 85.) AT&T allegedly promised to place Mr. 18 Terpin’s account on a “higher security level with special protection.” (FAC ¶ 86 19 (internal quotation marks omitted).) This included requiring a six-digit passcode 20 (known only to Mr. Terpin and his wife) of anyone attempting to access or change Mr. 21 Terpin’s account settings or transfer his telephone number to another phone. (FAC 22 ¶ 86.) Mr. Terpin maintains that he “relied upon AT&T’s promises that his account 23 would be much more secure against hacking, including SIM swap fraud, after it 24 implemented the increased security measures,” which led him to remain an AT&T 25 customer. (FAC ¶ 88.) 26 On Sunday, January 7, 2018, Mr. Terpin’s phone again became inoperable. 27 (FAC ¶ 91.) Mr. Terpin alleges that an employee at an AT&T store in Norwich, 28 1 Connecticut assisted an imposter with a SIM card swap.2 (FAC ¶¶ 90–91.) This 2 resulted in AT&T transferring Mr. Terpin’s phone number to an imposter. (FAC 3 ¶ 91.) Mr. Terpin alleges that when his phone became inoperable, he attempted to 4 contact AT&T to have his telephone number canceled, but AT&T failed to promptly 5 cancel his account. (FAC ¶ 93.) By having access to Mr. Terpin’s phone number, Mr. 6 Terpin alleges that “the hackers were able to intercept Mr. Terpin’s personal 7 information, including telephone calls and text messages, change passwords, access 8 programs and files and locate information that allowed them to gain access to his 9 cryptocurrency wallets and/or accounts.” (FAC ¶ 96.) Specifically, Mr. Terpin alleges 10 that the hackers used a cell phone with his telephone number to send “a password 11 reset request to [Mr. Terpin’s password protected] program or programs which then 12 sent a [2-Factor Authentication (“2FA”)] message to Mr. Terpin’s telephone number, 13 which was by virtue of the SIM swap in the hackers’ possession.” (FAC ¶ 92.) Mr. 14 Terpin further alleges that the hackers created new passwords, which allowed them to 15 “locate[] a file with confidential information to access Mr. Terpin’s [cryptocurrency] 16 wallets and/or accounts.” (FAC ¶ 92.) Mr. Terpin alleges that, as a result, between 17 January 7 and 8, 2018, the hackers stole nearly $24 million worth of cryptocurrency 18 from him. (FAC ¶ 91.) 19 On August 15, 2018, Mr. Terpin filed his Complaint asserting sixteen causes of 20 action. (See generally Compl., ECF No. 1.) AT&T moved to dismiss the Complaint 21 in its entirety, which the Court granted in part and denied in part, with leave to amend. 22 (See July Order.) On August 9, 2019, Mr. Terpin filed his FAC against AT&T 23 alleging nine causes of action for: (1) declaratory relief that AT&T’s consumer 24 agreement is unconscionable and contrary to public policy; (2) unauthorized 25 disclosure of customer confidential proprietary information, 47 U.S.C. §§ 206, 222; 26

2 Mr. Terpin alleges that “SIM swapping consists of tricking a provider . . . into transferring the 27 target’s phone number to a SIM card controlled by the criminal. Once they get the phone number, 28 fraudsters can leverage it to reset the victims’ passwords and break into their online accounts.” (FAC ¶ 69.) 1 (3) deceit by concealment, California Civil Code sections 1709, 1710; 2 (4) misrepresentation; (5) negligence; (6) negligent supervision and training; 3 (7) negligent hiring; (8) breach of contract – privacy policy; and (9) breach of implied 4 contracts (in the alternative to breach of express contract). (FAC ¶¶ 107–204.) 5 AT&T now moves to dismiss the FAC in its entirety arguing that Mr. Terpin’s claims 6 still lack the requisite factual detail to survive dismissal. (See generally Mot.) 7 III. LEGAL STANDARD 8 A court may dismiss a complaint under Rule 12(b)(6) for lack of a cognizable 9 legal theory or insufficient facts pleaded to support an otherwise cognizable legal 10 theory. Balistreri v. Pacifica Police Dep’t, 901 F.2d 696, 699 (9th Cir. 1988). To 11 survive a dismissal motion, a complaint need only satisfy the minimal notice pleading 12 requirements of Rule 8(a)(2)—a short and plain statement of the claim. Porter v. 13 Jones, 319 F.3d 483, 494 (9th Cir. 2003). The factual “allegations must be enough to 14 raise a right to relief above the speculative level.” Bell Atl. Corp. v. Twombly, 550 15 U.S. 544, 555 (2007). That is, the complaint must “contain sufficient factual matter, 16 accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. 17 Iqbal, 556 U.S. 662, 678 (2009) (internal quotation marks omitted). 18 The determination of whether a complaint satisfies the plausibility standard is a 19 “context-specific task that requires the reviewing court to draw on its judicial 20 experience and common sense.” Id. at 679. A court is generally limited to the 21 pleadings and must construe all “factual allegations set forth in the complaint . . . as 22 true and . . . in the light most favorable” to the plaintiff. Lee v. City of Los Angeles, 23 250 F.3d 668, 679 (9th Cir. 2001). However, a court need not blindly accept 24 conclusory allegations, unwarranted deductions of fact, and unreasonable inferences. 25 Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001). 26 Where a district court grants a motion to dismiss, it should generally provide 27 leave to amend unless it is clear the complaint could not be saved by any amendment. 28 See Fed. R. Civ. P. 15(a); Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1 1025, 1031 (9th Cir. 2008). Leave to amend may be denied when “the court 2 determines that the allegation of other facts consistent with the challenged pleading 3 could not possibly cure the deficiency.” Schreiber Distrib. Co. v. Serv-Well Furniture 4 Co., 806 F.2d 1393, 1401 (9th Cir. 1986). Thus, leave to amend “is properly 5 denied . . . if amendment would be futile.” Carrico v. City and Cty. of San Francisco, 6 656 F.3d 1002, 1008 (9th Cir. 2011). 7 IV. DISCUSSION 8 A. Proximate Cause 9 AT&T first moves to dismiss the FAC on the basis that Mr. Terpin fails to 10 sufficiently allege proximate cause. (Mot. 5–10.) In its July Order partially 11 dismissing the initial Complaint, the Court concluded that Mr. Terpin “sufficiently 12 alleged that the [hacker/fraudster’s] criminal act was reasonably foreseeable”; 13 however, Mr. Terpin “fail[ed] to sufficiently allege proximate cause,” because he did 14 “not connect how granting the hackers/fraudsters access to [his] phone number 15 resulted in him losing $24 million.” (July Order 6.) The Court now finds that Mr. 16 Terpin has adequately pled proximate cause and, thus, the FAC survives AT&T’s 17 motion to dismiss on that basis. 18 “It is a well established principle of [the common] law that in all cases of loss, 19 we are to attribute it to the proximate cause, and not to any remote cause.” Bank of 20 Am. Corp. v. Miami, 137 S. Ct. 1296, 1305 (2017) (alteration in original) (internal 21 quotation marks omitted). “Proximate cause is that cause which, in natural and 22 continuous sequence, unbroken by any efficient intervening cause, produced the injury 23 [or damage complained of] and without which such result would not have occurred.” 24 California v. Superior Court, 150 Cal. App. 3d 848, 857 (1984) (alteration in original) 25 (internal quotation marks omitted). The proximate cause requirement “bars suits for 26 alleged harm that is ‘too remote’ from the defendant’s unlawful conduct.” Lexmark 27 Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118, 133 (2014). 28 1 Mr. Terpin pleads sufficient facts in the FAC to allow the Court to plausibly 2 infer that the hackers’ access to Mr. Terpin’s phone number enabled them to steal his 3 cryptocurrency. Specifically, Mr. Terpin alleges that an AT&T agent named “Jahmil 4 Smith . . . was bribed by a criminal gang” to “fabricate information indicating that Mr. 5 Terpin visited [an AT&T] store and showed identification.” (FAC ¶¶ 8, 11.) Mr. 6 Terpin further alleges that Smith transferred a SIM card linked to Mr. Terpin’s phone 7 number to a telephone under the hackers’ control, which the hackers then used “to 8 intercept communications, including text messages, to reset passwords for Mr. 9 Terpin’s accounts” through 2FA methods. (FAC ¶¶ 11, 12.) Finally, Mr. Terpin 10 alleges the hackers employed 2FA “to access files under [his] accounts containing 11 confidential information,” used the confidential information to access his 12 cryptocurrency wallets and/or exchanges, and transferred funds to cryptocurrency 13 wallets and/or exchanges under the hackers’ control. (FAC ¶¶ 8, 12.) 14 AT&T contends that Mr. Terpin does not plead any facts to support the assertion 15 that 2FA was involved here because if, “for example, Mr. Terpin stored his 16 cryptocurrency in an online wallet and that wallet provider does not employ two- 17 factor authentication . . . the SIM swap would have little, if any, role in the alleged 18 cryptocurrency theft.” (Mot. 8.) However, Mr. Terpin does not allege the hackers 19 used 2FA methods to crack his cryptocurrency accounts; rather, Mr. Terpin alleges the 20 hackers used 2FA methods to access other programs and files containing “confidential 21 information” that enabled the hackers to crack his cryptocurrency accounts. (See FAC 22 ¶¶ 8, 11, 12, 91, 92.) AT&T disputes the sufficiency of this allegation because Mr. 23 Terpin does not identify the specific “accounts” where he kept his confidential 24 information. (Mot. 6–7.) The Court finds this allegation adequate, however, because 25 Mr. Terpin alleges sufficient facts for the Court to reasonable infer the hackers may 26 have used 2FA methods to glean Mr. Terpin’s personal information from various 27 accounts, such as email or cloud storage. (See FAC ¶¶ 12, 64, 92.) At this stage, Mr. 28 Terpin is not required to reconstruct the precise sequence of the hack, but rather, 1 merely establish a “natural and continuous sequence” of plausible events connecting 2 the hackers’ access to his phone number to the theft of his cryptocurrency. California, 3 150 Cal. App. 3d at 857. 4 Accordingly, the Court DENIES AT&T’s motion to dismiss Mr. Terpin’s eight 5 remaining claims that rely on the $24 million in alleged damages based on sufficient 6 proximate cause. 7 B. Economic Loss Doctrine (Claims 3–7) 8 AT&T next contends that the economic loss doctrine bars Mr. Terpin’s tort 9 claims. (Mot. 10–13.) As the Court explained in its prior order, California law 10 generally bars tort claims for economic loss based on fraud and negligence.3 (July 11 Order 12–14.) Where there is a special relationship between the parties, however, a 12 plaintiff may recover in tort for economic losses incurred as a result of a defendant’s 13 contractual breach. See J’Aire Corp. v. Gregory, 24 Cal. 3d 799, 804 (1979). AT&T 14 contends that Mr. Terpin has failed to allege a special relationship giving rise to a duty 15 on its part to ensure that Mr. Terpin did not suffer purely economic losses. Under 16 J’Aire, courts consider six factors in assessing whether the parties have the necessary 17 special relationship to recover for tortious conduct: 18 (1) the extent to which the transaction was intended to affect the 19 plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the 20 connection between the defendant’s conduct and the injury suffered, 21 (5) the moral blame attached to the defendant’s conduct and (6) the policy of preventing future harm. 22 23 Id. at 804. All six factors must be considered by the court and the presence or absence 24 3 In his Opposition, Mr. Terpin attempts to fashion his third cause of action—deceit by 25 concealment—into a fraudulent inducement claim in order to except it from the economic loss rule. (See Opp’n to Mot. (“Opp’n”) 15–16, ECF No. 34.) Because Mr. Terpin has not properly pled a 26 fraudulent inducement claim in the FAC, the Court declines to address whether it is subject to the economic loss rule. Schneider v. Cal. Dep’t. of Corr., 151 F.3d 1194, 1197 n.1 (9th Cir. 1998) (“In 27 determining the propriety of a Rule 12(b)(6) dismissal, a court may not look beyond the complaint to 28 a plaintiff’s moving papers, such as a memorandum in opposition to a defendant’s motion to dismiss.”). 1 of one factor is not decisive. Kalitta Air, LLC v. Cent. Tex. Airborne Sys., Inc., 315 F. 2 App’x 603, 605–06 (9th Cir. 2008). 3 Applying these factors, the Court previously found that Mr. Terpin failed to 4 plead facts showing that he had a special relationship with AT&T. Specifically, the 5 Court noted that Mr. Terpin had sufficiently alleged “that it was foreseeable that [he] 6 would suffer injury if AT&T did not protect his personal information” and “the degree 7 of certain[ty] of his injury” but Mr. Terpin had not adequately pleaded “the extent to 8 which the transaction was intended to benefit [him], the closeness of the connection 9 between AT&T’s conduct and the injury suffered, the moral blame attached to AT&T’s 10 conduct, or the policy of preventing future harm.” (July Order 14.) 11 In an effort to satisfy the first, and fourth through sixth J’Aire factors, Mr. 12 Terpin now alleges that: (1) Mr. Terpin had a contract with AT&T for the provision of 13 mobile telephone services, including the ability to make telephone calls, receive text 14 messages, access the Internet, send e-mails, and use a variety of other applications, 15 which required Mr. Terpin to provide AT&T with his personal information; 16 (2) AT&T’s lack of adequate security measures proximately caused Mr. Terpin’s 17 damages; (3) AT&T’s conduct warrants moral blame because AT&T promised to 18 secure Mr. Terpin’s personal information; and (4) holding AT&T accountable will 19 require AT&T and other telecommunication companies to provide reasonable, reliable, 20 and industry-standard security measures. (FAC ¶¶ 52–58, 100–06.) 21 First, although the contract entered into between the parties related only to 22 mobile telephone services, Mr. Terpin was required to share his personal information 23 with AT&T with the understanding that AT&T would adequately protect it, including 24 the SIM card linked to his telephone number and personal data. Here, the Court finds 25 that this exchange of personal information based on a promise of safekeeping is 26 sufficient to satisfy the first J’Aire factor. See, e.g., In re Yahoo! Inc. Customer Data 27 Sec. Breach Litig., 313 F. Supp. 3d 1113, 1132 (N.D. Cal. 2018) (finding the J’Aire 28 exception applied in part because plaintiffs were required to turn over their personal 1 information to defendants with the understanding defendants would safeguard it and 2 inform plaintiffs of any breaches). Second, as discussed above, Mr. Terpin’s damages 3 were allegedly suffered precisely because AT&T provided inadequate security 4 measures to protect his SIM card. Third, AT&T is morally culpable because Mr. 5 Terpin alleges it is “[a]ware of the vulnerability of its customers in having their 6 [p]ersonal [i]nformation stolen through SIM swapping” but AT&T “has done nothing 7 to prevent that practice, including enforcing its own privacy policy and adhering to its 8 promises to provide special or additional protection to its customers’ accounts.” (FAC 9 ¶ 105.) Fourth, and finally, AT&T’s failure to adequately protect Mr. Terpin’s personal 10 information implicates the consumer data protection concerns expressed in federal 11 statutes, such as Section 222 of the Federal Communications Act (“FCA”). See 47 12 U.S.C. § 222. 13 Based on these allegations, Mr. Terpin has adequately pleaded a “special 14 relationship” with AT&T. Accordingly, the Court DENIES AT&T’s motion to dismiss 15 Mr. Terpin’s fraud and negligence claims based on the economic loss rule. AT&T 16 asserts additional arguments for the dismissal of Mr. Terpin’s deceit by concealment 17 and misrepresentation claims; therefore, the Court turns to these arguments next. 18 C. Deceit by Concealment (Claim 3) 19 Under California law, a plaintiff may assert a claim for deceit by concealment 20 based on “[t]he suppression of a fact, by one who is bound to disclose it, or who gives 21 information of other facts which are likely to mislead for want of communication of 22 that fact.” Cal. Civ. Code § 1710(3). An action for fraud and deceit based on 23 concealment has five elements: 24 (1) the defendant must have concealed or suppressed a material fact, 25 (2) the defendant must have been under a duty to disclose the fact to the plaintiff, (3) the defendant must have intentionally concealed or 26 suppressed the fact with the intent to defraud the plaintiff, (4) the 27 plaintiff must have been unaware of the fact and would not have acted as he did if he had known of the concealed or suppressed fact, and 28 (5) as a result of the concealment or suppression of the fact, the 1 plaintiff must have sustained damage. 2 3 In re Yahoo!, 313 F. Supp. 3d at 1133. AT&T challenges only two elements, arguing 4 that Mr. Terpin fails to sufficiently plead duty or reliance in connection with his deceit 5 by concealment claim. (Mot. 13–15.) First, the Court addresses Mr. Terpin’s 6 allegations regarding AT&T’s duty to disclose. 7 California law recognizes four circumstances in which an obligation to disclose 8 may arise: “(1) when the defendant is in a fiduciary relationship with the plaintiff; 9 (2) when the defendant had exclusive knowledge of material facts not known to the 10 plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; 11 and (4) when the defendant makes partial representations but also suppresses some 12 material facts.” LiMandri v. Judkins, 52 Cal. App. 4th 326, 336 (1997). 13 Mr. Terpin fails to sufficiently allege a duty to disclose. The gravamen of Mr. 14 Terpin’s concealment claim is that AT&T hid the fallibility of its data security system 15 from him (FAC ¶¶ 139–145), but as AT&T indicates, it did in fact disclose the limits 16 of its security to Mr. Terpin. Mr. Terpin’s AT&T contract specifically states that 17 AT&T “cannot guarantee that your Personal Information will never be disclosed in a 18 manner inconsistent with [AT&T’s] Policy (for example, as the result of unauthorized 19 acts by third parties that violate the law or this Policy).” (FAC, Ex. B at 96). Mr. 20 Terpin contends that AT&T had “exclusive knowledge of the vulnerability of its 21 security practices,” but many of Mr. Terpin’s own allegations regarding the prevalence 22 of SIM swap fraud in the cryptocurrency community suggest the exact opposite. (See 23 Opp’n 16–17; see also FAC ¶¶ 59–82.) Further, the FAC is devoid of specific 24 allegations of “affirmative acts” AT&T took “in hiding, concealing, or covering up” its 25 imperfect security. Czuchaj v. Conair Corp., 2014 WL 1664235, at *6 (S.D. Cal. Apr. 26 18, 2014) (citation omitted). As such, Mr. Terpin’s allegations are insufficient to state 27 28 1 a claim for deceit by concealment.4 2 Accordingly, the Court GRANTS AT&T’s motion to dismiss Mr. Terpin’s third 3 claim, with leave to amend. As the Court previously noted, although Mr. Terpin is 4 given leave to amend, he should not replead this claim if he cannot cure these 5 deficiencies. 6 D. Misrepresentation (Claim 4) 7 To state an intentional misrepresentation claim under California law, Mr. Terpin 8 must plead: “(1) misrepresentation; (2) knowledge of falsity; (3) intent to defraud or to 9 induce reliance; (4) justifiable reliance; and (5) resulting damage.” Yastrab v. Apple 10 Inc., 173 F. Supp. 3d 972, 977–78 (N.D. Cal. 2016). Mr. Terpin avers that AT&T 11 intentionally misrepresented material facts concerning the reliability of its data 12 security system in its Privacy Policy and Code of Business Conduct (“COBC”). Mr. 13 Terpin also alleges that AT&T “failed to disclose that it did not adhere to its own 14 standards, including the heightened security standards” of requiring a six-digit 15 passcode of anyone attempting to access or change Mr. Terpin’s account settings. 16 (FAC ¶ 152.) Mr. Terpin maintains that AT&T’s promises of data security led him to 17 remain an AT&T customer. (FAC ¶ 152.) 18 Mr. Terpin’s FAC allegations fail to state an intentional misrepresentation claim 19 for two reasons. First, as AT&T points out, Mr. Terpin does not allege that he actually 20 read AT&T’s Privacy Policy or COBC, which makes Mr. Terpin’s allegation that he 21 reasonably relied on the statements contained therein implausible. See, e.g., In re 22 Yahoo! Inc. Customer Data Sec. Breach Litig., No. 19-MD-02752-LHK, 2017 WL 23 3727318, at *27–28 (N.D. Cal. Aug. 30, 2017) (dismissing affirmative 24 misrepresentation claim because plaintiffs did not allege that they “actually read” 25 defendant’s Privacy Policy). Second, Mr. Terpin does not allege that AT&T intended 26 to ignore its heightened security protocol when it represented to Mr. Terpin that it 27

28 4 Having found no duty to disclose, the Court does not address whether Mr. Terpin sufficiently pleads reliance on AT&T’s alleged non-disclosure. 1 would require a six-digit passcode before allowing changes to his account. See 2 Tarmann v. State Farm Mut. Auto. Ins. Co., 2 Cal. App. 4th 153, 158–59 (1991) 3 (holding that intentional misrepresentation claim based on a false promise requires 4 plaintiff to plead that “the promisor did not intend to perform at the time he or she 5 made the promise and that it was intended to deceive or induce the promisee to do or 6 not do a particular thing.”); see also Las Palmas Assocs. v. Las Palmas Ctr. Assocs., 7 235 Cal. App. 3d 1220, 1238 (1991) (“A promise to do something necessarily implies 8 the intention to perform, and, where such an intention is absent, there is an implied 9 misrepresentation of fact, which is actionable fraud.”). Therefore, Mr. Terpin’s 10 allegations fall short of pleading actionable fraud. 11 Because Mr. Terpin fails to allege knowledge of falsity and justifiable reliance, 12 the Court GRANTS AT&T’s motion to dismiss the fourth claim, with leave to 13 amend in the event Mr. Terpin can plead that he actually relied upon the statements in 14 AT&T’s Privacy Policy and COBC or that AT&T never intended to adhere to its 15 heightened security protocols. See Leadsinger, Inc. v. BMG Music Publ’g, 512 F.3d 16 522, 532 (9th Cir. 2008) (ruling leave to amend proper when amendment is not futile). 17 E. Breach of Implied Contract (Claim 9) 18 AT&T renews its motion to dismiss Mr. Terpin’s claim for breach of implied 19 contract on the basis that he failed to sufficiently plead conduct that could manifest 20 agreement to particular terms of an implied contract. (See Mot. 16–18.) 21 In California, the elements of a claim for breach of an express or implied 22 contract are the same. Gomez v. Lincare, Inc., 173 Cal. App. 4th 508, 525 (2009). To 23 state a claim for breach of an implied contract, a plaintiff must allege facts sufficient 24 to establish: (1) the existence of a contract; (2) performance by the plaintiff or excuse 25 for nonperformance; (3) breach by the defendant; and (4) damages. First Commercial 26 Mortg. Co. v. Reece, 89 Cal. App. 4th 731, 745 (2001). In an implied contract, the 27 existence and terms of the contract are manifested by the parties’ conduct. Cal. Civ. 28 Code § 1621. 1 Mr. Terpin pleads his breach of implied contract claim as an alternative to his 2 breach of contract claim. (FAC ¶ 202.) He realleges that AT&T breached the implied 3 contracts “by failing to adhere to the terms of the applicable Privacy Policy and 4 COBC . . . to maintain the confidentiality and security of the Personal Information of 5 Mr. Terpin.” (FAC ¶ 203.) However, Mr. Terpin fails again to sufficiently allege the 6 parties’ conduct that forms the basis of the implied contract. The Court previously 7 found Mr. Terpin’s allegation that his “opening of an AT&T wireless account . . . 8 created implied contracts” too conclusory to state a claim. (July Order 15.) Mr. 9 Terpin now alleges in his FAC that “the opening of and the ongoing and continued use 10 of an AT&T wireless account by Mr. Terpin created . . . implied contracts.” (FAC 11 ¶ 202.) This allegation is equally insufficient to state a valid claim for breach of 12 implied contract. 13 Accordingly, Mr. Terpin’s ninth claim is DISMISSED with prejudice. 14 F. Punitive Damages 15 Mr. Terpin seeks punitive damages in connection with his claims for deceit by 16 concealment (Claim 3), misrepresentation (Claim 4), negligence (Claim 5), negligent 17 supervision and training (Claim 6), and negligent hiring (Claim 7). (FAC ¶¶ 149, 156, 18 166, 179, 192.) AT&T argues that Mr. Terpin has not adequately pleaded that he is 19 entitled to punitive damages. (Mot. 19–21.) 20 AT&T advances two arguments in support of dismissal of Mr. Terpin’s claims 21 for punitive damages. First, AT&T argues that Mr. Terpin has not alleged that an 22 officer, director, or agent of AT&T committed or ratified an oppressive, fraudulent, or 23 malicious act. Second, AT&T argues that Mr. Terpin’s negligence claims are 24 ineligible for punitive damages. 25 By statute, where a plaintiff proves “by clear and convincing evidence that the 26 defendant has been guilty of oppression, fraud, or malice, the plaintiff, in addition to 27 the actual damages, may recover [punitive] damages.” Cal. Civ. Code § 3294(a). 28 Nevertheless, a corporate entity cannot commit willful and malicious conduct; instead, 1 “the advance knowledge and conscious disregard, authorization, ratification or act of 2 oppression, fraud, or malice must be on the part of an officer, director, or managing 3 agent of the corporation.” Id. § 3294(b); Taiwan Semiconductor Mfg. Co. v. Tela 4 Innovations, Inc., No. 14-CV-00362-BLF, 2014 WL 3705350, at *6 (N.D. Cal. July 5 24, 2014) (“[A] company simply cannot commit willful and malicious conduct—only 6 an individual can.”). Therefore, Mr. Terpin must plead that an officer, director, or 7 managing agent of AT&T committed or ratified an act of oppression, fraud, or malice. 8 Mr. Terpin alleges no facts showing that an officer, director, or managing agent 9 of AT&T knew about or ratified the alleged wrongful conduct of which he complains. 10 The FAC includes no allegations to suggest that the sole bad actor Mr. Terpin points 11 to—Jahmil Smith—“exercise[d] substantial discretionary authority over decisions that 12 ultimately determine[d] corporate policy.” Cruz v. HomeBase, 83 Cal. App. 4th 160, 13 167 (2000). Mr. Terpin alleges that high-ranking AT&T executives pledged in the 14 COBC to protect AT&T customers’ personal information, but fails to connect these 15 executives to any tortious conduct. (FAC ¶¶ 55–57.) Thus, Mr. Terpin has not alleged 16 sufficient facts regarding AT&T’s corporate misconduct to support a prayer for 17 punitive damages.5 Accordingly, Mr. Terpin’s request for punitive damages is 18 DISMISSED with leave to amend. 19 G. Declaratory Relief (Claim 1); Doe Defendants 20 AT&T moves to dismiss Mr. Terpin’s claim for declaratory relief on the basis 21 that Mr. Terpin’s other claims should not survive for the reasons above. (Mot. 18.) As 22 Mr. Terpin’s damages claims partially survive the Motion, Mr. Terpin’s request for 23 declaratory relief (Claim 1) survives as well. 24 In addition, the Court GRANTS AT&T’s motion to dismiss Mr. Terpin’s Doe 25 Defendants, with leave to amend in accordance with Local Rule 19-1. (See Mot. 18– 26 19); C.D. Cal. L.R. 19-1. 27

28 5 Consequently, the Court does not address the propriety of Mr. Terpin seeking punitive damages for his negligence claims. 1 V. CONCLUSION 2 For the reasons discussed above, the Court GRANTS, IN PART, and 3 || DENIES, IN PART, AT&T’s Motion to Dismiss (ECF No. 33). Mr. Terpin may 4 || amend the FAC to address the deficiencies identified above within twenty-one (21) 5 || days from the date of this Order. 6 7 IT ISSO ORDERED. 8 9 February 24, 2020 . 10 Wee a“

2 OTIS D. WRIGHT, II UNITED STATES DISTRICT JUDGE

14 15 16 17 18 19 20 21 22 23 24 25 26 27 28