Ortiz v. Perkins & Co

• Court: District Court, N.D. California
• Decided: November 2, 2022
• Docket: 4:22-cv-03506
• Status: Unknown

Opinion

1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 ALICE ORTIZ, Case No. 22-cv-03506-KAW

8 Plaintiff, ORDER GRANTING MOTION TO 9 v. DISMISS

10 PERKINS & CO, et al., Re: Dkt. No. 15 11 Defendants.

12 13 On June 14, 2022, Plaintiff Alice Ortiz filed the instant case against Defendant Perkins & 14 Co., alleging that Defendant failed to properly secure and safeguard Plaintiff’s information -- 15 including her full name, financial account information, and social security number -- on its 16 information network. (Compl. ¶ 1, Dkt. No. 1.) Pending before the Court is Defendant’s motion 17 to dismiss. (Def.’s Mot. to Dismiss, Dkt. No. 15.) 18 Having considered the parties’ filings, the relevant legal authorities, and the arguments 19 made at the October 6, 2022 hearing, the Court GRANTS Defendant’s motion to dismiss. 20 I. BACKGROUND 21 Defendant is an accounting firm who uses a vendor, Netgain, to store data in the cloud. 22 (Compl. ¶ 33; Def.’s Mot. to Dismiss, Exh. A (“Notice”).1 Around May 26, 2022, Defendant sent 23 1 Exhibit A is the Notice that Defendant sent to affected individuals, which is available on the 24 California Attorney General’s Office. Although the complaint does not attach the Notice to the complaint, the “incorporation by reference” doctrine “permits [a court] to take into account 25 documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the plaintiff’s pleading.” Knievel v. ESPN, 393 F.3d 26 1068, 1076 (9th Cir. 2005); see also United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003) (“Even if a document is not attached to a complaint, it may be incorporated by reference if the 27 plaintiff refers extensively to the document or the document forms the basis of the plaintiff’s 1 a Notice to Plaintiff, stating that between November 8, 2020 and December 3, 2020, an attacker 2 had accessed Netgain’s servers storing Defendant’s files, some of which were copied and stolen. 3 (Compl. ¶ 33; Notice at 1.) The attacker also encrypted files and demanded a ransom in exchange 4 for returning copies of the stolen files and an access key to the encrypted files. (Notice at 1.) 5 After Netgain paid the ransom, the attacker returned the stolen files and provided a decryption 6 key. (Compl. ¶ 33; Notice at 1.) The Notice noted that Defendant’s computer systems were not 7 impacted by the attack. (Notice at 1.) Defendant offered complimentary credit monitoring and 8 identity restoration, and also encouraged recipients to “remain vigilant against incidents of 9 payment card fraud or misuse, to review your account statements, and to monitor your credit 10 reports for suspicious activity.” (Notice at 2-3.) As a result of the data breach, Plaintiff alleges 11 that she spent and will continue to spend time dealing with the breach, including verifying the 12 legitimacy of the breach, exploring credit monitoring and identity theft insurance options, 13 monitoring her accounts, and seeking legal counsel. (Compl. ¶ 17.) Plaintiff further alleges that 14 she suffered lost time, annoyance, and anxiety as a result of cyber-criminals accessing her 15 information. (Compl. ¶ 19.) 16 On June 14, 2022, Plaintiff filed the operative complaint, alleging claims for: (1) 17 negligence, (2) breach of implied contract, (3) breach of the implied covenant of good faith and 18 fair dealing, and (4) unjust enrichment. On August 11, 2022, Defendant filed the instant motion to 19 dismiss. On August 25, 2022, Plaintiff filed her opposition. (Pl.’s Opp’n, Dkt. No. 18.) On 20 September 1, 2022, Defendant filed its reply. (Def.’s Reply, Dkt. No. 21.) 21 II. LEGAL STANDARD 22 A. Motion to Dismiss under Rule 12(b)(1) 23 A defendant may move to dismiss an action for lack of subject matter jurisdiction pursuant 24 to Federal Rule of Civil Procedure 12(b)(1). A Rule 12(b)(1) motion tests whether a complaint 25 alleges grounds for federal subject matter jurisdiction. A motion to dismiss for lack of subject 26 matter jurisdiction will be granted if the complaint on its face fails to allege facts sufficient to 27 establish subject matter jurisdiction. See Savage v. Glendale Union High Sch., 343 F.3d 1036, 1 face of the pleadings, but may review any evidence, such as affidavits and testimony, to resolve 2 factual disputes concerning the existence of jurisdiction." McCarthy v. United States, 850 F.2d 3 558, 560 (9th Cir. 1988). Once a party has moved to dismiss for lack of subject matter jurisdiction 4 under Rule 12(b)(1), the opposing party bears the burden of establishing the court’s jurisdiction. 5 See Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir. 2010). 6 B. Motion to Dismiss under Rule 12(b)(6) 7 Under Federal Rule of Civil Procedure 12(b)(6), a party may file a motion to dismiss based 8 on the failure to state a claim upon which relief may be granted. A motion to dismiss under Rule 9 12(b)(6) tests the legal sufficiency of the claims asserted in the complaint. Navarro v. Block, 250 10 F.3d 729, 732 (9th Cir. 2001). 11 In considering such a motion, a court must "accept as true all of the factual allegations 12 contained in the complaint," Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation 13 omitted), and may dismiss the case or a claim "only where there is no cognizable legal theory" or 14 there is an absence of "sufficient factual matter to state a facially plausible claim to relief." 15 Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing 16 Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro, 250 F.3d at 732) (internal quotation 17 marks omitted). 18 A claim is plausible on its face when a plaintiff "pleads factual content that allows the 19 court to draw the reasonable inference that the defendant is liable for the misconduct alleged." 20 Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate 21 "more than labels and conclusions, and a formulaic recitation of the elements of a cause of action 22 will not do." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). 23 "Threadbare recitals of the elements of a cause of action" and "conclusory statements" are 24 inadequate. Iqbal, 556 U.S. at 678; see also Epstein v. Wash. Energy Co., 83 F.3d 1136, 1140 (9th 25 Cir. 1996) ("[C]onclusory allegations of law and unwarranted inferences are insufficient to defeat 26 a motion to dismiss for failure to state a claim."). "The plausibility standard is not akin to a 27 probability requirement, but it asks for more than a sheer possibility that a defendant has acted 1 liability, it stops short of the line between possibility and plausibility of entitlement to relief." 2 Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 557) (internal citations omitted). 3 Generally, if the court grants a motion to dismiss, it should grant leave to amend even if no 4 request to amend is made "unless it determines that the pleading could not possibly be cured by 5 the allegation of other facts." Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (citations 6 omitted). 7 III. DISCUSSION 8 A. Standing 9 Article III standing requires the demonstration of three elements: (1) the plaintiff suffered 10 an “injury in fact” that is concrete and particularized and actual or imminent, not conjectural or 11 hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is 12 likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. 13 Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). Absent this showing, the action 14 must be dismissed. See Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 109-10 (1998). 15 Here, Plaintiff asserts the following injuries: (1) the increased risk of future fraud, and (2) 16 lost time from dealing with the data breach. (Pl.’s Opp’n at 5-6.) With respect to the increased 17 risk of future fraud, Defendant argues that per the Supreme Court’s recent decision in TransUnion 18 LLC v. Ramirez, “the mere risk of future harm, without more, cannot qualify as a concrete harm 19 sufficient to establish standing.” (Def.’s Mot. to Dismiss at 6 (citing 141 S. Ct. 2190, 2211).) 20 In TransUnion, the Supreme Court found that there was no standing where the credit 21 reporting company had mislabeled the plaintiffs as potential terrorists in the company’s internal 22 credit files, but had never provided those plaintiffs’ credit information to any third-party. 141 S. 23 Ct. at 2209. While the plaintiffs argued that the existence of the inaccurate information “in their 24 internal credit files exposed them to a material risk that the information would be disseminated in 25 the future to third parties and thereby cause them harm,” the Supreme Court found that “in a suit 26 for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm--at 27 least unless the exposure to the risk of future harm itself causes a separate concrete harm.” Id. at 1 if an individual is exposed to a risk of future harm, time will eventually reveal whether the risk materializes in the form of actual 2 harm. If the risk of future harm materializes and the individual suffers a concrete harm, then the harm itself, and not the pre-existing 3 risk, will constitute a basis for the person’s injury and for damages. If the risk of future harm does not materialize, then the individual 4 cannot establish a concrete harm sufficient for standing[.] 5 Id. at 2211. 6 In her opposition, Plaintiff neither acknowledges nor addresses TransUnion, instead 7 relying on pre-TransUnion cases. (Pl.’s Opp’n at 5.) Specifically, Plaintiff cites Krottner v. 8 Starbucks Corp., in which the Ninth Circuit found standing could be established where “a plaintiff 9 faces a credible threat of harm, and that harm is both real and immediate, not conjectural or 10 hypothetical.” 628 F.3d 1139, 1143 (9th Cir. 2010). There, the Ninth Circuit found a credible 11 threat of harm where a laptop containing the unencrypted names, addresses, and social security 12 numbers of 97,000 employees was stolen. Id. Plaintiff also cites In re Zappos.com, Inc., which 13 affirmed Krottner and found adequate injury in fact because the information stolen in a data 14 breach could be used to commit identity theft. 888 F.3d 1020, 1027-28 (9th Cir. 2018). 15 Following TransUnion, the district courts have split on whether In re Zappos.com, Inc. and 16 Krottner remain good law. In I.C. v. Zynga, Inc., the district court found that “in light of 17 TransUnion’s rejection of risk of harm as a basis of standing for damages claims, the Court 18 questions the viability of Krottner and Zappos’s holdings finding standing on this very basis.” 19 I.C. v. Zynga, Inc., No. 20-cv-01539-YGR, 2022 U.S. Dist. LEXIS 112601, at *32 n.15 (N.D. Cal. 20 Apr. 29, 2022). In contrast, in Riordan v. Western Digital Corp., the district court found that 21 Krottner “provides a good point of contrast” to TransUnion’s concerns regarding speculative 22 allegations of harm. No. 5:21-cv-06074-EJD, 2022 U.S. Dist. LEXIS 101685, at *10 (N.D. Cal. 23 June 7, 2022). 24 The Court finds that by itself, the risk of increased future harm is not sufficient to establish 25 standing post-TransUnion. The Court, however, finds that the time spent dealing with the harm is 26 a cognizable injury where, as here, the information stolen could be used to commit identity theft. 27 See Clemens v. ExecuPharm Inc., No. 21-1506, -- F. 4th --, 2022 U.S. App. LEXIS 24808, at *14 1 context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff 2 suing for damages can satisfy concreteness as long as he alleges that the exposure to the 3 substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s 4 knowledge of the substantial risk of identity theft caused him to presently experience emotional 5 distress or spend money on mitigation measures like credit monitoring services, the plaintiff has 6 alleged a concrete injury.”). This is consistent with TransUnion, which specifically noted the lack 7 of “present evidence that the class members were independently harmed by their exposure to the 8 risk itself--that is, that they suffered some other injury (such as an emotional injury) from the mere 9 risk that their credit reports would be provided to third-party businesses.” 141 S. Ct. at 2211. 10 In response, Defendant relies on Clapper v. Amnesty International, USA, in which the 11 Supreme Court explained that plaintiffs “cannot manufacture standing merely by inflicting harm 12 on themselves based on their fears of hypothetical future harm that is not certainly impending.” 13 568 U.S. 398, 416 (2013). There, however, the plaintiffs took action to avoid government 14 surveillance under § 1881a, but the plaintiffs had “no actual knowledge of the Government’s § 15 1881a targeting practices,” such that they could only “speculate and make assumptions about 16 whether their communications with their foreign contacts will be acquired under § 1881a.” Id. at 17 411. Moreover, the likelihood of surveillance “relie[d] on a highly attenuated chain of 18 possibilities,” requiring that the government target the plaintiffs’ foreign contacts, invoke its 19 authority under § 1881a rather than another method of surveillance, have the request approved by 20 the Foreign Intelligence Surveillance Court, and have the plaintiffs’ communications included in 21 the communications intercepted by the government. Id. at 410. In short, the plaintiffs could not 22 establish standing based on actions taken to avoid harm that was purely speculative. 23 The harm Plaintiff was trying to avoid here, however, is not speculative. As an initial 24 matter, the stolen information in this case included social security numbers, which courts have 25 recognized as creating a sufficient likelihood of future identity theft. See Greenstein v. Noblr 26 Reciprocal Exch., No. 21-cv-04537-JSW, 2022 U.S. Dist. LEXIS 30228, at *10 (N.D. Cal. Feb. 27 14, 2022) (finding that the revealing of “highly sensitive personal data, such as social security 1 Inc., No. 2:21-CV-02200, 2022 U.S. Dist. LEXIS 42765, at *8 (W.D. Ark. Mar. 10, 2022) (“Here, 2 unlike in TransUnion where the possibility TransUnion could disseminate the false reports was 3 speculative, there is no dispute that Plaintiff’s name and Social Security number were part of a 4 data breach and accessed by an unknown third party, and Plaintiff has demonstrated a sufficient 5 likelihood this information could cause future identity theft.”); contrast with Zynga, Inc., 2022 6 U.S. Dist. LEXIS 112601, at *29 (finding that associated costs and stress were conjectural because 7 the information stolen -- e-mail addresses, Zynga usernames and passwords, Facebook usernames, 8 phone numbers, and dates of birth -- could not be used to commit identity theft without names and 9 social security numbers). Moreover, in Remijas v. Neiman Marcus Group, LLC, the Seventh 10 Circuit found that time and money spent to protect from future identity theft and fraudulent 11 charges were actual injury. 794 F.3d 688, 692-94 (7th Cir. 2015). Distinguishing Clapper, the 12 Seventh Circuit found that “it is plausible to infer that the plaintiffs have shown a substantial risk 13 of harm from the . . . data breach. Why else would hackers break into a store’s database and steal 14 consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make 15 fraudulent charges or assume those consumers’ identities.” Id. at 693. Moreover,

16 An affected customer, having been notified by Neiman Marcus that her card is at risk, might think it necessary to subscribe to a service 17 that offers monthly credit monitoring. It is telling in this connection that Neiman Marcus offered one year of credit monitoring and 18 identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 19 2013 and January 2014. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded. 20 21 Id. at 694. 22 Such is the case here. This is not a situation where, like Clapper, the chance of the stolen 23 information being fraudulently used is so “ephemeral” that it is merely speculative. Rather, as 24 Defendant acknowledged before recommending that Plaintiff and other affected parties monitor 25 their accounts, “we still consider any data viewed or stolen by the attacker to be at risk.” (Notice 26 at 1, 3.) 27 In the alternative, Defendant argues that Plaintiff cannot demonstrate standing to pursue 1 at 5.) But injunctive relief is not limited only to preventing harm from a single incident; rather, a 2 plaintiff can seek prospective injunctive relief by “demonstrate[ing] that he has suffered or is 3 threatened with a concrete and particularized legal harm, coupled with a sufficient likelihood that 4 he will again be wronged in a similar way.” Bates v. UPS, 511 F.3d 974, 985 (9th Cir. 2007) 5 (emphasis added). The more fundamental problem that Defendant identifies, however, is that 6 here, it was not Defendant’s systems that were compromised, but Netgain’s. (Def.’s Mot. to 7 Dismiss at 5.) Plaintiff fails to explain in her opposition how Defendant taking measures such as 8 requiring internal personnel to run automated security monitoring, creating firewalls, conducting 9 regular database scanning and securing checks, or implementing tests of their employees’ 10 knowledge of data security would prevent Netgain from being breached in the future. 11 Accordingly, the Court finds that at the pleading stage, Plaintiff can establish standing 12 based on her lost time spent dealing with the data breach for damages purposes, but not injunctive 13 relief. The Court will give Plaintiff leave to amend the complaint to demonstrate injunctive relief 14 is appropriate. In the meantime, the Court considers whether Plaintiff’s claims are adequately 15 pled. 16 B. Negligence 17 Plaintiff’s first claim is for negligence. To plead negligence, Plaintiff must show that 18 Defendant “owed [Plaintiff] a legal duty, that it breached the duty, and that the breach was a 19 proximate or legal cause of [Plaintiff’s] injuries.” Merrill v. Navegar, Inc., 26 Cal. 4th 465, 477 20 (2001). 21 First, Defendant argues that Plaintiff fails to demonstrate actual harm or damages. (Def.’s 22 Mot. to Dismiss at 11.) As previously discussed, the Court finds that there were damages from the 23 time spent dealing with the data breach. Courts have found such lost time to be sufficiently 24 concrete and non-speculative. See In re Solara Med. Supplies, LLC Customer Data Sec. Breach 25 Litig., No. 3:19-cv-2284-H-KSC, 2020 U.S. Dist. LEXIS 80736, at *12 (S.D. Cal. May 7, 2020) 26 (“Increased time spent monitoring one's credit and other tasks associated with responding to a data 27 breach have been found by other courts to be specific, concrete, and non-speculative.”); Bass v. 1 Second, Defendant argues that Plaintiff has failed to demonstrate Defendant was the 2 proximate cause of any injury from the data breach because, again, it was not Defendant’s 3 computer system that was breached but Netgain’s. (Def.’s Mot. to Dismiss at 12.) Plaintiff, in 4 turn, argues that the mere fact that Defendant “collected her information, provided her information 5 to a third party, and sent her the letter informing her of the data breach” makes causation “self- 6 evident.” (Pl.’s Opp’n at 8.) The Court disagrees. While it is certainly possible that both 7 Defendant and Netgain may have breached some duty, it is far from a foregone conclusion. Did 8 Defendant knowingly choose a vendor with a history of data breaches? Did Defendant keep 9 information on the cloud server that it should not have? If so, what specific duties did this breach? 10 Plaintiff fails to explain with any specificity, instead pointing to a litany of generic data security 11 practices such as monitoring and restricting access to unsecured information, supervising financial 12 information, enforcing security policies, and implementing policies to detect data breaches. 13 (Compl. ¶ 79.) Plaintiff cannot simply rely on the breach of Defendant’s vendor to demonstrate 14 negligence by Defendant; Plaintiff needs to specifically explain the duties that Defendant 15 breached, and how that breach caused Plaintiff’s harm. The Court finds that Plaintiff fails to 16 adequately allege a negligence claim. 17 C. Breach of Implied Contract and the Covenant of Good Faith and Fair Dealing 18 Plaintiff brings a claim for breach of an implied contract, alleging that the parties “entered 19 into implied contracts for Defendant to implement data security adequate to safeguard and protect 20 the privacy of” Plaintiff’s financial information. (Compl. ¶ 94.) Specifically, Defendant required 21 Plaintiff to provide such information as a condition of receiving services from Defendant. 22 (Compl. ¶ 95.) 23 Plaintiff’s conclusory allegations are insufficient to demonstrate that there was an implied 24 contract; Plaintiff merely alleges that Defendant “assured reasonable security over” Plaintiff’s 25 information, but it is unclear where this assurance was located (e.g., in a user agreement, privacy 26 policy, or terms of services) or why this created a contract. (Pl.’s Opp’n at 8.) Indeed, as 27 Defendant points out, based on Plaintiff’s allegations it is unclear that the parties engaged in any 1 (Def.’s Mot. to Dismiss at 13.) Indeed, at the hearing, Plaintiff’s counsel stated that he did not 2 know the nature of the relationship between the parties. 3 Moreover, several courts have specifically found that consideration is required for an 4 implied contract claim regarding data security. For example, in Gardiner v. Walmart, the district 5 court rejected a similar allegation that the plaintiff “did not receive the benefit of his bargain with 6 [the d]efendants, through which he agreed to pay for goods with the understanding that his 7 payment information would be protected by Defendants.” No. 20-cv-04618-JSW, 2021 U.S. Dist. 8 LEXIS 75079, at *16 (N.D. Cal. Mar. 5, 2021). In rejecting the claim, the district court explained 9 that the plaintiff did not allege that the defendant represented that his “purchases included a sum 10 understood by the parties to be allocated toward customer data,” or “that the cost of the goods he 11 purchased . . . included some amount attributable to data security as required to support his benefit 12 of the bargain theory.” Id. at *17-18. Likewise, in In re Linkedin User Privacy Litigation, the 13 district court found that the complaint failed to allege that the plaintiffs “actually provided 14 consideration for the security services which they claim were not provided.” 932 F. Supp. 2d 15 1089, 1093 (N.D. Cal. 2013). While the plaintiffs had paid for a premium membership, “the 16 bargain is not for a particular level of security, but actually for the advanced networking tools and 17 capabilities to facilitate enhanced usage of LinkedIn’s services.” Id. Thus, the complaint “d[id] 18 not sufficiently demonstrate that included in [the p]laintiffs’ bargain for premium membership was 19 the promise of a particular (or greater) level of security that was not part of the free membership.” 20 Id.; see also Huynh v. Quora, Inc., No. 18-cv-07597-BLF, 2019 U.S. Dist. LEXIS 235733, at *27 21 (N.D. Cal. Dec. 19, 2019) (finding no breach of contract claim where the plaintiffs “ha[d] not 22 shown that they paid anything for the asserted privacy protections”). 23 Because Plaintiff fails to allege a contract, implied or otherwise, in which Defendant 24 agreed to provide data security, the Court finds that Plaintiff cannot establish a breach of contract 25 claim. Absent a contract, Plaintiff’s breach of the covenant of good faith and fair dealing claim 26 also fails. While doubtful, it is possible Plaintiff could point to specific representations from 27 which the Court may find an implied contract. Likewise, to the extent Plaintiff seeks to amend the 1 allegations will need to be consistent with existing case law. Accordingly, both these claims are 2 || DISMISSED without prejudice. 3 D. Unjust Enrichment 4 Finally, Plaintiff brings an unjust enrichment claim. An unjust enrichment claim requires 5 “receipt of a benefit and the unjust retention of the benefit at the expense of another.” Peterson v. 6 Cellco P'ship, 164 Cal. App. 4th 1583, 1593 (2008) (internal quotation omitted). Importantly, 7 “[t]he mere fact that a person benefits another is not of itself sufficient to require the other to make 8 || restitution therefor. There is no equitable reason for invoking restitution when the plaintiff gets 9 || the exchange which he expected.” Jd. (internal quotation omitted). 10 Plaintiff bases her unjust enrichment claim on Defendant’s alleged “failure to disclose its 11 lax data security practices at her expense because of her lost time, diminution in value of her PII, 12 || etc.” (Pl.’s Opp’n at 10.) Plaintiff, however, utterly fails to identify any benefit that Defendant 13 retained. The fact that Plaintiff lost time does not necessarily mean that Defendant gained from it. 14 || It is not apparent from the factual pleadings that Defendant gained anything from Plaintiff, 3 15 particularly if Plaintiff did not hire Defendant for any services. Accordingly, the unjust a 16 || enrichment claim is DISMISSED without prejudice. 2 17 IV. CONCLUSION Z 18 For the reasons stated above, the Court GRANTS Defendant’s motion to dismiss. Plaintiff 19 || may file an amended complaint within 21 days of the date of this order. If no amended complaint 20 || or notice of intent not to file an amended complaint is filed by that date, the Court will dismiss the 21 case pursuant to Federal Rule of Civil Procedure 41(b). See Edwards v. Marin Park, Inc., 356 22 || F.3d 1052, 1065 (9th Cir. 2004) (“The failure of the plaintiff eventually to respond to the court’s 23 ultimatum--either by amending the complaint or by indicating to the court that it will not do so--is 24 || properly met with the sanction of a Rule 41(b) dismissal.”). 25 IT IS SO ORDERED. 26 Dated: November 2, 2022 .

28 United States Magistrate Judge