Smallman v. MGM Resorts International

• Court: District Court, D. Nevada
• Decided: November 2, 2022
• Docket: 2:20-cv-00376
• Status: Unknown

Opinion

1 UNITED STATES DISTRICT COURT

2 DISTRICT OF NEVADA

3 SMALLMAN et al., ) 4 ) Plaintiffs, ) Case No.: 2:20-cv-00376-GMN-EJY 5 vs. ) ) ORDER 6 MGM Resorts International, ) 7 ) Defendant. ) 8 )

9 10 Pending before the Court is Defendant MGM Resorts International’s (“Defendant 11 MGM’s”) Motion to Dismiss, (ECF No. 103). Plaintiffs Ryan Bohlim, Duke Hwynn, Andrew 12 Sedaghatpour, Gennady Simkin, Robert Taylor, Michael Fossett, Victor Wukovits, Kerri 13 Shapiro, Julie Mutsko, John Dvorak, Larry Lawter, individually and on behalf of those 14 similarly situated (collectively “Plaintiffs”) filed a Response, (ECF No. 109), and Defendant 15 MGM filed a Reply, (ECF No. 117). 16 For the reasons discussed below, the Court GRANTS in part and DENIES in part 17 Defendant MGM’s Motion to Dismiss. 18 I. BACKGROUND 19 This case arises from a July 7, 2019, data breach of Defendant MGM’s network in which 20 hackers download the personally identifiable information (“PII”) of Defendant MGM guests 21 worldwide (“Data Breach”). (Consolidated Class Action Complaint (“CAC”) ¶¶ 1, 29, ECF No. 22 101). Plaintiffs are a consolidated class action of consumers whose PII was stolen in the Data 23 Breach. (Id.). Specifically, hackers accessed Plaintiffs name, address, phone number, email 24 address, and dates of birth (Id. ¶¶ 2, 29). Furthermore, certain Plaintiffs also had their driver’s 25 license number, passports number, and military identification number stolen. (Id.). 1 Plaintiffs allege that the stolen PII has been posted on the dark web for purchase on at 2 least three separate occasions. (Id. ¶ 46). Cybersecurity journalists have observed that the PII 3 of at least 10.6 million MGM guests are available on a dark web hacking forum. (Id ¶ 34). In a 4 letter to the North Dakota Attorney General on September 7, 2019, Defendant MGM noted that 5 the hacker “posted the data on a closed internet forum with the intent to sell the information for 6 financial gain.” (Id. ¶ 32). Plaintiffs posit that they now face a long-term heightened risk that 7 their PII will be sold or disseminated on the dark web. (Id. 47–65). 8 Defendant MGM has not disclosed how the hackers were able to obtain consumers PII. 9 (Id. ¶ 37). However, a Defendant MGM spokesperson revealed that the Data Breach may have 10 been caused by “unauthorized access to a cloud server.”1 (Id.) Further, Defendant MGM 11 disclosed to the North Dakota Attorney General that the hackers “exfiltrated data by exploiting 12 a compromised account.” (Id. ¶ 38). Despite the Data Breach occurring on July 7, 2019, 13 Defendant MGM did not notify affected consumers until nearly two months later, on 14 September 7, 2019. (Id. ¶ 44). Plaintiffs allege that Defendant MGM’s delayed response 15 exacerbated the risk of harm to Plaintiffs. (Id. ¶ 45). 16 Plaintiffs contend that Defendant MGM failed to implement reasonable data security 17 measures to protect their PII, maintain and monitor its server against intrusions, and retained 18 Plaintiffs PII for longer than necessary. (Id. ¶¶ 7, 77, 90–91). Additionally, Plaintiffs allege 19 that Defendant MGM failed to encrypt the PII stored on its server. (Id. ¶ 38). Furthermore, 20 Plaintiffs allege that Defendant MGM failed to adopt reasonable safety measures despite

21 knowing that the hotel industry is frequently targeted by cyber security attacks. (Id. ¶ 77–88). 22 Following the Data Breach, all Plaintiffs have experienced an increase in spam and 23 phishing phone calls, text messages, and emails. (Id. ¶¶ 10–20). Similarly, all Plaintiffs allege 24 25 1 See Details of 10.6 Million MGM Hotel Guests Posted on a Hacking Forum, ZDNet, Feb. 19, 2020, available at https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking- forum/ (quoting unnamed “MGM spokesperson”) (last visited Oct. 26, 2022). 1 that they have spent a greater amount of time monitoring their financial and other accounts. 2 (Id.). Additionally, all Plaintiffs contend that their PII is available on the dark web, and that 3 they have been forced to expend a significant amount of time and energy resetting passwords 4 and taking additional steps to protect their PII. (Id.). Plaintiffs posit that the value of their PII 5 has diminished due to its dissemination. (Id. ¶¶ 5, 100). Plaintiffs further contend they have 6 suffered “benefit of the bargain” damages because they paid MGM for services that were 7 “intended to be accompanied by adequate data security[] but were not.” (Id. ¶ 5, 111–12). 8 In addition to the alleged injuries set forth above, several Plaintiffs have asserted 9 additional harms. Specifically, multiple Plaintiffs contend that criminals have attempted to 10 make fraudulent purchases on their accounts. (Id. ¶¶ 13–14, 16). Other Plaintiffs assert that 11 criminals have perpetrated ransom attacks against them or attempted to sign into their personal 12 accounts. (Id. ¶ 11, 16, 19). Several Plaintiffs have taken the additional step of purchasing 13 security services to protect their PII. (Id. ¶¶ 12, 16, 20). 14 On April 4, 2021, Plaintiffs filed the present Consolidated Class Action Complaint 15 asserting claims for: (1) negligence; (2) negligent misrepresentation; (3) breach of implied 16 contract; (4) unjust enrichment; (5) violation of the Nevada Consumer Fraud Act, NRS § 17 41.600; (6) violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 18 17200, et seq.; (7) violation of the California Consumers Legal Remedies Act, Cal. Civ. Code 19 §§ 1750, et seq.; (8) violation of the California Customer Records Act, Cal. Civ. Code §§ 20 1798.80, et seq.; (9) violation of the Connecticut Unfair Trade Practices Act, Conn. Gen. Stat. §

21 42-110a, et seq.; (10) violation of the Georgia Deceptive Trade Practices Act, Ga. Code. Ann. 22 §§ 10-1-370, et seq.; (11) violation of New York General Business Law, N.Y. Gen. Bus. Law § 23 349; (12) violation of the Ohio Deceptive Trade Practices Act, Ohio Rev. Code §§ 4165.01, et 24 seq.; (13) violation of the Oregon Unlawful Trade Practices Act, Or. Stat. §§ 646.605, et seq.; 25 and (14) violation of the Oregon Consumer Information Protection Act, Or. Stat. §§ 646A.600, 1 et seq. (Id. ¶¶ 143–340). On June 1, 2021, Defendant MGM filed the present Motion to 2 Dismiss. (See generally MTD, ECF No. 103). 3 II. LEGAL STANDARD 4 Dismissal is appropriate under Rule 12(b)(6) where a pleader fails to state a claim upon 5 which relief can be granted. Fed. R. Civ. P. 12(b)(6); Bell Atl. Corp. v. Twombly, 550 U.S. 544, 6 555 (2007). A pleading must give fair notice of a legally cognizable claim and the grounds on 7 which it rests, and although a court must take all factual allegations as true, legal conclusions 8 couched as factual allegations are insufficient. Twombly, 550 U.S. at 555. Accordingly, Rule 9 12(b)(6) requires “more than labels and conclusions, and a formulaic recitation of the elements 10 of a cause of action will not do.” Id. “To survive a motion to dismiss, a complaint must contain 11 sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its 12 face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). “A 13 claim has facial plausibility when the plaintiff pleads factual content that allows the court to 14 draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. This 15 standard “asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. 16 “Generally, a district court may not consider any material beyond the pleadings in ruling 17 on a Rule 12(b)(6) motion.” Hal Roach Studios, Inc. v. Richard Feiner & Co., 896 F.2d 1542, 18 1555 n.19 (9th Cir. 1990). “However, material which is properly submitted as part of the 19 complaint may be considered.” Id. Similarly, “documents whose contents are alleged in a 20 complaint and whose authenticity no party questions, but which are not physically attached to

21 the pleading, may be considered in ruling on a Rule 12(b)(6) motion to dismiss.” Branch v. 22 Tunnell, 14 F.3d 449, 454 (9th Cir. 1994). On a motion to dismiss, a court may also take 23 judicial notice of “matters of public record.” Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 24 (9th Cir. 1986). Otherwise, if a court considers materials outside of the pleadings, the motion 25 to dismiss is converted into a motion for summary judgment. Fed. R. Civ. P. 12(d). 1 If the court grants a motion to dismiss for failure to state a claim, leave to amend should 2 be granted unless it is clear that the deficiencies of the complaint cannot be cured by 3 amendment. DeSoto v. Yellow Freight Sys., Inc., 957 F.2d 655, 658 (9th Cir. 1992). Pursuant 4 to Rule 15(a), the court should “freely” give leave to amend “when justice so requires,” and in 5 the absence of a reason such as “undue delay, bad faith or dilatory motive on the part of the 6 movant, repeated failure to cure deficiencies by amendments previously allowed undue 7 prejudice to the opposing party by virtue of allowance of the amendment, futility of the 8 amendment, etc.” Foman v. Davis, 371 U.S. 178, 182 (1962). 9 III. DISCUSSION 10 Defendant MGM moves to dismiss all of Plaintiffs’ common law2 and statutory claims. 11 The Court will first examine Plaintiffs negligence claim. 12 A. NEGLIGENCE 13 Defendant MGM argues that Plaintiffs negligence claim cannot survive the economic 14 loss doctrine. (MTD 28:23–24). Alternatively, Defendant MGM contends that Plaintiffs have 15 failed to allege that Defendant MGM breached a legal duty or suffered cognizable damages. 16 (Id. 29:10–17). In rebuttal, Plaintiffs assert that their negligence claim survives the economic 17 loss doctrine because they allege both economic and non-economic losses. (Resp. 27:8–29:16, 18 ECF No. 109). Additionally, Plaintiffs argue that they sufficiently alleged Defendant MGM’s 19 deviation from industry standard data security procedure. (Id. 30:16–19). The Court will first 20 examine whether Plaintiffs negligence claim is barred by the economic loss doctrine.

21 /// 22 /// 23 /// 24

25 2 The parties do not dispute that Nevada substantive law controls the common law tort and contract-based in this action. (CAC ¶ 127); (MTD 21:23–22:3). 1 1. Economic Loss Doctrine 2 Here, Plaintiffs assert the economic loss doctrine does not apply because they allege 3 non-economic harms in the form diminished value to their PII and intangible damage to their 4 privacy caused by the Data Breach. (Resp. 27:18–27). 5 The Nevada Supreme Court has “applied the economic loss doctrine in product liability 6 cases, as well as in negligence cases unrelated to product liability.” Giles v. Gen. Motors 7 Acceptance Corp., 494 F.3d 865, 879 (9th Cir. 2007) (citing Nevada cases). “Under the 8 economic loss doctrine ‘there can be no recovery in tort for purely economic losses.” Urban 9 Outfitters, Inc. v. Dermody Operating Co., LLC, 572 F. Supp. 3d 977, 995 (D. Nev. 2021) 10 (quoting Calloway v. City of Reno, 993 P.2d 1259, 1263 (Nev. 2000) (economic losses are not 11 recoverable in negligence absent personal injury or damage to property other than the defective 12 entity itself.). “Thus, the doctrine provides that certain economic losses are properly remediable 13 only in contract.” Peri & Sons Farms, 933 F. Supp. 2d 1279, 1283–84 (D. Nev. 2013). Nevada 14 has defined the economic loss doctrine as “the loss of the benefit of the user’s bargain including 15 pecuniary damage for all inadequate value, the cost of repair and replacement of the defective 16 product, or consequent loss of profits, without any claim of personal injury or damage to other 17 property. Id. (citation omitted). Therefore, the economic loss doctrine “does not bar actions 18 seeking damage for pecuniary losses that are ‘accompan[ied by] personal injury or property 19 damage.” Id. (quoting Terracon Consultants Western, Inc. v. Mandalay Resort Grp., 206 P.3d 20 81, 86 (Nev. 2009).

21 In the data breach context, courts within the Ninth Circuit have found that an 22 individual’s loss of control over the use of their identity due to a data breach and the 23 accompanying impairment in value of PII constitutes non-economic harms. See Flores-Mendez 24 v. Zoosk, Inc., No. 20-04929, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021) (“Plaintiffs 25 allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and 1 so do not allege pure economic loss.”); Mehta v. Robinhood Financial LLC, No. 21-cv-01013, 2 2021 WL 6882377, at *6 (N.D. Cal. May 6, 2021) (finding that the plaintiffs did not allege 3 solely economic loss where they alleged harms derived from the “loss of control over their use 4 of their identity” and right to privacy); Stasi v. Immediata Health Grp. Corp., 501 F. Supp. 3d 5 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged noneconomic harms in the 6 form of the privacy injury they suffered, irrespective of whether they subsequently suffered 7 identity fraud). Indeed, it is difficult to conceive how the dissemination of an individual’s PII 8 does not necessarily diminish their control over their digital and physical identity. Such an 9 invasion implicates non-economic harms. Accordingly, the Court finds that the economic loss 10 doctrine does not bar Plaintiffs’ negligence claim because they allege both economic and non- 11 economic harms.3 12 2. Breach of Duty 13 Defendant MGM also argues that Plaintiffs failed to allege that Defendant MGM 14 breached their owed duty of care. (MTD 29:10–17). In response, Plaintiffs contend that have 15 alleged specific deficient security practices employed by Defendant MGM that led to the 16 breach. (Resp. 29:27–30:22). 17 Under Nevada law, “[t]o prevail on a negligence claim, a plaintiff must establish four 18 elements: (1) the existence of a duty of care, (2) breach of that duty, (3) legal causation, and (4) 19 damages.” Sanchez ex rel. Sanchez v. Wal-Mart Stores, Inc., 125 Nev. 818, 824 (2009). 20 Plaintiffs allege that Defendant MGM breached their duty of care in their manner of collecting,

21 maintaining, and controlling their customers’ sensitive personal and financial information. 22 (CAC ¶ 7). Specifically, Plaintiffs contend that Defendants breached this duty by retaining 23 Plaintiffs PII for longer than necessary (Id. ¶¶ 7, 91), “fail[ing] to encrypt the PII stores on its 24

25 3 Because Plaintiffs have sufficiently pled non-economic losses, the Court need not consider Plaintiffs remaining arguments regarding the economic loss doctrine. 1 server” (Id. ¶ 40), deviating from industry best practices as laid in the Federal Trade 2 Commission and National Institute of Standards and Technology guidelines, (Id. ¶¶ 66–76), 3 and otherwise “fail[ing] to adopt reasonable safeguard to protect Class members’ PII (Id. ¶ 4 87).” At this stage in the pleading, Plaintiffs have sufficiently alleged that Defendants breached 5 the duty of care owed to them. 6 3. Cognizable Harm 7 Defendant MGM further argues that Plaintiffs failed to allege a cognizable harm. (MTD 8 29:10–17). In rebuttal, Plaintiffs argue they alleged cognizable damages in the form of: (1) 9 diminished value of their PII; (2) benefit of the bargain damages; (3) increased risk of identity 10 theft and fraud; (4) and lost time and expenditures mitigating the effects of the Data Breach. 11 (Resp. 13:21–23). The Court will first examine whether Plaintiffs’ diminished value of PII 12 constitutes a cognizable harm. 13 a. Benefit of the Bargain Damages 14 Defendant MGM contends that Plaintiffs benefit of the bargain theory fails as a matter 15 of law because Defendant MGM did not affirmatively represent that adequate data security was 16 included in the cost of hotel rooms. (MTD 25:3– 10); (Reply 9:15–25, ECF No. 117). In 17 rebuttal, Plaintiffs contend that at the motion to dismiss stage, they are not required to 18 specifically allege what portion of their hotel payments were designated for data security. 19 (Resp. 19:27– 20:7). Instead, Plaintiffs posit that it is sufficient for them to generally allege 20 that part of the price they paid to Defendant MGM was intended to provide adequate data

21 security, and that had they known Defendant MMG utilized deficient data security practices, 22 they would have paid less for their rooms. (Id. 18:25–19:26). 23 In data breach cases, courts are divided on the level of detailed factual allegation 24 required to show that data security was part of the bargain. Many district courts within this 25 Circuit have accepted more general allegations that data security was expected and was part of 1 the bargain. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F.Supp.3d 1113, 1130 2 (N.D. Cal. 2018) (concluding that plaintiff's “allegations are sufficient to allege that he suffered 3 benefit-of-the-bargain losses” because he “pleads that he has paid $ 19.95 each year since 4 December 2007 for Yahoo's premium email service,” which was supposed to be “secure,” and 5 he would not have signed up “had he known that Yahoo's email service was not as secure as 6 [Yahoo] represented”); In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 992, 995 7 (N.D. Cal. 2016) (adopting “loss of benefit of the bargain” theory of “actual harm” for New 8 York plaintiffs who alleged they had contracted for “reasonable and adequate security 9 measures” that Anthem failed to deliver, causing plaintiffs to overpay for their health 10 insurance); In re Anthem, Inc. Data Breach Litig., No. 15-md-2617, 2016 WL 3029783, at *12– 11 13 (N.D. Cal. May 27, 2016) (concluding same for California plaintiffs' breach-of-contract 12 claim, which required “appreciable and actual” damages); In re Facebook Privacy Litig., 192 F. 13 Supp. 3d 1053, 1059 (N.D. Cal. 2016) (accepting benefit-of-the bargain damages based on 14 allegations that the plaintiffs gave up something of value in exchange for access to Facebook 15 and Facebook's promises relating to privacy, that Facebook breached the contract by violating 16 its privacy terms, and that Facebook thus deprived the plaintiffs of their benefit of the bargain); 17 Svenson v. Google Inc., No. 13-cv-04080, 2015 WL 1503429, at *4 (N.D. Cal. Apr. 1, 2015) 18 (accepting benefit-of-the-bargain damages based on allegations that the plaintiff and putative 19 class members paid Google for services that included protecting confidential information, that 20 the services received “were worth quantifiably less than the services [the plaintiffs] agreed to

21 accept,” and that the plaintiffs would not have purchased the services had they known that the 22 services they received included insufficient data protection); In re LinkedIn User Privacy Litig., 23 No. 5:12-cv-03088, 2014 WL 1323713, at *6 (N.D. Cal. Mar. 28, 2014) (accepting 24 overpayment damages based on allegations that the plaintiff bought services from the defendant 25 because it represented the services as secure, that the defendant's services were not in fact 1 secure, and that the plaintiff thus overpaid for the defendant's services as a result of the 2 defendant's misrepresentations). 3 Defendant MGM relies upon a line of cases which required more specific factual 4 allegations showing how data security was a part of the bargain or how much of the money 5 spent was for data security. See Ables v. Brooks Bros. Grp., No. 17-4309, 2018 WL 8806667, at 6 *7 (C.D. Cal. June 7, 2018); Gardiner v. Walmart, Inc., No. 20-cv-04618, 2021 WL 4992539, 7 at *5 (N.D. Cal. July 28, 2021); Jackson v. Lowes Hotels, Inc., No. 18-827, 2019 WL 6721637, 8 at *2 (C.D. Cal. July 24, 2019). The Court considers, but does not find persuasive, these cases 9 “requiring allegations of a particular sum of the purchase price being explicitly allocated for 10 data security. That is requiring too much.” In re Intel Corp. CPU Marketing, Sales Practices 11 and Products Liability Litigation, No. 3:18-2828, 2020 WL 1495304, at *8 (D. Or. Mar. 27, 12 2020). Instead, the Court finds “more persuasive the line of cases that accept at the pleading 13 stage more general factual allegations about the plaintiff’s expectations for data security and the 14 contours of the parties’ bargain.” Id. 15 Here, Plaintiffs pled that they “overpaid for hotel services that should have been—but 16 were not—accompanied by reasonable data security.” (CAC ¶ 111). Plaintiffs contend that 17 “part of the price consumers paid to [Defendant] MGM was intended to be used to provide 18 adequate data security . . . .” (Id. ¶ 113). Plaintiffs further allege that had Defendant MGM 19 disclosed its deficient security policies, they would either have paid less for the room, or not 20 purchased a room from Defendant MGM. (Id. ¶¶ 10–20, 114, 118(b)). The Court finds that at

21 this stage of the proceeding, Plaintiffs have sufficiently alleged benefit of the bargain damages. 22 b. Diminished Value of PII 23 Defendant MGM contends that diminution in value of PII does not constitute a 24 compensable harm. (MTD 11:3–6). Alternatively, Defendant MGM argues that Plaintiffs have 25 not alleged that they have been impaired from selling their own PII. (Reply 9:3–10). In 1 rebuttal, Plaintiffs allege that diminution in value of PII is a viable theory of damages, and that 2 the Data Breach diminished the value of Plaintiffs PII. (Resp. 61:16–62:18). 3 “Diminution in value of personal information can be a viable theory of damages.” 4 Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1234 (D. Nev. 2020), affirmed 5 845 Fed. App’x 613 (9th Cir. 2021). Defendant MGM contends that to obtain damages under 6 this theory, Plaintiffs “must establish both the existence of a market for [his] personal 7 information and an impairment of [his] ability to participate in that market.” (Reply 8:9–9:14); 8 see Svenson v. Google Inc., No. 13-cv-04080, 2016 WL 8943301, at *8 (N.D. Cal. Dec. 21, 9 2016). Under this formulation of the test, Plaintiffs must prove that they intended to sell their 10 own PII. Id.; Pruchicki, 439 F. Supp. 3d at 1235 (examining whether there was specific 11 allegations that plaintiff was “unable to sell” her own PII in assessing any diminution of the 12 value of the PII). However, these pleading requirements, that Plaintiffs must establish both the 13 existence of a market for their PII and an impairment of their ability to participate in that 14 market, is not supported by Ninth Circuit precedent and other district courts in this Circuit have 15 rejected them. See In re: Anthem, 2016 WL 3029783, at *15 (“These statements [in the case 16 law] appear to require a plaintiff to allege that there was either an economic market for their PII 17 or that it would be harder to sell their own PII, not both.”) (emphasis in original); Svenson v. 18 Google¸ 2015 WL 1503429, at *5 (N.D. Cal. April 1, 2015) (“The Ninth Circuit’s holding does 19 not require [this] type of explication . . .”) (emphasis in original); In re Zappos.com, Inc., 108 F. 20 Supp. 3d 949, 954 rev’d on other grounds by In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir.

21 2018) (rejecting plaintiffs’ claim that the Zappos security deprived them of the “substantial 22 value” of their personal information where they did not allege they attempted to sell their 23 information and were rebuffed because of a lower price-point attributable to the security 24 breach). 25 1 Here, Plaintiffs sufficiently allege details about the existence of an economic market for 2 selling stolen PII, including the fact that PII can be bought and sold at identifiable prices on 3 established markets. (CAC ¶¶ 101–104). Moreover, Plaintiffs have shown that a market exists 4 for their PII because their information has already been posted for sale on “multiple dark web 5 sites.” (Id. ¶¶ 47, 104). The “value of consumer [PII] is not derived solely (or even 6 realistically) by its worth in some imagined marketplace where the consumer actually seeks to 7 sell it to the highest bidder, but rather in the economic benefit the consumer derives from being 8 able to purchase goods and services remotely and without the need to pay in cash or a check.” 9 In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 462 (D. Mar. 10 Feb. 21, 2020). Put another way, the Data Breach devalued Plaintiffs’ PII by interfering with 11 their fiscal autonomy. Any past and potential future misuse of Plaintiffs’ PII impairs their 12 ability to participate in the economic marketplace. (CAC ¶ 109). Accordingly, the Court finds 13 that Plaintiffs’ have stated a cognizable theory of damages as a matter of law. 14 c. Increased Risk of Identity Theft and Fraud 15 Defendant MGM contends that the dissemination of the PII at issue is not the type of 16 particularly sensitive personal information that creates a credible threat of fraud or identity 17 theft. (MTD 27:20–28:7). In rebuttal, Plaintiffs argue that an imminent risk of harm is 18 evidenced by the fact that their PII has already been posted on the dark web for sale on several 19 occasions. (Resp. 20:9–22:14). 20 The Court finds that the rightful determination is “not to look at the minutia of what

21 information has been taken — such as credit card information — or social security numbers — 22 but to specifically determine whether the data taken ‘gave hackers the means to commit fraud 23 or identity theft.’” Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019) 24 (quoting Zappos, 888 F.3d at 1027–29)). “The information taken . . . need not be sensitive to 25 weaponize hackers in their quest to commit further fraud or identity theft.” Bass, 394 F. Supp. 1 3d at 1034. “Imminent injury in fact can be established through information similar in function 2 to [a] social security number[ ],” which “derives its value in that it is immutable.” Id. 3 Here, Plaintiffs have alleged that their PII has already been posted for sale on the dark 4 web. (Id. ¶ 46). Moreover, multiple Plaintiffs contend that criminals have attempted to make 5 fraudulent purchases on their accounts. (Id. ¶¶ 13–14, 16). Other Plaintiffs assert that criminals 6 have perpetrated ransom attacks against them or attempted to sign into their personal accounts. 7 (Id. ¶ 11, 16, 19). It is difficult to reconcile Defendant MGM’s argument that the PII at issue 8 does not provide hackers with the ability to commit fraud or identity theft when the PII has 9 already been posted for sale or used in attempt identity theft attacks. Instead, the Court finds it 10 is evident that the PII stolen here will “provide further ammo” for hackers to commit identity 11 fraud or threat in the future. Bass, 395 F. Supp. 3d at 1034. 12 Furthermore, as the United States Court of Appeals for the Seventh Circuit 13 acknowledged, “[w]hy else would hackers break into a store's database and steal consumers' 14 private information? Presumably, the purpose of the hack is, sooner or later, to make 15 fraudulent charges or assume those consumers’ identities.” Remijas v. Neiman Marcus Grp., 16 LLC, 794 F.3d 688, 693 (7th Cir. 2015); see also Galaria v. Nationwide Mut. Ins. Co., 663 F 17 App’x 384, 388 (6th Cir. 2016). (“Where a data breach targets personal information, a 18 reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent 19 purposes alleged in Plaintiffs’ complaints.”). Accordingly, Plaintiffs have sufficiently shown 20 that the PII stolen creates a substantial risk of future harm.

21 d. Lost Time & Expenditures 22 Defendant MGM contend that Plaintiffs lost time monitoring their accounts does not 23 constitute cognizable damages. (MTD 27:7–10). Moreover, Defendant MGM posits that the 24 Plaintiffs who did purchase identity protection services cannot allege damages because these 25 prophylactic measures were not reasonable and necessary. (MTD 26:9–27:6). In response, 1 Plaintiffs argue that lost time and out-of-pocket expenses both constitute viable theory of 2 damages. (Resp. 22:16–23:22). 3 In Pruchnicki v. Envision Healthcare Corp., this Court held that “tangible, out-of-pocket 4 expenses are required in order for lost time spent monitoring credit to be cognizable as 5 damages.” 439 F. Supp. 3d 1226, 1233 (D. Nev. 2020), affirmed 845 Fed. App’x 613 (9th Cir. 6 2021). “In data breach cases involving negligence claims, district courts have found it 7 sufficient to allege out-of-pocket expenses in purchasing identity theft protection to show 8 damages.” Stasi v. Immediata Health Grp. Corp., 501 F. Supp. 3d 898, 918 (S.D. Cal. 2020); 9 see Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 WL 9280242, at *4 (N.D. Cal. Sept. 10 14, 2016) (“Those who have incurred such out-of-pocket expenses [such as purchasing identity 11 protection services] have pleaded cognizable injuries[.]”). 12 Here, all Plaintiffs assert they have all lost time monitoring their personal accounts and 13 sifting through phishing messages. (CAC. ¶¶ 10–20). Lost time alone does not establish 14 compensable damages. See Pruchnicki, 845 Fed. App’x at 614; Stasi, 501 F. Supp. 3d at 918. 15 However, several Plaintiffs have expended money to mitigate the risk of harm posed by the 16 data breach. (Id. ¶¶ 12, 16, 20). As to the Plaintiffs who expended money on mitigating 17 measures, Defendant MGM additionally argues that Plaintiffs “cannot show expenditures on 18 credit monitoring or other prophylactic measures are reasonable, much less necessary.” (MTD 19 26:19–21). The Court disagrees with Defendant MGM that such prophylactic actions were not 20 reasonable and necessary. As noted above, Plaintiffs have alleged that their PII has been posted

21 on the dark web or has already been misused. (CAC ¶¶ 11–19). Plaintiffs have sufficiently 22 alleged that the hacker’s intent was not benign, and that purchasing prophylactic measures was 23 necessary to mitigate any future risk of harm. See, e.g., Stasi, 2020 WL 6799437, at *9–11 24 (finding that credit monitoring was warranted where the information involved was not the type 25 courts have recognized as enabling identity theft, such as financial information or Social 1 Security numbers); Solara, 2020 WL 2214152, at *4 (finding that credit monitoring was 2 reasonable where PII was stolen); Castillo, 2016 WL 9280242, at *4 (finding that purchase of a 3 subscription to a premium credit monitoring service was warranted); Corona, 2015 WL 4 3916744, at *4-5 (applying California's medical monitoring test in Potter to conclude that the 5 theft of employees’ PII warranted credit monitoring). Accordingly, the Court dismisses 6 Plaintiffs’ negligence claim to the extent it alleges damages based solely on lost time. The 7 negligence claims of those Plaintiffs who purchased identity protection services may proceed. 8 B. NEGLIGENT MISREPRESENTATION 9 Defendant MGM contends that Plaintiffs’ negligent misrepresentation claim is barred by 10 the economic loss doctrine because there is no “special relationship” between Defendant MGM 11 and Plaintiffs. (MTD 30:2–18). Defendant MGM further argues that Plaintiffs’ claim fails 12 because a cognizable negligent misrepresentation claim under Nevada law requires an 13 affirmative false statement, whereas Defendant MGM is guilty, at most, of an omission. (Id. 14 30:19–30:28). In rebuttal, Plaintiffs argue that a fiduciary-like relationship existed between 15 Defendant MGM and Plaintiffs because Plaintiffs entrusted Defendant MGM with their 16 confidential PII. (Resp. 31:3–31:21). Additionally, Plaintiffs argue that contrary to Defendant 17 MGM’s assertion, an omission can constitute negligent misrepresentation under Nevada law. 18 (Id. 31:22–32:18). However, before an omission can constitute negligent misrepresentation, a 19 special relationship must exist between the parties such that the defendant had a duty to speak. 20 See Copper Sands Homeowners Ass’n v. Copper Sands Realty, LLC, No. 2:10-cv-00510, 2012

21 WL 934294, at *4 (D. Nev. Mar. 20, 2012) (“Nevada also recognizes negligent 22 misrepresentation by nondisclosure when the defendant had a duty to speak. However, such a 23 duty generally only exists when there is a special relationship between the parties.”) (citing In 24 re Agribiotech, Inc., 291 F. Supp. 2d 1186, 1191–92 (D. Nev. 2003); Weinstein v. Mortg. 25 Capital Assoc., Inc., No. 2:10-cv-01551, 2011 WL 90085, at *7 (D. Nev. Jan. 11, 2011) (same). 1 The Court has already determined that the economic loss doctrine does not preclude Plaintiffs 2 claim. Accordingly, the Court will solely examine whether a special relationship existed 3 between Plaintiffs and Defendant MGM such that Defendant MGM’s alleged omission can 4 constitute negligent misrepresentation. 5 a. Special Relationship 6 “The Nevada Supreme Court has held that a special relationship may exist where ‘one 7 party interposes confidence in the other because of that person’s position and the other party 8 knows of this confidence.’” Bond Mfg. Co., Inc. v. Ashley Furniture Indus., Inc., No. 2:17-cv- 9 1522, 2018 WL 1511717, at *7 (D. Nev. Mar. 27, 2018) (quoting Mackintosh v. Matthews & 10 Co., 855 P.2d 549, 553 (Nev. 1993). “[T]he existence of a special relationship is a factual 11 question.” Mackintosh v. Cal. Fed. Sav. & Loan Ass’n, 935 P.2d 1154, 1160 (1997) (per 12 curiam). For example, “[t]he Nevada Supreme Court has recognized such a ‘special 13 relationship’ between real estate agents/buyers, insurers/insureds/, trustees/beneficiaries, and 14 attorneys/clients,” such that nondisclosure becomes “the equivalent of fraudulent concealment.” 15 Peri & Sons Farms, Inc. v. Jain Irr., Inc., 933 F. Supp. 2d 1279, 1292 (D. Nev. 2013) (quoting 16 Nevada Power Co., 819 F. Supp. at 1416 n.3). “On the other hand, ‘a straightforward vendor- 17 vendee relationship,’ or an association characterized by ‘routine, arms-length dealings’ will not 18 suffice to establish a special relationship.’” Silver State Broad., LLC v. Crown Castle MU, LLC, 19 No. 2:18-cv-00734, 2018 WL 6606064, at *3 (D. Nev. Dec. 17, 2018) (quoting Nevada Power 20 Co., 891 F. Supp. at 1417); see also Weingartner v. Chas Home Fin., LLC, 702 F. Supp. 2d

21 1276, 1288 (D. Nev. 2010). 22 Here, “[Defendant MGM] collected names, addresses, phone numbers, email addresses, 23 dates of birth, and for some class members their driver’s license numbers, passport numbers, or 24 military ID numbers[.]” (Resp. 31:11–21). The Court recognizes that the transmittal of the PII 25 at issue is not typical of many standard ordinary daily transactions. However, the Court 1 declines to conclude that the transmittal of PII alone necessarily transforms an arms-length 2 business relationship into a special or fiduciary-like relationship. See In re Ambry Genetics 3 Data Breach Litig., 567 F. Supp. 3d 1130, 1145–46 (C.D. Cal. 2021) (“Plaintiffs simply allege 4 that Defendants collected Plaintiffs’ private information so Defendants could prove their 5 genetic testing to screen for and diagnose diseases. This is not a situation where the parties have 6 a special relationship.”); In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. 7 Supp. 3d 1183, 1203 (D. Or. 2016) (explaining that a fiduciary relationship was not created 8 solely because the defendant required plaintiffs to disclose their PII as part of their transaction); 9 Fero v. Excellus Health Plan, 236 F. Supp. 3d 735, 773–74 (W.D.N.Y. 2017) (finding that the 10 plaintiffs negligent misrepresentation failed because no special relationship existed where the 11 plaintiffs “allege[d] that a special relationship existed because the Excellus Defendants had 12 exclusive knowledge about their data security policies, and plaintiffs provided their personal 13 information and received assurances about the Excellus Defendants’ data security”); Attias v. 14 CareFirst, Inc., 365 F. Supp. 3d 1, 24 (D.D.C. 2019) (noting that despite defendant insurer 15 requiring the “plaintiffs to provide [PII],” the plaintiffs failed to “allege a relationship beyond 16 that envisioned in every day interactions with a health insurance provider that would give rise 17 to either a common law duty to safeguard private information or a fiduciary duty”). 18 Compared to the categories of special relationships approved by the Nevada Supreme 19 Court, the nature of the relationship here is not what has historically been considered special in 20 character. See Peri & Sons Farms, Inc., 933 F. Supp. 2d at 1292. Defendant MGM’s alleged

21 abdication of its duty to adequately protect Plaintiffs’ PII may support a claim of breach of 22 duty, but it is insufficient to establish a special relationship. Instead, Plaintiffs entered an arms- 23 length business relationship with Defendant MGM, which other courts have found to be 24 insufficient to create a special relationship at law despite Plaintiffs entrusting Defendant MGM 25 with their PII as part of the relationship. See Silver State Broad., LLC, 2018 WL 6606064, at 1 *3. In the absence of a special relationship, Plaintiffs negligent misrepresentation to the extent 2 it is based on an omission, fails as a matter of law. Accordingly, the Court dismisses Plaintiffs’ 3 negligent misrepresentation claim with prejudice. 4 C. BREACH OF IMPLIED CONTRACT 5 Defendant MGM asserts that Plaintiffs’ claim for breach of implied contract fails 6 because Plaintiffs “cannot plead the nature and scope of any implied contract.” (MTD 31:10– 7 11). Specifically, Defendant MGM argues that Plaintiffs’ conclusory allegations that 8 Defendant MGM agreed to protect Plaintiffs PII when they purchased a hotel room neither 9 constitutes the formation of an implied contract, nor shows it was breached if one is found. (Id. 10 31:12–32:15). In rebuttal, Plaintiffs contend that the formation of an implied contract is a 11 question of fact that the Court should decline to address on a Rule 12(b)(6) motion. (Resp. 12 32:20–33:2). Alternatively, Plaintiffs posit that the parties entered into an implied contract 13 during the “reservation and/or hotel check-in process” when Plaintiffs provided Defendant 14 MGM with their PII and Defendant MGM impliedly promised to protect that information. (Id. 15 33:4–35:20). 16 Nevada law requires the plaintiff in a breach of contract action to show: (1) the existence 17 of a valid contract; (2) a breach by the defendant; and (3) damage as a result of the breach. 18 Mizrahi v. Wells Fargo Home Mortg., 2010 WL 2521742, at *3 (D. Nev. June 16, 2010) (citing 19 Saini v. Int’l Game Tech., 434 F. Supp. 2d 913, 919–20 (D. Nev. 2006). Although the terms of 20 an implied contract are manifested by conduct rather than written words as in an express

21 contract, both “are founded upon an ascertainable agreement.” Smith v. Recrion Corp., 541 22 P.2d 663, 664–65 (Nev. 1975). To form an enforceable contract requires the following: (1) 23 offer and acceptance, (2) meeting of the minds, and (3) consideration. May v. Anderson, 119 24 P.3d 1254, 1257 (Nev. 2005). 25 1 The Court finds that Plaintiffs have adequately stated a claim for breach of implied 2 contract. Specifically, Plaintiffs allege that they “were required to” provide their PII to 3 Defendant MGM as a condition of staying at its hotels. (CAC ¶¶ 8, 93). Thus, Plaintiffs 4 provided their PII to Defendant MGM for lodging, with the understanding that Defendant 5 MGM, while it held the information, would take adequate measures to protect it. (Id. ¶¶ 185– 6 86). In terms of consideration, it is undisputed that Plaintiffs paid for their hotel rooms. These 7 alleged actions plausibly demonstrate that Plaintiffs manifested their assent to Defendant 8 MGM’s privacy statements. See In re Marriot, 440 F. Supp. at 486 (finding that plaintiffs 9 sufficiently alleged an implied contract claim where the Marriot required the plaintiffs to 10 provide their PII in order to stay at the hotel). Although Plaintiffs did not allege that Defendant 11 MGM made any explicit promises “as to the ongoing protection of [their PII], it is difficult to 12 imagine how, in our day and age of data and identity theft, the mandatory receipt of . . . 13 sensitive personal information would not imply the recipient’s assent to protect [the] 14 information sufficiently.” Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 WL 9280242, 15 at *9 (N.D. Cal. Sept. 14, 2016); see In re Ambry Genetics Data Breach Litig., 567 F. Supp. 16 1130, 1143–44 (C.D. Cal. Oct. 18, 2021) (finding that plaintiffs adequately stated a breach of 17 implied contract despite defendants not expressly agreeing to protect their PII where 18 “[p]laintiffs allege[d] that they gave their [PII] to defendants for purposes of obtaining genetic 19 testing, with the understanding that defendants would take adequate measures to protect the 20 information); In re Target Corp. Customer Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1171

21 (D. Minn. 2014) (concluding that the plaintiffs had sufficiently pleaded “an implied contract in 22 which plaintiffs agreed to use their credit or debit cards to purchase goods at Target and Target 23 agreed to safeguard plaintiffs’ personal and financial information”); Gordon v. Chipotle 24 Mexican Grill, Inc., 344 F. Supp. 3d 1231, 1247–48 (D. Col. 2018) (same). For the reasons set 25 forth above, Plaintiffs have adequately alleged damages as a result of Defendant 1 MGM’s breach. Accordingly, the Court finds that Plaintiffs have adequately pled their implied 2 contract claims.4 3 D. UNJUST ENRICHMENT 4 Defendant MGM argues that Plaintiffs’ unjust enrichment claim fails for two reasons. 5 First, Defendant MGM contends that Plaintiffs’ claim is “barred by virtue of Plaintiffs’ 6 inability to plead a lack of legal remedies.” (MTD 32:25). Second, Defendant posits that 7 “Plaintiffs fail to plead facts sufficient to state an unjust enrichment claim.” (Id. 33:12). In 8 rebuttal, Plaintiffs argue that Defendant MGM has been unjustly enriched because Plaintiffs 9 paid for a hotel room and adequate PII protection. (Resp. 37:16–24). Plaintiffs contend they 10 only received the hotel room. (Id.) 11 In Nevada, the elements of an unjust enrichment claim are: “(1) a benefit conferred on 12 the defendant by the plaintiff; (2) appreciation of the benefit by the defendant; and (3) 13 acceptance and retention of the benefit by the defendant; (4) in circumstances where it would 14 be inequitable to retain the benefit without payment.” Ames v. Caesars Ent. Corp., No. 2:17-cv- 15 02910, 2019 WL 144163, at *5 (D. Nev. April 1, 2019) (quoting Leasepartners Corp., Inc. v. 16 Robert L. Brooks Tr. 942 P.2d 182, 187 (Nev. 1997). 17 It is undisputed that unjust enrichment and disgorgement are equitable remedies. See 18 Small v. Univ. Med. Ctr. of S. Nevada, No. 2:13-cv-00298, 2016 WL 4157309, at *3 (D. Nev. 19 Aug. 3, 2016) (“Nevada recognizes the general rule that an equitable claim, like unjust 20 enrichment, is not available where the plaintiff has a full and adequate remedy at law.”);

21 Sunlighten, Inc. v. Finnmark Designs, LLC, No. 2:20-cv-00127, 2022 WL 980233, at *8 (D. 22 Nev. Mar. 31, 2022) (“Disgorgement is an equitable remedy . . . .”). In Sonner v. Premier 23 Nutrition Corp., the Ninth Circuit held that “federal courts must apply equitable principles 24

25 4 The Court additionally finds that Plaintiffs have adequately pled damages and breach for the reasons set forth above. 1 derived from federal common law to claims for equitable restitution under the California Unfair 2 Competition Law (“UCL”) and California Consumer Legal Remedies Act (“CLRA”). 971 F.3d 3 834 (9th Cir. 2020). “That holding, the Ninth Circuit explained, flowed from the general 4 principle that ‘a federal court must apply traditional equitable principles before awarding 5 restitution,’ an equitable remedy.” Zeiger v. WellPet LLC, 526 F. Supp. 3d 652, 686–87 (N.D. 6 Cal. 2021) (quoting Sonner, 971 F.3d at 841). Thus, the Ninth Circuit “affirmed the dismissal 7 of the plaintiff’s UCL and CLRA claims for equitable restitution because the plaintiff failed to: 8 (i) allege she lacked an adequate remedy at law, and (ii) show she lacked an adequate remedy at 9 law for damages under [the] CLRA.” Souter v. Edgewell Pers. Care Co., No. 20-cv-1486, 2022 10 WL 4850000, at *12 (S.D. Cal. Feb. 16, 2022) (citing Sonner, 971 F.3d at 844–45). Under 11 Sonner, Plaintiffs must show that they lack an adequate remedy at law for their unjust 12 enrichment claim to proceed. 13 Plaintiffs argue that Sonner is inapplicable to the instant action for three reasons. First, 14 Plaintiffs posit that Sonner only applies later in proceedings. (Resp. 36:22–37:12). Second, 15 Plaintiffs contend that the scope of Sonner is limited to claims arising from California’s UCL 16 and CLRA. (Id. 36:26–37:5). Lastly, Plaintiffs argue that under Fed. R. Civ. P 8(d)(2), they 17 can plead their unjust enrichment claim in the alternative to their implied contract claim. (Resp. 18 36:13–21). The Court will first address Plaintiffs argument that Sonner does not apply at the 19 motion to dismiss stage. 20 The Court agrees with Plaintiffs that the circumstances examined in Sonner arose late in

21 the case on the eve of trial; the Court disagrees, however, that Sonner’s language suggests it 22 reasoning applies only late in a case’s life cycle and not at the pleading stage.5 Indeed, district 23 24 5 Plaintiffs also argue Sonner is distinguishable because the plaintiff in Sonner attempted to avoid a jury trial by voluntarily dismissing her CLRA damages claim. In contrast, Plaintiffs have not engaged in legal 25 gamesmanship. Sonner, 971 F.3d at 838; (Resp. 42:20–43:1). However, the Ninth Circuit recently clarified that “Sonner’s holding applies to equitable claims when there is a viable CLRA damages claim, regardless of whether the plaintiff has tried to avoid the bar to equitable jurisdiction through gamesmanship. Nothing in Sonner’s 1 court’s relying on Sonner have not made this distinction in applying Sonner’s reasoning at the 2 pleading stage. See Forrett v. Gourmet Nut, Inc., No. 22-cv-02405, 2022 WL 6768217, at *5 3 (N.D. Cal. Oct. 11, 2022) (dismissing plaintiff’s unjust enrichment claim, despite plaintiff’s 4 arguments “that courts allow plaintiffs to plead equitable relief in the alternative to legal relief 5 and that the adequacy of a remedy at law is not properly decided at the motion to dismiss 6 stage”); In re ZF-TRW Airbag Control Units Prod. Liab. Litig., No. 19-02905, 2020 WL 7 522484, at *71 (C.D. Cal. Feb. 9, 2022) (noting that “[n]othing in Sonner limits its precedential 8 value” to late in a case, and rejecting plaintiffs argument that Sonner was inapplicable because 9 the case was at the pleading stage) (quoting Zaback v. Kellog Sales Co., No. 3:20-cv-00268, 10 2020 WL 6381987, at *4 (S.D. Cal. Oct. 29, 2020)); Zaback, 2020 WL 6381987, at *4 11 (collecting cases). 12 Plaintiffs further argue that the Ninth Circuit’s decision in Sonner is limited to equitable 13 restitution under California’s UCL and CLRA and thereby does not apply to Plaintiffs’ unjust 14 enrichment claim under Nevada law. (Resp. 35:26–36:5). However, the Sonner court explicitly 15 held “that state law cannot circumscribe a federal court’s equitable powers even when state law 16 affords the rule of decision.” Sonner, 971 F.3d at 843; see Audrey Heredia v. Sunrise Senior 17 Living LLC, No. 8:18-cv-01974, 2020 WL 819159, at *4 (C.D. Cal. Feb. 10, 2021) (finding that 18 Sonner’s holding regarding an inadequate remedy at law applies to all claims for equitable 19 relief). Therefore, the Court finds that Sonner applies to the instant action. 20 Plaintiffs additionally argue that pursuant to Fed. R. Civ. P. 8(d)(2), they may plead their

21 unjust enrichment claim in the alternative to their legal claims. (Resp. 36:13–21). Specifically, 22 Plaintiffs contend that their unjust enrichment claim may be brought as an alternative claim to 23 their claim for breach of implied contract. Under Fed. R. Civ. P. 8(d)(2), “[a] party may set out 24

25 reasoning suggested that its holding was limited to cases in which a party had voluntarily dismissed a damages claim to avoid a jury trial.” Guzman v. Polaris, 49 F.4th 1308, 1313 (9th Cir. 2022). 1 two or more statements of a claim or defense alternatively or hypothetically, either in a single 2 count or defense or in separate ones. If a party makes alternative statements, the pleading is 3 sufficient if any one of them is sufficient.” Plaintiffs are correct that under this rule, they may 4 plead unjust enrichment in the alternative to legal claims. However, “[t]he issue is not whether 5 a pleading may seek distinct forms of relief in the alternative, but rather whether a prayer for 6 equitable relief states a claim if the pleading does not demonstrate the inadequacy of a legal 7 remedy. On that point, Sonner holds that it does not.” Sharma v. Volkswagen AG, 524 F. Supp. 8 3d 891, 907 (N.D. Cal. 2021) (citing Sonner, 971 F.3d at 844); see Goldstein v. Gen. Motors 9 LLC, No. 19-cv-1778, 2022 WL 484995, at *6 (S.D. Cal. Feb. 16, 2022) (explaining that 10 Sonner “made clear that a claim for equitable relief” plead in the alternative under Fed. R. Civ. 11 P. 8 “may be dismissed if the plaintiff does not establish that there is no adequate remedy at 12 law”); In re Intel Corp., 2021 WL 1198299, at *11 (applying Sonner and dismissing the 13 plaintiffs unjust enrichment claim because they failed to allege they lacked an adequate remedy 14 at law); Shay v. Apple Inc., No. 20-cv-1629, 2021 WL 1733385, at *5 (S.D. Cal. May 3, 2021) 15 (same). Accordingly, the Court finds that Plaintiffs must allege that there is no adequate 16 remedy at law for their unjust enrichment claim to proceed. 17 As stated, Defendant MGM argues that Plaintiffs unjust enrichment claim fails because 18 they cannot show a lack of legal remedies. (MTD 32:25–33:11). In rebuttal, Plaintiffs argue 19 they do not have an adequate remedy at law because Defendant MGM “continues to retain 20 [Plaintiffs’] PII while exposing the PII to a risk of future data breaches while in [Defendant]

21 MGM’s possession.” (Id. ¶ 203). Plaintiffs further contend that Defendant MGM should not be 22 permitted to retain the monetary benefits it accrued from its transactions with Plaintiffs, and 23 that Defendant MGM should be forced to disgorge any profits it received from Plaintiffs. (Id. 24 ¶¶ 200, 205). As to the former, the Court recognizes that Defendant MGM’s continued 25 retention of Plaintiffs’ PII poses a risk of prospective harm. The issue, however, is that the 1 remedy ultimately sought by Plaintiffs is money damages. Plaintiffs seek retrospective 2 damages for the past harm derived by Plaintiffs overpayment for hotel rooms and prospective 3 damages for the continued profit Defendant MGM derives from their use of Plaintiffs PII.6 The 4 Court is unable to conclude that Plaintiffs’ alleged injuries cannot be remedied by money 5 damages when that is the precise remedy requested. (CAC ¶¶ 203–05). Plaintiffs have not 6 alleged, even in the alternative, that they do not have adequate legal remedies. Therefore, 7 Plaintiffs’ unjust enrichment claims are dismissed, with leave to amend. 8 E. NEVADA CONSUMER FRAUD ACT 9 Defendant MGM asserts that Plaintiffs’ Nevada Consumer Fraud Act (“NCFA”) claim 10 fails because they have not alleged a cognizable injury caused by the Data Breach.7 (MTD 34: 11 24–25). Alternatively, Defendant MGM argues that Plaintiffs failed to plead their claims with 12 sufficient particularity under the heightened standard of Fed. R. Civ. P. 9(b). (Id. 34:26–35:1). 13 As an initial matter, Plaintiffs argue that the heightened standard of Fed. R. Civ. Pro 9(b) is 14 inapplicable because they only allege negligence-based conduct rather than intentional fraud. 15 (Resp. 37:25–38:10). Even if Rule 9(b) is applicable, however, Plaintiffs assert that their 16 allegations satisfy the heightened pleading standard by describing the “specific data security 17 practices [Defendant] MGM neglected, explains what [Defendant] MGM should have done, 18 describes how [Defendant] MGM knew it was a prime target for hackers, and explains that 19 [Defendant] MGM should have disclosed its deficient practices when it collected Plaintiffs’ 20 information at booking and check-in.” (Id. 38:18–25).

21 22

23 6 In contrast, a claim for injunctive relief to prevent future harm would seek a remedy qualitatively different from 24 money damages: an order requiring Defendant MGM to timely delete and cease to use or share Plaintiffs’ PII or implement reasonable data security requirements to prevent any future data breaches. 25 7 For the reasons set forth above, the Court finds that Plaintiffs have alleged a cognizable injury. 1 “Fraud claims must meet a heightened pleading standard under [Fed. R. Civ. P. 9(b)], 2 which requires a party to “state with particularity the circumstances constituting fraud.” 3 Brandstorm, 2020 WL 1469687, at *2. “Claims of consumer fraud brought, brought under 4 NRS § 41.600, ‘must satisfy NRCP 9(b)’s heightened pleading standards.”8 Cage v. Cox 5 Communic’n, Inc., No. 2:16-cv-01708, 2017 WL 153629, at *2 (D. Nev. April 27, 2017) 6 (quoting Davenport v. Homecomings Fi., LLC, 2014 WL 1318964, at *2 (D. Nev. Mar. 31, 7 2014); see Allstate Ins. Co. v. Belsky, No. 2:15-cv-02265, 2017 WL 7199651, at *7 (D. Nev. 8 Mar. 31, 2017) (“Consumer fraud claims brought under [NRS § 41.600] are subject to Rule 9 9(b)’s heightened pleading requirements.”); Bank of New York Mellon, 2022 WL 4290308, at 10 *5 (same). 11 NRS § 41.600 provides that “[a]n action may be brought by any person who is a victim 12 of consumer fraud.” Id. “Consumer fraud’ is defined as “a deceptive trade practice as defined 13 in NRS § 598.0915 to 598.025, inclusive.” Id. § (2)(e). A claim under NRS § 41.600 “requires 14 a ‘victim of consumer fraud to prove that (1) an act of consumer fraud by the defendant (2) 15 caused (3) damage to the plaintiff.’” Whittum v. Acceptance Now, No. 2:18-cv-01574, 2019 16 WL 4781846, at *3 (D. Nev. Sept. 30, 2019) (quoting Sattari v. Wash. Mut., 475 Fed. App’x 17 648, 648 (9th Cir. 2011). 18 NRS § 598.0923(1)(b) in turn provides that, “a person engages in a ‘deceptive trade 19 practice’ when in the course of his or her business or occupation he or she knowingly . . . [f]ails 20 to disclose a material fact in connection with the sale or lease of goods or services.” The Court

21 of Appeals of Nevada has explained that a “knowing[]’ act or omission . . . does not require that 22 the defendant intend to deceive with the act or omission, or even know of the prohibition 23 24 8 “Both courts within the District of Nevada and the Nevada Supreme Court have applied Rule 9(b)’s heightened pleading standard to consumer fraud/deceptive trade practices under Nevada law.” Urban Outfitters, Inc. v. 25 Dermody Operating Co., LLC, No. 3:21-cv-00109, 2022 WL 4134127, at *3 (D. Nev. Sept. 12, 2022). “While these courts apply two different sets of civil procedure rules—state and federal—to fraud-based claims, the courts’ analyses are virtually identical.” Id. at *3 n.2. 1 against the act or commission, but simply that the defendant is aware that the facts exist that 2 constitute the act or omission.” Poole v. Nevada Auto Dealership Invs., LLC, 449 P.3d 479, 483 3 (Ct. App. Nev. 2019). 4 As a preliminary matter, Defendant MGM relies on Soffer v. Five Mile Capital Partners, 5 LLC, for the proposition that fraud by omission requires an affirmative duty to disclose to 6 constitute a violation of NRS § 598.0923(1)(b). No. 12-cv-1407, 2013 WL 638832, at *10 (D. 7 Nev. Feb. 19, 2013); (MTD 35:19–36:3). However, Soffer involved a claim for common law 8 fraud, as opposed to Plaintiffs instant statutory fraud claim. Soffer, 2013 WL 638832, at *10. 9 As the Supreme Court of Nevada recently observed, “[s]tatutory offenses that sound in fraud 10 are separate and distinct from common law fraud.”9 Leigh-Pink v. Rio Props, LLC, 512 P.3d 11 322, 328 (Nev. 2022) (quoting Betsinger v. D.R. Horton, Inc., 232 P.3d 433, 436 (Nev. 2010). 12 Therefore, Defendant MGM has not shown that fraud by omission under NRS § 598.0923(1)(b) 13 requires an affirmative duty to disclose. 14 Here, Plaintiffs’ allegations meet the requirements of Fed. R. Civ. P. 9(b). Plaintiffs 15 allege that Defendant MGM knew its data security practices were deficient and that the hotel 16 industry is a frequent target of sophisticated cyberattacks, (CAC ¶¶ 78, 208). Despite this 17 knowledge, Plaintiffs allege that Defendant MGM declined to disclose any facts regarding its 18 cybersecurity when it sold hotel rooms to Plaintiffs. The Court finds that Defendant MGM’s 19 data security, or lack thereof, is a material fact connected to the sale of hotel rooms. At this 20 stage in the pleading, Plaintiffs sufficiently allege that Defendant MGM’s failure to disclose its

21 22 23 9 Defendant MGM also relies on Taddeo v. Taddeo, No. 2:08-cv-01463, 2011 WL 4074433 (D. Nev. Sept. 13, 2011). In Taddeo, this Court noted that “[t]he suppression or omission of a material fact is ‘equivalent to a false 24 representation, since it constitutes an indirect representation that such fact does not exist.” Id. at *6 n.3 (quoting Nelson v. Heer, 163 P.3d 420, 426 (Nev. 2007)). It is unclear to the Court how Taddeo demonstrates that NRS § 25 598.0923(1)(b) requires an affirmative duty for an omission to constitute fraud. To the contrary, Taddeo indicates that omission can constitute a fraudulent representation. 1 data security deficiency or vulnerability to Plaintiffs constitutes a “knowing” omission. Poole, 2 449 P.3d at 483. 3 Additionally, Plaintiffs allege that Defendant MGM failed to implement reasonable 4 security measures to protect its servers, including encrypting consumer’s PII, (Id. ¶¶ 7, 38, 40, 5 66–77), retained Plaintiffs PII for longer than necessary, (Id. ¶¶ 90–94), and that Plaintiffs were 6 damaged as a result of the Data Breach. (Id. ¶¶ 95–125). These damages include loss of the 7 benefit-of-the bargain, money spent mitigating harms, diminished value of PII, and identity 8 theft in the form of unauthorized charges and accounts.10 (Id.). Accordingly, the Court finds 9 that Plaintiffs have adequately pled a claim under NRS §§ 41.600 and 598.0923(b)(1). 10 Furthermore, pursuant to NRS § 598.0923(1)(c), a person also engages in a “deceptive 11 trade practice” when he or she knowingly “[v]iolates a state or federal statute or regulation 12 relating to the sale or lease of goods or services.” Because Plaintiffs have adequately pled 13 violations of NRS §§ 41.600 and 598.0923(b)(1), the Court declines to dismiss Plaintiffs NCFA 14 claims. 15 F. CALIFORNIA STATUTORY LAW CLAIMS 16 Plaintiffs Ryan Bohlim, Duke Hwynn, Andrew Sedaghatpour, and Gennady Simkin 17 (collectively “California Plaintiffs”) seek injunctive relief, in addition to damages, pursuant to 18 their California statutory law claims. (CAC ¶¶ 10–13, 233–34, 250, 266). Because the 19 California Plaintiffs seek injunctive relief, Defendant MGM contends that pursuant to Sonner, 20 the Court should dismiss the California Plaintiffs’ California statutory law claims.11

21 Here, the California Plaintiffs sufficiently plead an inadequate remedy at law with 22 respect to Defendant MGM’s alleged continuing unlawful conduct. The California Plaintiffs 23 remedy at law, money damages, is retrospective. An injunction is prospective. While damages 24 25 10 The Court finds that these damages equally apply to all of Plaintiffs statutory claims.

11 For the reasons set forth above, the Court finds that Sonner applies to the instant action. 1 would compensate the California Plaintiffs for past harms, an injunction would ensure that the 2 California Plaintiffs and other consumers can rely on Defendant MGM’s representations in the 3 future. See Brooks v. Thomson Reuters Corp., No. 21-cv-01418, 2021 WL 3621837, at *11 4 (N.D. Cal. Aug. 16, 2021) (declining to apply Sonner to bar UCL claims for prospective 5 injunctive relief because “the prospect of paying damages is sometimes insufficient to deter a 6 defendant from engaging in an alleged unlawful, unfair, or fraudulent business practice”); 7 Stewart v. Kodiak Cakes, LLC, 537 F. Supp. 3d 1103, 1160 (S.D. Cal. Apr. 29, 2021) (finding 8 the plaintiffs allegations of future harm based on defendant’s continued deceptive marketing 9 statements as sufficient to show a lack of adequate remedy at law at the motion to dismiss 10 stage). Accordingly, damages are not an adequate remedy for the prospective harm caused by 11 Defendant MGM’s continued retention of the California Plaintiffs PII. 12 The Court will first examine whether the California Plaintiffs have sufficiently pled a 13 claim under the UCL. 14 a. Unfair Competition Law 15 The California UCL prohibits “unfair competition” and defines the term as a “business 16 act or practice” that is (1) “fraudulent,” (2) “unlawful,” or (3) “unfair.” Bus. & Prof. Code § 17 17200. Each prong of the UCL provides “a separate and distinct theory of liability[.]” Kearns 18 v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009). To have standing to pursue a UCL 19 claim, the California Plaintiffs must show that they “lost money or property” because of 20 Defendant MGM’s conduct. Cal. Bus. & Prof. Code § 17204; see In re Facebook, Inc.,

21 Consumer Privacy User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019). 22 /// 23 /// 24 /// 25 /// 1 a. Standing 2 To establish standing under the UCL, “[a] plaintiff must show he personally lost 3 money or property because of his own actual and reasonable reliance on the allegedly unlawful 4 business practice.” In re iPhone Application Litig., 844 F. Supp. 3d 1040, 1071 (N.D. Cal. 5 2012) (citing Kwikset Corp. v. Superior Court, 246 P.3d 877, 885 (Cal. 2011). However, “there 6 are innumerable ways in which economic injury from unfair competition may be shown.” 7 Kwikset Corp., 246 P.3d at 885–86. For example, “[a] plaintiff may (1) surrender in a 8 transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have 9 a present or future property interest diminished; (3) be deprived of money or property to which 10 he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or 11 property, that would otherwise have been unnecessary.” Id. (citation omitted).” 12 In In re Anthem, the court found that the plaintiffs’ allegations that they lost the benefit 13 of their bargain was sufficient to satisfy the economic injury requirement for standing under the 14 UCL, explaining that this type of loss “mirrors the California Supreme Court's determination in 15 Kwikset that a plaintiff who has ‘surrender[ed] in a transaction more, or acquire[d] in a 16 transaction less, than he or she otherwise would have’ may bring a UCL claim.” 162 F. Supp. 17 3d 953, 985 (N.D. Cal. 2016) (quoting Kwikset, 246 P.3d at 885); see also In re Adobe Sys., 18 Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014) (holding plaintiffs had UCL 19 standing where “[f]our of the six Plaintiffs allege they personally spent more on Adobe 20 products than they would had they known Adobe was not providing the reasonable security

21 Adobe represented it was providing”); In re LinkedIn User Privacy Litig., No. 12-cv-3088-EJD, 22 2014 WL 1323713, *4 (N.D. Cal. Mar. 28, 2014) (holding benefit-of-the-bargain losses 23 “sufficient to confer . . . statutory standing under the UCL.”) 24 Here, the California Plaintiffs’ loss of money or property is in the form of the allegedly 25 overinflated cost of the hotel rooms they purchased as a result of Defendant MGM’s omissions 1 regarding the adequacy of data security policies. (Resp. 43:21–27). The California Plaintiffs 2 allege that had Defendant MGM disclosed its deficient security policies, they would either have 3 paid less for the room, or not purchased a room from Defendant MGM. (CAC ¶¶ 10–20, 114, 4 118(b)); see, e.g., Kwikset Corp., 246 P. 3d at 890 (writing that a plaintiff can establish UCL 5 standing by alleging that the consumer “would not have bought the product but for” the unfair 6 business practice or by alleging that the consumer “paid more than he or she actually valued the 7 product”). Therefore, the California Plaintiffs have sufficiently alleged a loss of money or 8 property as a result of the UCL violation. As the California Plaintiffs have pleaded their UCL 9 claim under all three prongs, the Court will first address whether the California Plaintiffs have 10 sufficiently alleged a claim under the fraudulent prong. 11 b. Fraud Prong 12 Defendant MGM contends that its alleged omission cannot constitute fraudulent conduct 13 under the UCL because they were not obligated to disclose their security practices to Plaintiffs. 14 (MTD 38:8–24). In response, the California Plaintiffs claim that Defendant MGM was 15 obligated to disclose its security practices because it had exclusive knowledge of the fact that 16 its security practices were beneath industry standards, and that this fact was material. (CAC ¶¶ 17 169–170, 235, 244(a), 243–245). 18 Claims stated under the fraud prong of the UCL are subject to the particularity 19 requirements of Fed. R. Civ. P. 9(b). See Kearns, 567 F. 3d at 1125. For an omission to be 20 actionable under the UCL, “the omission must be contrary to a representation actually made by

21 the defendant, or an omission of fact the defendant was obliged to disclose.” Daugherty v. Am. 22 Honda Motor Co., 144 Cal. App. 4th 824, 835 (2006); see also Berryman v. Merit Prop. Mgmt., 23 Inc., 152 Cal. App. 4th 1544, 1557 (2007) (“[A] failure to disclose a fact one has no affirmative 24 duty to disclose is [not] ‘likely to deceive’ anyone within the meaning of the UCL.” (quoting 25 Daughter, 144 Cal. App. 4th at 838). There are four circumstances in which a duty to disclose 1 may arise: “(1) when the defendant is the plaintiff’s fiduciary; (2) when the defendant has 2 exclusive knowledge of material facts not known or reasonably accessible to the plaintiff; (3) 3 when the defendant actively conceals a material fact from the plaintiff; [or] (4) when the 4 defendant makes partial representations that are misleading because some other material fact 5 has not been disclosed.” Collins v. eMachines, Inc., 202 Cal. App. 4th 249, 255 (2011). “[A] 6 fact is deemed ‘material,’ and obligates an exclusively knowledgeable defendant to disclose it, 7 if a ‘reasonable [consumer]’ would deem it important in determining how to act in the 8 transaction at issue.” Id. at 256 (citing Engalla v. Permanente Med. Grp., Inc., 15 Cal. 4th 951, 9 977 (1997). 10 The California Plaintiffs have adequately pled a duty to disclose based upon Defendant’s 11 exclusive knowledge of the alleged inadequacy of its security measures. See In re Solara, 202 12 WL 2214152, at *10 (finding that the plaintiffs adequately alleged a fraudulent omission UCL 13 claim where they pled “a duty to disclose based upon [d]efendant’s exclusive knowledge of the 14 alleged inadequacy of its security measures); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1113– 15 14 (N.D. Cal. 2015) (“Finally, Plaintiffs have alleged that the information regarding the Carrier 16 IQ Software was in the exclusive knowledge of Defendants. These allegations are sufficient to 17 plausible allege that Defendants had exclusive knowledge of a material fact that they had a duty 18 to disclose but chose to omit.”). Accordingly, the Court declines to dismiss the California 19 Plaintiffs’ fraudulent omission UCL claim. 20 c. Unfair Prong

21 Defendant MGM argues that the California Plaintiffs’ conclusory assertion that it failed 22 to implement and maintain reasonable data security measures is insufficient to satisfy the unfair 23 prong of the UCL. (MTD 38:1–3). 24 The unfair prong of the UCL creates a cause of action for a business practice that is 25 /// 1 unfair even if not proscribed by some other law. See In re Yahoo! Inc. Customer Data Sec. 2 Breach Litig., 2017 WL 3727318, at *23 (citing Korea Supply Co. v. Lockheed Martin Corp., 3 29 Cal. 4th 1134, 1143 (2003)). “The UCL does not define the term ‘unfair’ . . . [and] the 4 proper definition of ‘unfair’ conduct against consumers ‘is currently in flux’ among California 5 courts.” Id. 6 Some California courts apply a balancing approach, which requires courts to “weigh the 7 utility of the defendant’s conduct against the gravity of the harm to the alleged victim.” Davis, 8 691 F.3d at 1169 (internal quotation marks omitted). Other California courts have held that 9 “unfairness must be tethered to some legislatively declared policy or proof of some actual or 10 threatened impact on competition.” Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 735 11 (9th Cir. 2007) (internal quotation marks omitted). These tests are typically referred to as the 12 “balancing test” and the “tethering test.” 13 The California Plaintiffs “may proceed with a UCL claim under the balancing test by 14 either alleging immoral, unethical, oppressive, unscrupulous or substantially injurious conduct 15 by Defendant[] [MGM] or by demonstrating that Defendant [MGM’s] conduct violated an 16 established public policy.” In re Anthem, 162 F. Supp. 3d at 990. In In re Adobe, the court 17 observed that various California statutes—including several statutes upon which Plaintiffs rely 18 here—reflect “California’s public policy of protecting consumer data.” Id. at 1227. Based on 19 the California Plaintiffs allegations, Defendant MGM’s actions violated this public policy by 20 purportedly utilizing substandard data security practices. Whether Defendant MGM’s public

21 policy violation is outweighed by the utility of their conduct under the balancing test is a 22 question more appropriately resolved at a later stage of this litigation. See Mehta v. Robinhood 23 Fin. LLC, No. 21-cv-01013, 2021 WL 6882377, at *12 (N.D. Cal. May 6, 2021) (“At the 24 motion to dismiss stage, the Court cannot say that the benefit from Robinhood’s business 25 practices of allegedly emphasizing growth and profit over protecting their customers’ personal 1 and financial information and failing to implement industry-standard security measures 2 outweighs the harms.”); In re Anthem, 162 F. Supp. 3d at 990 (holding, on a motion to dismiss, 3 that “[w]hether Defendants’ public policy violation is outweighed by the utility of their conduct 4 under the balancing test is a question to be resolved at a later stage in this litigation”); In re 5 iPhone Application Litig., 844 F. Supp. 2d at 1073 (same). Accordingly, based on the 6 balancing test alone, the Court denies Defendant MGM’s motion to dismiss the California 7 Plaintiffs’ UCL claim under the unfair prong. 8 d. Unlawful Prong 9 “The unlawful prong of the UCL prohibits anything that can properly be called a 10 business practice and that at the same time is forbidden by law.” In re iPhone Application 11 Litig., 844 F. Supp. 2d at 1072 (citing Cel-Tec Commc’ns, Inc. v. L.A. Cellular Tel. Co., 973 12 P.3d 527, 540 (Cal. 1999) (internal quotation marks omitted). Section 17200 of the Business 13 and Professions Code permits injured customers to “borrow” violations of other laws and treat 14 them as unfair competition that is independently actionable. Id. 15 The Court has already considered the adequacy of the California Plaintiffs’ allegations 16 under the fraud and unfair prongs of the UCL. Accordingly, the Court finds that the California 17 Plaintiffs have sufficiently pled “unlawful” conduct in violation of the UCL.12 18 G. CALIFORNIA CONSUMER LEGAL REMEDIES ACT 19 As with the California Plaintiffs claim for fraud by omission under the UCL, Defendant 20 MGM again asserts that the California Plaintiffs California Consumers Legal Remedies Act

21 (“CLRA”) fails because they failed to plead that Defendant MGM had a duty to disclose. 22 (MTD 38:25–39:6). 23

24 12 As addressed below, the Court finds that the California Plaintiffs additionally alleged cognizable claims under 25 the California Consumers Legal Remedies Act, Cal. Civ. Code § 1770, and California Customer Records Act, Cal. Civ. Code §§ 1798.90. Therefore, the unlawful prong is alternatively satisfied based on violations of these statutes. 1 The CLRA prohibits “unfair methods of competition and unfair or deceptive acts or 2 practices.” Cal. Civ. Code § 1770. To state a claim under CLRA §§ 1770(a)(5) and (7), a 3 plaintiff must allege: “(1) a misrepresentation; (2) reliance on that misrepresentation; and (3) 4 damages caused by that misrepresentation.” In re Sony PS3 Other OS Litig., 551 F. App’x 916, 5 920 (9th Cir. 2014). “CLRA claims are governed by the ‘reasonable consumer’ test, under 6 which a plaintiff must allege that ‘members of the public are likely to be deceived.’” Id. 7 (quoting Williams v. Gerber Prods. Co., 552 F.3d 934, 938 (9th Cir. 2008)). 8 The CLRA applies the same standard as the UCL for determining whether a defendant 9 engaged in fraud by omission. See Barrett v. Apple Inc., 523 F. Supp. 3d 1132, 1149 (N.D. Cal. 10 2021) (applying the same standard for an actionable duty to disclose under the UCL and 11 CLRA); Stewart v. Electrolux Home Prod., Inc., 304 F. Supp. 3d 894, 906 (E.D. Cal. 2018) 12 (“Generally, the standard for deceptive practices under the fraudulent prong of the UCL applies 13 equally to claims for misrepresentation under the CLRA.”). 14 The Court has already considered the adequacy of the California Plaintiffs’ fraudulent 15 omission UCL claim. Accordingly, the Court declines to dismiss Plaintiffs’ fraudulent 16 omission CLRA claim for the reasons set forth above. 17 H. CALIFORNIA CUSTOMER RECORDS ACT 18 Defendant MGM contends that the California Plaintiffs California Customer Records 19 Act (“CRA”) claim fails because their allegations do no explain how Defendant MGM took 20 insufficient measures to protect customer’s PII. (MTD 39:7–17); (Reply 23:11–18). In

21 response, the California Plaintiffs contend they asserted detailed allegations of how Defendant 22 MGM failed to maintain reasonable security practices, including a failure to encrypt PII. (Resp. 23 46:3–47:2). 24 The CRA “regulates businesses with regard to treatment and notification procedures 25 1 relating to their customers’ personal information.” Corona, 2015 WL 3916744, at *6; Civ. 2 Code §§ 1798.90. The California Plaintiffs allege that Defendant Violated § 1798.81.5(b) of 3 the CRA. This provision provides, in relevant part, that “[a] business that owns, licenses, or 4 maintains personal information about a California resident shall implement and maintain 5 reasonable security procedures and practices appropriate to the nature of the information, to 6 protect the personal information from unauthorized access . . . .” Cal. Civ. Code. § 7 1798.81.5(b). “Personal information” is defined to include a person’s name “in combination 8 with . . . credit or debit card number, in combination with any required security code, access 9 code, or password that would permit access to an individual’s financial account.” Id. § 10 1798.81.5(d)(1)(A)(iii). 11 The Court finds that the California Plaintiffs adequately alleged that Defendant MGM 12 failed to maintain reasonable cybersecurity practices as required by the CRA. Specifically, the 13 California Plaintiffs allege that Defendant MGM failed to encrypt the PII stored on its server in 14 violation of industry practice. (CAC ¶ 38); see In re Mednax Servs., Inc., Customer Data Sec. 15 Breach Litig., No. 21-02994, 2022 WL 1468057, at *21 (S.D. Fla. May 10, 2022) (finding, on a 16 motion to dismiss, that the plaintiffs sufficiently alleged a claim under the CRA by alleging that 17 their “PII [was] maintained and/or exchanged in unencrypted email accounts, in violation of 18 industry practice”). Moreover, the California Plaintiffs contend that Defendant MGM retained 19 their PII for longer than was necessary. (CAC ¶¶ 7, 77, 90–91). Accordingly, the Court 20 declines to dismiss the California Plaintiffs CRA claim.13

21 /// 22 /// 23 /// 24 25 13 Defendant MGM also argues in a single sentence that the California Plaintiffs failed to plead the requisite damages needed to sustain a CRA claim. (Reply 23:16–18). However, for the reasons set forth above, the Court finds that the California Plaintiffs’ alleged cognizable damages. 1 I. CONNETICUIT UNFAIR TRADE PRACTICES ACT 2 Defendant MGM alleges that Plaintiff Robert Taylor’s (“Connecticut Plaintiff’s) claim 3 under Connecticut’s Unfair Trade Practices Act (“CUPTA”) fails because the Connecticut 4 Plaintiff have not alleged an unfair or deceptive practice. (MTD 39:19–40:3). The Connecticut 5 Plaintiff, in response, contend that the “unfair or deceptive practice at issue” is Defendant 6 MGM’s failure to implement adequate safeguards and notify the Connecticut class 7 representative of its inadequate security. 8 The CUPTA provides: “No person shall engage in unfair methods of competition or 9 deceptive acts or practices in the conduct of any trade or commerce.” Conn. Gen. St. § 10 42-110b(a). “Any person who suffers any ascertainable loss of money or property, real or 11 personal, as a result of the use or employment of a method, act or practice prohibited by section 12 42-110b, may bring an action” to recover actual damages, punitive damages, and equitable 13 relief. Conn. Gen. St. 42-110g(a). 14 Here, the Connecticut Plaintiff sufficiently alleged that Defendant MGM knew or should 15 have known about its allegedly inadequate data security practices and the risk of a data breach. 16 The Connecticut Plaintiff alleges that Defendant MGM (1) knew it was a target for hackers, (2) 17 was aware that its data security practices were inadequate, and (3) failed to disclose to the 18 Connecticut Plaintiff when he purchased a hotel room that they did not employ reasonable 19 safeguards to protect Plaintiffs’ PII. (CAC ¶¶ 38–41, 66–77, 78–87, 162–177, 270(a)–(e)). The 20 Connecticut Plaintiff alleges he relied on these omissions and “would not have stayed at MGM

21 properties or would have paid less than he did for his rooms” had he known of Defendant 22 MGM’s allegedly inadequate security practices. (Id. ¶ 14). Therefore, the Court declines to 23 dismiss the Connecticut Plaintiffs CUPTA claim.14 24

25 14 The Court finds that Plaintiffs have adequately alleged unfair or deceptive acts that adequately satisfy Rule 9(b). 1 J. GEORGIA DECEPTIVE TRADE PRACTICES ACT 2 Defendant MGM contends that Plaintiff Michael Fossett’s (“Georgia Plaintiff’s) claim 3 under Georgia’s Uniform Deceptive Trade Practices Act (“GUDTPA”) fails pursuant to Sonner 4 because GUDTPA only provides equitable remedies, and the Georgia Plaintiff cannot show a 5 lack of legal remedies. (MTD 40:4–10); (Reply 24:1–7). In rebuttal, the Georgia Plaintiff 6 contend that Sonner does not bar his claim because injunctive relief is necessary to 7 prospectively protect against future data breaches. (Resp. 48:2–22). 8 For the reasons set forth above, the Georgia Plaintiff has plausibly alleged the 9 inadequacy of remedies at law with respect to their claims for injunctive relief. The Georgia 10 Plaintiff sufficiently alleged that monetary damages for past harm are an inadequate remedy for 11 the future harm an injunction is designed to prevent. Accordingly, the Court declines to 12 dismiss the Georgia Plaintiff’s GUDTPA claim. 13 K. NEW YORK GENERAL BUSINESS LAW 14 Plaintiff Kerri Shapiro (“New York Plaintiff”) alleges claims under the New York 15 General Business Law (“GBL”), N.Y. Gen. Bus. §§ 349, et seq. Section § 349(a) of the GBL 16 prohibits “[d]eceptive acts or practices in the conduct of any business, trade or commerce or in 17 the furnishing of any service.” N.Y. Gen. Bus. § 349(a). To state a § GBL claim, the New 18 York Plaintiff must allege (1) that defendant’s “act or practice was consumer-oriented,” (2) that 19 the act or practice “was misleading in a material way,” and (3) that plaintiff “suffered injury as 20 a result of the deceptive act.” Stutman v. Chem Bank, 731 N.E.2d 608, 611 (N.Y. 2000). “[T]o

21 qualify as a prohibited act under the statute, the deception of a consumer must occur in New 22 York.” Goshen v. Mut. Life Ins. Co. of New York, 774 N.E.2d 1190, 1995 (N.Y. 2002). 23 To begin with, the parties dispute whether Rule 9(b)’s pleading requirements apply to 24 the GBL claim. (MTD 34:3–17). Several federal courts have held that Rule 9(b)’s pleading 25 requirements do not apply to GBL claims. See, e.g., Pelman ex rel. Pelman v. McDonald’s 1 Corp., 396 F.3d 508, 511 (2d Cir. 2005) (“[B]ecause a private action under § 3499 is not 2 subject to the pleading-with-particularity requirements of Rule 9(b), Fed. R. Civ. P., but need 3 only meet the bare-bones notice-pleading requirements of Rule 8(a), Fed. R. Civ. P.”); Greene 4 v. Gerber Prod. Co., 262 F. Supp. 3d 38, 67 (E.D.N.Y. 2017) (same). The Court declines to 5 decide this issue however, because the New York Plaintiff’s allegations meet the requirements 6 of Fed. R. Civ. P. 8(a) or 9(b). 7 Foremost, the New York Plaintiff alleges that she is a “resident of New York.” (CAC ¶ 8 17). The New York Plaintiff further alleges that she transacted with Defendant MGM by 9 “making hotel reservations from New York and paying any necessary room deposits form New 10 York.” (Id. ¶ 296). The New York Plaintiff asserts that Defendant MGM’s deceptive acts or 11 practices including failing to implement reasonable security and privacy measures, failing to 12 identify and remediate foreseeable privacy risks, misrepresenting that it would protect the 13 Plaintiffs’ PII, and failing to comply with statutory duties regarding the security and privacy of 14 Plaintiffs’ personal information, including duties imposed by the FTC Act, 15 U.S.C. § 45. (Id. 15 ¶¶ 295–96). The New York Plaintiff claims that these acts affected the public interest and 16 consumers at large, and that the New York class representative suffered damages as a result of 17 Defendant MGM’s alleged practices. (Id. ¶¶ 300–05). Based on the foregoing, the New York 18 Plaintiff has adequately pled that the alleged deception took place in New York, that Defendant 19 MGM misrepresented their security and privacy measures, and that she suffered an injury as 20 result of this deception. Therefore, the Court declines to dismiss the New York Plaintiff’s GBL

21 claim. 22 /// 23 /// 24 /// 25 /// 1 L. OHIO DECEPTIVE TRADE PRACTICES ACT 2 Defendant MGM argues that the Ohio Trade Practices Act. (“ODTPA”) does not 3 provide a cause of action for consumers like Plaintiff Julie Mutsko (“Ohio Plaintiff”). (MTD 4 40:25–41:4). In rebuttal, the Ohio Plaintiff contend that there a split of authority on the issue of 5 whether individual consumers have standing to assert a claim under the ODTPA, and that this 6 Court should find that individual consumers have standing. (Resp. 49:23–50:24). 7 The ODTPA gives standing to bring a civil action to a “person who is likely to be 8 damaged by a person who commits a deceptive trade practice” or a “person who is injured by a 9 person who commits a deceptive trade practice.” Ohio Rev. Code § 4165.03(A)(1)-(2). ODTPA 10 defines a “person” as “an individual, corporation, government, governmental subdivision or 11 agency, business trust, estate, trust, partnership, unincorporated association, limited liability 12 company, two or more of any of the foregoing having a joint or common interest, or any other 13 legal or commercial entity.” Ohio Rev. Code § 4165.01(D). 14 Here, the Court adopts the reasoning of the United States District Court for the Northern 15 District of Ohio in Hamilton v. Ulta Beauty and finds that Plaintiffs do not have standing to 16 pursue a claim under ODTPA. See Hamilton v. Ulta Beauty, No. 5:18-cv-754, 2018 WL 17 3093527, at *3 (N.D. Ohio June 21, 2018) (“A broad majority of the courts to directly address 18 this issue have held that the ODTPA does not give consumers standing.”). The Hamilton court 19 explained that there are three reasons why ODTPA does not provide for consumer standing. 20 First, “Ohio courts look to the federal Lanham Act when interpreting the ODTPA, and the

21 Lanham Act does not give a consumer right of action.” Id. at *3. Second, the definition of 22 “person” in the ODTPA qualifies the list of individuals and entities with the phrase “or any 23 other legal or commercial entity,” thereby implying that an individual “may not bring suit as a 24 non-commercial consumer.” Id. Third, the Hamilton court recognized that the Ohio Consumer 25 Sales Practice Act (“OSCPA”) already “provides for consumer standing and prohibits virtually 1 the same practices as the ODTPA.” Id. The court thereby reasoned that OSCPA would be 2 rendered superfluous if ODTPA also provided consumer standing. Id. 3 This Court sides with the majority of courts that have found that consumers do not have 4 standing under ODTPA, as the OCSPA would be rendered superfluous if consumers could sue 5 under ODTPA.15 Accordingly, the Court dismisses the Ohio Plaintiff’s ODTPA claim with 6 prejudice. 7 M. OREGON UNLAWFUL TRADE PRACTICES ACT 8 Defendant MGM moves to dismiss Plaintiff John Dvorak’s (“Oregon Plaintiff’s) Oregon 9 Unlawful Trade Practices Act (“OUTPA”) claim, arguing that he has not alleged an “unlawful” 10 trade practice or have pled fraud with the requisite particularity required under Rule 9(b). 11 (MTD 41:6–12). 12 Several courts have applied Rule 9(b)’s heightened pleading to OUTPA. See Martell v. 13 General Motors LLC, 492 F. Supp. 3d 1131, 1146 (D. Or. 2020) (applying Rule 9(b)’s 14 heightened pleading standard to the plaintiffs’ OUTPA claim); Ahern v. Apple Inc., 411 F. 15 Supp. 3d 541, 559 (N.D. Cal. 2019) (same); Vinci v. Hyundai Motor Am., No. 17-0997, 2018 16 WL 6136828, at **11–12 (C.D. Cal. April 10, 2018) (same). The OUTPA imposes liability for 17 “unlawful trade practice[s]” specified in the statute. See Or. Rev. Stat. § 646.608(1)(e), (g), (i). 18 Specifically, OUTPA § 646.608(1)(e) provides “[a] person engages in an unlawful practice if in 19 the course of a the person’s business” they “represent[] . . . goods or services have . . . 20 characteristics, . . . benefits . . . or qualities that the . . . goods or services do not have . . . .”

22 15 In contrast, Plaintiffs cite two cases finding that consumers have standing under the ODTPA. See Schumacher 23 v. State Auto. Mut. Ins. Co., 47 F. Supp. 3d 618, 630–32 (S.D. Ohio 2014) (determining that consumers have standing to sue under the ODTPA while acknowledging that most courts deciding the issue have interpreted the 24 statute as providing standing only for commercial entities); Bower v. Int'l Bus. Machines, Inc., 495 F. Supp. 2d 837, 844 (S.D. Ohio 2007) (interpreting consumers to fall within the definition of “persons” under the ODTPA). 25 In Hamilton, the court noted that “these decisions represent a minority view among the state and federal courts to consider this issue.” Hamilton, 2018 WL 3093527, at *3. 1 OUTPA § 646.608(1)(g) in turn states that a person engages in an unlawful practice by 2 representing that “goods or services are of a particular standard, quality, or grad . . . . if the . . . 3 goods or services are of another.” A plaintiff bringing an OUTPA claim must prove “(1) the 4 defendant committed an unlawful trade practice; (2) plaintiff suffered an ascertainable loss of 5 money or property; and (3) plaintiff’s injury (ascertainable loss) was the result of the unlawful 6 trade practice.” Pearson v. Philip Morris, Inc., 357 P.3d 3, 28 (Or. 2015). 7 Under the first element, the Oregon Plaintiff alleges that Defendant MGM knew or 8 should have known about its allegedly inadequate data security practices and the risk of a data 9 breach and that its alleged failures and omissions were material and relied upon by consumers. 10 (CAC ¶¶ 38–41, 66–77, 78–87, 162–177, 270(a)–(e)). At this stage in the pleadings, the Court 11 finds that this satisfies the first element. Pursuant to the second element, the Oregon Plaintiff 12 posits he suffered damages in the form of include loss of the benefit-of-the bargain, money 13 spent mitigating harms, diminished value of PII, and attempted identity theft. (Id. ¶¶ 19, 95– 14 125). Turning to the third element, the Oregon Plaintiff contends he would not have stayed at 15 Defendant MGM’s property or would have paid less for the room had he known about 16 Defendant MGM’s deficient data security. (Id. ¶ 19). 17 Additionally, Defendant MGM argues that dismissal of the OUTPA is warranted 18 because a portion of the Oregon Plaintiff’s claim is based on violation of Oregon’s Consumer 19 Information Act (“OCIPA”), which Defendant MGM contends does not provide a private right 20 of action. (MTD 41:13–22). The Oregon Plaintiff, in rebuttal, contends that a private right of

21 action can be inferred. (Resp. 52:8–53:12). 22 The Oregon Court of Appeals has found that under OCIPA, “only the state can prosecute 23 trade practices declared unlawful by ORS 646.607.” Horton v. Nelson, 288 P.3d 967, 971–72 24 (Or. App. 2012); see Advanced Steel Recovery, LLC v. X-Body Equip., Inc., No. 2:16-cv-00148, 25 at *7 (D. Nev. Feb. 9, 2022) (“In addition, ‘only the [state of Oregon] can prosecute trade 1 practices declared unlawful by ORS 646.607.” (quoting Horton, 288 P.3d at 971–72)). Under 2 the statute, the Director of Oregon’s Department of Consumer and Business Services may only 3 order compensation to consumers after a showing is made that a “private civil action would be 4 so burdensome or expensive as to be impractical.” Or. Stat. § 646.24. Despite the Oregon 5 Court of Appeals decision in Horton, one district court has found that this “implies that private 6 civil actions are available.” In re Target Corp. Data Sec. Breach Litigation, 66 F. Supp. 3d 7 1154, 1167 (D. Minn. 2014). In Oregon, however, “[i]n general, an individual has no private 8 remedy for a statutory violation unless the statute expressly provides one.” Praegitzer Indus., 9 Inc. v. Rollins Burdick Hunter of Oregon, Inc., 880 P2d 479, 481 (Or. Ct. App. 1994). Here, 10 the statute does not expressly provide a private remedy for a statutory violation, and the Court 11 declines to find one. See Patton v. Experian Data Corp., No. 27-01559, 2018 WL 6190349, at 12 *10 (C.D. Cal. Jan 23, 2018) (dismissing Oregon UDTPA claim predicated on an alleged 13 violation of CIPA because no private right of enforcements exists under the CIPA). 14 Accordingly, the Court dismisses the Oregon Plaintiff’s OUTPA claim with prejudice to the 15 extent it is based on a violation of OCIPA. 16 N. OREGON CONSUMER INFORMATION PROTECTION ACT 17 For the reasons set forth above, the Court finds that OCIPA does not provide the Oregon 18 Plaintiff with a private cause of action. Accordingly, the Court dismisses the Oregon Plaintiff’s 19 OCIPA claim with prejudice. 20 The Ninth Circuit “ha[s] held that in dismissing for failure to state a claim under Rule

21 12(b)(6) ‘a district court should grant leave to amend even if no request to amend the pleading 22 was made, unless it determines that the pleading could not possibly be cured by the allegation 23 of other facts.’” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (quoting Doe v. United 24 States, 58 F.3d 494, 497 (9th Cir. 1995)). 25 1 Here, the Court finds that Plaintiffs’ negligence claim to the extent it alleges damages 2 based solely on lost time, negligent misrepresentation, ODPTA, and OCIPA claims cannot be 3 cured by the inclusion of other facts. Accordingly, the Court dismisses these claims without 4 leave to amend. Plaintiffs’ unjust enrichment is dismissed with leave to amend. 5 IV. CONCLUSION 6 IT IS HEREBY ORDERED that Defendant MGM’s Motion to Dismiss, (ECF No. 7 ECF No. 103), is GRANTED in part and DENIED in part. 8 DATED this __2___ day of November, 2022. 9 10 ___________________________________ Gloria M. Navarro, District Judge 11 UNITED STATES DISTRICT COURT 12 13 14 15 16 17 18 19 20 21 22 23 24 25