Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 1 of 48 1 2 3 4 5 6 Ann Marie Mortimer (SBN 169077) amortimer@hunton.com Jason J. Kim (SBN 221476) kimj@hunton.com Kirk A. Hornbeck (SBN 241708) khornbeck@hunton.com HUNTON & WILLIAMS LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Telephone: (213) 532-2000 Facsimile: (213) 532-2020 7 8 9 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 10 11 12 13 14 Samuel A. Danon (admitted pro hac vice) sdanon@hunton.com John J. Delionado (admitted pro hac vice) jdelionado@hunton.com HUNTON & WILLIAMS LLP 1111 Brickell Avenue, Suite 2500 Miami, Florida 33143 Telephone: (305) 810-2500 Facsimile: (305) 810-2460 Attorneys for Defendants Yahoo! Inc. and Aabaco Small Business, LLC 15 UNITED STATES DISTRICT COURT 16 NORTHERN DISTRICT OF CALIFORNIA - SAN JOSE DIVISION 17 18 IN RE: YAHOO! CUSTOMER DATA SECURITY BREACH LITIGATION CASE NO.: 16-MD-02752-LHK 19 DEFENDANTS YAHOO! INC. AND AABACO SMALL BUSINESS, LLC’S: 20 (1) NOTICE OF MOTION AND MOTION TO DISMISS; AND (2) MEMORANDUM OF POINTS AND AUTHORITIES IN SUPPORT THEREOF 21 22 23 24 25 26 27 [Request for Judicial Notice and [Proposed] Order filed concurrently herewith] Date: Time: Courtroom: Judge: August 24, 2017 1:30 p.m. 8, 4th Floor Hon. Lucy H. Koh 28 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 2 of 48 1 TO ALL PARTIES AND THEIR COUNSEL OF RECORD: 2 PLEASE TAKE NOTICE THAT, on August 24, 2017, at 1:30 p.m., or as soon thereafter 3 as this matter may be heard before the Honorable Lucy H. Koh, in Courtroom 8 of the United States 4 District Court of California, located at 280 South First Street, 4th Floor, San Jose, California 95113, 5 Defendants Yahoo! Inc. (“Yahoo”) and Aabaco Small Business, LLC (“Aabaco”) (together, 6 “Defendants”) will and hereby do move this Court for an order dismissing Plaintiffs’ Consolidated 7 Class Action Complaint (the “Complaint”) in its entirety. 8 9 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 10 This Motion is made on multiple grounds under Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure: First, each of Plaintiffs’ claims fails because they have not and cannot plausibly allege any 11 injury or damages, much less injury or damages that are traceable to Defendants’ alleged conduct— 12 requisite elements of Article III standing and each of the claims. 13 Second, Plaintiffs fail to state a claim under California’s unfair competition laws, as they 14 have not pled any unlawful, unfair, or fraudulent conduct on the part of Defendants. Nor can they 15 obtain the remedies sought. 16 Third, Plaintiffs fail to state a claim under the Consumer Legal Remedies Act (“CLRA”). 17 Plaintiffs are not “consumers” under the statute, as they did not “purchase or lease” a covered 18 “good” or “service” under the CLRA. Plaintiffs also have failed to plead fraudulent conduct on the 19 part of Yahoo, much less with the requisite degree of particularity. 20 Fourth, Plaintiffs fail to state a claim under the Customer Records Act (“CRA”). As an 21 initial matter, the non-California resident Plaintiffs lack statutory standing under the CRA. 22 Similarly, CRA notice was not required in connection with the alleged 2013 Breach, as the CRA did 23 not cover “online account” information at that time. Likewise, the CRA does not apply to the 24 Forged Cookie Breach, as it did not expose any covered information. Moreover, Plaintiffs fail to 25 allege notification-delay damages—rather, Plaintiffs merely purport to allege damages resulting 26 from the alleged breaches themselves. Plaintiffs’ requested statutory penalties under Section 27 1798.84(c) of the Civil Code are unavailable, as those penalties are limited to alleged violations of 28 1 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 3 of 48 1 California’s “Shine the Light” law (which Plaintiffs do not plead). Last, Plaintiffs plead no basis for 2 injunctive relief in connection with alleged harms flowing from past breaches. 3 Fifth, Plaintiffs fail to state a claim under the Stored Communications Act (“SCA”), as 4 Defendants did not “knowingly” divulge Plaintiffs’ alleged information; Plaintiffs admit it was 5 stolen by third parties. Similarly, the alleged Forged Cookie Breach falls outside the ambit of the 6 SCA, as none of the information contained in the cookies included covered “content.” 7 Sixth, Plaintiffs fail to state a claim under Online Privacy Protection Act (“OPPA”), which 8 does not provide a private right of action. Beyond that, OPPA applies only to California residents, 9 which excludes Essar, the Ridolfos, Garg, Rivlin, Granot and Neff. And the only two remaining 10 Plaintiffs fail to state a claim nonetheless because they are not “consumers”—they did not “purchase 11 or lease” anything from Yahoo. 12 Seventh, Plaintiffs fail to state a claim under any of their contract theories. They have not 13 alleged a breach of any express or implied terms; nor can they use an implied covenant theory to 14 impose new obligations on Defendants. Even still, Plaintiffs cannot plead the requisite damages, as 15 any consequential damages flowing from the alleged breaches are barred under the terms of service 16 to which Plaintiffs agreed. 17 18 19 20 21 Eighth, Plaintiff Brian Neff fails to state a claim for fraudulent inducement, as he fails to plead any actionable fraud or reliance, much less with the requisite particularity. Ninth, Plaintiffs’ negligence theories—negligent misrepresentation and negligence—fail under the economic loss rule. Tenth, Plaintiffs cannot bring claims on behalf of the Australia, Venezuela and Spain Classes, 22 as those individuals are bound by terms of service that require them to bring their claims under 23 different laws and in different fora. 24 Finally, Plaintiffs have not pled entitlement to declaratory relief. Their conclusory assertions 25 that provisions in Defendants’ respective terms of service are “unconscionable and unenforceable” 26 are just that. 27 28 2 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 4 of 48 1 This Motion will be based upon this Notice of Motion and Motion, the accompanying 2 Memorandum of Points and Authorities, the Request for Judicial Notice filed concurrently herewith, 3 the pleadings and papers on file, and upon such oral argument as may be made at the hearing. 4 5 6 7 8 Dated: May 22, 2017 HUNTON & WILLIAMS LLP By: /s/ Ann Marie Mortimer Ann Marie Mortimer Attorneys for Defendants Yahoo! Inc. and Aabaco Small Business, LLC 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 3 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 5 of 48 1 TABLE OF CONTENTS 2 I. INTRODUCTION ................................................................................................................ 1 3 II. STATEMENT OF ISSUES TO BE DECIDED ..................................................................... 3 4 III. FACTUAL BACKGROUND ............................................................................................... 3 5 IV. LEGAL ARGUMENT .......................................................................................................... 7 6 A. Plaintiffs Fail To Meet Their Threshold Burden Under Article III. ............................ 7 7 1. Plaintiffs Fail To Allege Injury-In-Fact Sufficient To Show Standing. ........... 8 8 2. Plaintiffs Fail To Plead Facts Sufficient For Traceability. .............................. 9 9 a. There Is No Causal Connection Between The Information Stolen And The Injuries Claimed...................................................... 10 b. Plaintiffs Have Failed To Plead Facts To Link Breaches From 2013 And 2014 To Injury Today, And Other Causes Exist. .............. 12 c. Yahoo Is Not Liable For Theft Of Publicly Available Information. ..................................................................................... 13 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 B. Plaintiffs’ Claims Fail Under Rule 12(b)(6). ............................................................ 13 1. Plaintiffs Fail To State A Claim For A UCL Violation. ................................ 14 16 a. Plaintiffs’ Allegations Do Not Establish An “Unlawful” Act. ........... 14 17 b. Plaintiffs Fail To Show “Unfair” Or “Fraudulent” Conduct. ............. 14 18 c. Plaintiffs Cannot Plead Reliance Necessary For Their UCL Claim. .............................................................................................. 16 d. Plaintiffs Are Not Entitled To The Remedies Sought. ....................... 17 19 20 21 2. Plaintiffs’ Consumer Legal Remedies Act Claim Fails. ................................ 17 22 3. Plaintiffs’ Customer Records Act Claim Fails. ............................................. 18 23 a. The Non-California Plaintiffs Lack Standing. ................................... 18 24 b. CRA Notice Was Not Required For The 2013 Breach. ..................... 19 25 c. The CRA Does Not Apply To The “Forged Cookie Breach.” ........... 21 26 d. Plaintiffs Fail To Allege Damages Resulting From Any Allegedly Delayed Notice. ............................................................... 22 e. Plaintiffs Have No Basis To Recover Statutory Penalties.................. 22 27 28 4. Plaintiffs’ Stored Communications Act Claim Fails. .................................... 23 i NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 6 of 48 1 5. Plaintiffs’ Online Privacy Protection Act Claim Fails. ................................. 24 2 6. Plaintiffs’ Express Contract Claim Fails. ...................................................... 25 3 7. Plaintiffs’ Implied Contract Claim Fails. ...................................................... 28 4 8. Plaintiffs’ Implied Covenant Claim Fails. .................................................... 28 5 9. Plaintiff Brian Neff’s Fraudulent Inducement Claim Fails. ........................... 30 6 10. Foreign Plaintiffs Cannot Assert A California Negligence Claim, And Negligence Is Barred By The Economic Loss Doctrine. ............................... 31 11. Foreign Plaintiffs’ Claims Should Be Dismissed For Forum Non Conveniens. ................................................................................................. 33 12. Plaintiffs’ Declaratory Relief Claim Fails. ................................................... 34 7 8 9 10 V. CONCLUSION .................................................................................................................. 35 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ii NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 7 of 48 TABLE OF AUTHORITIES 1 2 Page(s) 3 Cases 4 Acceler-Ray, Inc. v. IPG Photonics Corp., 2017 WL 1196835 (N.D. Cal. Mar. 31, 2017) ........................................................................... 33 5 6 In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) ................................................................................... 7, 22 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010 (9th Cir. 2000)................................................................................................... 27 In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016) ................................................................................ passim Antman v. Uber Techs., Inc., 2015 WL 6123054 (N.D. Cal. Oct. 19, 2015)................................................................. 10, 12, 18 Ashcroft v. Iqbal, 556 U.S. 662 (2009) ................................................................................................................. 13 Atl. Marine Constr. Co., Inc. v. U.S. Dist. Ct. for W. Dist. of Tex., 134 S. Ct. 568 (2013)...........................................................................................................33, 34 Attias v. CareFirst, Inc., 199 F. Supp. 3d 193 (D.D.C. 2016)........................................................................................... 10 Avidity Partners, LLC v. State, 221 Cal. App. 4th 1180 (2013).................................................................................................. 29 Avila v. Countrywide Home Loans, 2010 WL 5071714 (N.D. Cal. Dec. 7, 2010) ............................................................................. 14 In re Barnes & Noble Pin Pad Litig., 2016 WL 5720370 (N.D. Ill. Oct. 3, 2016)................................................................................ 22 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) ................................................................................................................. 13 Biggins v. Wells Fargo & Co., 266 F.R.D. 399 (N.D. Cal. 2009) .............................................................................................. 34 Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456 (2013).................................................................................................... 22 Buckland v. Threshold Enters., Ltd., 155 Cal. App. 4th 798 (2007).................................................................................................... 18 iii NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 8 of 48 1 2 3 4 5 6 Buena Vista, LLC v. New Res. Bank, 2010 WL 3448561 (N.D. Cal. Aug. 31, 2010)........................................................................... 15 Cannon v. Wells Fargo Bank, N.A., 917 F. Supp. 2d 1025 (N.D. Cal. 2013) ..................................................................................... 31 Careau & Co. v. Sec. Pac. Bus. Credit, Inc., 222 Cal. App. 3d 1371 (1990)................................................................................................... 29 Cetacean Cmty. v. Bush, 386 F.3d 1169 (9th Cir. 2004)..................................................................................................... 7 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 Chamberlan v. Ford Motor Co., 2003 WL 25751413 (N.D. Cal. Aug. 6, 2003)........................................................................... 17 City of Pontiac Policemen’s & Firemen’s Ret. Sys. v. UBS AG, 752 F.3d 173 (2d Cir. 2014)...................................................................................................... 15 Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013)................................................................................................................ 9 12 13 14 15 16 Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011) ....................................................................................... 17 Corona v. Sony Pictures Entm’t, Inc., 2015 WL 3916744 (C.D. Cal. June 15, 2015) ........................................................................... 22 DaimlerChrysler Corp. v. Cuno, 547 U.S. 332 (2006) ................................................................................................................... 7 17 18 19 20 21 22 23 24 25 26 27 28 Darnaa, LLC v. Google, Inc., 2015 WL 7753406 (N.D. Cal. Dec. 2, 2015) ............................................................................. 35 Darnaa, LLC v. Google Inc., 2017 WL 679404 (N.D. Cal. Feb. 21, 2017) ............................................................................. 30 Davidson v. Apple, Inc., 2017 WL 976048 (N.D. Cal. Mar. 14, 2017) ............................................................................. 34 Day v. City of Fontana, 25 Cal. 4th 268 (2001) .............................................................................................................. 19 DB Healthcare, LLC v. Blue Cross Blue Shield of Ariz., Inc., 852 F.3d 868 (9th Cir. 2017)..................................................................................................... 18 Dix v. Nova Benefit Plans, LLC, 2015 WL 12859221 (C.D. Cal. Apr. 28, 2015).......................................................................... 31 Doe v. Schwarzenegger, 2007 WL 601977 (N.D. Cal. Feb. 22, 2007) ............................................................................. 21 iv NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 9 of 48 1 2 3 4 5 6 Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428 (S.D. Cal. Nov. 3, 2016) ...................................................................... passim Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 8469592 (S.D. Cal. Dec. 7, 2016).............................................................................. 11 Duqum v. Scottrade, Inc., 2016 WL 3683001 (E.D. Mo. July 12, 2016) ............................................................................ 13 Durell v. Sharp Healthcare, 183 Cal. App. 4th 1350 (2010).................................................................................................. 16 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 Emery v. Visa Internat. Serv. Ass’n, 95 Cal. App. 4th 952 (2002) ..................................................................................................... 15 In re Facebook Internet Tracking Litig., 140 F. Supp. 3d 922 (N.D. Cal. 2015) ....................................................................................... 21 In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011) ....................................................................................... 14 12 13 14 15 16 Fernandez v. Leidos, Inc., 127 F. Supp. 3d 1078 (E.D. Cal. 2015) ................................................................................. 8, 13 Ferrington v. McAfee, Inc., 2010 WL 3910169 (N.D. Cal. Oct. 5, 2010).............................................................................. 18 In re Firearm Cases, 126 Cal. App. 4th 959 (2005).................................................................................................... 15 17 18 19 20 21 22 23 24 25 26 27 28 Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118 (2012).................................................................................................. 28 Fred Briggs Distrib. Co. v. Cal. Cooler, Inc., 1993 WL 306157 (9th Cir. Aug. 11, 1993)................................................................................ 18 Frenzel v. AliphCom, 76 F. Supp. 3d 999 (N.D. Cal. 2014) ......................................................................................... 17 Frezza v. Google Inc., 2012 WL 5877587 (N.D. Cal. Nov. 20, 2012)........................................................................... 28 Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167 (2000) ................................................................................................................. 10 Garcia v. UnionBanCal Corp., 2006 WL 2619330 (N.D. Cal. Sept. 12, 2006) .......................................................................... 18 In re Google Android Consumer Privacy Litig., 2013 WL 1283236 (N.D. Cal. Mar. 26, 2013) ............................................................................. 8 v NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 10 of 48 1 2 3 4 5 6 Hadley v. Kellogg Sales Co., 2017 WL 1065293 (N.D. Cal. Mar. 21, 2017) ........................................................................... 14 People ex rel. Harris v. Delta Air Lines, Inc., 247 Cal. App. 4th 884 (2016).................................................................................................... 25 Herskowitz v. Apple Inc., 940 F. Supp. 2d 1131 (N.D. Cal. 2013) ..................................................................................... 30 In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015)................................................................................ 12 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 Hougue v. City of Holtville, 2008 WL 1925249 (S.D. Cal. Apr. 30, 2008) ............................................................................ 29 In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012) ................................................................................17, 24 J&J Sports Prods., Inc. v. Sally & Henry’s Doghouse Bar & Grill LLC, 2016 WL 1323464 (S.D. Cal. Apr. 4, 2016) .............................................................................. 35 12 13 14 15 16 Kearns v. Ford Motor Co., 567 F.3d 1120 (9th Cir. 2009)........................................................................................ 13, 14, 15 Khoury v. Maly’s of Cal., Inc., 14 Cal. App. 4th 612 (1993) ..................................................................................................... 14 King v. Conde Nast Publ’n, 554 F. App’x 545 (9th Cir. 2014).............................................................................................. 23 17 18 19 20 21 22 23 24 25 26 27 28 Kwikset Corp. v. Superior Court, 51 Cal. 4th 310 (2011) .............................................................................................................. 14 Lewis v. YouTube, LLC, 244 Cal. App. 4th 118 (2015)...............................................................................................28, 34 In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089 (N.D. Cal. 2013) ....................................................................................... 9 Long v. Insight Commc’ns of Cent. Ohio, LLC, 804 F.3d 791 (6th Cir. 2015)..................................................................................................... 23 Low v. LinkedIn Corp. (“Low I”), 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011)............................................................................. 8 Low v. LinkedIn Corp. (“Low II”), 900 F. Supp. 2d 1010 (N.D. Cal. 2012) ............................................................................ 7, 16, 25 Lujan v. Defs. of Wildlife, 504 U.S. 555 (1992) ................................................................................................................... 7 vi NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 11 of 48 1 2 3 4 5 6 Madrid v. Perot Sys. Corp., 130 Cal. App. 4th 440 (2005).................................................................................................... 17 Markborough Cal., Inc. v. Superior Court, 227 Cal. App. 3d 705 (1991)................................................................................................28, 35 Martinez v. Bank of Am., Corp., 2012 WL 3647434 (E.D. Cal. Aug. 23, 2012) ........................................................................... 18 McClung v. Emp’t Dev. Dept., 34 Cal. 4th 467 (2004) .............................................................................................................. 20 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 Miller v. Hearst Commc’ns Inc., 554 F. App’x 657 (9th Cir. 2014).............................................................................................. 22 Minkler v. Apple, Inc., 65 F. Supp. 3d 810 (N.D. Cal. 2014) ....................................................................................31, 32 Muskovich v. Crowell, 1996 WL 707008 (S.D. Iowa Aug. 30, 1996) ............................................................................ 23 12 13 14 15 16 Nedlloyd Lines B.V. v. Superior Courts, 3 Cal. 4th 459 (1992) ................................................................................................................ 32 Newcal Indus., Inc. v. Ikon Office Sol., 513 F.3d 1038 (9th Cir. 2008)................................................................................................... 15 Northstar Fin. Advisors Inc. v. Schwab Invs., 135 F. Supp. 3d 1059 (N.D. Cal. 2015) ..................................................................................... 28 17 18 19 20 21 22 23 24 25 26 27 28 O’Connor v. Uber Techs., Inc., 2013 WL 6354534 (N.D. Cal. Dec. 5, 2013) ............................................................................. 28 Obodai v. Indeed, Inc., 2013 WL 1191267 (N.D. Cal. Mar. 21, 2013) ........................................................................... 24 Opperman v. Path, Inc., 87 F. Supp. 3d 1018 (N.D. Cal. 2014) ....................................................................................... 16 Perez v. Wells Fargo Bank, N.A., 2011 WL 3809808 (N.D. Cal. Aug. 29, 2011)........................................................................... 29 PhotoThera, Inc. v. Oron, 2007 WL 4259181 (S.D. Cal. Dec. 4, 2007).............................................................................. 35 Poublon v. C.H. Robinson Co., 846 F.3d 1251 (9th Cir. 2017)................................................................................................... 34 Resnick v. AvMed, 693 F.3d 1317 (11th Cir. 2012) ................................................................................................. 10 vii NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 12 of 48 1 2 3 4 5 6 Sams v. Yahoo!, Inc., 2011 WL 1884633 (N.D. Cal. May 18, 2011) ........................................................................... 24 In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14 (D.D.C. 2014) .........................................................................................13, 14 Smith & Hawken, Ltd. v. Gardendance, Inc., 2004 WL 2496163 (N.D. Cal. Nov. 5, 2004)............................................................................. 15 Smith, Valentino & Smith, Inc. v. Superior Court, 17 Cal. 3d 491 (1976) ............................................................................................................... 31 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony I”), 903 F. Supp. 2d 942 (S.D. Cal. 2012) ............................................................................ 16, 18, 32 In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony II”), 996 F. Supp. 2d 942 (S.D. Cal. 2014) ............................................................................ 22, 31, 34 Strumlauf v. Starbucks Corp., 192 F. Supp. 3d 1025 (N.D. Cal. 2016) ..................................................................................... 32 12 13 14 15 16 Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137 (9th Cir. 2008)................................................................................................... 14 Tall v. Ryan, 1990 WL 68849 (9th Cir. May 23, 1990) .................................................................................. 13 Tapia v. Superior Court, 53 Cal. 3d 282 (1991) ............................................................................................................... 21 17 18 19 20 21 22 23 24 25 26 27 28 In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014)...................................................................................27, 35 In re Tobacco II Cases, 46 Cal. 4th 298 (2009) .............................................................................................................. 16 Unchageri v. Carefirst of Maryland, Inc., 2016 WL 8255012 (C.D. Ill. Aug. 23, 2016) ............................................................................. 12 Welborn v. Internal Revenue Serv., 2016 WL 6495399 (D.D.C. Nov. 2, 2016) ................................................................................ 11 Whalen v. Michaels Stores, Inc., 2017 WL 1556116 (2d Cir. May 2, 2017) ................................................................................... 9 Willingham v. Glob. Payments, Inc., 2013 WL 440702 (N.D. Ga. Feb. 5, 2013) ................................................................................ 23 Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) ......................................................................................... 23 viii NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 13 of 48 1 2 3 4 5 6 In re Yahoo Mail Litig., 2016 WL 4474612 (N.D. Cal. Aug. 25, 2016)........................................................................... 25 Young v. Facebook, Inc., 790 F. Supp. 2d 1110 (N.D. Cal. 2011) ..................................................................................... 27 In re Zappos.com, Inc., 108 F. Supp. 3d 949 (D. Nev. 2015) ........................................................................................... 8 In re Zappos.com, Inc., 2013 WL 4830497 (D. Nev. Sept. 9, 2013) ............................................................................... 35 7 8 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 9 In re Zappos.com, Inc., 2016 WL 2637810 (D. Nev. May 6, 2016) .................................................................................. 8 10 In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014)................................................................................................... 24 11 Statutes 12 18 U.S.C. § 2702 ............................................................................................................................ 23 13 Cal. Bus. & Prof. Code § 22575 ..................................................................................................... 25 14 Cal. Bus. & Prof. Code § 22577 ..................................................................................................... 25 15 Cal. Civ. Code § 1761 .................................................................................................................... 17 16 Cal. Civ. Code § 1798.80 ............................................................................................................... 18 17 18 Cal. Civ. Code § 1798.81 ............................................................................................................... 18 Cal. Civ. Code § 1798.82 ............................................................................................................... 18 19 Cal. Gov. Code § 9080 ................................................................................................................... 20 20 21 22 23 Rules Fed. R. Civ. P. 9 ...................................................................................................................... 2, 7, 13 Fed. R. Civ. P. 12 .................................................................................................................... passim 24 25 26 27 28 ix NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 14 of 48 1 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 2 MEMORANDUM OF POINTS AND AUTHORITIES I. INTRODUCTION 3 This litigation arises out of one of the most organized, sophisticated and relentless criminal 4 attacks in cybercrime history, sponsored by the Russian Federal Security Service (the successor of 5 the infamous “KGB”), and executed by a veritable “who’s who” of cybercriminals, including 6 members of the FBI’s “Most Wanted” list and Interpol’s Red Notice. This was no ordinary security 7 breach, but a full-fledged, state-sponsored cyber assault designed to evade Yahoo! Inc.’s (“Yahoo”) 8 security measures, avoid Yahoo’s detection systems, and adapt and evolve to meet Yahoo’s security 9 defenses and upgrades. With Yahoo’s cooperation and assistance, the Department of Justice 10 (“DOJ”) was able to identify and indict the perpetrators, the first time foreign government officials 11 have ever been charged in the United States for cybercrime. After the indictment, the United States 12 Attorney for this very District stated: “We commend Yahoo … for providing exemplary cooperation 13 while zealously protecting [its] users’ privacy.”1 14 The crime perpetrated against Yahoo and its users was not a simple failure in security, as 15 Plaintiffs have suggested, but rather a triumph of criminal persistence, ultimately thwarted only by 16 dogged law enforcement investigation and Yahoo’s cooperation. Plaintiffs nevertheless attempt to 17 turn this criminal intrusion on its head and make Yahoo responsible for these sophisticated criminal 18 acts because it allegedly “represented and warranted to Plaintiffs and Class Members that its PII 19 databases were secure and that customers’ PII would remain private.” Compl. ¶ 34. But Plaintiffs 20 can make this assertion only by wrenching Yahoo’s clear statements wholly out of context. Indeed, 21 as is widely understood by Internet users, no security system is hack-proof, and Yahoo specifically 22 warned its users that the Internet is not “100% secure” and that all security measures are limited. In 23 a world in which information stored, transmitted and shared across the Internet is constantly 24 vulnerable to criminal intrusion and security breaches by multiple sources, the burden is on 25 Plaintiffs, at the very least, to plausibly demonstrate concrete injuries that were actually caused by 26 27 28 1 Request for Judicial Notice (“RJN”), Exh. J, at 2, https://www.justice.gov/opa/pr/us-chargesrussian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions. 1 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 15 of 48 1 Yahoo and not some other source. Plaintiffs do not do this, and their claims fail for multiple distinct 2 reasons. Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 3 First, Plaintiffs have not satisfied their threshold burden of demonstrating Article III 4 standing. To start, Plaintiffs have failed to plead actual, plausible and concrete injuries caused by 5 Yahoo. Reimbursed expenses, loss of personal identifying information (“PII”) value and other 6 highly individualized “harms” are not sufficient to support standing. Moreover, the alleged harms 7 Plaintiffs claim stem from information disseminated by Plaintiffs to third parties, not information 8 collected and stored by Yahoo on its network, and Plaintiffs fail to draw any causal connection 9 between the highly individualized injuries alleged (from the filing of fraudulent tax returns to 10 various financial frauds) and the Yahoo breaches, as opposed to the numerous other potential causes 11 of the events. Among other things, Plaintiffs fail to allege their passwords or security questions were 12 decrypted or unhashed, their security questions were correlated to their email addresses, or their 13 accounts were subject to specific cookie forgery that would allow access to those accounts. Instead, 14 Plaintiffs’ allegations are riddled with factual blanks and filled with causal holes. This dooms all of 15 Plaintiffs’ claims under Rule 12(b)(1). 16 Second, the Complaint should be dismissed in its entirety under Rule 12(b)(6). As an initial 17 matter, Plaintiffs fail to meet the heightened pleading standard that governs their Unfair Competition 18 Law (“UCL”), Consumers Legal Remedies Act (“CLRA”) and fraud-based claims. Similarly, 19 Plaintiffs fail to plead any unlawful, unfair, or fraudulent conduct on the part of Defendants, as 20 required by the UCL, and they cannot obtain the remedies sought thereunder. Likewise, Plaintiffs 21 are not “consumers” who “purchased” or “leased” a covered “good” or “service” under the CLRA. 22 Additionally, Plaintiffs’ Customer Records Act (“CRA”) claim is limited to California residents, and 23 fails even as to that limited sliver of a putative class because, among other things, no notice was 24 required for the 2013 breach, no damages were specifically attributable to any alleged breach- 25 notification delay, and Plaintiffs have no claim for statutory damages related to the “Shine the Light” 26 provision of the CRA, which Plaintiffs do not even allege applies here. Plaintiffs’ other statutory 27 claims are likewise flawed. Plaintiffs have failed to plead a willful and intentional disclosure 28 sufficient to state a claim under the Stored Communications Act (“SCA”), and the Online Privacy 2 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 16 of 48 1 Protection Act (“OPPA”) has no private right of action. Plaintiffs cannot allege a breach of any 2 specific express or implied contractual promise, and cannot use the implied covenant to rewrite 3 Yahoo’s Terms of Service and create a promise of absolute security. Plaintiffs’ claim for negligence 4 is brought on behalf of foreign nationals who should not be part of this lawsuit, and it is barred by 5 the economic loss doctrine in any event. Lastly, Plaintiffs’ declaratory relief claim consists of bare 6 legal conclusions and attempts to create a claim out of an anticipated legal defense. For all of these 7 reasons and more, Plaintiffs’ Complaint fails. 8 II. 9 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 10 STATEMENT OF ISSUES TO BE DECIDED 1. Whether Plaintiffs’ Complaint demonstrates the requisite injury-in-fact and causation sufficient to confer Article III standing; 11 2. Whether Plaintiffs’ Complaint otherwise states plausible claims for relief; 12 3. Whether the foreign Plaintiffs are barred from pursuing their negligence claim under 13 California law and in this forum. 14 III. FACTUAL BACKGROUND Yahoo provides free2 web-based email services to its consumer users, subject to certain 15 16 Terms of Service (“TOS”) which define the relationship between Yahoo and its users, and which 17 expressly disclaim the very legal theories Plaintiffs advance here. The TOS repeatedly and 18 expressly disavows any representation that transmission over the Internet is, or could be, totally 19 secure. Instead, Defendants’ TOS and incorporated Privacy Policies explained that any use of the 20 services would be “AT YOUR OWN RISK” and on an “AS IS” and “AS AVAILABLE” basis, they 21 expressly disclaim any warranties to the contrary, including that transmission using the services 22 would be “SECURE,”3 and they explicitly warn that “[n]o data transmission over the Internet or 23 24 2 25 26 27 28 Only Plaintiffs Neff and Rivlin claim to have paid fees to Defendants. Neff paid fees solely in connection with his alleged use of Defendants’ small business services. The TOS to which Neff agreed is near-identical in all material respects to the TOS that governs Yahoo’s relationship with its free users, including the same or similar warranty disclaimers and admonitions regarding security limitations. And Rivlin allegedly paid for an email forwarding service only, which was not alleged to have been impacted by the data breaches in any way. 3 Compl., Exh. 1, at 91 § 19(a) & (b); Compl., Exh. 2, at 171 § 12(a) & (d). 3 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 17 of 48 1 information storage technology can be guaranteed to be 100% secure,”4 and that all security 2 measures, including the “SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT 3 LIMITATIONS.”5 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 4 • The “2014 Breach”: In late 2014, a copy of certain user account information was stolen 5 from Yahoo’s networks in a state-sponsored attack by Russia, originally targeting the emails of 6 “Russian journalists, U.S. and Russian government officials and private-sector employees of 7 financial, transportation and other companies.”6 Yahoo took remedial actions in response; among 8 other things, it notified 26 specifically targeted users and consulted with law enforcement.7 In late 9 July 2016, a hacker claimed to have obtained certain Yahoo user data, and, on August 1, 2016, the 10 media reported a hacker’s claim that he had obtained certain user account details associated with 200 11 million Yahoo users from “2012 most likely.” J. Cox, “Yahoo ‘Aware’ Hacker Is Advertising 200 12 Million Supposed Accounts on Dark Web,” Vice Motherboard, (Aug. 1, 2016), available at 13 http://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web. 14 After investigating the claim with the assistance of outside forensic experts, Yahoo was unable to 15 substantiate the claim. However, Yahoo’s internal security personnel intensified an ongoing broad 16 review of Yahoo’s network and data security, including a review of historical information related to 17 the potential exfiltration of user records. Based upon this investigation, Yahoo disclosed that the 18 2014 intrusion impacted additional users and information, including in some instances names, email 19 addresses, telephone numbers, dates of birth, hashed passwords (most encrypted with bcrypt8), and 20 some encrypted or unencrypted security questions and answers. There was no evidence that any 21 unprotected passwords or payment-card data was accessed from any network system, and this type 22 of financial data is not routinely collected or stored by Yahoo in connection with its free email 23 24 4 RJN, Exh. A, at 1, https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/. 25 5 Compl., Exh. 2, at 171 § 12(c). 6 Supra note 1. 7 RJN, Exh. G, at 48, Yahoo! Inc., Annual Report (Form 10-K), 47 (Mar. 1, 2017). 26 27 28 8 Yahoo notified users that the stolen information did not include unprotected passwords, and that the vast majority were encrypted with bcrypt, now considered an industry standard. RJN, Exh. E, at 1, https://investor.yahoo.net/releasedetail.cfm?ReleaseID=990570. 4 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 18 of 48 1 services. 9 On September 22, 2016, Yahoo provided notice to potentially affected users and took 2 additional steps to secure user accounts—e.g., recommending that users change their passwords and 3 invalidating unencrypted security questions and answers.10 Within days of Yahoo’s announcement, 4 the first of 31 lawsuits were filed in federal court, all of which were consolidated into this MDL. 5 Plaintiffs refer to this as the “2014 Breach.” Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 6 In conjunction with Yahoo’s internal security review, and understanding the sophistication of 7 the intrusion itself, Yahoo’s Board of Directors also commissioned an internal investigation by an 8 Independent Committee to better understand the scope of the intrusion, and Yahoo’s detection and 9 response to it. In its March 1, 2017 10-K, with the benefit of a full forensic investigation and a 10 thorough independent investigation of the intruder activity in 2014 and following, the Company 11 disclosed the Committee’s conclusion that, as of December 2014, Yahoo’s “information security 12 team understood that [an] attacker had exfiltrated copies of user database backup files” in connection 13 with the 2014 Breach.11 The focus of the information security team during 2014 was on expelling 14 the Russian intruders from Yahoo’s network systems, and it is “unclear whether and to what extent 15 such evidence of exfiltration was effectively communicated and understood outside the information 16 security team,” and the Committee “did not conclude that there was an intentional suppression of 17 relevant information.”12 And although certain aspects of the intrusion were detected by the 18 information security team earlier, as the DOJ noted, it took a “highly complicated investigation of a 19 very complex threat” to uncover and appreciate the full scope of the intrusion. 13 20 • The “Forged Cookie Breach”: As part of the investigation into the 2014 Breach, Yahoo 21 discovered that the same Russian state-sponsored actors behind the 2014 Breach also created cookies 22 for a specific subset of the Yahoo user population, which may have been used to access certain 23 users’ accounts or account information in 2015 and 2016. Plaintiffs refer to this as the “Forged 24 25 9 RJN, Exh. H, at 44, Yahoo! Inc., Quarterly Report (Form 10-Q), 43 (May 9, 2017). 26 10 Supra note 8. 27 11 Supra note 7. 28 12 Id. 13 Supra note 1. 5 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 19 of 48 1 Cookie Breach,” but do not specifically allege any named Plaintiff was impacted by, or received 2 notice of, the Forged Cookie Breach. 3 • 4 law enforcement of a separate and earlier breach by unrelated criminal intruders. Additional 5 investigation with outside forensic experts determined that this breach likely occurred in or around 6 August 2013. As with the previously announced breach, this intrusion did not implicate “unhashed” 7 passwords in clear text,14 payment card data, or bank account information that Plaintiffs otherwise 8 did not disclose themselves to third parties.15 Nonetheless, Yahoo notified users of the need to 9 change their passwords.16 Plaintiffs refer to this breach as the “2013 Breach” and specifically allege 10 that it was “too late” to improve security after this breach. 17 Compl. ¶ 56. Hunton & Williams LLP 11 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 The “2013 Breach”: After the September announcement, Yahoo received evidence from Although Plaintiffs suggest Yahoo could have, and should have, detected and understood the 12 full scope of these criminal intrusions earlier, they ignore both the stealth and sophistication of the 13 perpetrators. As the DOJ emphasized, the criminal activity “targeted” Yahoo, was “beyond the 14 pale,” and, because of the involvement of Russia, was not a “fair fight” and, as importantly, not a 15 fight Yahoo could “win alone.”18 Moreover, in the face of a “very complex threat,” the DOJ 16 publicly “commend[ed] Yahoo … for their sustained and invaluable cooperation in the investigation 17 aimed at obtaining justice for, and protecting the privacy of their users.”19 Indeed, former Acting 18 Assistant Attorney General Mary B. McCord personally “thank[ed] Yahoo …, whose customers 19 were targeted, and who cooperated with us.”20 20 21 22 14 At the time, many of those passwords would have been “hashed” using the MD5 algorithm. The “hashing” process converted the passwords into unreadable strings of characters. 23 15 RJN, Exh. F, at 1, https://investor.yahoo.net/releasedetail.cfm?ReleaseID=1004285. 24 16 Id. 25 17 The 2013, 2014 and Forged Cookie Breaches are referred to collectively as the “Data Breaches.” 18 26 Supra note 1, at 1; RJN, Exh. K, at 2, https://www.justice.gov/opa/speech/acting-assistantattorney-general-mary-b-mccord-delivers-remarks-press-conference. 27 19 28 20 Supra note 1, at 1-2. RJN, Exh. K, at 2, https://www.justice.gov/opa/speech/acting-assistant-attorney-general-mary-bmccord-delivers-remarks-press-conference. 6 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 20 of 48 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 1 IV. LEGAL ARGUMENT 2 Plaintiffs’ claims fail at the outset for lack of standing. Plaintiffs fail to allege the sort of 3 concrete and particularized harms necessary to show injury-in-fact. And even if Plaintiffs could 4 establish injury-in-fact (and they cannot), Plaintiffs fail to trace those alleged “injuries” to 5 Defendants’ conduct. There are no facts showing how the alleged disclosure of—in many cases, 6 non-specified—information resulted in Plaintiffs’ alleged injuries. Plaintiffs’ pleading problems, 7 however, do not end with their inability to establish standing. Each of their claims also fails to set 8 forth plausible bases for relief under Rule 12(b)(6), and certain foreign Plaintiffs’ claims also must 9 be dismissed under the forum non conveniens doctrine. 10 A. 11 When a party moves under Rule 12(b)(1) for lack of subject-matter jurisdiction, “the Plaintiffs Fail To Meet Their Threshold Burden Under Article III. 12 opposing party bears the burden of establishing the court’s jurisdiction.” In re Adobe Sys., Inc. 13 Privacy Litig., 66 F. Supp. 3d 1197, 1208 (N.D. Cal. 2014) (quotations omitted). “A suit brought by 14 a plaintiff without Article III standing is not a ‘case or controversy,’ and an Article III federal court 15 therefore lacks subject-matter jurisdiction over the suit.” Cetacean Cmty. v. Bush, 386 F.3d 1169, 16 1174 (9th Cir. 2004). A plaintiff bears the burden of establishing: (1) a concrete injury-in-fact (2) 17 that is fairly traceable to defendant’s challenged conduct and (3) likely to be redressed by a favorable 18 decision. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992). Embedded in Article III standing 19 is the requirement that the complained-of harm is causally connected to the alleged wrongdoing and 20 fairly traceable to the defendant’s conduct, not the “independent action of some third party not 21 before the court.” Id. at 560 (quotations and citations omitted). “Article III standing is also claim- 22 and relief-specific, such that a plaintiff must establish Article III standing for each of her claims and 23 for each form of relief sought.” Adobe, 66 F. Supp. 3d. at 1218 (citing DaimlerChrysler Corp. v. 24 Cuno, 547 U.S. 332, 352 (2006)). Importantly, “Article III’s standing requirements are mandatory 25 and separate from any statutory standing requirements.” Id. Thus, a “plaintiff may satisfy the 26 injury-in-fact requirements to have standing under Article III,” but nonetheless lack the requisite 27 statutory standing to be “able to assert a cause of action successfully.” Low v. LinkedIn Corp. (“Low 28 7 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 21 of 48 1 II”), 900 F. Supp. 2d 1010, 1020 (N.D. Cal. 2012) (quotations omitted). Plaintiffs fail to establish 2 Article III standing for any claims, much less every claim. 1. 3 To establish standing, a plaintiff must first demonstrate an “injury-in-fact that is concrete and 4 5 particularized, as well as actual and imminent.” Low v. LinkedIn Corp. (“Low I”), 2011 WL 6 5509848, at *2 (N.D. Cal. Nov. 11, 2011) (dismissing data disclosure case due to lack of standing). 7 Plaintiffs fail to make this threshold showing and instead take a scattershot approach by alleging 8 highly individualized, but overly hypothetical alleged harms: Hunton & Williams LLP 9 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Plaintiffs Fail To Allege Injury-In-Fact Sufficient To Show Standing. • Loss of value of PII: Plaintiffs generally claim that the Data Breaches caused the loss of 10 value of various types of personal information because unspecified information was allegedly for 11 sale on the “Dark Web” and otherwise has value to criminals. Compl. ¶¶ 145, 157, 184, 188, 195. 12 However, loss of “PII value” due to disclosure has been held to be “too abstract and hypothetical to 13 support Article III standing.” Low I, 2011 WL 5509848, at *2; see also Fernandez v. Leidos, Inc., 14 127 F. Supp. 3d 1078, 1089 (E.D. Cal. 2015) (“Plaintiff has not shown he has standing to bring his 15 claims based on his allegation that he has been deprived of the value of his PII/PHI.”). Nor have 16 Plaintiffs alleged that they have attempted to monetize, or are foreclosed from monetizing, their own 17 PII as a result of the Data Breaches. In re Google Android Consumer Privacy Litig., 2013 WL 18 1283236, at *4 (N.D. Cal. Mar. 26, 2013) (“Plaintiffs also do not allege they attempted to sell their 19 personal information, that they would do so in the future, or that they were foreclosed from entering 20 into a value for value transaction relating to their PII, as a result of the Google Defendants’ 21 conduct.”). And the claimed devaluation of their PII alone does not qualify as a concrete injury 22 sufficient to meet the requirements of standing. In re Zappos.com, Inc., 108 F. Supp. 3d 949, 954 23 (D. Nev. 2015) (rejecting plaintiffs’ attempt to establish standing by arguing that data breach 24 resulted in devaluation of personal information). 25 • Lost/Unwanted Emails: Plaintiffs also complain that they both lost emails and received 26 unwanted emails. Neither qualifies as a concrete, particularized injury for Article III purposes. 27 Fernandez, 127 F. Supp. 3d at 1087 (no standing based on lost medical records); In re Zappos.com, 28 Inc., 2016 WL 2637810, at *3 (D. Nev. May 6, 2016) (no standing where data breach plaintiffs 8 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 22 of 48 1 alleged “that their email accounts were ‘accessed by hackers and used to send unwanted 2 advertisements to people in [their] address book[s]’”). Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 3 • Reimbursed Expenses: No Plaintiff alleges unreimbursed fraudulent charges, which is a 4 necessary predicate of concrete harm. In fact, one Plaintiff, Abitol (Compl. ¶ 19), admits he was 5 reimbursed for funds that had been improperly wired from his bank account. This undercuts any 6 claim of actual injury. Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 WL 6523428, at 7 *4 (S.D. Cal. Nov. 3, 2016) (reimbursed losses do not constitute an “actual injury” for purposes of 8 standing). Plaintiffs’ failure to allege actual, unreimbursed fraudulent charges is fatal to their claim 9 of injury and defeats standing. See Whalen v. Michaels Stores, Inc., 2017 WL 1556116, at *2 (2d 10 Cir. May 2, 2017) (affirming dismissal of data breach case for lack of Article III standing when 11 plaintiff alleged no unreimbursed fraudulent charges). 12 • Other “Harms”: Plaintiffs allege a number of other purported injuries that do not qualify as 13 concrete injuries. For example, the “mere violation of a consumer protection statute [does not] 14 establish a ‘concrete’ injury.” Dugas, 2016 WL 6523428, at *6. Plaintiffs also allege additional 15 totally idiosyncratic and highly speculative harms, including fear that a terrorist may impersonate 16 him (Compl. ¶ 11) and fear that Flickr photos will be “exposed” (id. ¶ 14), both of which fall well 17 short of the mark to qualify as a concrete, particularized injury. Clapper v. Amnesty Int’l USA, 133 18 S. Ct. 1138, 1150 (2013) (“We decline to abandon our usual reluctance to endorse standing theories 19 that rest on speculation about the decisions of independent actors. … [R]espondents’ speculative 20 chain of possibilities does not establish that injury based on potential future [activity] is certainly 21 impending or is fairly traceable.”). Similarly, Robles claims hackers “stole business ideas from her 22 e-mail account.” Compl. ¶ 17. But that bare allegation lacks sufficient substance and specificity to 23 show injury-in-fact. See, e.g., Whalen, 2017 WL 1556116, at *2 (affirming dismissal of data breach 24 case for lack of standing, in part, based on vague allegations of injury unsupported by facts). 25 2. Plaintiffs Fail To Plead Facts Sufficient For Traceability. 26 Plaintiffs must plausibly plead facts sufficient to connect the causal dots between the 27 information actually exposed in the alleged breach and the harm they claimed to have suffered, such 28 “that the injury is fairly traceable to the challenged action of the defendant.” In re LinkedIn User 9 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 23 of 48 1 Privacy Litig., 932 F. Supp. 2d 1089, 1092 (N.D. Cal. 2013) (citing Friends of the Earth, Inc. v. 2 Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000)). In this case, even if the tax return 3 fraud and other “harms” alleged by Plaintiffs qualified as “concrete” and “actual” injuries, Plaintiffs 4 would still have to show the injuries were caused by, and are traceable to, the Data Breaches. Not 5 even the DOJ’s 47-count indictment against the hackers alleged the varied misuse of Yahoo user 6 information that Plaintiffs claim here. The mere fact of a criminal intrusion into Yahoo’s network 7 and some alleged privacy harm to users of Yahoo’s services is not sufficient to demonstrate 8 standing. Cf. Resnick v. AvMed, 693 F.3d 1317, 1326 (11th Cir. 2012) (“pleadings must include 9 allegations of a nexus between the [identity theft] beyond allegations of time and sequence”). This 10 is especially true here given the numerous potential causes of the alleged injuries and the temporal 11 distance between the Data Breaches and some of these alleged harms. 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 a. There Is No Causal Connection Between The Information Stolen And The Injuries Claimed. Plaintiffs fail to plead the causal nexus necessary to demonstrate traceability. As a starting point, the information allegedly disclosed was not collected or stored by Yahoo on its network. Instead, the only source of this information through Yahoo—if accessed by the intruders at all—was Plaintiffs’ own pre-breach communications. But Yahoo and this Court are left to guess how (if at all) the purported harms alleged could be traceable to the Data Breaches, since Plaintiffs fail to plead facts sufficient to link the harm to these breaches rather than, for instance, the pre-breach activities of Plaintiffs, those with whom Plaintiffs communicated, or other breaches unrelated to Yahoo. See Antman v. Uber Techs., Inc., 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) (allegation that hacker attempted to open credit card in plaintiff’s name did not create standing where no allegation that Social Security number was target of breach); Attias v. CareFirst, Inc., 199 F. Supp. 3d 193, 201 (D.D.C. 2016) (alleged tax return fraud was not fairly traceable to data breach when complaint did not allege Social Security numbers were exposed). To the extent Social Security numbers or any other specific personal information were communicated via Yahoo email at all, it was sent out over the Internet to undisclosed recipients, at undisclosed times, with undisclosed frequency, and at risk with each transmission of disclosure from any source and via the medium over which it was sent. 28 10 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 24 of 48 1 Nor have Plaintiffs alleged facts suggesting the harms of which they complain can be isolated 2 to the Data Breaches. In all instances, Plaintiffs’ references to “PII and financial information” are as 3 intentionally broad as they are vague, and lack the factual underpinnings to causally connect this 4 information—whatever it is—and any resulting harm caused by its use to the Data Breaches. 5 Plaintiffs’ failure to allege that the information stolen as a result of the Data Breaches is the same 6 information necessary to cause the injuries alleged undermines their ability to trace the harm alleged 7 to the Data Breaches, and defeats any claim of Article III standing. Welborn v. Internal Revenue 8 Serv., 2016 WL 6495399, at *9 (D.D.C. Nov. 2, 2016) (plaintiffs “must allege facts that indicate that 9 the information stolen … is the same type of information used to commit their injuries”). Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 10 For example, Dugas and the Ridolfos allege numerous fraudulent charges on various credit 11 cards. Compl. ¶¶ 12, 13. However, Dugas has made the judicial admission that his credit card 12 information was exposed in a different data breach. RJN, Exh. L, at 5-6, Dugas v. Starwood Hotels 13 & Resorts Worldwide, Inc., 2016 WL 8469592, ¶ 23 (S.D. Cal. Dec. 7, 2016) (Second Am. Class 14 Action Compl. alleging credit card compromise causing Dugas to seek new card issuance and 15 account updates). His conclusory allegation that he suffered financial fraud as a result of the Data 16 Breaches here must therefore be disregarded. Moreover, Dugas fails to allege that any credit card 17 information was stored on the Yahoo network or specifically disclosed by him via Yahoo email, 18 much less that sufficient information necessary to perpetrate credit card fraud was somehow 19 accessible as part of the Data Breaches. Compl. ¶ 12. Similarly, the Ridolfos generally allege that 20 they have information in their Yahoo accounts concerning “general banking, credit card 21 management and communications, [and] mortgage finance,” but likewise fail to identify what 22 information they have, where they have it, whether they themselves released that information (and 23 how), how any specific information sufficient to conduct credit card fraud was accessible as part of 24 the Data Breaches, and who else had access to this information. Id. ¶ 13. Likewise, although Dugas 25 and Essar both seek to hold Yahoo liable for alleged tax return fraud, neither claims their Social 26 Security numbers―much less any other specific data element needed in combination to commit tax 27 return fraud―were either among the hacked data, or otherwise contained in any of their Yahoo 28 accounts and accessed by hackers. Id. ¶¶ 11-12. Given that “[t]ax-related identity theft occurs when 11 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 25 of 48 1 someone uses a stolen Social Security number to file a tax return claiming a fraudulent refund,” the 2 failure to allege exposure of Social Security numbers is fatal. RJN, Exh. I, at 1, IRS Taxpayer Guide 3 to Identity Theft (available at https://www.irs.gov/uac/taxpayer-guide-to-identity-theft) (emphasis 4 added). Additionally, Heines alleges that her Yahoo account contained “information relating to her 5 account with Direct Express, the payment service through which she receives her Social Security 6 benefits,” yet she makes no allegation that the account contained information sufficient to divert her 7 monthly disability allowance fraudulently, or how such a diversion could have taken place as a result 8 of the Data Breaches. Compl. ¶ 10; see also In re Horizon Healthcare Servs., Inc. Data Breach 9 Litig., 2015 WL 1472483, at *8 (D.N.J. Mar. 31, 2015) (even if certain information from breached 10 system could be cobbled together with information from other sources to commit fraud, alleged 11 harm was not fairly traceable to breach), vacated on other grounds, In re Horizon Healthcare Servs. 12 Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017). 13 Plaintiffs’ generalized, non-specific allegations will not do. Antman is instructive. In that 14 case, when the plaintiff alleged “disclosure only of his name and drivers’ license information,” the 15 court found “[i]t is not plausible that a person could apply for a credit card without a Social Security 16 number.” Antman, 2015 WL 6123054, at *11. Even though the plaintiff also “alludes to the 17 disclosure of unspecified ‘other personal information;’ this is insufficient” to show traceability. Id.; 18 see also Unchageri v. Carefirst of Maryland, Inc., 2016 WL 8255012, at *7 (C.D. Ill. Aug. 23, 2016) 19 (denying motion to amend to cure lack of standing when alleged harm not fairly traceable to health 20 insurance database breach: “Plaintiff does not allege or explain how the allegedly unauthorized 21 charges can be traced to the challenged action of Defendants, and not simply the result of an 22 independent action of some third party not before the Court. This is an important point because 23 nowhere in the Complaint or the proposed Amended Complaint does Plaintiff allege credit card or 24 financial information was stolen.”). 25 26 27 28 b. Plaintiffs Have Failed To Plead Facts To Link Breaches From 2013 And 2014 To Injury Today, And Other Causes Exist. The time elapsed between the Data Breaches and the alleged injuries makes pleading facts plausibly showing traceability and causation more critical. For example, Plaintiffs Essar and Corso claim to have been affected by the 2014 Breach, with purported injuries occurring two or three years 12 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 26 of 48 1 later (in 2016 through 2017, and in 2016, respectively). Compl. ¶¶ 11, 18. Even more tenuous, the 2 Ridolfos and Rivlin claim to be affected by the 2013 Breach, yet allege injuries with a wider gap in 3 time (also occurring in 2016 through 2017, and in 2016, respectively). Id. ¶¶ 13, 15. Neff also 4 alleges facts suggesting he was potentially affected by the 2013 Breach, yet claims to have suffered 5 injuries in 2016. Id. ¶ 20. Other Plaintiffs (Garg, Granot) fail to allege any dates at all for the 6 alleged injuries. Id. ¶¶ 14, 16. Moreover, still other Plaintiffs fail to allege they received any breach 7 notice at all from Yahoo (Dugas, Granot, Robles). Id. ¶¶ 12, 16-17. These wide time gaps 8 underscore Plaintiffs’ failure to plead facts sufficient to show causal relatedness and attenuate the 9 causal chain beyond the bounds of plausible traceability required by Article III. See, e.g., Duqum v. 10 Scottrade, Inc., 2016 WL 3683001, at *4 (E.D. Mo. July 12, 2016) (finding lack of temporal 11 connection when more than two years passed since the original data breach). c. 12 13 Yahoo Is Not Liable For Theft Of Publicly Available Information. Nor can Plaintiffs manufacture a traceable injury by complaining about unsolicited mail or 14 advertisements. Compl. ¶¶ 11, 14-16. No Plaintiff has alleged that his or her email address (as well 15 as certain other data elements) was not publicly available and therefore “would have been difficult 16 for marketers [or other persons] to locate absent the assistance of the data thief.” In re Sci. 17 Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 33 (D.D.C. 2014) 18 (no traceability for publicly available phone number); see Fernandez, 127 F. Supp. 3d at 1086 (no 19 traceability between data breach and increased email and advertisements). 20 B. Plaintiffs’ Claims Fail Under Rule 12(b)(6). 21 To survive dismissal under Rule 12(b)(6), Plaintiffs must establish a “plausible” basis for 22 relief. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); Ashcroft v. Iqbal, 556 U.S. 662, 678 23 (2009). And they must do so without the need for the Court to “fill in the blanks” left open by 24 deficient allegations. Tall v. Ryan, 1990 WL 68849, at *1 (9th Cir. May 23, 1990). Allegations are 25 not “plausible” if they are “merely consistent with” a defendant’s liability or establish no “more than 26 a sheer possibility” of liability. Iqbal, 556 U.S. at 678. Moreover, because several of Plaintiffs’ 27 claims also sound in fraud, they must meet Rule 9(b)’s heightened pleading standards. Kearns v. 28 13 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 27 of 48 1 Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009). Plaintiffs have failed to plead the who, what, 2 when, where, and how of any allegedly fraudulent conduct with particularity. Id. at 1124. 3 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 4 1. Plaintiffs Fail To State A Claim For A UCL Violation. To state a UCL claim, Plaintiffs must plead “with reasonable particularity the facts 5 supporting the statutory elements of the violation.” Khoury v. Maly’s of Cal., Inc., 14 Cal. App. 4th 6 612, 619 (1993). Plaintiffs also must demonstrate actual injury caused by the alleged violation. 7 Plaintiffs do not, because they have not pled a loss of money or property, and the injuries alleged are 8 either reimbursed (forged credit and tax returns, fraudulent credit card charges) or otherwise not 9 compensable. Compl. ¶ 135; see also Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 322 (2011); 10 supra Section IV(A); In re Sci. Applications, 45 F. Supp. 3d at 26 (“The cost of credit monitoring 11 and other preventative measures, therefore, cannot create standing.”). Similarly, because the 12 consumer Plaintiffs paid no money to use Yahoo’s free services, there is nothing to refund. In re 13 Facebook Privacy Litig., 791 F. Supp. 2d 705, 714 (N.D. Cal. 2011) (personal information does not 14 constitute property under UCL); Dugas, 2016 WL 6523428, at *11 (general averments of 15 unauthorized credit card charges, mitigation/monitoring costs, time spent responding to unauthorized 16 charges, and loss of PII value do not amount to loss of money or property under UCL). 17 Accordingly, Plaintiffs’ UCL claims fail for lack of injury alone. 18 19 20 21 22 23 24 25 26 a. Plaintiffs’ Allegations Do Not Establish An “Unlawful” Act. Plaintiffs do not properly plead “unlawful” conduct. Plaintiffs claim Yahoo’s practices were unlawful because they allegedly violated the CLRA, CRA, SCA and OPPA. Compl. ¶¶ 134, 221. As shown below, however, Plaintiffs’ claims under those statutes fail, and Plaintiffs’ “unlawful” theory dies with it. Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1152-53 (9th Cir. 2008) (dismissal of UCL claim proper because alleged conduct was not independently unlawful); Avila v. Countrywide Home Loans, 2010 WL 5071714, at *6 (N.D. Cal. Dec. 7, 2010) (dismissing UCL claim premised on violation of law for which plaintiff failed to state claim). b. Plaintiffs Fail To Show “Unfair” Or “Fraudulent” Conduct. Plaintiffs’ claims of “unfair” and “fraudulent” conduct are one and the same, and fail for the 27 same reasons. Hadley v. Kellogg Sales Co., 2017 WL 1065293, at *20 (N.D. Cal. Mar. 21, 2017) 28 14 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 28 of 48 1 (“[W]here the unfair business practices alleged under the unfair prong of the UCL overlap entirely 2 with the business practices addressed in the fraudulent and unlawful prongs of the UCL, the unfair 3 prong of the UCL cannot survive if the claims under the other two prongs of the UCL do not 4 survive.”). Plaintiffs claim Defendants are liable for stating on their websites that “‘protecting our 5 systems and our users’ information is paramount to ensuring [Defendants’] users enjoy a secure user 6 experience and maintaining our users’ trust’ and by representing that it had ‘physical, electronic, and 7 procedural safeguards that comply with federal regulations to protect personal information about 8 you.’” Compl. ¶¶ 128, 215. But those bare, generalized and “conclusory allegations do not support 9 a claim” under the “unfair” prong that “Defendants’ actions offend[] an established public policy or 10 that they are immoral, unethical, oppressive, unscrupulous or substantially injurious to consumers.” 11 Buena Vista, LLC v. New Res. Bank, 2010 WL 3448561, at *6 (N.D. Cal. Aug. 31, 2010) (quotations 12 omitted); see also Smith & Hawken, Ltd. v. Gardendance, Inc., 2004 WL 2496163, at *6 (N.D. Cal. 13 Nov. 5, 2004). Plaintiffs cite no “established public policy” that Defendants violated by virtue of 14 being the targeted victim of a state-sponsored hack. Moreover, while the criminals who broke into 15 Defendants’ systems certainly engaged in conduct that is “immoral, unethical, oppressive, 16 unscrupulous or substantially injurious,” the same is not true of Defendants, which themselves were 17 the victims of a crime. See, e.g., Emery v. Visa Internat. Serv. Ass’n, 95 Cal. App. 4th 952, 964 18 (2002) (plaintiff could not “impose liability on VISA because it failed to stop lottery merchants from 19 improperly using its mark”); In re Firearm Cases, 126 Cal. App. 4th 959, 985 (2005) (defendants 20 “did not control the wrongful acts [in question] or encourage others to engage in questionable acts”). 21 Plaintiffs also fail to plead “fraudulent” conduct with particularity. Kearns, 567 F.3d at 22 1125. At most, the complained-of statements are aspirational goals, not specific and enforceable 23 promises. Defendants’ desire to place a “high priority” on user trust is non-actionable, and “[i]t is 24 well-established that general statements about reputation, integrity, and compliance with ethical 25 norms are inactionable ‘puffery’ …” City of Pontiac Policemen’s & Firemen’s Ret. Sys. v. UBS AG, 26 752 F.3d 173, 183 (2d Cir. 2014). Because Defendants made no specific or absolute promise of 27 100% security, the statements at issue must be seen as non-actionable puffery. See Newcal Indus., 28 Inc. v. Ikon Office Sol., 513 F.3d 1038, 1053 (9th Cir. 2008). Even if these statements could be 15 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 29 of 48 1 interpreted as more, Plaintiffs have failed to allege how the mere fact of a data breach proves them 2 “fraudulent” (or “unfair”). Plaintiffs fail to specify: (1) the “safeguards” or “federal regulations” to 3 which they refer; (2) how those “safeguards” failed to comply with “federal regulations;” or (3) how, 4 if at all, Defendants knew the same when they made the alleged representations. In re Anthem, Inc. 5 Data Breach Litig., 162 F. Supp. 3d 953, 991 (N.D. Cal. 2016). To the extent Plaintiffs attempt to 6 craft actionable fraud from the alleged failure to disclose potential security vulnerabilities, 7 Defendants’ express statements that the network is not “100% secure” and has “inherent limitations” 8 negate any such claim, or any obligation to further qualify or disclose potential vulnerabilities. 9 Opperman v. Path, Inc., 87 F. Supp. 3d 1018, 1052 (N.D. Cal. 2014); In re Sony Gaming Networks 10 & Customer Data Sec. Breach Litig. (“Sony I”), 903 F. Supp. 2d 942, 969-70 (S.D. Cal. 2012) 11 (dismissing UCL claim based on similar disclosures). 12 13 c. Plaintiffs Cannot Plead Reliance Necessary For Their UCL Claim. Plaintiffs’ failure to plausibly plead actual reliance is also fatal to their UCL claim sounding 14 in fraud. In re Tobacco II Cases, 46 Cal. 4th 298, 326 (2009). Plaintiffs fail to meet that 15 requirement on two fronts. First, although Plaintiffs reference generalized statements made in 16 Defendants’ Privacy Policies and on the “Security at Yahoo” webpage (see, e.g., Compl. ¶ 128 n.74), 17 they “never allege that they were aware of the privacy policy [or the “Security at Yahoo” webpage], 18 let alone saw or read it.” Low II, 900 F. Supp. 2d at 1027. As this Court has held, the “lack of 19 allegations that a plaintiff had read an alleged false representation” justifies dismissal. Id. (citing 20 Durell v. Sharp Healthcare, 183 Cal. App. 4th 1350, 1363 (2010) (the “[complaint] does not allege 21 Durell ever visited Sharp’s Web site or even that he ever read the Agreement for Services.”)). 22 “Without an allegation that Plaintiffs were somehow aware of contents of [Yahoo]’s privacy policy 23 [or the “Security at Yahoo” webpage], … Plaintiffs cannot allege [Defendants’] misrepresentations 24 were an immediate cause of the injury-causing conduct.” Id. (quotations omitted). 25 Second, even if Plaintiffs had read these statements on Defendants’ websites, they still would 26 not be able to establish reliance (or falsity). Defendants’ TOS disclaimed any notion that their 27 “SERVICES OR SOFTWARE WILL BE UNINTERRUPTED, TIMELY, SECURE OR ERROR- 28 FREE.” Compl., Exh. 1, at 91 § 19(b); id., Exh. 2, at 171 § 12 (d) (emphasis added). On top of that, 16 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 30 of 48 1 Yahoo disclosed that its services would not be “100% secure,” and Aabaco warned that its 2 “SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT LIMITATIONS.” RJN, 3 Exh. A, at 1; Compl., Exh. 2, at 171 § 12(c).21 4 d. Plaintiffs additionally fail to plead any entitlement to the relief they seek. Restitution—not Hunton & Williams LLP 5 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Plaintiffs Are Not Entitled To The Remedies Sought. 6 damages—is the only monetary relief available under the UCL. Madrid v. Perot Sys. Corp., 130 7 Cal. App. 4th 440, 452 (2005); Chamberlan v. Ford Motor Co., 2003 WL 25751413, at *9 (N.D. 8 Cal. Aug. 6, 2003) (disallowing recovery because plaintiffs “ha[d] not alleged that they paid any 9 money to Defendant”). Because the consumer Plaintiffs paid no money to use Yahoo’s free email 10 services, there is nothing to refund under a restitution theory. Id. Plaintiffs likewise cannot plead 11 entitlement to injunctive relief, as they have failed to establish redressability. An “order requiring 12 [Yahoo] to enhance [its] cybersecurity in the future (or an equivalent declaratory judgment) will not 13 provide any relief for past injuries or injuries incurred in the future because of a data breach that has 14 already occurred.” Dugas, 2016 WL 6523428, at *8 (emphasis added). 2. 15 Plaintiffs claim Yahoo violated the CLRA when it “represented to Plaintiffs and the other 16 17 18 19 20 21 22 23 24 25 26 27 Plaintiffs’ Consumer Legal Remedies Act Claim Fails. Class members that its PII databases were secure and that customers’ PII would remain private.” Compl. ¶ 142. Plaintiffs are wrong on the facts and the law. First, Yahoo accounts are free, so Plaintiffs are not “consumers” under the CLRA.22 They did not “purchase or lease” from Yahoo as required under the statute. Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 864 (N.D. Cal. 2011). Second, Yahoo provides a web-based, software driven, email platform, and as such does not provide a “good” or a “service” within the meaning of the CLRA. In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1070 (N.D. Cal. 2012). By definition, “goods” are statutorily limited to “tangible chattels,” and “services” are specifically defined as “work, labor, and services … furnished in connection with sale or repair of [tangible chattels].” Cal. Civ. Code § 1761(a)-(b). Plainly, Yahoo 21 Plaintiff Neff also cannot obtain injunctive relief because he admits he stopped using the service. Compl. ¶ 20; Frenzel v. AliphCom, 76 F. Supp. 3d 999, 1015 (N.D. Cal. 2014). 22 28 Plaintiff Neff does not bring a CLRA claim. Nor could he, as he did not use any Yahoo services for “personal, family, or household purposes.” Cal. Civ. Code § 1761(d). Rather, Neff used them “in connection with his online insurance agency business.” Compl. ¶ 20. 17 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 31 of 48 1 accounts do not qualify, since email accounts are not “tangible chattel,” and Yahoo does not provide 2 any work or services in support of any tangible chattel. Ferrington v. McAfee, Inc., 2010 WL 3 3910169, at *19 (N.D. Cal. Oct. 5, 2010) (“software [is] … not a service for purposes of the 4 CLRA”). Finally, Plaintiffs do not claim to have read or relied on the allegedly misleading 5 statements as a pre-condition of using Yahoo’s free services. Buckland v. Threshold Enters., Ltd., 6 155 Cal. App. 4th 798, 810 (2007) (“[P]laintiffs asserting CLRA claims … must establish they 7 actually relied on the relevant representations or omissions.”), rev’d on other grounds by Kwikset, 51 8 Cal. 4th 310. And if they had, they would have seen Yahoo’s express disclosures that its services 9 are not 100% secure. 3. 10 a. Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 14 15 16 17 18 19 20 21 22 23 24 25 The Non-California Plaintiffs Lack Standing. Non-California residents lack statutory standing to bring claims under the CRA (Cal. Civ. 12 13 Plaintiffs’ Customer Records Act Claim Fails. Code § 1798.80, et seq.). See, e.g., Sony I, 903 F. Supp. 2d at 973 (dismissing CRA claim with prejudice and stating, “Plaintiffs try once again to save the claims of non-resident Plaintiffs, [but] the Breach Act is clear that it applies only to ‘ensure the personal information [of] California residents [is] protected.’”) (citing Cal. Civ. Code § 1798.81.5(a)); see also Antman, 2015 WL 6123054, at *5 (§ 1798.82 has procedures for notifying California residents); Martinez v. Bank of Am., Corp., 2012 WL 3647434, at *9 (E.D. Cal. Aug. 23, 2012); Garcia v. UnionBanCal Corp., 2006 WL 2619330, at *1 (N.D. Cal. Sept. 12, 2006); Cal. Civ. Code § 1798.82(a) (limiting notification to a “breach in the security of the data to a resident of California”) (emphasis added). This statutory limitation cannot be enlarged by, or confused with, the application of California law to the claims of non-residents. Fred Briggs Distrib. Co. v. Cal. Cooler, Inc., 1993 WL 306157 (9th Cir. Aug. 11, 1993) (rejecting argument that contractual California choice-of-law provision overrides jurisdictional limitations in statute restricting claims to California residents only). Here, only two Plaintiffs (Heines and Dugas (Compl. ¶¶ 10, 12)) allege they are California residents.23 The remainder of the non-resident 26 27 28 23 Statutory standing is “properly viewed as a dismissal for failure to state a claim rather than a dismissal for lack of subject[-]matter jurisdiction.” DB Healthcare, LLC v. Blue Cross Blue Shield of Ariz., Inc., 852 F.3d 868, 873 (9th Cir. 2017) (quotations omitted). 18 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 32 of 48 1 Plaintiffs who assert CRA claims (Essar, the Ridolfos, Garg, Rivlin, Granot and Neff (Compl. ¶¶ 11, 2 13-16, 20)) lack statutory standing, and their claims must be dismissed. b. Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 3 CRA Notice Was Not Required For The 2013 Breach. 4 CRA notice was not required for California residents potentially affected by the 2013 5 Breach—a conclusion that can be reached by examining the CRA as it existed in 2013 and as 6 amended in 2014. 24 In construing the CRA, the Court’s “fundamental task … is to ascertain the 7 intent of the lawmakers so as to effectuate the purpose of the statute.” Day v. City of Fontana, 25 8 Cal. 4th 268, 272 (2001). Words must be given their usual and ordinary meaning unless the 9 statutory terms are ambiguous. Id. “In such circumstances, [the court] select[s] the construction that 10 comports most closely with the apparent intent of the Legislature, with a view to promoting rather 11 than defeating the general purpose of the statute.” Id. During the time of the 2013 Breach, the plain 12 language of the CRA narrowly defined “personal information” under Section 1798.82(h), and it did 13 not include “online account” information: 15 [A]n individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: 16 (1) Social security number. 14 (2) Driver’s license number or California Identification Card number. 17 (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 18 19 (4) Medical information. 20 (5) Health insurance information. 21 That narrow construction is supported by a later amendment to that same provision (effective 22 January 1, 2014), which amended the definition of “personal information” to include online 23 accounts, such as Defendants’ services here. 24 Specifically, the Legislature amended the CRA’s “definition of personal information, by 25 adding certain information that would permit access to an online account.” See RJN, Exh. M, at 1 26 (Legis. Counsel’s Dig., Sen. Bill No. 46 (2012-2013 Reg. Sess.) (emphasis added) (acknowledging 27 24 28 Neither Heines nor Dugas specifically claim they were affected by the 2013 Breach—Heines alleges to have received notice of the 2014 breach only (Compl. ¶ 10), and Dugas does not allege that he received notice regarding any of the Data Breaches (id. ¶ 12). 19 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 33 of 48 1 that usernames and passwords of online accounts fall outside of 2013 CRA); RJN, Exh. N, at 1-2 2 (Assem. Com. Jud., Analysis of Sen. Bill No. 46 (2012-2013 Reg. Sess.) as amended April 15, 3 2013); RJN, Exh. O, at 1 (Privacy Rights Clearinghouse Letter to Sen. Corbett dated April 16, 2013) 4 (“Some of the most prominent breaches reported by the media in recent years have included data 5 elements such as usernames and passwords, not covered by California’s data breach law.”) 6 (emphasis added). The legislative record states that, “[d]espite the rise in online banking, shopping 7 and other financial transactions, … private businesses are not required to give notification of a data 8 breach when a user name, security question or password are compromised.” RJN, Exh. P, at 1 9 (Assem. App. Com., Analysis of Sen. Bill No. 46 (2012-2013 Reg. Sess.) as amended April 15, 10 2013) (emphasis added); see also RJN, Exh. Q, at 1 (Assem. Jud. Com., Mand. Info. Worksheet, 11 Sen. Bill No. 46 (2012-2013 Reg. Sess.) as amended April 15, 2013) (“Though notification 12 requirements already exist whenever unencrypted Social Security numbers or driver’s license 13 numbers are stolen, for example, no similar protection exists when passwords and usernames, in 14 combination with security questions/answers, are improperly changed or accessed.”). 15 This Court may consider the amendment to the CRA—as well as the foregoing legislative 16 materials and history concerning that amendment—to determine the Legislature’s original intent in 17 enacting the CRA. See McClung v. Emp’t Dev. Dept., 34 Cal. 4th 467, 473 (2004) (“[A] declaration 18 of a later Legislature as to what an earlier Legislature intended is entitled to consideration.”); see 19 also Cal. Gov. Code § 9080(a) (“[L]egislative records relating to bills, resolutions, or proposed 20 constitutional amendments before the Legislature provide evidence of legislative intent that may be 21 important in the subsequent interpretation of laws enacted in the Legislature.”). And when the Court 22 considers those materials, along with the language of the statute as it existed in 2013, they compel 23 one conclusion only—CRA notice was not required at the time of the 2013 Breach because 24 Plaintiffs’ claim concerns “online account information,” which was not covered by the CRA at the 25 time of the 2013 Breach. 26 In particular, the Complaint alleges that “hackers stole the names, email addresses, telephone 27 numbers, birth dates, passwords, and security questions of Yahoo account holders.” Compl. ¶ 1. 28 This stolen information concerned customers’ online accounts with Yahoo, not their “financial” 20 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 34 of 48 1 accounts. Indeed, Plaintiffs admit that “Yahoo asserts that the Breaches did not expose credit card 2 data.” Id. ¶ 58. Accordingly, the 2013 Breach involved the compromise of information regarding 3 “online accounts,” which was not in the operative version of the CRA during the 2013 Breach. 4 Plaintiffs cannot retroactively apply the amended version of the CRA to their claims. A 5 “new statute is presumed to operate prospectively absent an express declaration of retrospectivity or 6 a clear indication that the electorate, or the Legislature, intended otherwise.” See, e.g., Doe v. 7 Schwarzenegger, 2007 WL 601977, at *1 (N.D. Cal. Feb. 22, 2007) (quoting Tapia v. Superior 8 Court, 53 Cal. 3d 282, 287 (1991)). And there has been no express declaration of retrospectivity 9 here. The CRA breach notice claim concerning the 2013 Breach therefore should be dismissed. c. 10 The CRA notice requirement does not apply to the Forged Cookie Breach because it does not Hunton & Williams LLP 11 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 The CRA Does Not Apply To The “Forged Cookie Breach.” 12 involve exposure of the statutory data elements of “personal information” under Section 13 1798.82(h)(2).25 Although Plaintiffs do not explain how the “forged cookie” process works, they do 14 allege that the “attackers in this case … were able to forge these authentication cookies, which 15 granted them access to targeted accounts without needing to supply the account’s password.” 16 Compl. ¶ 68.26 Section 1798.82(h)(2), however, requires breach notification of “online accounts” for 17 specific data elements: a “user name or email address, in combination with a password or security 18 question and answer that would permit access to an online account.” Plaintiffs do not allege that the 19 cookies contained any of those data elements, either alone or in combination. Although Plaintiffs do 20 ask the Court to take several inferential leaps to assert potential Yahoo account access, they do not 21 allege access using the statutorily-identified data elements. 22 23 24 25 26 27 28 25 A “‘cookie’ is a small text file that a server creates and sends to a browser, which then stores the file in a particular directory on an individual’s computer.” In re Facebook Internet Tracking Litig., 140 F. Supp. 3d 922, 926 (N.D. Cal. 2015). “A cookie contains a limited amount of information which can relate to the browser or to a specific individual.” Id. “When an individual using a web browser contacts a server—often represented by a particular webpage or internet address—the browser software checks to see if that server has previously set any cookies on the individual’s computer.” Id. “If the server recognizes any valid, unexpired cookies, then the computer ‘sends’ those cookies to the server.” Id. “After examining the information stored in the cookie, the server knows if it is interacting with a computer with which it has interacted before.” Id. 26 Again, as a foundational matter, what Plaintiffs fail to allege also is key: no California-resident Plaintiff specifically claims to have been affected by the Forged Cookie Breach. Compl. ¶¶ 10, 12. 21 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 35 of 48 1 2 3 4 5 6 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 16 17 18 19 20 21 22 23 24 d. Plaintiffs Fail To Allege Damages Resulting From Any Allegedly Delayed Notice. Even if a Plaintiff is a California resident and notice were required, the CRA claim nevertheless fails. Delay in notification is not enough to state a claim under the CRA. Instead, Plaintiffs must “allege that the damages flowed from the delay, and not just that the damage flowed from the intrusion.” In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (“Sony II”), 996 F. Supp. 2d 942, 1010 (S.D. Cal. 2014) (emphasis added) (dismissing breach-notification delay claim on similar grounds); see also Dugas, 2016 WL 6523428, at *7 (dismissing CRA claims under Rules 12(b)(1) and 12(b)(6) where “Plaintiff has failed to trace any harm from … delayed notification or to demonstrate a nexus between the alleged harm flowing from the delayed notification and Defendants’ actions”); Corona v. Sony Pictures Entm’t, Inc., 2015 WL 3916744, at *9 (C.D. Cal. June 15, 2015) (“Plaintiffs have not alleged direct economic damages resulting from Sony’s alleged failure to timely notify.”); Adobe, 66 F. Supp. 3d at 1217-18 (dismissing Section 1798.82 claim when plaintiffs failed to allege any incremental harm purportedly suffered as a result of a notification delay); In re Barnes & Noble Pin Pad Litig., 2016 WL 5720370, at *8 (N.D. Ill. Oct. 3, 2016) (dismissing CRA claim because plaintiff failed to “allege that her injuries were caused by the delay between the time she was notified of the breach and the time she contends she should have been notified.”). Here, Plaintiffs have not pled facts showing how they were injured specifically as a result of Defendants’ purported notification delay. Rather, they at most allege damages that flow from the Data Breaches themselves, not from any lack of notice. Compl. ¶ 157 (addressing alleged harm from the compromise, not an alleged delay). Plaintiffs’ failure to do so requires dismissal of the CRA claim. Boorstein v. CBS Interactive, Inc., 222 Cal. App. 4th 456, 466-67 (2013). e. Plaintiffs Have No Basis To Recover Statutory Penalties. Even if Plaintiffs could allege sufficient notification-delay damages, they request statutory 25 penalties under Section 1798.84(c) that are inapplicable here. Compl. ¶ 158. Section 1798.84(c) 26 expressly limits the availability of statutory penalties to violations of Section 1798.83. Section 27 1798.83 is California’s “Shine the Light” Law and concerns how a covered entity may “disclose 28 customers’ personal information to third parties for direct marketing purposes.” Miller v. Hearst 22 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 36 of 48 1 Commc’ns Inc., 554 F. App’x 657, 658 (9th Cir. 2014); King v. Conde Nast Publ’n, 554 F. App’x 2 545, 546 (9th Cir. 2014). Plaintiffs, however, do not claim a violation of Section 1798.83 or that the 3 Data Breaches concern disclosures to third parties for direct marketing purposes. Rather, Plaintiffs 4 limit their allegations to claimed violations of Section 1798.82, which addresses data breach 5 notification. Therefore, Plaintiffs’ request for statutory penalties under Section 1798.84(b) should be 6 dismissed. Finally, the same reasons that injunctive relief should be denied as stated in the UCL 7 section apply equally here. The relief is unspecified and would impermissibly affect only past harm. 8 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 9 4. Plaintiffs’ Stored Communications Act Claim Fails. Plaintiffs concede (Compl. ¶¶ 162, 166) that the SCA requires that Yahoo and Aabaco 10 “knowingly divulged” protected information. 18 U.S.C. § 2702 (emphasis added). But they admit 11 “hackers stole” the information in question, not that Yahoo disclosed it to them or anyone else. See, 12 e.g., Compl. ¶ 1. At most, Plaintiffs claim Yahoo allegedly failed to take “commercially reasonable 13 steps to safeguard” “sensitive” customer information. Id. ¶¶ 165, 170. But reasonableness is not the 14 standard. As a matter of law, even “‘reckless’ or ‘negligent’ conduct is not sufficient.” Long v. 15 Insight Commc’ns of Cent. Ohio, LLC, 804 F.3d 791, 797 (6th Cir. 2015). Therefore, in cases where 16 the defendant is the victim of the disclosure—rather than the perpetrator of it—courts routinely 17 dismiss SCA claims for lack of willfulness. See, e.g., Willingham v. Glob. Payments, Inc., 2013 WL 18 440702, at *12 (N.D. Ga. Feb. 5, 2013) (dismissing SCA claim, in part, because hacked entity did 19 not knowingly divulge information); Worix v. MedAssets, Inc., 857 F. Supp. 2d 699, 703 (N.D. Ill. 20 2012) (dismissing SCA claim in data breach case and stating that the “SCA requires proof that the 21 defendant ‘knowingly divulge[d]’ covered information, not merely that the defendant knowingly 22 failed to protect the data … And the failure to take reasonable steps to safeguard data does not, 23 without more, amount to divulging that data knowingly.”); Muskovich v. Crowell, 1996 WL 707008, 24 at *5 (S.D. Iowa Aug. 30, 1996) (employer whose failure to implement safeguards had resulted in 25 data breach did not “knowingly divulge” because “[a]wareness of a ‘possibility’ does not rise to the 26 level of a ‘substantial certainty’ required for liability under the [SCA]”). Because Plaintiffs admit 27 Yahoo did not knowingly or voluntarily disclose information, their SCA claim fails. 28 23 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 37 of 48 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 1 Moreover, the SCA distinguishes between “content” and “transactional” information, and a 2 plaintiff must plausibly plead the intentional disclosure of the former to state a claim. However, 3 Plaintiffs allege no facts showing that the information contained in the cookies or the “names, email 4 addresses, telephone numbers, birth dates, passwords,27 and security questions” (Compl. ¶ 1) alleged 5 to have been stolen qualify as “contents,” as opposed to other transactional or otherwise 6 automatically generated data. No Plaintiff specifically claims to have been affected by the Forged 7 Cookie Breach. Regardless, the information at issue in the Forged Cookie Breach such as “user 8 identification information, records of session times and durations and temporarily assigned network 9 addresses … is not considered to be content-based.” Obodai v. Indeed, Inc., 2013 WL 1191267, at 10 *3 (N.D. Cal. Mar. 21, 2013) (quotations omitted); see also In re Zynga Privacy Litig., 750 F.3d 11 1098, 1106 (9th Cir. 2014) (“‘contents’ … does not include record information regarding the 12 characteristics of the message that is generated in the course of the communication.”); iPhone, 844 13 F. Supp. 2d at 1061 (dismissing SCA claim and finding data at issue “is generated automatically, 14 rather than through the intent of the user, and therefore does not constitute ‘content’”). None of the 15 information Plaintiffs allege was stolen from Yahoo as part of the Data Breaches qualifies as 16 “content” within the meaning of the SCA. Nor is it sufficient if the stolen information allowed a 17 hacker to piece together data and then access a customer’s personally identifiable information. 18 Zynga, 750 F.3d at 1107 (“There is no language in [the SCA] equating ‘contents’ with personally 19 identifiable information. Thus, an allegation that Facebook and Zynga disclosed personally 20 identifiable information is not equivalent to an allegation that they disclosed the contents of a 21 communication.”). Because the allegations do not include facts that the stolen information contained 22 “contents” of a communication, Plaintiffs’ SCA claim fails for this reason as well. Sams v. Yahoo!, 23 Inc., 2011 WL 1884633, at *7 (N.D. Cal. May 18, 2011) (dismissing SCA claim when plaintiff 24 alleged only the disclosure of “non-content-based information”). 5. 25 Plaintiffs’ Online Privacy Protection Act (“OPPA”) claim is fatally deficient. First, “the 26 27 Plaintiffs’ Online Privacy Protection Act Claim Fails. OPPA itself does not provide for a private action or public prosecution for any violation of its 28 27 Yahoo’s announcement specified that unprotected passwords were not stolen. Supra note 15. 24 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 38 of 48 1 provisions.” People ex rel. Harris v. Delta Air Lines, Inc., 247 Cal. App. 4th 884, 891 (2016) 2 (addressing case brought by the State of California). Accordingly, Plaintiffs cannot assert a 3 standalone OPPA claim. Second, to the extent Plaintiffs want to bootstrap a UCL claim to an 4 alleged OPPA violation, Plaintiffs cannot extend that claim beyond California residents. OPPA 5 governs “an operator of a commercial Web site or online service that collects personally identifiable 6 information through the Internet about individual consumers residing in California who use or visit 7 its commercial Web site.” Cal. Bus. & Prof. Code § 22575 (emphasis added); see also Cal. Bus. & 8 Prof. Code § 22577 (defining regulated “operator” as one that “collects and maintains personally 9 identifiable information from a consumer residing in California”) (emphasis added). Here, only two 10 Plaintiffs (Heines and Dugas (Compl. ¶¶ 10, 12)) are California residents. The remaining Plaintiffs 11 are non-California residents and therefore lack statutory standing. Finally, even for the two 12 California residents seeking to assert an OPPA violation as a predicate to a UCL claim, the attempt 13 fails. Like the CLRA, OPPA is limited to “consumers” only, and neither Heines nor Dugas claim 14 they “purchase[d] or lease[d], any goods, services, money, or credit for personal, family, or 15 household purposes” from Yahoo. Compl. ¶¶ 10, 12; Cal. Bus. & Prof. Code § 22577(d). This is 16 unsurprising because “Yahoo operates Yahoo Mail as a free web-based email service.” In re Yahoo 17 Mail Litig., 2016 WL 4474612, at *1 (N.D. Cal. Aug. 25, 2016). Any California resident who used 18 Yahoo’s free services cannot be an OPPA “consumer.”28 Accordingly, no Plaintiff has a viable 19 OPPA claim, either independently or as a predicate to a UCL claim. 6. 20 Plaintiffs’ Express Contract Claim Fails. To state a claim for breach of contract, Plaintiffs must plead facts showing “the contract, 21 22 plaintiffs’ performance (or excuse for nonperformance), defendant’s breach, and damage to plaintiff 23 therefrom.” Low II, 900 F. Supp. 2d at 1028 (quotations omitted). Plaintiffs reason from the fact of 24 the intrusion itself to the faulty conclusion that Defendants somehow breached their “promises” that 25 they would not willingly share Plaintiffs’ personal information, and that they would attempt to 26 27 28 28 Similarly, even if Neff (a Texas citizen who purports to sue on behalf of a “small business user class”) were a California resident and paid for Yahoo services, his claims would fail for another independent reason: any plaintiff who solely alleges use of Yahoo’s business products is not a “consumer” under this definition because business purposes are not “personal, family, or household purposes.” Cal. Bus. & Prof. Code § 22577(d). 25 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 39 of 48 1 safeguard that information. Plaintiffs cannot, however, cherry-pick sentences and phrases from 2 Defendants’ public statements to stitch together a contract claim: 3 • “We are committed to ensuring your information is protected and apply safeguards in accordance with applicable law.” • “Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under [certain inapplicable circumstances].” • “We limit access to personal information about you to employees who we reasonably believe need to come into contact with that information to provide products or services to you or in order to do their jobs.” • “We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.” 4 5 6 7 8 9 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 10 11 Compl. ¶ 179(a)-(d); see also id. ¶ 181(a)-(c) (alleging that Aabaco’s Privacy Policy contained 12 similar “promises”). Plaintiffs contend Yahoo and Aabaco broke those unilateral “promises” 13 because they “did not have proper safeguards ‘in accordance with applicable law’ to protect 14 Plaintiffs and Class members’ ‘Personal Information,’ and did not limit access to that information to 15 the specified individuals or entities.” Id. ¶ 182. Plaintiffs likewise claim Yahoo and Aabaco 16 “violated their commitment to maintain the confidentiality and security of the PII of Plaintiffs and 17 the class members, and failed to comply with their own policies and applicable laws, regulations, 18 and industry standards relating to data security.” Id. Plaintiffs’ allegations fall far short. 19 First, Plaintiffs grossly mischaracterize Defendants’ statements. Yahoo and Aabaco never 20 guaranteed Plaintiffs a completely secure, hack-proof environment. To the contrary, Yahoo 21 explained that any use of the services would be “AT YOUR OWN RISK” and on an “AS IS” and 22 “AS AVAILABLE” basis, it expressly disclaimed any warranties to the contrary, including that its 23 services would be “SECURE,” and it warned Plaintiffs that “no data transmission over the Internet 24 or information storage technology can be guaranteed to be 100% secure.” Compl., Exh. 1, at 91 § 25 19(a) & (b); RJN, Exh. 2. Aabaco similarly warned users that use of its services would be “AT 26 YOUR OWN RISK,” “AS IS” and “AS AVAILABLE,” it disclaimed any warranties that its services 27 would be “SECURE,” and it expressly warned users that any “SECURITY MECHANISMS IN THE 28 SERVICES HAVE INHERENT LIMITATIONS.” Compl., Exh. 2, at 171 § 12(a), (c) & (d). Those 26 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 40 of 48 1 statements are the polar opposite of the promises Plaintiffs claim were made. This alone defeats 2 Plaintiffs’ contract claim. Young v. Facebook, Inc., 790 F. Supp. 2d 1110, 1117 (N.D. Cal. 2011). Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 3 When Defendants’ Privacy Policies, TOS and corresponding disclosures are read in the 4 proper light, Plaintiffs cannot show a breach. They also plead no facts showing how Defendants: 5 (1) failed to “apply safeguards in accordance with applicable law” (Compl. ¶ 179(a)); (2) “rent[ed], 6 s[old], or share[d] personal information” about Plaintiffs (id. ¶¶ 179(b), 181(a)); (3) granted “access 7 to personal information about [Plaintiffs]” to individuals who are not Yahoo employees (id. ¶¶ 8 179(c), 181(b)); or (4) implemented “physical, electronic, and procedural safeguards” that did not 9 “comply with federal regulations” (id. ¶¶ 179(d), 181(c)). Neither Yahoo nor Aabaco affirmatively 10 rented, sold, or shared Plaintiffs’ personal information. Moreover, even “[i]f the breach of the 11 parties’ contract is [Yahoo and Aabaco]’s alleged failure to comply with federal law,” Plaintiffs 12 nonetheless fail to “plead the federal law or laws with which [Yahoo and Aabaco] allegedly did not 13 comply” or how. In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177 (D. Minn. 14 2014); Anthem, 162 F. Supp. 3d at 982. 15 Second, on top of the reasons stated in Section IV(A), Plaintiffs cannot establish the damages 16 element of their claim. Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 17 2000) (contract claims require “appreciable and actual damage.”). The limitation of liability 18 provisions in Defendants’ TOS bar the precise damages Plaintiffs seek—damages they claim to be 19 consequential to the Data Breaches. Compl. ¶ 184. Here, Yahoo’s TOS contains a limitation of 20 liability clause, which provides: 21 “YOU EXPRESSLY UNDERSTAND AND AGREE THAT YAHOO … SHALL NOT BE LIABLE TO YOU FOR ANY PUNITIVE, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF YAHOO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM: … UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA … OR … ANY OTHER MATTER RELATING TO THE YAHOO SERVICE.” Compl., Exh. 1, at 91. 22 23 24 25 26 Similarly, Aabaco’s TOS contains an even broader limitation of liability clause: 27 “TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW, YOU EXPRESSLY UNDERSTAND AND AGREE THAT THE COMPANY … SHALL NOT BE LIABLE, UNDER ANY CIRCUMSTANCES OR LEGAL THEORIES WHATSOEVER, FOR 28 27 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 41 of 48 1 2 ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES …” Compl., Exh. 2, at 172. Because Plaintiffs plead no facts showing those provisions are unenforceable—only legal 3 4 5 6 7 8 9 10 conclusions—they foreclose the damages element of Plaintiffs’ contract claim. See Compl. ¶ 234. Indeed, these very types of limitations provisions are routinely enforced under California law, particularly where, as here, the service offered is free or at a low cost to the subscriber. Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118, 1126 (2012); Lewis v. YouTube, LLC, 244 Cal. App. 4th 118, 125 (2015) (enforcing limitation of liability provisions for free service) (citing Markborough Cal., Inc. v. Superior Court, 227 Cal. App. 3d 705, 714 (1991)). For these reasons, Plaintiffs’ express contract claim fails. 7. Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 Plaintiffs admit their implied contract claim is wholly duplicative of their express contract 12 13 14 15 16 17 18 19 20 21 claim. Compl. ¶ 186. That duplication requires dismissal. O’Connor v. Uber Techs., Inc., 2013 WL 6354534, at *10 (N.D. Cal. Dec. 5, 2013). In addition, to plausibly allege that an implied contract existed beyond the express terms to which the parties agreed, Plaintiffs had to “elaborate upon the nature and scope of the implied contract in the pleadings,” rather than simply declare one existed. Anthem, 162 F. Supp. 3d at 982-83; Frezza v. Google Inc., 2012 WL 5877587, at *4 (N.D. Cal. Nov. 20, 2012).29 They did not. Finally, as with their express contract claim, Plaintiffs cannot overcome the limitation of liability provisions in Defendants’ TOS, or their failure to plead actual, concrete damage specifically caused by the alleged breach of any purported implied contract. Lewis, 244 Cal. App. 4th at 125-26. Accordingly, the implied contract claim fails. 8. 22 23 24 25 Plaintiffs’ Implied Contract Claim Fails. Plaintiffs’ Implied Covenant Claim Fails. Plaintiffs’ implied covenant claim suffers multiple infirmities, and it should be dismissed. As an initial matter, the claim stands and falls alongside Plaintiffs’ express contract claim. Northstar Fin. Advisors Inc. v. Schwab Invs., 135 F. Supp. 3d 1059, 1089 (N.D. Cal. 2015). Because Plaintiffs’ express contract claim fails, so too does their implied covenant claim. 26 27 29 28 To the extent Plaintiffs claim Defendants implicitly warranted against unauthorized access to their accounts, that claim is flatly refuted by Defendants’ explicit disclaimer of any such warranties. Compl., Exh. 1, at 91; id., Exh. 2, at 171. 28 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 42 of 48 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 1 Nor can Plaintiffs add terms to any express agreements under an implied covenant theory. 2 Avidity Partners, LLC v. State, 221 Cal. App. 4th 1180, 1204 (2013) (as a matter of law, the 3 “implied covenant of good faith and fair dealing does not impose substantive terms and conditions 4 beyond those to which the parties actually agreed”). Plaintiffs, however, seek to do precisely that 5 here. They claim Defendants breached the implied covenant of good faith and fair dealing by: “(a) 6 using password encryption standards that were long known to be unsafe; (b) taking no serious action 7 in response to past breaches; (c) falling well behind industry standards of cybersecurity; and (d) 8 under-investing in cybersecurity resources despite assurances to its users to the contrary.” Compl. ¶ 9 193. Plaintiffs, however, cite no provisions in any agreement wherein Defendants promised to: (1) 10 employ specific password encryption standards; (2) employ specific protocols in cases of suspected 11 or confirmed breaches; (3) employ a particular set of cybersecurity standards; or (4) invest a 12 particular sum of time or money in any “cybersecurity resources.” Plaintiffs cannot rewrite the 13 contract to impose these extra-contractual duties by way of an implied covenant claim. And to the 14 extent Plaintiffs attempt simply to buttress their contract claims by alleging violation of the implied 15 covenant, it must fail on that basis as well. Careau & Co. v. Sec. Pac. Bus. Credit, Inc., 222 Cal. 16 App. 3d 1371, 1395 (1990) (dismissing implied covenant claim that relies on same facts and alleged 17 damages as contract claim). 18 Further, Plaintiffs cannot show “bad faith.” To do so, Plaintiffs must show Defendants 19 committed a “conscious and deliberate act, which unfairly frustrate[d] the purposes of the parties’ 20 written contract.” Hougue v. City of Holtville, 2008 WL 1925249, at *4 (S.D. Cal. Apr. 30, 2008) 21 (quotations omitted). Plaintiffs cannot make that showing for two reasons. First, Plaintiffs do not 22 “identify the specific contractual provision that was frustrated.” Perez v. Wells Fargo Bank, N.A., 23 2011 WL 3809808, at *18 (N.D. Cal. Aug. 29, 2011). Plaintiffs claim they “were to benefit through 24 the use of Defendants Yahoo and Aabaco’s services.” Compl. ¶ 192. But Plaintiffs did use those 25 services, and nowhere do they allege that the Data Beaches deprived them of services due to 26 Defendants’ bad faith. Second, Plaintiffs fail to show how Defendants consciously and deliberately 27 prevented such use. Instead, they claim Defendants engaged in bad faith by failing to assume a host 28 29 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 43 of 48 1 of extra-contractual duties. Id. ¶ 193. But, as stated above, those allegations cannot form the basis 2 for a “bad faith” claim. 3 Finally, as with Plaintiffs’ other contract theories, they cannot overcome the limitation of 4 liability provisions in Defendants’ TOS. See, e.g., Darnaa, LLC v. Google Inc., 2017 WL 679404, at 5 *8 (N.D. Cal. Feb. 21, 2017) (limitation of liability provision barred implied covenant claim). The 6 claim should be dismissed. 9. 7 Neff30 fails to state a fraudulent inducement claim, much less with the requisite particularity. 8 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 9 Plaintiff Brian Neff’s Fraudulent Inducement Claim Fails. To do so, Neff had to show: (1) a misrepresentation; (2) knowledge of the falsity; (3) intent to 10 defraud, i.e., to induce reliance; (4) justifiable reliance; and (5) resulting damage. Herskowitz v. 11 Apple Inc., 940 F. Supp. 2d 1131, 1147 (N.D. Cal. 2013). He did not. 12 First, Neff broadly claims Defendants “made numerous representations, in advertising and in 13 the Privacy Policy, regarding the supposed secure nature of their small business services.” Compl. ¶ 14 198. Neff, however, fails to allege that he actually reviewed any portions of that “advertising,” the 15 “Terms of Service,” or the “Privacy Policies.” That alone is fatal. Second, Neff does not plead falsity. He claims Defendants’ non-specified “representations” 16 17 were “false because Yahoo and Aabaco utilized outdated encryption protocols, and failed to disclose 18 that they did not use reasonable, industry-standard means, to safeguard against hacking and theft of 19 customer PII.” Compl. ¶ 198. But Neff does not: (1) identify the particular “encryption protocols” 20 or “industry standards” to which he refers; or (2) establish when, where and how Defendants 21 promised to employ particular encryption protocols or conform to particular industry standards. 22 Neff also fails to establish the falsity of any such representations when made. He claims he signed 23 up for his Aabaco service in September of 2009. Id. ¶ 20. But he does not allege which “encryption 24 protocols” Defendants used in September of 2009, how those “protocols” failed to meet a particular 25 “industry standard” in September of 2009, or the factual basis for his claim that Defendants knew the 26 same in September of 2009. 27 28 30 Only Neff brought claims on behalf of the Small Business Users Class. Compl. ¶ 20. 30 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 44 of 48 1 Third, as stated above, Defendants openly disclosed that use of the services would be “AT 2 YOUR OWN RISK” and on an “AS IS” and “AS AVAILABLE” basis, they expressly disclaimed 3 any warranties to the contrary, including that the “SERVICES WILL … BE … SECURE,” and they 4 disclosed that the “SECURITY MECHANISMS IN THE SERVICES HAVE INHERENT 5 LIMITATIONS.” Compl., Exh. 2, at 171 § 12(a), (c) & (d). In light of those disclaimers, Neff 6 cannot show falsity or reliance. See, e.g., Minkler v. Apple, Inc., 65 F. Supp. 3d 810, 821 (N.D. Cal. 7 2014) (“Plaintiff has failed to identify any specific statement by Apple that expressly indicates that 8 Apple Maps would always work flawlessly and without error.”); Dix v. Nova Benefit Plans, LLC, 9 2015 WL 12859221, at *7 (C.D. Cal. Apr. 28, 2015) (“A plaintiff cannot claim justifiable reliance 10 where, as here, ‘disclaimers … are more than sufficient to put a reasonably prudent [plaintiff] on 11 notice that the [information] contained [in a document] should be verified by the [plaintiff’s] 12 independent’ investigation.”) (citations omitted). 10. 13 14 15 16 The Court also should dismiss the negligence claim brought by the Australia, Venezuela and Spain class representatives (the “Foreign Plaintiffs”) under California law, 31 which mandates that the laws of New South Wales, Florida and Ireland, respectively, govern those claims exclusively. 32 17 18 19 20 21 22 Foreign Plaintiffs Cannot Assert A California Negligence Claim, And Negligence Is Barred By The Economic Loss Doctrine. Under California law, choice-of-law provisions are presumptively valid and broadly construed to encompass tort claims. Cannon v. Wells Fargo Bank, N.A., 917 F. Supp. 2d 1025, 1051-52 (N.D. Cal. 2013); Smith, Valentino & Smith, Inc. v. Superior Court, 17 Cal. 3d 491, 494 (1976) (“[C]hoice of law provisions are usually respected by California courts.”). Here, the Foreign Plaintiffs contracted with “various foreign Yahoo subsidiaries, many of which had differing Terms of Service.” Compl. ¶ 122. The Australia UTOS states that “the TOS and the relationship between 23 24 31 25 Because the Foreign Plaintiffs originally filed their individual claims in California, California choice-of-law rules apply. Sony II, 996 F. Supp. 2d at 977 (federal court sitting in diversity “must apply the choice-of-law rules of each state where the individual actions were originally filed.”). 26 32 27 28 In addition to the ATOS, the Foreign Plaintiffs were bound by Yahoo’s UTOS, which is incorporated by reference into the ATOS. The Israel Class is excluded from the definition of “Foreign Plaintiffs” because the UTOS and ATOS stipulates that California law applies to persons using Israeli services, and that exclusive jurisdiction and venue is limited to Santa Clara County, or the Northern District of California. Infra note 34, at 10. 31 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 45 of 48 1 you and Yahoo shall be governed by the laws of New South Wales without regard to its conflict of 2 law provisions.”33 The Australia ATOS includes even stricter language, requiring that “the laws of 3 New South Wales govern not only the interpretation of this ATOS … but also apply to all other 4 claims, including claims regarding consumer protection laws, unfair competition laws, and in tort.” 5 (Emphasis added).34 The Venezuela ATOS and UTOS contain language identical to the Australia 6 agreements, except they require application of Florida law.35 Finally, the Spain ATOS, which the 7 UTOS incorporates by reference, states that “the laws of Ireland govern this ATOS and any non- 8 contractual obligations arising out of it.” 36 (Emphasis added). Thus, the Foreign Plaintiffs’ 9 negligence claim exists only “because of” the UTOS and ATOS into which they entered. Nedlloyd 10 Lines B.V. v. Superior Courts, 3 Cal. 4th 459, 469-70 (1992). Accordingly, the UTOS and ATOS 11 agreements should be enforced, and the negligence claim dismissed. 12 But even if the Foreign Plaintiffs could assert a claim for negligence under California law, 13 the claim would still fail. Under California law, Plaintiffs’ claims for negligent misrepresentation 14 (including the negligent misrepresentation claim brought by Neff)37 and negligence are barred by the 15 economic loss rule because the claimed damages are not “accompanied by some form of physical 16 harm (i.e., personal injury or property damage).” Sony I, 903 F. Supp. 2d at 961; see also Strumlauf 17 v. Starbucks Corp., 192 F. Supp. 3d 1025, 1036 (N.D. Cal. 2016); Minkler, 65 F. Supp. 3d at 820; 18 Dugas, 2016 WL 6523428, at *12.38 Plaintiffs’ failure to allege such harm warrants dismissal. 19 20 21 22 33 RJN, Exh. B, at 1, https://policies.yahoo.com/au/en/yahoo/terms/utos/index.htm. 23 34 RJN, Exh. C, at 9, https://policies.yahoo.com/xw/en/yahoo/terms/product-atos/comms/index.htm. 35 Id. at 5; RJN, Exh. D, at 7, https://policies.yahoo.com/e2/es/yahoo/terms/utos/index.htm. 36 Supra note 34, at 5. 24 25 26 27 28 37 Neff’s negligent misrepresentation claim mirrors his fraudulent inducement claim, and, as a consequence, it suffers the same infirmities. It should be dismissed for the same reasons. 38 Indeed, the Foreign Plaintiffs likely crafted their claim as one sounding in negligence, as opposed to contract, in a misguided attempt to avoid the various TOS to which they agreed, which require them to bring their claims under different laws and in different fora. The economic loss rule, however, prevents that very tactic—i.e., recasting contract claims as tort claims. 32 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 46 of 48 1 2 3 4 5 6 7 8 9 10 Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 11. Foreign Plaintiffs’ Claims Should Be Dismissed For Forum Non Conveniens. The Foreign Plaintiffs should be dismissed from this lawsuit for the additional, independent reason that they agreed to litigate their claims elsewhere. The same TOS that requires the Foreign Plaintiffs to bring their negligence claim under the laws of different jurisdictions also compels each to bring his or her claims in those jurisdictions. See supra, notes 33-36. As a consequence, under the doctrine of forum non conveniens, the Foreign Plaintiffs should be dismissed from this lawsuit. Under a traditional forum non conveniens analysis where there is no forum selection clause, courts must evaluate the convenience of the parties (i.e., private interest factors) and various public interest factors. Atl. Marine Constr. Co., Inc. v. U.S. Dist. Ct. for W. Dist. of Tex., 134 S. Ct. 568, 581 (2013). But where, as here, the parties’ contract contains a valid forum selection clause, that “clause [should be] given controlling weight in all but the most exceptional cases.” Id. (quotations omitted). Thus, a forum selection clause changes the forum non conveniens analysis in three ways: (1) the plaintiff’s forum choice merits no weight; (2) the court does not consider the parties’ private interests and deems those factors to weigh entirely in favor of the preselected forum; and (3) the agreed-upon forum need not apply the law of the court where the suit was filed. Id. at 581-82. “As a consequence, a district court may consider arguments about public-interest factors only.” Id. at 582. “Because those factors will rarely defeat a transfer motion, the practical result is that forum-selection clauses should control except in unusual cases.” Id. In sum, the Foreign Plaintiffs have a “heavy burden to show that this is the exceptional or unusual case.” Acceler-Ray, Inc. v. IPG Photonics Corp., 2017 WL 1196835, at *5 (N.D. Cal. Mar. 31, 2017). They cannot meet that burden. The Foreign Plaintiffs cannot remotely show the public interest factors merit disregarding the contractual terms—i.e., the administrative difficulties flowing from court congestion, the local interest in having localized controversies decided at home, and the interest in having the trial in a forum that is at home with the law. Atl. Marine, 134 S. Ct. at 581 n.6. California has little to no interest in hearing disputes brought by citizens of Australia, Spain and Venezuela, particularly when those individuals agreed to litigate in fora in or closer to their respective residences. Courts in Australia, Ireland and Florida unquestionably are more familiar with the laws of their respective jurisdictions, and no one disputes that the Northern District of California has one of the most heavily 33 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 47 of 48 1 congested dockets in the country. In the end, this is not an “unusual case” where “public-interest 2 factors overwhelmingly disfavor a transfer.” Id. at 583. The Foreign Plaintiffs should be dismissed 3 from this lawsuit so they can bring their negligence claims where they belong—in the jurisdictions 4 to which they agreed. Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 5 12. Plaintiffs’ Declaratory Relief Claim Fails. 6 The declaratory relief claim should be dismissed. To start, Plaintiffs claim five provisions of 7 Defendants’ respective TOS are “unconscionable and unenforceable.” Compl. ¶ 234. Although the 8 burden is on Plaintiffs to establish both procedural and substantive unconscionability, Plaintiffs here 9 plead no facts to support either prong. Poublon v. C.H. Robinson Co., 846 F.3d 1251, 1260 (9th Cir. 10 2017) (party opposing contractual enforcement bears the burden to establish procedural and 11 substantive unconscionability). Nor can they. At most, Plaintiffs have offered nothing save 12 “threadbare recitals” and “bald assertions.” This does not pass pleading muster. Biggins v. Wells 13 Fargo & Co., 266 F.R.D. 399, 412 (N.D. Cal. 2009) (allegation that contractual terms are “onerous 14 to the point of being unconscionable” is “a bare legal conclusion unsupported by facts”). 15 Nor could Plaintiffs plead sufficient facts. Indeed, their very request ignores the fact that 16 Defendants expressly disclaimed any warranty about the security of their services, and this Court 17 recently enforced a similar disclaimer in Davidson v. Apple, Inc., 2017 WL 976048 (N.D. Cal. Mar. 18 14, 2017). As in Davidson, Defendants “disclaimed all implied warranties in accordance with 19 California law because [they] stated in clear language and capitalized formatting” that they were 20 expressly disclaiming “all warranties of any kind, whether express or implied, including, but not 21 limited to the implied warranties of title, merchantability, fitness for a particular purpose and non- 22 infringement.” Id. at *15; see also Compl., Exh. 1, at 91; accord Sony II, 996 F. Supp. 2d at 983 23 (dismissing warranty claims “based on the disclaimer in the PSN User Agreement and the PSN 24 Privacy Policy”). As in Davidson, Plaintiffs make “no allegations that Plaintiffs did not see or 25 understand the [TOS]’s implied warranty disclaimer, or that Plaintiffs were surprised by the 26 disclaimer’s terms.” Davidson, 2017 WL 976048 at *15. Plus, as stated above, “[l]imitation of 27 liability clauses have long been recognized as valid in California.” Lewis, 244 Cal. App. 4th at 125 28 34 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK Case 5:16-md-02752-LHK Document 94 Filed 05/22/17 Page 48 of 48 1 (quotations omitted); Markborough, 227 Cal. App. 3d at 714; Darnaa, LLC v. Google, Inc., 2015 2 WL 7753406, at *3 (N.D. Cal. Dec. 2, 2015). 3 Further, the vague allegation that the disputed provisions are “precluded” by unspecified 4 “federal and state law” (Compl. ¶ 234) is insufficient. See Anthem, 162 F. Supp. 3d at 982 (claim 5 failed based on unspecific allegations that defendants “were required to comply with ‘federal and 6 state laws and regulations, including HIPAA, and industry standards’”); Target, 66 F. Supp. 3d at 7 1177 (finding if data breach claim is based on “Target’s alleged failure to comply with federal law, 8 … Plaintiffs must plead the federal law or laws with which Target allegedly did not comply”). Hunton & Williams LLP 550 South Hope Street, Suite 2000 Los Angeles, California 90071-2627 9 Finally, this claim merely anticipates an affirmative defense under Yahoo and Aabaco’s 10 respective TOS, duplicates Plaintiffs’ contractual clauses of actions, and is therefore improper. J&J 11 Sports Prods., Inc. v. Sally & Henry’s Doghouse Bar & Grill LLC, 2016 WL 1323464, at *2 (S.D. 12 Cal. Apr. 4, 2016); PhotoThera, Inc. v. Oron, 2007 WL 4259181, at *3 (S.D. Cal. Dec. 4, 2007); In 13 re Zappos.com, Inc., 2013 WL 4830497, at *5 (D. Nev. Sept. 9, 2013) (“The Court dismisses this 14 [data breach declaratory relief] claim, as it is on its face duplicative of the causes of action elsewhere 15 directly asserted.”). 16 V. 17 18 CONCLUSION For these reasons, the Court can and should dismiss Plaintiffs’ entire Complaint. Because the stated defects are irremediable, the dismissal should be with prejudice. 19 20 21 22 23 Dated: May 22, 2017 HUNTON & WILLIAMS LLP By: /s/ Ann Marie Mortimer Ann Marie Mortimer Attorneys for Defendants Yahoo! Inc. and Aabaco Small Business, LLC 24 25 26 27 28 35 NOTICE OF MOTION AND MOTION TO DISMISS COMPLAINT, Case No. 16-MD-02752-LHK