District Court (Cal.) Allows Data Breach Claim to Proceed

In In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., No. 3:19-cv-2284-H-KSC, 2020 U.S. Dist. LEXIS 80736 (S.D. Cal. May 7, 2020), Judge Huff allowed a data breach claim to proceed. The facts were as follows:

On November 13, 2019, Solara Medical Supplies, LLC (“Solara”) notified its customers of a security incident that may have compromised the information related to certain individuals associated with Solara. This class action seeks redress for that incident. On November 29, 2019, Plaintiff Juan Maldonado filed a complaint alleging various common law and other state law causes of action. (Doc. No. 1.) On January 7, 2020, the Court consolidated the Maldonado matter with two other pending actions related to the same security incident. (Doc. No. 10.) On January 23, 2020, Plaintiffs filed their Consolidated Class Action Complaint. (Doc. No. 24.) Plaintiffs seek to represent a nationwide class of all persons “whose Personal and Medical Information was compromised by the Data Breach.” (Doc. No. 24 ¶147.) Alternatively, Plaintiffs propose representing subclasses based on state or on the type of personal and medical information compromised. (Id. ¶¶152-153.)

Judge Huff allowed the negligence claim to survive the “economic loss” rule.

Generally, purely economic losses are not recoverable in tort. Seely v. White Motor Co., 63 Cal. 2d 9, 16-17, 45 Cal. Rptr. 17, 403 P.2d 145 (1965). “[T]he economic loss rule prevent[s] the law of contract and the law of tort from dissolving one into the other.” Robinson Helicopter Co. v. Dana Corp., 34 Cal. 4th 979, 988, 22 Cal. Rptr. 3d 352, 102 P.3d 268 (2004) (quotation omitted). The rule serves to “limit liability in commercial activities that negligently or inadvertently go awry.” Id. at 991 n.7, 22 Cal.Rptr.3d 352, 102 P.3d 268. “Economic loss consists of damages for inadequate value, costs of repair and replace of the defective product or consequent loss of profits—without any claim of personal injury or damages to other property.” Id. at 272 (Cal. 2004) (internal quotation marks omitted). Here, Plaintiffs have alleged they have lost time responding to the Breach as well as suffering from increased anxiety and so do not allege purely economic losses. (Doc. No. 24 ¶¶ 102, 108, 116, 129, 135, and 141.) The economic loss rule therefore does not apply. See Bass v. Facebook, Inc., 394 F.Supp. 3d 1024, 1039 (N.D. Cal. 2019). Since Plaintiffs have pled non-economic losses, the Court need not consider the remaining two exceptions to the economic loss doctrine. Defendant also argues that the negligence [*12]  cause of action should be dismissed for “the independent reason that plaintiffs are unable to allege” that the Breach caused them cognizable, non-speculative harm. (Doc. No. 31 at 14.) Plaintiffs argue that they have articulated specific “non-general damages in their costs and lost time caused by the breach.” (Doc. No. 32 at 15.) The Court agrees. Increased time spent monitoring one’s credit and other tasks associated with responding to a data breach have been found by others courts to be specific, concrete, and non-speculative. See Bass, 394 F. Supp 3d at 1039; Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600, 2015 U.S. Dist. LEXIS 85865, 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015). The Court denies Defendant’s motion to dismiss Plaintiffs’ negligence cause of action.

Judge Huff found that privacy notices formed the basis for a breach of contract claim.

Plaintiffs argue that Solara’s “Notice of Privacy Practices” and “Patient Bill of Rights” form the basis for their express contract claim. (Doc. No. 32 at 7-8.) Solara’s Notice of Privacy Practices states that: Solara Medical Supplies . . . is committed to protecting your privacy and understands the importance of safeguarding your personal health information. We are required by federal law to maintain the privacy of health information that identifies you or that could be used to identify you . . . . (Doc. No. 24 ¶37.) And Solara’s Patient Bill of Rights enumerates the following rights: The Client Bill of Rights is designed to recognize, promote, and protect, an individual’s right to be treated with dignity and respect within the health care system. . . . As our client you have the right to . . . Confidentiality of your records and Solara Medical Supplies, LLC policy for accessing and disclosure of records. (Id. ¶38.) Plaintiffs allege that these documents form the basis for their express breach of contract claim and that every Plaintiff was provided with a copy of both documents. (Id.) In reviewing a Rule 12(b)(6) motion to dismiss, this Court must accept as true all facts alleged in the complaint and draws all reasonable inferences in favor of the claimant. See Retail Prop. Trust v. United Bhd. of Carpenters & Joiners of Am., 768 F.3d 938, 945 (9th Cir. 2014). Accordingly, the Court declines to dismiss Plaintiffs’ express [*16]  breach of contract claim.

Judge Huff found that the Plaintiffs stated a CRA claim.

Defendant moves to dismiss Plaintiffs’ California Records Act Claim (“CRA”). (Doc. No. 31 at 14.) The CRA “regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information.” Corona v. Sony Pictures Ent’mt, 2015 U.S. Dist. LEXIS 85865, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Plaintiffs allege that Defendant violated § 1798.82 of the CRA. This provision provides, in relevant part: A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person . . . . Cal. Civ. Code § 1798.82(a). The statute requires that disclosure “shall be made in the most expedient time possible and without unreasonable delay.” Id. The statute also describes the information that must be included in the security breach notification and the form that the security breach notification must take. See § 1798.82(d). To allege a “cognizable injury” arising from Defendant’s alleged failure to timely notify Plaintiffs of the Data Breach, Plaintiffs must allege “incremental harm suffered as a result of the alleged delay in notification,” as opposed to harm from the Data Breach itself. Dugas v. Starwood Hotels & Resorts Worldwide, Inc., 2016 U.S. Dist. LEXIS 152838, 2016 WL 6523428, at *7 (S.D. Cal. Nov. 3, 2016); see also In re Sony Gaming Networks, 996 F. Supp. 2d 942, 1010 (S.D. Cal Jan. 21, 2014) (“[A] plaintiff must allege actual damages flowing from the unreasonable delay (and not the intrusion itself) in order to recover actual damages”). Where Plaintiffs have failed to allege injury arising from a Defendant’s “delayed notification,” courts have dismissed § 1798.82 claims. See, e.g., Dugas, 2016 U.S. Dist. LEXIS 152838, 2016 WL 6523428, at *7 (dismissing § 1798.82 claim because Plaintiff did not allege “what, if any, concrete harm resulted from Defendants’ alleged failure to promptly notify [its] customers of the data breach”); In re Sony Gaming Networks, 996 F. Supp. 2d at 1010 (dismissing § 1798.82 claim where plaintiffs “failed to allege how” a ten-day delay in notification caused plaintiffs’ injuries). Defendant argues that the CRA claim should be dismissed because Plaintiffs fail to allege damages as a result of the alleged delay in notification. (Doc. No. 31 at 14.) Plaintiffs argue that “Solara waited nearly five months after discovering the breach” to notify them and that this delay prevented Plaintiffs from taking steps to protect their personal information from identify theft. (Doc. No. 32 at 23.) Plaintiffs have adequately alleged incremental harm as a result of Solara’s five-month delay in notification. See In re Yahoo! Inc. Customer Data Security Breach Litig., 2017 U.S. Dist. LEXIS 140212, 2017 WL 37277318 (N.D. Cal. Aug. 30, 2017) (finding incremental harm adequately pled in a data breach case when plaintiffs plausibly alleged that they could not take mitigation steps based upon delay). Defendant’s arguments are better suited for a motion for summary judgment when the record is more fully developed. As a result, the Court declines to dismiss Plaintiffs’ CRA claim at this time.

Finally, Judge Huff found that the Plaintiffs stated a loss of money or property under the UCL sufficient to establish standing.

In order to establish standing for a UCL claim, Plaintiffs must show that they personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Sup. Ct., 51 Cal. 4th 310, 330, 120 Cal. Rptr. 3d 741, 246 P.3d 877 (2011). The California Supreme Court has explained standing. There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable [*26]  claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary. Id. at 323. Defendant argues that “Plaintiffs fail to allege actual lost money or property.” (Doc. No. 31 at 15.) Plaintiffs respond that they have all experienced injury under the UCL in two legally cognizable ways. First, Plaintiffs “acquired less in their transactions with Solara than they would have if Solara had sufficiently protected their Personal Information.” (Doc. No. 32 at 16-17.) Second, Plaintiffs lost “their legally protected interest in their Personal Information” as a result of the breach. (Id.) Plaintiffs first theory of damages is sufficient to establish standing under the UCL. Courts in California have consistently held that benefit of the bargain damages represents economic injury for purposes of the UCL. See In re Adobe Sys., Inc. Privacy Litig., 66 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (finding standing under the UCL because “[f]our of the six [p]laintiffs allege they personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing.”); In re LinkedIn User Privacy Litig., 2014 U.S. Dist. LEXIS 42696, 2014 WL 1323713, *4 (N.D. Cal. Mar. 28, 2014) (finding that benefit of the bargain losses are “sufficient to confer . . . statutory standing under the UCL.”). Taken together, Kwikset, In re Adobe, and In re LinkedIn demonstrate that benefit of the bargain losses, as alleged in the consolidated amended complaint, constitute economic injury cognizable under the UCL. Here, Plaintiffs have all pled that “they acquired less in their transactions with Solara than they would have if Solara had sufficiently protected their Personal Information.” (Doc. No. 24 ¶¶78-95.) These allegations are enough to establish standing for purposes of the UCL.