Ruling on Defendant’s Motion to Dismiss (Aviva Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21-cv-09578-DOC-KES (C.D. Cal. July 29, 2022), Judge David O. Carter of the Central District of California held:

Defendant argues that Plaintiffs’ CCPA claim fails because Plaintiffs provide no facts to maintain that Defendant failed to maintain reasonable security procedure and practices. Mot. at 20. However, Defendant does not
dispute that unauthorized parties can access Plaintiffs’ PII on the internet. In similar data breach situations, other district courts in this circuit have held that when plaintiffs alleged that defendants allowed unauthorized parties on the internet to access plaintiffs’ PII, plaintiffs plausibly alleged that defendant failed to maintain reasonable security procedures. See Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) (finding CCPA claim plausible because defendant admitted plaintiffs’ PII was accessible on the internet); Mehta v. Robinhood Fin. LLC, No. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, at *25 (N.D. Cal. 2021) (same); but see Razuki v. Caliber Home Loans, Inc., No. 17cv1718-LAB (WVG), 2018 U.S. Dist. LEXIS 196070, at *5 (S.D. Cal. Nov. 14, 2018). Accordingly, the Court DENIES the Motion with respect to the CCPA claim.