District Court (Cal.) Says Security Breach Leads to No Compensable Claim

Razuki’s second amended complaint failed to state a claim for negligence because his vague allegations of damages were impossible for the Court to evaluate. Dkt. 27 at 3. The Court made it clear that Razuki’s negligence claim was essentially indistinguishable from Krottner v. Starbucks Corporation, 406 F. App’x 129, 131 (9th Cir. 2010), in which the Ninth Circuit found the risk of identity theft following a data breach sufficient to supply an injury-in-fact for standing, but insufficient to support actual damages for negligence. Id. at 2-3. In his TAC, Razuki’s newly alleged damages include diminution in value of his personal data, overpayments to Caliber, and continued risk to his financial information. Dkt. 30 at ¶ 51. First, his claim alleging continued risk of harm is still insufficient because it stems from the danger of future harm. See Dkt. 27 at 2. Second, his claim alleging diminution of value of his personal data fails to allege enough facts to establish how his personal information is less valuable as a result of the breach. On a similar data breach claim, the court in Sony Gaming Networks and Customer Data Security Breach Litigationfound that plaintiffs alleging diminution of value must show how “[p]laintiffs have suffered an appreciable, non-speculative harm.” 996 F. Supp. 2d 942, 971 (S.D. Cal. 2014). Here, Razuki’s allegations about damages still remain too conclusory and vague to satisfy the pleading standard in a complex, large-scale, data-breach class action. Finally, Razuki alleges that he and the class members overpaid Caliber for financial services during or after the breach. However, it is unclear what payments were made to Caliber and for what services these alleged payments were made. For example, Razuki does not provide any information to show that he paid a premium for Caliber to provide reasonable and adequate security measures. In short, Razuki still has not adequately pled damages that could support a negligence claim.

Razuki claims “Defendant knew of higher-quality security protocols available to them” but failed to implement these measures, in violation of the California Customer Records Act. Dkt. 30 at ¶ 23, 74-75. This claim fails because it is precisely the type of “threadbare” claim Iqbal warns of. SeeAshcroft v. Iqbal, 556 U.S. 662, 678-79 (2009) (“Rule 8 … does not unlock the doors of discovery for a plaintiff armed with no more than conclusions.”). Razuki makes a conclusory statement that Caliber knew of higher-quality security measures, but he does not support that conclusion with any facts about Caliber’s protocols or actions it took when choosing appropriate security measures. All section 1798.81.5 requires is that a business “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.81.5. Razuki could have identified what made Caliber’s security measures unreasonable by comparison to what other companies are doing, but simply knowing of higher-quality security measures is not sufficient to state a claim.  Further, Razuki’s TAC says that “Caliber’s misconduct also included its decision not to comply with industry standards for the safekeeping and maintenance of the personal and financial information of Plaintiff and the other Class members.” Dkt. 30 at ¶ 47. The Court has already acknowledged that it may be difficult to definitively show Caliber’s practices were insufficient prior to discovery, but again, he needs something more than what he’s pleading now. What facts lead him to believe Caliber didn’t comply with industry standards? What are other companies doing that Caliber isn’t? These are basic questions that Razuki could plead to plausibly show Caliber’s conduct was unlawful. Instead, it appears he’s simply recited a few buzz words with the hope that he may be able to figure out later what, if anything, Caliber has done wrong. . . .  Razuki’s other theory of liability under the CRA is that Caliber violated Section 1798.82. This provision requires that a business notify its customers of a data breach “in the most expedient time possible and without reasonable delay.” Cal. Civ. Code § 1798.82(a). Razuki claims Caliber didn’t notify him of the breach until five months after the breach. Dkt. 30 at ¶ 26, 74. While in a vacuum this may seem to be a long time between breach and notification, all that section 1798.82requires is that the notification be without “reasonable delay.” Razuki does not allege facts that suggest this time frame is without “reasonable delay.” He also fails to establish that even if there was unreasonable delay, the delay caused any alleged injury. As other courts in this Circuit have recognized, a Plaintiff alleging a violation of 1798.82 must show that the delay in notification led to incremental harm, which Plaintiff plainly has not shown here. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1218 (N.D. Cal. 2014) (“Plaintiffs have not alleged any injury traceable to Adobe’s alleged failure to notify customers of the 2013 data breach in violation of Section 1798.82, because [p]laintiffs do not allege that they suffered any incremental harm as a result of the delay.”) (emphasis in original). His claim under 1798.82 fails