In Thomas v. Kimpton Hotel & Rest. Grp., No. 19-cv-01860-MMC, 2020 U.S. Dist. LEXIS 114170 (N.D. Cal. June 30, 2020), Judge Chesney dismissed part(s) of a data breach claim.  The facts were as follows:

In the operative complaint, the Third Amended Complaint (“TAC”), plaintiffs allege Kimpton, an entity that “own[s] or manage[s]” a number of hotels (see TAC ¶ 1), contracted with Sabre Corporation (“Sabre”) “to provide a reservation system” (see TAC ¶ 3). Plaintiffs further allege they booked hotel reservations at Kimpton hotels (see TAC ¶ 2), and, in so doing, provided Sabre with their “private identifiable information” (“PII”) (see TAC ¶¶ 11, 13, 15), including “full name, credit and debit card account numbers, card expiration dates, card verification codes, emails, phone numbers, full addresses and other . . . information” (see TAC ¶ 8), which PII was subsequently “accessed by hackers” who “obtained credentials” for Sabre’s “Central Reservations system” and “used those credentials to access customer data” (see TAC ¶¶ 6, 12, 14, 16). According to plaintiffs, if Sabre had “employed multiple levels of authentication,” rather than “single factor authorization,” the “breach” would not have occurred. (See FAC ¶ 6.)

Judge Chesney held that the Sabre-Kimpton contract conferred no beneficiary status on the Plaintiffs.

Here, the Second Claim for Relief, as pleaded, is futile, as it is subject to dismissal for failure to state a claim. At the outset, the Court notes the TAC fails to include any facts to support a finding that customers of Kimpton hotels, such as plaintiffs, were intended third-party beneficiaries of the contract by which Sabre agreed to operate a reservation system for Kimpton. See Balsam v. Tucows Inc., 627 F.3d 1158, 1161 (9th Cir. 2010) (holding, under California law, “third party qualifies as a beneficiary under a contract if the parties intended to benefit the third party and the terms of the contract make that intent evident”; affirming dismissal, where nothing in contract indicated parties to agreement “intended to benefit, or confer any rights upon, [plaintiff]”). Moreover, the TAC lacks factual allegations to support plaintiffs’ conclusory assertion that Kimpton “breached” its contract with Sabre by “failing to comply with the PCI DSS [Payment Card Industry Data Security Standards].” (See TAC ¶¶ 81-83.) Although it would appear plaintiffs are basing the claim on Sabre’s alleged use of “single factor” as opposed to “multi-factor” authorization (see TAC ¶ 3), the TAC includes no facts to support a finding that Kimpton was contractually obligated to require Sabre to do so. See Frances T. v. Village Green Owners Ass’n, 42 Cal. 3d 490, 512-13 (1986) (holding “rights and responsibilities of contracting parties are determined by the terms of their contract”; affirming dismissal of breach of contract claim, based on defendant’s failure to “install additional lighting,” where plaintiff failed to allege contract included provision requiring defendant to so act).

Judge Chesney also held that no UCL claim would lie.

Plaintiffs base their claim on Kimpton’s alleged violations of two statutes: (1) California Civil Code § 1798.81.5 (see TAC ¶ 97), which statute requires a “business that owns, licenses, or maintains personal information about a California resident” to “implement and maintain reasonable security procedures and practices” to “protect the personal information from unauthorized access,” see Cal. Civ. Code. § 1798.81.5(b); and (2) 15 U.S.C. § 45 (see TAC ¶¶ 98-101), which statute prohibits “[u]nfair methods of competition in or affecting commerce” and “unfair or deceptive acts or practices in or affecting commerce,” see 15 U.S.C. § 45(a)(1). The remedies available to a plaintiff under § 17200 are “limited”; specifically, a plaintiff may only seek injunctive relief and/or restitution. See Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1152 (2003). Kimpton argues plaintiffs have failed to allege any facts to support either a claim for injunctive relief or a claim for restitution. As set forth below, the Court agrees. As Kimpton notes, the TAC does not make clear the nature of the injunctive relief sought. In their opposition, plaintiffs describe their need for injunctive relief as follows: “[T]here exists a hazard — [Kimpton’s] data security measures — which, if not ameliorated, will likely result in additional damages to [p]laintiffs . . . [;] there is a real risk that [Kimpton] will move forward with its plainly inadequate security features[;] [and] [Kimpton] has not represented that it has instituted multi-factor authentication, and its single-factor system poses a significant risk of continuing harm.” (See Pls.’ Opp. at 18:2-7.) As the TAC does not allege Kimpton itself has inadequate data security measures, but, rather, that Sabre’s measures were inadequate, the Court understands plaintiffs to be asserting they intend to seek an injunction requiring Kimpton to cause Sabre to institute multi-factor authentication.
To have standing to seek injunctive relief, however, the plaintiff must show the existence of a “real or immediate threat that the plaintiff will be wronged again,” see City of Los Angeles v. Lyons, 461 U.S. 95, 111 (1983), and, here, plaintiffs do not allege facts from which the Court can infer they face, by reason of Sabre’s alleged inadequate data security system, a real or immediate threat of another breach. Consequently, plaintiffs have not shown they are entitled to injunctive relief. As to restitution, plaintiffs, in their opposition, clarify that they’re seeking to recover the price they paid for Kimpton hotel rooms. Plaintiffs appear to base their claim to restitution on their allegation that they would not have stayed at a Kimpton hotel had they known of “the improper security” (see TAC ¶¶ 11, 13, 15), i.e., that Sabre employed inadequate data security measures in connection with on-line bookings. A claim for restitution is dependent, however, on a plaintiff’s showing his entitlement to “the return of the excess of what the plaintiff gave the defendant over the value of what the plaintiff received.” See Cortez v. Purolator Air Filtration Products Co., 23 Cal. 4th 163, 174 (2000). Here, plaintiffs do not allege facts to support a finding that the hotel rooms for which they paid were in any manner inadequate, that some portion of the room charges were attributable to data security, or that some other basis exists upon which to support a finding that they did not receive the value paid for the hotel rooms. Consequently, plaintiffs have not shown they are entitled to restitution.