In Holly v. Alta Newport Hosp., Inc., No. 2:19-cv-07496-ODW (MRWx), 2020 U.S. Dist. LEXIS 195652 (C.D. Cal. Oct. 21, 2020), Judge Wright dismissed a data breach class action because the class representative could not demonstrate compensable loss.
Holly alleges that she suffered “emotional harm and distress and has been injured in her mind and body.” (SAC ¶ 49.) She also alleges that she “experienced fear of identity theft, embarrassment, generalized anxiety . . . emotional pain and upset” and was “injured in her health, strength and activity, sustaining injury to her nervous system and person, all of which injuries have caused and continue to cause [Holly] great mental, physical, emotional and nervous pain and suffering.” (Id. ¶¶ 50-51.) Additionally, Holly asserts that she and other class members have suffered damages, including increased risk of identity theft and identity fraud, improper disclosure of personal information, value of time and expenses spent mitigating and remediating the increased risk of identity theft and identity fraud, and the decreased value of their personal information. (Id. ¶¶ 52-53, 81-84, 89-91, 97.) However, these are the very same allegations the Court has already rejected as “conclusory and vague” and “not sufficient to establish that Holly suffered actual damages to support her breach of contract and negligence claims.” (Order 11.) Nevertheless, the Court again discusses why each fails. As with her FAC, Holly’s bare allegation of increased risk of identity theft in the SAC is “too speculative to satisfy the pleading requirement” to show actual damages. See Svenson v. Google Inc., 65 F. Supp. 3d 717, 725 (N.D. Cal. 2014); Patton v. Experian Data Corp., No. SACV 15-1871 JVS (PLAx), 2016 U.S. Dist. LEXIS 60590, 2016 WL 2626801, at *4 (C.D. Cal. May 6, 2016) (finding that in a data breach case, “[T]he plaintiff must show that there is a ‘credible,’ ‘real and immediate’ threat of identity theft to establish an injury-in-fact” and actual damages (quoting Krottner v. Starbucks Corp., 628 F.3d 1139, 1140 (9th Cir. 2010)). Moreover, Holly provides only legal conclusions concerning the future risk of identity theft, instead of factual support as the Court previously directed. (See Order 11-12.) Thus, she again fails to sufficiently plead damages concerning the future risk of identity theft. See Iqbal, 556 U.S. at 665-66 (finding that “[w]hile legal conclusions can provide the complaint’s framework, they must be supported by factual allegations.”). Next, “[a]lthough actual damages can include emotional distress, a plaintiff must support her claim for pain and suffering with something more than [her] own conclusory allegations, such as specific claims of genuine injury.” Sion v. SunRun, Inc., No. 16-CV-05834-JST, 2017 U.S. Dist. LEXIS 35730, 2017 WL 952953, at *2 (N.D. Cal. Mar. 13, 2017) (internal quotation marks omitted). Here, Holly’s identical allegations concerning her physical, mental, and emotional pain are once again “too sparse and conclusory to support” her claims for damages. See id.; see also Burnell v. Marin Humane Soc’y, No. 14-cv-05635-JSC, 2015 U.S. Dist. LEXIS 150607, 2015 WL 6746818, at *19 (N.D. Cal. Nov. 5, 2015) (dismissing intentional infliction of emotional distress claim where complaint lacked “any facts pertaining to the nature and extent of [p]laintiffs’ emotional or mental suffering”). Thus, Holly fails to establish actual damages regarding her negligent infliction of emotional distress claim. Similarly, Holly fails again to provide any supporting factual allegations for how any credit monitoring was reasonable and necessary. See Ruiz, 380 F. App’x at 691 (finding plaintiff’s negligence claim failed because plaintiff offered no evidence on the amount of time and money spent on the credit monitoring despite making a bare assertion to that effect). Finally, as the Court previously explained in the prior Order, Holly’s claim concerning the decreased value of personal data fails because it lacks supporting facts. See Razuki v. Caliber Home Loans, Inc., No. CV 17-1718-LAB (WVGx), 2018 U.S. Dist. LEXIS 196070, 2018 WL 6018361, at *1 (S.D. Cal. Nov. 5, 2018) (finding plaintiff’s damages allegations insufficient to support a negligence claim where plaintiff claimed diminished value of his personal data but “fail[ed] to allege enough facts to establish how his personal information is less valuable as a result of the breach”). Therefore, Holly’s conclusory allegations concerning any mitigation or remediation efforts and decreased value of person data fail. Other than the above vague and insufficient allegations, Holly offers only legal conclusions from various data theft cases to support her claims of damages, stating that she has suffered harm similar to the plaintiffs in those cited cases. (See, e.g., SAC ¶ 50 (claiming that Plaintiff experienced “fear of identity theft, embarrassment, generalized anxiety and stress about future identity theft, emotion pain and upset as provided under Krottner v. Starbucks Corp., 628 F.3d 1139 [9th Cir. 2010]”); see also id. ¶ 8 (“Plaintiff HOLLY alleges that similar to the reasoning in Stephen Adkins v. Facebook [Case Number 18-05982-WHA, N.D., Ca.] . . . she has alleged an injury in fact and has standing to sue in this matter, even where there is no evidence that the information has been misused.”)). Holly must allege more than legal conclusions and vague statements to establish actual damages to support her breach of contract and negligence claims. However, Holly fails to sufficiently allege that her own facts pertaining to damages are similar to the cited cases, and therefore, the conclusory allegations of similarity are insufficient. See Burns v. HSBC Bank, No. EDCV 12-1748-JGB (OPx), 2013 U.S. Dist. LEXIS 200123, 2013 WL 12136377 at *5 (C.D. Cal. Aug. 26, 2013) (“[V]ague and [*13] conclusory allegations regarding damages are insufficient to survive a motion to dismiss.”). The Court granted Holly leave to amend her FAC to cure its many deficiencies, but Holly has simply realleged verbatim the majority of the FAC. Accordingly, the Court again finds Holly’s conclusory and vague allegations insufficient to establish that she suffered actual damages as a result of the data breach. Further, the SAC is a copy-and-paste of the FAC, demonstrating Holly’s inability or unwillingness to cure the deficient allegations. See Carrico v. City & Cnty. of San Francisco, 656 F.3d 1002, 1008 (9th Cir. 2011) (finding plaintiffs’ failure to propose “any specific allegations that might rectify” the deficiencies in the complaint as a demonstration of their “inability” or “unwillingness” to make the necessary amendments); see also Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1051-52 (9th Cir. 2003) (finding that district courts should consider “repeated failure to cure deficiencies by amendments previously allowed” in denying leave to amend). Therefore, Hospital’s Motion to Dismiss Holly’s breach of contract and negligence claims is GRANTED without leave to amend.