Judge Larry Alan Burns of the Northern District of California addressed four different arguments on a Motion to Dismiss a CCPA cause of action.

Holding No. 1:  allegations that a business failed to utilize alleged industry technology was sufficient to plead a failure to implement and maintain reasonable security measures.

[Defendant] argues that the CCPA doesn’t impose a duty to issue debit cards with EMV chips. (Dkt. 84-1 at 29). “The CCPA does not ‘impose[ ]’ a new duty, but rather incorporates ‘existing law requir[ing] a business … to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.’ ” (Id. (quoting S. Judiciary Comm. Rep. on A.B. 375 (June 25, 2018), at 5 (citing Cal. Civ. Code § 1798.81.5(b), (e)) (emphasis added))). Because there is no existing duty for financial institutions to issue debit cards with EMV chips, BANA had no duty to issue EDD cards with chips. (Id. at 29–30). In response, Plaintiffs point to Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-cv-14-GPC-BLM, 2016 WL 6523428 (S.D. Cal. Nov. 3, 2016).9 (Dkt. 90 at 25–26). In Dugas, the court held the plaintiff “sufficiently alleged, at the pleading stage, a legal duty and a corresponding breach” based on the defendant’s alleged failure to use industry-standard encryption. 2016 WL 6523428, at *10–11.
BANA attempts to distinguish Dugas, arguing that case “involved an alleged failure to maintain reasonable cybersecurity practices after the plaintiff provided personal identifying information to the defendant—it did not recognize any separate duty to issue chip cards.” (Dkt. 92 at 19). While BANA is technically correct that Dugas didn’t recognize a duty to issue debit cards with EMV chips, that argument largely misses the point. Plaintiffs cite Dugas to support the proposition that, at the pleading stage, allegations the defendant failed to utilize industry-standard encryption are sufficient to allege a legal duty and corresponding breach. (Dkt. 90 at 25–26); Dugas, 2016 WL 6523428, at *11.

Here, the MCC alleges BANA acknowledges EMV chip technology is the industry-standard for debit card security. (See generally MCC ¶¶ 56–69 (discussing BANA’s implementation of EMV chips)). Specifically, the MCC alleges that BANA’s website states that EMV chip technology “has been around for over 20 years and is the credit and debit card security standard in many countries around the world.” (Id. ¶ 68). Despite BANA’s prior history with EMV chips, the EDD Debit Cards it issued included the much less secure magnetic stripes. (Id. ¶ 69). As in Dugas, because Plaintiffs allege that BANA “failed to employ reasonable security measures to protect [their personal information], such as the utilization of industry-standard encryption[, such as EMV chips], the Court finds that Plaintiff[s] [have] sufficiently alleged a legal duty and a corresponding breach at this stage.” See Dugas, 2016 WL 6523428, at *11; see also In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014) (holding that plaintiffs adequately pled a breach of duty to provide reasonable security by alleging they gave personal information to Sony as part of commercial transaction and that Sony failed to employ reasonable security measures to protect the information, including failing to use industry-standard encryption).

Additionally, BANA argues that Plaintiffs “have not alleged facts to show that they suffered any ‘unauthorized access … as a result of’ the use of the magnetic strip [sic] cards.” (Dkt. 84-1 at 30 n.18). This argument ignores the MCC’s allegations that: (1) Plaintiffs’ cards were susceptible to skimming (a process by which a physical device collects information on a card’s magnetic stripe); (2) at least one Class Plaintiff alleges her card was skimmed; and (3) cards with EMV chips are less susceptible to this form of attack. (See MCC ¶ 61; see also, e.g., id. ¶ 187 (Lindsay McClure alleges her account was the subject of fraudulent charges after her EDD Debit Card was skimmed)). These alleged facts are sufficient to support the inference that Plaintiffs’ personal information was “subject to an unauthorized access and exfiltration, theft, or disclosure” as a result of the use of magnetic stripes. See Cal. Civ. Code § 1798.150(a)(1). BANA’s motion to dismiss Plaintiffs’ CCPA claim is DENIED to the extent that claim is based on BANA issuing debit cards without EMV chips. (See MCC ¶ 553(a)).

Holding No. 2: conclusory allegations about data collection, storage, and transmission aren’t sufficient without additional facts.
[Defendant] argues that Plaintiffs’ theory that BANA violated the CCPA by “collecting,” “transmitting,” and “storing” Plaintiffs’ personal information in an inadequately secure manner lacks sufficient factual support to state a plausible claim. (Dkt. 84-1 at 29). The MCC alleges: “On information and belief, Bank of America collected, stored, and/or transmitted Plaintiffs’ and Class Members’ personal information in a nonencrypted and nonredacted form or in some other form that permitted unauthorized third parties to access that information in violation of the CCPA.” (MCC ¶ 511; see also id. ¶¶ 55–58). Plaintiffs point to Class Plaintiff Stephanie Smith’s allegation that her EDD benefits were fraudulently transferred from her account, even though she never used her debit card and kept it at home in a locked safe, arguing that allegation is sufficient to infer BANA “collect[ed],” “transmitt[ed],” and “stor[ed]” Plaintiffs’ personal information in an inadequately secure manner. (See Dkt. 90 at 27 (citing MCC ¶¶ 58, 200)). The Court disagrees that these bare allegations are sufficient to state a claim. While Smith’s allegations certainly suggest a possibility that inadequately secure collection, transmission, and storage may be the reason Smith’s data was stolen, they aren’t the only or even the most plausible inference supported by the allegations. See Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (holding that the plausibility standard “asks for more than a sheer possibility that a defendant has acted unlawfully”); In re Century Aluminum Co. Sec. Litig., 729 F.3d 1104, 1108 (9th Cir. 2013) (“When faced with two possible explanations, only one of which can be true and only one of which results in liability, plaintiffs cannot offer allegations that are ‘merely consistent with’ their favored explanation but are also consistent with the alternative explanation…. Something more is needed, such as facts tending to exclude the possibility that the alternative explanation is true.”) (citation omitted). BANA’s motion to dismiss Plaintiffs’ CCPA claim is GRANTED to the extent that claim is based on BANA “collecting,” “transmitting,” and “storing” Plaintiffs’ personal information in an inadequately secure manner. (See MCC ¶ 553(b)–(d)).
Holding No. 3:  conclusory allegations without facts about subcontractor security practices are insufficient.
[Defendant] again argues that Plaintiffs’ theory that BANA violated the CCPA by failing to ensure its subcontractors maintained the confidentiality of Plaintiffs’ personal information lacks sufficient factual support to state a plausible claim. (Dkt. 84-1 at 29). In support of this theory, the MCC alleges that BANA:
Fail[ed] to take reasonable steps to ensure that its subcontractors and their employees and agents, including [customer service representatives] and other Call Center agents, maintained the confidentiality of Cardholders’ personal information, including by failing to ensure that all such agents were subject to background checks before or after being hired and failing to provide such agents proper training and supervision regarding their handling and maintaining the confidentiality of Cardholders’ personal information, and by failing to secure Cardholders’ personal information from unnecessary and unauthorized access by subcontractors’ employees and others.
(MCC ¶ 553(e); see also id. ¶ 55 (substantially the same)). The Court agrees that these allegations are specific and concrete, and sufficient to state a claim. (Dkt. 90 at 27). The allegations—particularly the allegation that BANA failed to ensure its agents were subjected to background checks—are sufficient to allege that BANA failed “to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150; see also Dugas, 2016 WL 6523428, at *11. BANA’s motion to dismiss Plaintiffs’ CCPA claim is DENIED to the extent that claim is based on BANA’s failure to ensure its subcontractors maintained the confidentiality of Plaintiffs’ personal information.
Holding No. 4:  allegations that a magnetic strip is “easily readable” combined with facts of actual skimming are sufficient to plead “nonenrcypted or nonredacted” information was compromised.
[Defendant] BANA also argues that the MCC fails to plead facts showing that the personal information at issue here was “nonencrypted or nonredacted,” a necessary condition for liability under the CCPA. See Cal. Civ. Code § 1798.150(a)(1). However, the MCC alleges that the information contained on magnetic stripes is “easily readable” and that, after a successful skimming attack, recipients of the information can “use the information [from the magnetic stripe] to clone the consumer’s card, conduct unauthorized transactions, and access the bank account connected to the card.” (MCC ¶ 61). The allegation that at least one Class Plaintiff’s information was stolen and used following a skimming attack strongly supports an inference that Plaintiffs’ information was readable or useable immediately after a skimming attack. (See, e.g., id. ¶ 187). These allegations are sufficient to state a claim that Plaintiffs’ personal information was “nonencrypted or nonredacted.” See § 1798.150(a)(1).
In re Bank of Am. California Unemployment Benefits Litig., No. 21-MD-2992-LAB-MSB, 2023 WL 3668535, at *13–15 (S.D. Cal. May 25, 2023).