After Yahoo! Inc. suffered three data breaches in a span of four years, plaintiffs brought a putative class action lawsuit against the internet service provider and a subsidiary (collectively, “Yahoo”), alleging defendants failed to use appropriate safeguards to protect users’ personal information despite their representations that such information was secure. The breaches included a 2013 hack allegedly due to outdated encryption technology, which affected all three billion user accounts and exposed both personal information and email contents; a 2014 “spear phishing” breach that affected 500 million accounts and led to the sale of users’ personal information on the dark web but was not made public for two years; and a breach in 2015 or 2016 in which hackers used forged “cookies” to access user accounts. Plaintiffs emphasized that Yahoo should have been on notice of its data security issues because of prior security failures, including a 2012 breach that allegedly compromised hundreds of thousands of user accounts and was purportedly designed to highlight the company’s security vulnerabilities.
Plaintiffs brought their claims on behalf of four putative classes, including small business users, paid users, account holders located in Israel, and users located in the United States, with an additional California subclass. Numerous earlier lawsuits arising from the breaches had previously been consolidated in the U.S. District Court for the Northern District of California; after the court granted in part defendants’ motion to dismiss, the operative complaint was filed in December 2017. Plaintiffs alleged thirteen causes of action under California law, including breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, misrepresentation, violation of the California Unfair Competition Law (“UCL”), and claims under the California Customer Records Act (“CRA”) and the California Consumers Legal Remedies Act (“CLRA”).
Defendants again moved to dismiss, and, last month, the court granted the motion in part. As with most data breach class actions, this one raised the issue of standing — specifically, for purposes of the UCL. In particular, with regard to claims under the unfair and unlawful prongs, defendants argued plaintiffs did not establish that they had “lost money or property,” as required for UCL standing. The court partially agreed, dismissing the UCL claims of certain plaintiffs who alleged only that they were at risk for — as opposed to had suffered — identity theft, holding that the threat of future harm did not suffice to establish standing. However, the court refused to dismiss the claims of the plaintiff representing paid users, who alleged he expected to receive secure email services and would not have paid for his account in the absence of such assurances. Relying on the California Supreme Court’s decision in Kwikset Corp. v. Superior Court and the holding of the Northern District of California in In re Anthem, Inc. Data Breach Litigation, the court found these benefit of the bargain losses established standing for purposes of the UCL.
The court went on to dispose of the majority of defendants’ other arguments in favor of dismissal. First, it rejected defendants’ contention that plaintiffs’ claims for deceit by concealment and negligence were barred by the economic loss rule, in light of the parties’ special relationship, and refused to dismiss the concealment claim based on defendants’ arguments that plaintiffs failed to plead reliance or damages. The court also declined to dismiss plaintiffs’ contract-based claims, finding plaintiffs sufficiently alleged the limitation of liability clause in Yahoo’s Terms of Service was unconscionable, and subsequently refused to dismiss plaintiffs’ declaratory relief claim as duplicative of the contract claims because it sought different relief — namely, a declaration that certain provisions of the contract are unconscionable, which would clarify the parties’ rights and govern their ongoing interactions, rather than simply damages for past harms.
The court additionally rejected defendants’ arguments that Yahoo was not subject to the CLRA because its email was neither a “good” nor a “service” subject to the Act and that plaintiffs failed to plead reliance for purposes of that claim. However, it dismissed plaintiffs’ claims under two provisions of the CRA, despite finding injury in fact sufficient for standing. The court held plaintiffs failed to allege when Yahoo had learned of the 2013 breach for purposes of a provision requiring expedient notification, while the statute’s prior definition of personal information precluded plaintiffs’ claim under a provision requiring businesses to maintain reasonable measures to protect such information.
Finally, the court dismissed plaintiffs’ claims for punitive damages with regard to their good faith and fair dealing and CRA claims, finding such damages were unavailable as a matter of law, but refused to dismiss the punitive damages claims with regard to plaintiffs’ negligence, misrepresentation, and deceit by concealment causes of action.
Thus, although defendants’ motion succeeded in part, Yahoo’s data breach saga continues.
In re Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK (Mar. 9, 2018).