The U.S. District Court for the Southern District of California recently dismissed a consumer’s putative class action lawsuit against a mortgage lending and servicing company for purported damages sustained as a result of a security breach wherein his personal information was compromised, and the hackers attempted to open credit cards in his name.
Although the Court previously concluded that the consumer had standing to bring his claims under Article III of the Constitution, it held that the consumer failed to state causes of action for negligence and violations of various California laws.
A copy of the opinion in Razuki v. Caliber Home Loans, Inc. is available at: Link to Opinion.
A consumer on behalf of himself and others similarly situated, sued a mortgage lender and servicer after its customer database was hacked, and confidential customer information, such as social security numbers, was compromised.
The consumer claimed that he suffered monetary and emotional distress damages as a result of a cybercriminal’s attempts to open credit cards in his name, as a result of the mortgage company’s inadequate security and failure to timely notify its customers of the breach.
The consumer filed suit against the mortgage company in the Superior Court of California, San Diego County, alleging causes of action for: (i) negligence; (ii) violation(s) of California Constitution (Art. I, § I); (iii) violation(s) of the California Customer Records Act (Civ. Code § 1798.80); (iv) violation(s) of the California Consumers Legal Remedies Act (Cal. Civ. Code § 1750), and; (v) violation(s) of the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200).
The mortgage company removed the action to United States District Court for the Southern District of California under the Class Action Fairness Act, and moved to dismiss the consumer’s complaint for lack of standing and failure to state a claim.
First, in an earlier decision (available here), the federal trial court rejected the mortgage company’s arguments that increased risk of identity theft is not an injury in fact for Article III standing, citing the Ninth Circuit’s recent holding that data breach victims sufficiently pleaded “an injury in fact based on a substantial risk that … hackers will commit identity fraud” and established a reasonable inference of causation by alleging that their identity was stolen and exploited. In re Zappos.com, Inc.,888 F.3d 1020, 1029 (9th Cir. 2018).
In addition, the court held that the mortgage company’s argument that the consumer failed to allege it possessed his data at the time of the breach or that it was actually stolen was undermined by its admission that it sent notices to customers who may have been affected by the breach — which the consumer received– and in any event, was waived because it was raised for the first time in the mortgage company’s reply brief. Thus, the motion to dismiss for lack of standing was denied.
But here, the Court found the alleged negligence damages “too conclusory and vague to satisfy the pleading standard,” even though the consumer could allege the necessary elements for Article III standing, citing the Ninth Circuit case of Krottner v. Starbucks, where the plaintiff consumer similarly alleged that personal information was misused, but the Court couldn’t find “loss related to the attempt to open a bank account in his name.” Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010).
Although the Starbucks court found the risk of identity theft following a data breach sufficient to supply an injury-in-fact for standing, the Starbucks consumer plaintiff’s claims were insufficient to support actual damages for a negligence claim because the injuries “stem from the danger of future harm.” Here, the consumer alleged he would suffer a continued risk of harm to his “personal data,” but the court concluded the alleged damage was insufficient because it really is a potential “future harm.” Second, his claim alleging diminution of value of his personal data fails to allege enough facts to establish how his personal information is less valuable as a result of the breach.
Similarly, the Court also found the allegation the consumer “overpaid [mortage company] for financial services during or after the breach” as too vague because the consumer failed to “provide any information to show that he paid a premium for [mortgage company] to provide reasonable and adequate security measures.”
The consumer also argued that the mortgage company’s breach of data violated his right to privacy under Art. I, Section I of the California Constitution. However, the loss of personal data through insufficient security fails to constitute “a serious invasion of privacy” that is “an egregious breach of the social norms underlying the privacy right” necessary to meet the standard of actionable conduct under the California Constitution. Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 4th 1, 37, 40 (1994); In re iPhone Application Litig.,844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (“Even negligent conduct that leads to theft of highly personal information, including social security numbers, does not approach the standard of actionable conduct under the California Constitution and thus does not constitute a violation of Plaintiffs’ right to privacy.” ). Accordingly, these claims, too, were dismissed, with leave to amend.
Next, the Court considered the consumer’s claims that the mortgage company failed to comply with the Customer Records Act (CRA), Civ. Code § 1798.80, which requires businesses to protect customers’ personal information by maintaining “reasonable security procedures,” and if a data breach occurs, to notify affected customers “without unreasonable delay” §§ 1798.81.5, 82.
The consumer argued that the mortgage company waived its argument by failing to address this claim, but the Court found just the opposite and that the consumer failed to address the mortgage company’s arguments that dismissal was warranted for failure to allege injury, and for conclusory allegations about security, data disposal, and notification. Thus, the claim was deemed abandoned and dismissed with leave to amend. See, e.g., Shull v. Ocwen Loan Servicing, LLC, 2014 WL 1404877, at *2 (S.D. Cal. Apr. 10, 2014).
Following amendment by the consumer, the Court also dismissed the CRA claim with prejudice and without leave to amend. The Court noted that, although the CRA requires businesses to notify customers of a data breach “in the most expedient time possible and without reasonable delay” (Cal. Civ. Code § 1798.82(a)), courts have required plaintiffs to “show that the delay in notification led to incremental harm.” The consumer did not do so here.
Moreover, the CRA requires businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.81.5. The Court held that the consumer “could have identified what made [mortgage company’s] security measures unreasonable by comparison to what other companies are doing, but simply knowing of higher-quality security measures is not sufficient to state a claim.”
The consumer’s claims under the Consumers Legal Remedies Act (CLRA) asserted that the mortgage company violated various provisions of Cal. Civ. Code § 1770(a)’s ban on unfair business practices that result “in the sale or lease of goods or services to any consumer.”
As you may recall, the CLRA defines “services” as “work, labor, and services for other than a commercial or business use, including services furnished in connection with the sale or repair of goods.” § 1761.
Here, the Court accepted the mortgage company’s argument that home loans do not qualify as “the sale of a service” under the CLRA, citing California Supreme Court authority that “ancillary services that insurers provide to actual and prospective purchasers of life insurance” do not count as a “service” under the CLRA because the activity centers on a “contractual obligation to pay money.” Fairbanks v. Superior Court, 46 Cal. 4th 56, 61, 65 (2009). Thus, the consumer’s CLRA claims were dismissed, but without leave to amend.
Lastly, the consumer claimed that the mortgage company violated California’s Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200, by supposedly engaging in unfair business practices by failing to provide sufficient security for his data.
Here, the Court noted that the consumer’s complaint failed to explain which theory he was advancing under the UCL. Although his opposition brief suggested the consumer relied upon his CLRA and CRA claims as predicates for an unlawful theory, because those causes of action failed to state a claim, and because the consumer failed to sufficiently allege “lost money or property,” as required, the consumer’s Unfair Competition Law claim also failed to state a cause of action and was dismissed with leave to amend.
The consumer amended his UCL claim, but the Court held the amendments were insufficient, and this time dismissed the UCL claim with prejudice. The Court noted that a UCL plaintiff must “have suffered an `injury in fact’ and `lost money or property as a result of such unfair competition.'” The consumer argued that he met this element because funds were withdrawn without his consent from his bank account. However, the Court noted, the consumer’s bank quickly reversed the transaction, and therefore the consumer suffered no “injury in fact,” as required.
Accordingly, the motion to dismiss the consumer’s putative class action lawsuit was granted with prejudice and without leave to amend.