Beyer v. Symantec Corp.

• Decision Date: 21 September 2018
• Docket Number: Case No. 18-cv-02006-EMC
• Citation: 333 F.Supp.3d 966
• Parties: Montgomery BEYER, Plaintiff, v. SYMANTEC CORPORATION, Defendant.
• Court: U.S. District Court — Northern District of California

333 F.Supp.3d 966

Montgomery BEYER, Plaintiff,

v.SYMANTEC CORPORATION, Defendant.

Case No. 18-cv-02006-EMC

United States District Court, N.D. California.

Signed September 21, 2018

Cassidy Kim, Noah M. Schubert, Robert C. Schubert, Willem F. Jonckheer, Schubert Jonckheer & Kolbe LLP, San Francisco, CA, for Plaintiff.

Laurence F. Pulgram, Ciara Nicole Mittan, Tyler Griffin Newby, Fenwick & West LLP, San Francisco, CA, Molly Roberta Melcher, Fenwick & West LLP, Mountain View, CA, for Defendant.

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS

Docket No. 17

EDWARD M. CHEN, United States District Judge

I. INTRODUCTION

Plaintiff Montgomery Beyer (hereafter "Beyer") brings the instant action alleging that certain network security software products sold by Defendant Symantec Corporation (hereafter "Symantec"), specifically network security software products sold or licensed to consumers under the Norton brand ("Norton Products") and to businesses under the Symantec brand ("Enterprise Products," and together with the Norton Products, the "Affected Products"), contained critical defects. See Docket No. 1 ("Compl.") ¶¶ 1-2. Beyer's allegations arise out of a report by Google Inc.'s team of expert cybersecurity analysts, Project Zero, which detail alleged vulnerabilities in a component of Symantec's software, the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25. Beyer argues that Symantec advertises that the Affected Products "protects against the latest online threats" or "protects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites" while knowing that its products suffered from a core decomposer engine defect that exposed entire computer operating systems to various security vulnerabilities. Id. ¶¶ 20-24. Beyer further argues that Symantec failed to disclose that it did not implement patches for third-party source code that it used throughout its product line, and various Symantec misrepresentations and omissions form the basis for his causes of action. Id.

Beyer asserts five causes of action, namely (i) a California Consumer Legal Remedies Act ("CLRA") claim, Cal. Civ. Code §§ 1750, et seq. , (ii) a California Song-Beverly Consumer Warranty Act claim, Cal. Civ. Code §§ 1790, et seq. , (iii) a California False Advertising Law ("FAL") claim, Cal. Bus. & Prof. Code §§ 17500, et seq. , (iv) a California Unfair Competition Law ("UCL") claim, Cal. Bus. & Prof. Code §§ 17200, et seq. , and (v) a claim for "Quasi-Contract/Unjust Enrichment." Id. ¶¶ 51-96. Beyer purports to represent a nationwide class combining persons who purchased and/or licensed an Affected Product between December 21, 2005 and September 19, 2016. Id. ¶¶ 1, 42-50. Beyer further asserts a consumer subclass for purposes of the claims under the CLRA and the Song-Beverly Act. Id. ¶ 43.

Symantec has moved to dismiss for (i) failure to plead the facts and circumstances of the alleged fraud with particularity under Fed. R. Civ. P. 9(b), (ii) failure to state a claim under Fed. R. Civ. P. 12(b)(6), and (iii) lack of Article III standing under Fed. R. Civ. P. 12(b)(1). For the following reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court also DISMISSES Beyer's Song-Beverly Act claim without prejudice. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.

II. FACTUAL AND PROCEDURAL BACKGROUND

The complaint alleges the following:

Symantec produces and sells security software under the Symantec and Norton brands. Both the Symantec and Norton products contain a key component called the AntiVirus Decomposer Engine. This component unpacks compressed executable files so that they can be scanned for malicious code. Id. ¶ 2. On June 28, 2016, Google's Project Zero team released a report on alleged vulnerabilities in the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25.

Beyer alleges that Project Zero discovered that the AntiVirus Decomposer Engine was defectively designed so that it unpacked files in the computer operating system's privileged core, which lies at the core of the computing environment and has unrestricted access to and writing permissions for the computer's files ("High Privilege Defect"). Id. ¶ 25. Specifically, Beyer alleges this Engine scanned for malicious files by unpacking and examining compressed executable files within the kernel or the root, which resulted from Symantec unnecessarily assigning the highest privilege levels to the file scanning and analysis function. Id. The exposure of potentially malicious files in this high-privilege environment opened the operating systems up to corruption. Id. ¶ 3. As such, Beyer suggests that Symantec violated a key cybersecurity best practice, the principle of least privilege, which states that software should operate using the least amount of privilege necessary to complete the task. Id. ¶ 26; see also id. ¶ 35-36 (it appears that Symantec also prescribes the best practice of "run[ning] the principle of least privilege where possible to limit the impact of exploit by threats" as far back as 2007.). Beyer further alleges that Symantec exposed users' computers to a "critical vulnerability" by failing to implement industry-standard security measures such as "sandboxing," i.e. , opening files in an isolated virtual environment separate from critical processes and programs. Id. ¶ 27. Beyer also alleges that Symantec relied on third party open source code to design this Engine but had failed to update the open source code for at least seven years, resulting in vulnerabilities that caused "total information disclosure" and "total compromise of system integrity" ("Outdated Source Code Defect"). Id. ¶¶ 29-30. As a result, Beyer alleges that Symantec sold software that did not conform to cybersecurity best practices, did not reasonably protect users' computer systems against online threats, and made users' computer systems more susceptible to cyberattacks than they would have otherwise been without the software. Id. ¶ 7.

Beyer alleges he purchased five Norton Products containing these defects. See Compl. ¶¶ 10, 20-24. He seeks recovery for the second and third purchases only. See Docket No. 22 ("Opp"), at 8 n.3. Beyer made his second purchase "in March 2009," when he bought Norton 360 Premier, v. 2.0 ("Second Software"). Id. ¶ 21. Beyer alleges that prior to making his purchase he reviewed the product page on Symantec's website, which represented that Norton 360 Premier, v. 2.0, " ‘defends you against a broad range of online threats’ through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates," and "provides ‘enhanced protection’ through ‘industry leading virus, spyware and firewall protection.’ " Id. He does not expressly allege that he relied on any of these statements. Id.

"That same year," Beyer purchased another Norton 360 Premier, v. 2.0, from Best Buy ("Third Software"). Id. ¶ 22. Prior to doing so, he "reviewed the relevant product page on Best Buy's website" and "relied on similar representations that the Third Software ‘[p]rotects against viruses, spyware, rootkits, identity theft, phishing scams, and fraudulent Web sites.’ " Id. Beyer does not allege that Symantec was responsible for the publication of these representations as opposed to, e.g. , Best Buy. However, he does allege that, "[t]o the best of his knowledge, Mr. Beyer also reviewed and relied upon the various comparable representations and statements on the software's packaging and box in connection with the purchase." Id. Plaintiff also generally alleges that "Plaintiff and the Consumer Subclass relied to their detriment on Defendant's misrepresentations and omissions in purchasing and licensing the Norton Products." Compl. ¶ 62.

III. DISCUSSION

A. Article III Standing as to the Enterprise Products

To satisfy Article III's case or controversy requirement, a plaintiff must demonstrate that he or she has suffered an injury in fact, that the injury is traceable to the defendant's conduct, and that the injury can be redressed by a favorable decision. See Fortyune v. Am. Multi-Cinema, Inc. , 364 F.3d 1075, 1081 (9th Cir. 2004). Here, Beyer purchased Norton Products and brings a putative class comprising anyone who purchased a Norton or Enterprise Product that contained critical defects. See Compl. ¶¶ 1-2, 42. Beyer alleges that both Norton Products and Enterprise Products incorporate the AntiVirus Decomposer Engine and were affected by the alleged security flaws. Id. ¶ 3. Symantec submits that Enterprise Products differ in that they permit the user to centrally manage the security and data on multiple machines. See Docket No. 17 ("Mot.") at 31 (citing Pulgram Decl., Ex. D). Symantec thus contends that there is no similarity in the potential injury, the essential element of the inquiry for Article III standing. See id.

However, this does not necessary deprive Beyer of standing to bring class allegations for purchasers of the Enterprise Products. The ability to centrally manage security data does not gainsay the fundamental defect in the way the Symantec products were designed. The same alleged defects exist in both lines of products. Compl. ¶ 3.

This Court, like others in the Northern District, has held that a plaintiff may proceed on class claims against unpurchased products if they are "substantially similar" to products he has purchased. Swearingen v. Late July Snacks LLC , No. 13-cv-4324-EMC, 2017 WL 4641896, at *5 (N.D. Cal. Oct. 16, 2017) (quoting Astiana v. Dreyer's Grand Ice Cream, Inc. , No. C-11-2901 EMC, 2012 WL 2990766 (N.D. Cal. July 20, 2012) ).

In Astiana , the plaintiffs challenged food labels on Dreyer's ice cream products, some of which they had not purchased. In that case,

Plaintiffs are challenging the same kind of food products (i.e. , ice cream) as well as the same labels for all of the products—i.e. , "All Natural Flavors" for the

...