Foster v. Essex Prop., Inc.
| Decision Date | 20 January 2017 |
| Docket Number | Case No. 5:14-cv-05531-EJD |
| Court | U.S. District Court — Northern District of California |
| Parties | MARK FOSTER, et al., individually and on behalf of all others similarly situated, Plaintiffs, v. ESSEX PROPERTY, INC., Defendant. |
Plaintiffs Mark and Akiko Foster ("Plaintiffs") bring this putative class action against Defendant Essex Property Trust, Inc. ("Essex") asserting various state law claims arising out of a data breach. Federal jurisdiction arises pursuant to 28 U.S.C. § 1332(d). Presently before the court is Essex's Motion to Dismiss Plaintiffs' First Amended Complaint ("FAC"). Dkt. No. 28. Having carefully considered the parties' briefing, the Motion to Dismiss will be granted for the reasons explained below.
Essex is a real estate trust that develops, redevelops, and manages multifamily communities in Northern California, Southern California, and the Seattle Metro areas. FAC, Dkt. No. 27, at ¶ 16. Plaintiffs are a married couple that previously leased an apartment from Defendant. Id. at ¶ 8. Plaintiffs allege that during the application process "required by Essex prior to leasing a property from it," they provided Essex with "sensitive personal and financial information," or "PII," which category of information includes "customer names, mailing addresses, email addresses, and birth dates, as well as credit and debit card numbers, employment information, including salaries, social security numbers and other personal information." Id. at ¶¶ 1, 3, 9. Plaintiffs also provided Essex with authorization to perform a credit check on each of their credit histories. Id. at ¶ 9. They allege that Essex then kept their PII on its computer systems, servers and databases "in perpetuity, regardless of whether a consumer terminated his or her relationship with Essex." Id. at ¶ 4.
Although the dates are not revealed, the FAC suggests that Essex sustained one or more security breaches to its computer network after it received Plaintiffs' PII. Id. at ¶ 2. Plaintiffs contend that as a result of the breach, their PII was revealed to "cyber criminals." Id. at ¶¶ 2, 5. They believe these individuals then "made unauthorized charges on their credit cards and exposed them to a greater risk of identity theft and fraud." Id. at ¶ 10. The FAC contains an itemized list of the unauthorized charges made to Mark Foster's credit card, which Plaintiffs allege were the result of Essex's failure to employ "reasonable, industry-standard, or appropriate security measures" to protect sensitive information. Id. at ¶¶ 10, 19.
Essex moved to dismiss Plaintiffs' original complaint, which motion the court granted for failure to prove standing. Plaintiffs then filed the FAC and assert the following claims: (1) violation of the Unfair Competition Law, California Business and Professions Code § 17200 et seq.; (2) violation of the Consumer Legal Remedies Act, California Civil Code § 1750 et seq.; (3) violation of California Civil Code § 1798.80 et seq; and (4) negligence.
Although Essex brings this motion under two sections of Federal Rule of Civil Procedure 12, only one requires discussion.
A motion brought under Rule 12(b)(1) challenges subject matter jurisdiction, and may be either facial or factual. Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). A "factual" attack, like the one presented here, "contests the truth of the plaintiff's factual allegations, usually by introducing evidence outside the pleadings." Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014). "If the moving party converts 'the motion to dismiss into a factual motion by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matterjurisdiction.'" Wolfe, 392 F.3d at 362. The court may review this evidence without converting the motion into a motion for summary judgment." Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). Because it is presumed "that federal courts lack jurisdiction unless the contrary appears affirmatively from the record, the party asserting federal jurisdiction when it is challenged has the burden of establishing it." DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 342 n.3 (2006) (quoting Renne v. Geary, 501 U.S. 312, 316 (1991) (internal quotation marks and citation omitted)).
Standing can be properly challenged through a Rule 12(b)(1) motion. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000). Since standing is "an indispensable part of the plaintiff's case, each element must be supported in the same way as any other matter on which the plaintiff bears the burden of proof." Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992).
Essex again argues that Plaintiffs failed to establish standing to assert their claims. The court agrees.
The constitutional standing doctrine "functions to ensure, among other things, that the scarce resources of the federal courts are devoted to those disputes in which the parties have a concrete stake." Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc., 528 U.S. 167, 191 (2000). It "is a doctrine rooted in the traditional understanding of a case or controversy" and "limits the category of litigants empowered to maintain a lawsuit in federal court to seek redress for a legal wrong." Spokeo v. Robins, 136 S. Ct. 1540, 1547 (2016). Standing to sue is also a jurisdictional requirement that cannot be waived. City of Los Angeles v. Cty. of Kern, 581 F.3d 841, 845 (9th Cir. 2009).
Generally, the inquiry critical to determining the existence of standing under Article III of the Constitution is "'whether the litigant is entitled to have the court decide the merits of the dispute or of particular issues.'" Allen v. Wright, 468 U.S. 737, 750-51 (1984) (quoting Warth v. Seldin, 422 U.S. 490, 498 (1975)). Three basic elements must be satisfied: (1) an "injury in fact,"which is neither conjectural or hypothetical, (2) causation, such that a causal connection between the alleged injury and offensive conduct is established, and (3) redressability, or a likelihood that the injury will be redressed by a favorable decision. Lujan, 504 U.S. at 560-61. If the plaintiff fails to establish these elements, "an Article III federal court therefore lacks subject matter jurisdiction over the suit [and i]n that event, the suit should be dismissed under Rule 12(b)(1)." Cetacean Cmty. v. Bush, 386 F.3d 1169, 1174 (9th Cir. 2004).
"In a class action, standing is satisfied if at least one named plaintiff meets the requirements." Bates v. United Parcel Serv., Inc., 511 F.3d 974, 985 (9th Cir. 2007). "The plaintiff class bears the burden of showing that the Article III standing requirements are met." Id.
The court now examines the FAC and the parties' arguments with the above authority in mind.
Through a factual challenge to standing, Essex first argues that Plaintiffs were not injured as a result of the security breaches to Essex's computer network because their credit card and other personal information was not stored on the system. Essex submitted two declarations in support of that argument. In the first, the former Senior Manager of IT for Essex, Kevin Moller, states that Essex's internal computer system was the only one subject to the security breach announced in September, 2014. Decl. of Kevin Moller, Dkt. No. 28, at ¶ 3. He also states that "[n]o credit card information for any residents at Essex properties was stored on Essex's internally-hosted system in the regular course of business," and that Plaintiffs' resident information was never transferred to or stored on Essex's internally-hosted system. Id. at ¶ 5. Based on these two facts, Moller concludes that "it is not possible that the cyber-attack on the Essex internal network led to or facilitated any alleged unauthorized charges on [Plaintiffs'] credit cards." Id. at ¶ 7. In addition, Moller concludes that the security breach of Essex's internal system "could not have resulted in the disclosure of personal information about [Plaintiffs] because there is no personal information about [Plaintiffs] that is or was stored on the system that was the subject" of the breach. Id. at ¶ 11.
In the second declaration, Essex's Customer Care and Collections Manager, Lisa Demeter, reviewed Plaintiffs' rental file and determined that Plaintiffs did not provide their credit or debit card information with their rental applications, and that Plaintiffs paid the application fee and holding deposit with a check. Decl. of Lisa Demeter, Dkt. No. 29, at ¶ 4. Demeter also determined that Plaintiffs never paid rent using a credit and debit card, and any information obtained from a credit check or suitability screening of Plaintiffs was printed out and placed in a paper file and "never stored or retained on Essex's computer system." Id. at ¶¶ 10, 14.
These declarations undermine the allegations critical to Plaintiffs' Article III standing. Specifically, the descriptions of what information was collected from Plaintiffs, and what does and does not exist on Essex's internal computer system, contradict the factual claims that Essex induced Plaintiffs to provide it with credit card information and kept Plaintiffs' PII on the network that was ultimately breached. Since Moller and Demeter state that Plaintiffs' credit card information was never collected and that their PII was never stored on the internal computer system in any event, the allegation that cyber criminals obtained Plaintiff's PII through a breach of Essex's internal system is factually impossible. Essex, therefore, has presented enough evidence to contest the truth of the FAC's standing allegations. See Safe Air for Everyone, 373 F.3d at 1039 (...
To continue reading
Request your trial