In re Capital One Consumer Data Sec. Breach Litig.

Decision Date: 18 September 2020
Docket Number: MDL No. 1:19md2915 (AJT/JFA)
Citation: 488 F.Supp.3d 374
Court: U.S. District Court — Eastern District of Virginia
Parties: IN RE: CAPITAL ONE CONSUMER DATA SECURITY BREACH LITIGATION. This Document Relates to Consumer Cases
ORDER

Anthony J. Trenga, United States District Judge

Defendants Capital One and Amazon have filed Motions to Dismiss the Amended Corrected Representative Complaint. [Doc. 386] ("Capital One Motion"); [Doc. 394] ("Amazon Motion") (the "Motions").1 For the reasons stated herein, the Motions are GRANTED in part and DENIED in part as follows:

1. As to Count 1 (negligence), the negligence claims under the laws of Washington are dismissed; and the Motions are otherwise denied;
2. As to Count 2 (negligence per se ), the negligence per se claims under the laws of California, Florida, Texas, Virginia, and Washington are dismissed; and the Motions are otherwise denied;
3. As to Count 3 (unjust enrichment), the Motions are denied;
4. As to Count 4 (declaratory judgment), the Motions are denied;
5. As to Count 5 (breach of confidence), the breach of confidence claims under the laws of California, New York, Texas, Virginia, and Washington are dismissed; and the Motions are otherwise denied;
6. As to Count 6 (breach of contract), the Capital One Motion is denied;
7. As to Count 7 (breach of implied contract), the Capital One Motion is denied;
8. As to Count 8 (California Unfair Competition Law), the Motions are denied;
9. As to Count 9 (California Consumer Legal Remedies Act), the Motions are denied;
10. As to Count 10 (Florida Deceptive and Unfair Trade Practices Act), the claim against Capital One is dismissed as abandoned; and the Motions are otherwise denied;
11. As to Count 11 (New York General Business Law), the Motions are denied;
12. As to Count 12 (Texas Deceptive Trade Practices Act—Consumer Protection Act), the Motions are denied;
13. As to Count 13 (Virginia Personal Information Breach Notification Act), the Motions are denied;
14. As to Count 14 (Washington Data Breach Notification Act), the Motions are denied; and
15. As to Count 15 (Washington Consumer Protection Act), the Motions are denied.
I. BACKGROUND

The following facts are alleged in Plaintiffs' Amended Corrected Representative Consumer Class Action Complaint [Doc. 826] ("Amended Complaint" or "Am. Compl."), which are accepted as true for purposes of this Order.2 See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555-56, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).

On July 29, 2019, Capital One announced it had experienced a data breach of Capital One's Amazon Web Services ("AWS") cloud environment where Capital One was storing consumers' confidential personal information ("PII") (the "Data Breach"). The Data Breach was the result of a well-known vulnerability of the AWS cloud to an SSRF (server-side request forgery) attack. See id. ¶¶ 2, 46-61. Over 100 million people in the United States and six million people in Canada were affected. Am. Compl. ¶¶ 1, 62. Amazon has described the Data Breach through this alleged SSRF breach as follows:

As Capital One outlined in their public announcement, the attack occurred due to a misconfiguration error at the application layer of a firewall installed by Capital One, exacerbated by permissions set by Capital One that were likely broader than intended. After gaining access through the misconfigured firewall and having broader permission to access resources, we believe a SSRF attack was used (which is one of several ways an attacker could have potentially gotten access to data once they got in through the misconfigured firewall).

Id. ¶ 70.
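Amazon's statement attributes part of the impact to permissions that were "broader than intended." A check defenders routinely run against IAM policy documents is to flag Allow statements that grant service-wide wildcard actions, apply to every resource, or use negated matchers (NotAction/NotResource), each of which widens a role far beyond what one workload needs. The Python below is an added example written for this page, not code from Capital One, Amazon, Cloud Custodian or the court record; the two policy documents are constructed for illustration (the account id is AWS's documented example id and the key id is a placeholder), and the function names are assumptions.

```python
import json

# Two constructed IAM policy documents used only to illustrate the check;
# neither is a policy from Capital One, Amazon or the court record.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-uploads-bucket/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy_json: str):
    """Return (statement_index, finding, values) for each Allow statement that
    grants a wildcard action (full '*' or service-wide such as 's3:*'), applies
    to every resource ('*'), or uses NotAction/NotResource, which combined with
    Allow grants everything except the listed items.

    A resource wildcard scoped inside a bucket (arn:aws:s3:::bucket/*) is not
    flagged: it limits the grant to one bucket, which is the point of scoping."""
    doc = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((i, f"negated matcher {key}", _as_list(stmt[key])))
        wild_actions = [a for a in _as_list(stmt.get("Action"))
                        if a == "*" or a.endswith(":*")]
        if wild_actions:
            findings.append((i, "service-wide wildcard action", wild_actions))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "wildcard resource", ["*"]))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_grants(policy))
```

The second statement in the broad policy is the one that matters most for the scenario the complaint describes: a decrypt permission attached to every key means that whoever holds the role's credential also holds the ability to read encrypted data, so encrypting at rest adds nothing against that credential.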

Despite the sophisticated nature of the hack, id. ¶ 72, Defendants were well aware of the AWS cloud's vulnerabilities to unauthorized access through an SSRF attack, id. ¶¶ 46-49. Nevertheless, Capital One chose to place and aggregate its most sensitive consumer information on these susceptible servers and behind AWS's flawed firewall, id. ¶¶ 44, 47-50. In an attempt to protect against this vulnerability, Capital One and Amazon jointly developed a product called Cloud Custodian, whose purpose was to address the SSRF threat by encrypting data on the AWS servers. Id. ¶¶ 56-58. But these efforts were inadequate to secure Capital One customers' data. Id. ¶ 58. Indeed, if an unauthorized individual were able to gain access to a credential in the AWS cloud environment, known technically as an "Identity Access Management" role, the credential would allow the unauthorized individual broad access beyond the firewall protecting the cloud and automatic decryption of the data stored in the cloud. Id. ¶¶ 47-54, 58-61. In other words, once inside the AWS server environment, any individual could access, in Capital One's internal servers, an aggregated collection of customers' PII (a data lake); this is the precise vulnerability exploited to exfiltrate Capital One's customer data in the Data Breach. See id. ¶¶ 65-73.
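The chain the complaint describes, an SSRF that reaches resources behind the firewall, is mitigated at the application layer by validating every server-initiated outbound request before it is sent: the destination host must be on an allow-list, and neither a literal address in the URL nor the address the name resolves to may fall in loopback, private, or link-local ranges (the last being where cloud instance metadata services are served). The following Python is an added example written for this page, not code from Capital One, Amazon, Cloud Custodian or the court record; the allow-listed hosts, the name-to-address table standing in for DNS (so the example runs offline), and the function names are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hosts this service is expected to fetch from. Constructed for the example;
# a real deployment derives this from configuration.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed name-to-address table that stands in for DNS so the example
# runs offline. The addresses are illustrative only.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35"],
    "internal.corp.example": ["10.0.0.5"],
}


def is_internal(addr) -> bool:
    """True for any address an outbound fetch must never reach: loopback,
    private (RFC 1918 / ULA), link-local (cloud instance metadata services live
    here), multicast, reserved or unspecified."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolve=FAKE_DNS.get):
    """Decide whether a server-side fetch of `url` may proceed.

    Returns (allowed, reason). `resolve` maps a hostname to its addresses and
    defaults to the constructed table above."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not permitted"
    host = parts.hostname  # userinfo, IPv6 brackets and port already stripped
    if not host:
        return False, "no host"

    # A literal IP in the URL bypasses name resolution, so judge it directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if is_internal(literal):
            return False, "internal address"
        return False, "literal IP not allow-listed"

    if host not in ALLOWED_HOSTS:
        return False, "host not allow-listed"

    # Defence in depth: an allow-listed name must still not resolve inward
    # (catches a rebinding or a compromised DNS zone).
    addrs = resolve(host) or []
    if not addrs:
        return False, "unresolvable host"
    for a in addrs:
        if is_internal(ipaddress.ip_address(a)):
            return False, f"{host} resolves to internal address {a}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items",
              "http://[::1]/",
              "http://api.example.com@10.0.0.5/",
              "http://internal.corp.example/"):
        print(u, check_outbound_url(u))
```

Two design points are worth noting. The literal-address branch runs before the allow-list so that an address can never be accepted merely because it is not a name; and `urlsplit(...).hostname` is used rather than `netloc`, so a URL carrying userinfo such as `http://api.example.com@10.0.0.5/` is judged on the real host (`10.0.0.5`), not on the decoy in front of the `@`.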

The Data Breach's occurrence is well documented. Capital One's logs showed a hacker's connections or attempted connections to the AWS server in March and April 2019. However, it was not until July 17, 2019, approximately four months after the Data Breach, that Capital One received an e-mail through its responsible disclosure program raising the possibility that someone had stolen data stored in Capital One's AWS cloud environment. Id. ¶¶ 64-65. Shortly thereafter, the person accused of perpetrating the attack, former AWS systems engineer Paige Thompson, was arrested and indicted in federal court. As alleged in the criminal complaint, Thompson gained unauthorized access to Capital One's AWS environment primarily by exploiting a Web Application Firewall ("WAF") that monitored traffic to and from Capital One's AWS cloud environment. Id. ¶¶ 65, 67. By exploiting the WAF, Thompson was able to retrieve, access, and exfiltrate data from a portion of the AWS Simple Storage Service buckets in Capital One's AWS environment. Id. ¶ 67. Thompson ultimately stole approximately 1.75 terabytes of data on March 22-23, 2019. In addition to the access on March 22 and 23, 2019, Thompson had also scanned, probed, or accessed Capital One's network on five (5) further occasions over a three-month period: March 4, March 12, April 2, April 19, and May 26, 2019.

Id. ¶ 74. And as further detailed in the criminal complaint, on April 21, 2019, Thompson publicly posted on Github instructions on how she carried out the SSRF attack. Id.3 Thompson then posted openly on Twitter and on public Slack channels over the course of several months that she found huge files of data intended to be secured on various AWS cloud servers—including the cloud server for Capital One. Id. ¶¶ 78-82.

Plaintiffs seek to represent a putative nationwide class of all individuals whose personal information was compromised in the Data Breach, id. ¶ 146, as well as statewide subclasses of affected individuals in California, Florida, New York, Texas, Virginia, and Washington, id. ¶ 148. Plaintiffs allege that, as a result of the Data Breach, they suffered various harms including mitigation efforts or expenses (such as time and money spent placing credit freezes on their accounts, setting up credit alerts, and purchasing credit monitoring), diminution in the value of their personal information, and increased risk of future identity theft or other fraud. See Am. Compl. ¶¶ 18-27, 142. Plaintiffs also allege they "did not receive the benefit of their bargain" because, had they known the "truth" about Capital One's "data security practices," they would not have applied for Capital One credit cards or been willing to pay as much as they did for Capital One's services. Id. ¶ 145. Finally, a subset of seven Plaintiffs—Behar, Gershen, Palencia, Spacek, Sharp, Tada, and Zielicke—allege that they "experienced identity theft and fraud," id. ¶¶ 20, 21, 23, 27, or have identified unauthorized activity on their accounts, such as unauthorized charges or attempts to open new accounts after the Data Breach, id. ¶¶ 19, 24, 26.

In the Amended Complaint, Plaintiffs assert the following seven (7) causes of action on behalf of a putative nationwide class of all persons whose PII was compromised in the Data Breach: (1) negligence (Count 1); (2) negligence per se (Count 2); (3) unjust enrichment (Count 3); (4) declaratory judgment (Count 4);4 (5) breach of confidence (Count 5); (6) breach of implied contract (Count 6); and (7) breach of contract (Count 7).5 Am. Compl. ¶¶ 160-229. The Amended Complaint also asserts claims under California, Florida,6 New York, Texas, and Washington consumer protection statutes and Virginia and Washington data breach notification statutes (Counts 8-15). Id. ¶¶ 230-310.

II. LEGAL STANDARD

A Rule 12(b)(6) motion to dismiss tests the legal sufficiency of the complaint. See Randall v. United States, 30 F.3d 518, 522 (4th Cir. 1994); Republican Party of N.C. v. Martin, 980 F.2d 943, 952 (4th Cir. 1993). A claim should be dismissed "if, after accepting all well-pleaded allegations in the plaintiff's complaint as true ... it appears certain that the plaintiff cannot prove any set of facts in support of his claim entitling him to relief." Edwards v. City of Goldsboro, 178 F.3d 231, 244 (4th Cir. 1999); see also Trulock v. Freeh, 275 F.3d 391, 405 (4th Cir. 2001). In considering a motion to dismiss, "the material allegations of the complaint are taken as admitted," Jenkins v. McKeithen, 395 U.S. 411, 421, 89 S.Ct. 1843, 23 L.Ed.2d 404 (1969) (citations omitted), and the court may consider exhibits attached to the complaint, Fayetteville Investors v. Commercial Builders, Inc., 936 F.2d 1462, 1465 (4th Cir. 1991). Moreover, "the complaint is to be liberally construed in favor of plaintiff." Id.; see also Bd. of Trustees v. Sullivant Ave. Properties, LLC, 508 F. Supp. 2d 473, 475 (E.D. Va. 2007).

In addition, a motion to dismiss must be assessed in light of Rule 8's liberal pleading standards, which require only "a short and plain...
