Schmitt v. SN Servicing Corp., 21-cv-03355-WHO

Decision Date: 09 August 2021
Docket Number: 21-cv-03355-WHO
Court: U.S. District Court — Northern District of California
Parties: DESIREE SCHMITT, et al., Plaintiffs, v. SN SERVICING CORPORATION, AN ALASKA CORPORATION, Defendant.

ORDER DENYING IN PART AND GRANTING IN PART MOTION TO DISMISS WITH LEAVE TO AMEND

Re: Dkt. No. 14

William H. Orrick United States District Judge

Plaintiffs Desiree Schmitt and James Furth bring this lawsuit against defendant SN Servicing Corporation (SNSC) on behalf of a nationwide class of impacted borrowers for claims arising out of a data breach incident that occurred on SNSC's system in late 2020. On SNSC's motion to dismiss, I find that although plaintiffs can assert California law claims as Ohio residents given allegations that SNSC's principal place of business is in California and that they were harmed by critical decisions SNSC made in California, they fail to plausibly plead the elements of those claims. The negligence claim fails because they do not allege that SNSC had a legal duty to protect the kind of information that was revealed in the data breach. For the same underlying reason, the invasion of privacy claim fails because they do not allege a serious invasion of a protected privacy interest. And the conclusory allegations they provide are insufficient to state a claim for violation of California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq. For the “unlawful” prong, they simply allege that SNSC violated five statutes, without pleading with particularity how the facts of this case pertain to each specific statute and whether the statute can form a basis for a UCL claim. For the “unfair” prong, they do not sufficiently plead policy considerations based on California privacy statutes to satisfy either the “tethering test” or the “balancing test”. Accordingly, SNSC's motion to dismiss is DENIED in part and GRANTED in part with leave to amend.

BACKGROUND

SNSC is a financial services corporation that specializes in servicing of residential, small balance commercial, consumer and unsecured loans. Complaint (“Compl.”) [Dkt No. 1-1] ¶ 16. It is incorporated in Alaska, with a principal place of business in Eureka, California. Id. ¶ 3. Plaintiffs Desiree Schmitt and James Furth are residents of Ohio and were customers of SNSC's services. Id. ¶¶ 1-2.

On or about October 14, 2020, a ransomware-threat group known as “Mount Locker” (the “Unauthorized Party”) deployed ransomware into SNSC's system and successfully acquired a number of digital files maintained by SNSC (hereinafter the “data breach” incident). Id. ¶ 62. According to a third-party cybersecurity forensics investigator hired by SNSC, the exfiltration of data from SNSC by the Unauthorized Party ended on or about October 15, 2020. Id. ¶ 17. Plaintiffs allege that the Unauthorized Party was able to exfiltrate the “personal and financial information” of approximately 20,155 borrowers, including citizens of the State of California. Id. ¶¶ 18-19. Despite learning of the data breach on or around October 15, 2020, SNSC did not send a “Data Breach Notification” letter to plaintiffs and class members until January 14, 2021. Id. ¶ 20; see id., Ex. 1.[1]

The Data Breach Notification letter, which Schmitt and Furth claim they received, states that “the preliminary investigation revealed that the data acquired by the Unauthorized Party includes March 2018 billings statements and fee notices that contain the borrower's personal and financial information including, among other information, borrower names, addresses, loan numbers, balance information, and billing information such as charges assessed, owed, and/or paid.” Id. ¶¶ 22, 40, 45. The Data Breach Notification letter further states that “SNSC is still in the process of conducting an investigation of the incident to determine if additional personal and financial information pertaining to [plaintiffs] was exfiltrated.” Id. ¶¶ 40, 45. In a separate January 14, 2021 letter to the New Hampshire Attorney General, SNSC stated that “it had hired a third party e-discovery vendor to conduct a ‘data mining’ review of the documents that were identified to have been exfiltrated to determine whether additional personal and financial information was compromised.” Id.

Plaintiffs allege that personal and financial information is “such a valuable commodity to identity thieves that once information has been compromised, criminals often trade the information on the ‘cyber black-market’ for years.” Id. ¶ 34. Accordingly, they contend, there is a “strong probability” that their stolen information is, or soon will be, on the cyber black-market, placing them and other class members “at an increased risk of fraud and identity theft for many years into the future.” Id. ¶ 35. As a result of the data breach, and as recommended by the Data Breach Notification letter, plaintiffs assert that they must now be “vigilant and review their credit reports for incidents of identity theft, and educate themselves about security freezes, fraud alerts, and other steps to protect themselves against identity theft.” Id. ¶ 24.

In particular, Schmitt alleges that she “purchased credit monitoring with Lifelock at an annual cost of more than $200.00, as well as LastPass password manager, which is a monthly password manager and password vault application subscription service that costs $3.00 per month, and YubiKey password protection at a cost of more than $90.00.” Id. ¶ 41. Furth contends that he too “purchased Lifelock identify protection at an annual cost of $99.48” after the data breach. Id. ¶ 46. Both claim that they have “spent time and energy protecting and monitoring [their] identity and credit” and will have to “spend additional time and energy in the future continuing to monitor and protect [their] identity and credit.” Id. ¶¶ 42, 47. Schmitt alleges that she “spent at least 10 hours changing hundreds of passwords related to her business and personal accounts.” Id. ¶ 42. Both allege that they “suffered anxiety, emotional distress, and loss of privacy” as a result of the data breach. Id. ¶¶ 42, 47.

Plaintiffs claim that SNSC started to undertake the “basic steps” recognized in the industry to protect their and other class members' personal and financial information only after an Unauthorized Party was able to exfiltrate a large amount of data. Id. ¶ 23. As the Data Breach Notification letter indicates, SNSC began bolstering its cybersecurity posture after the data breach incident “by replacing email filtering tools, malware software, and Internet monitoring tools with more robust solutions that utilizes AI to detect and block known and newly introduced malware, and block all inbound and outbound Internet, email, and network traffic to foreign countries.” Id. Because of SNSC's failure to “create, maintain, and/or comply with necessary cybersecurity requirements,” plaintiffs allege that SNSC “was unable to protect borrower's information and confidentiality, and protect against obvious and readily foreseeable threats to information security and confidentiality or unauthorized access to personal and financial information, resulting in the Data Breach.” Id. ¶ 27.

Plaintiffs filed this lawsuit in San Francisco County Superior Court on March 12, 2021, bringing the following three claims on behalf of a nationwide class of borrowers impacted by the data breach: (i) negligence; (ii) invasion of privacy; and (iii) relief under the “unlawful” and “unfair” prongs of the UCL. On May 5, 2021, SNSC removed the action to this court and subsequently filed a motion to dismiss for failure to state a claim. Notice of Removal [Dkt. No. 1]; Defendant SN Servicing Corporation's Motion to Dismiss Plaintiffs' Complaint [Dkt. No. 14].

LEGAL STANDARD

Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” See Twombly, 550 U.S. at 555, 570.

In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” See In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008).

DISCUSSION
I. CALIFORNIA CLAIMS BY NON-CALIFORNIA PLAINTIFFS

While California has a presumption against extraterritorial application of its own law, Sullivan v. Oracle Corp., 51 Cal.4th 1191, 1207 (2011), “state statutory remedies may be invoked by out-of-state parties when they are harmed by wrongful conduct occurring in California.” In re iPhone 4S Consumer Litig., No. C 12-1127 CW, 2013 WL 3829653, at *7 (N.D. Cal. Jul. 23, 2013) (quoting Norwest Mortg., Inc. v. Superior Ct., 72 Cal.App.4th 214, 224-225 (1999)). To determine whether sufficient wrongful conduct occurred in California, courts consider where the defendant does business,...
