Opinion
Case No. 13-cv-01834-JST
08-23-2013
KATHLEEN HASKINS, Plaintiff, v. SYMANTEC CORPORATION, Defendant.
ORDER GRANTING MOTION TO
DISMISS
ECF No. 22
Before the Court is Defendant Symantec Corporation's ("Symantec") Motion to Dismiss Plaintiff's First Amended Complaint ("Motion"). ECF No. 22. The Court has carefully considered the papers filed in support of the motion and finds the matter appropriate for resolution without oral argument. See Civil L.R. 7-1(b). The hearing scheduled for August 29, 2013 is therefore VACATED.
I. BACKGROUND
A. Factual Background
The Court accepts the following allegations as true for the purpose of resolving Defendant's motion to dismiss. Cahill v. Liberty Mutual Ins. Co., 80 F.3d 336, 337-38 (9th Cir. 1996).
Symantec provides security, storage, and systems management to consumers, small businesses, and large global organizations through its antivirus, data management utility and enterprise software products. First Amended Complaint ("FAC"), ECF No. 17, ¶ 3. In 2006, hackers infiltrated Symantec's network and stole the source code for the 2006 versions of pcAnywhere, Norton SystemWorks, Norton Antivirus Corporate Edition and Norton Internet Security (which Plaintiff identifies in the FAC the "Compromised Symantec Products"). Id. ¶ 18. The stolen Symantec source code includes instructions written in various computer programming languages, and comments made by engineers to explain the design of the software. Id. ¶ 12. According to Plaintiff, the source code is considered the "crown jewel" of the software, and Symantec's "most precious asset." Id. ¶ 13. "Symantec suspected in 2006 its network had been breached and its source code stolen," and did not disclose the breach or source code theft until the hackers revealed the breach in January 2012. Id. ¶ 2. By not disclosing the breach and presenting the "Compromised Symantec Products" as if no such breach occurred, Plaintiff and Class Members were "[led] to believe the Compromised Symantec Products were secure and completely functional as advertised." Id. Therefore, Plaintiff alleges that the "Compromised Symantec Products" were not fully secure and functional as advertised. Id. ¶ 29.
The Court also uses this term throughout this order for ease of discussion. This does not reflect any judgment by the Court regarding the appropriateness of the label.
Plaintiff Kathleen Haskins ("Plaintiff") purchased Symantec's Norton Antivirus software online directly from Symantec during late 2007 or early 2008 and renewed the software annually. Id. ¶ 8. Plaintiff's version of Norton Antivirus "contained all or a portion of the compromised 2006 source code." Id. Plaintiff alleges that she purchased Norton Antivirus "for the reasons advertised" and points to two statements on Symantec's website that allegedly advertise a fully functional Symantec product:
Symantec is "a global leader in providing security, storage and systems management solutions" to consumers, small businesses and large global organizations to "secure and manage their information against more risks at more points, more completely and efficiently than any other company" through its antivirus, data management utility and enterprise software products. Symantec's product "focus is to eliminate risks to information, technology and processes independent of the device, platform, interaction or location."Id. ¶¶ 8-9. As a result, "Plaintiff did not receive the fully functional Symantec data and system security software for which she paid." Id.
B. Procedural Background
Plaintiff brings this proposed class action against Symantec on behalf of herself and a proposed class ("Proposed Class") of individuals who "purchased, leased and/or licensed pcAnywhere, Norton SystemWorks (Norton Utilities and Norton GoBack), Norton Antivirus Corporate Edition and Norton Internet Security software that contain all or a portion of the 2006 version of the source codes for such products." FAC ¶ 1. Plaintiff alleges that because Symantec failed to disclose the security breach, Plaintiff and the Proposed Class were deprived of the benefit of their bargain because they did not receive a fully functional Symantec product. FAC ¶ 2. Plaintiff asserts the following five claims against Symantec: (1) Violations of the Consumer Legal Remedies Act, California Civil Code § 1750, et seq. ("CLRA"); (2) Unfair Competition, California Business and Professions Code §17200, et seq. ("UCL"); (3) Breach of Contract (4) Breach of Warranty; and (5) Money Had and Received. FAC, ¶¶ 41-71.
Symantec has filed a Motion to Dismiss on the grounds that Plaintiff lacks Article III standing, that Plaintiff has not pled her fraud-based claims with sufficient particularity to satisfy Rule 9(b) of the Federal Rules of Civil Procedure, and that each of Plaintiff's claims fail to state a claim upon which relief can be granted.
C. Jurisdiction
Plaintiff asserts, and Symantec does not deny, that Plaintiff is a citizen of Texas and that Symantec is a Delaware corporation with its principal place of business in California. FAC ¶¶ 8-9. Therefore, assuming that Plaintiff has standing, see Part II, infra., the Court would have subject-matter jurisdiction over this action pursuant to the Class Action Fairness Act ("CAFA"), 28 U.S.C. § 1332(d), because there are 100 or more Class Members, at least one Class Member is a citizen of a state diverse from Symantec's citizenship, and the matter in controversy exceeds $5,000,000 exclusive of interest and costs.
D. Legal Standard
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(1) tests the subject matter jurisdiction of the Court. When subject matter jurisdiction is challenged, "the party seeking to invoke the court's jurisdiction bears the burden of establishing that jurisdiction exists." Scott v. Breeland, 792 F.2d 925, 927 (9th Cir.1986); see also Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994). "Article III's case-or-controversy requirement . . . provides a fundamental limitation on a federal court's authority to exercise jurisdiction . . . [and] 'the core component of standing is an essential and unchanging part of the case-or-controversy requirement of Article III.'" Nuclear Info. & Res. Serv. v. Nuclear Regulatory Comm'n, 457 F.3d 941, 949 (9th Cir. 2006) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)).
To establish Article III standing, plaintiffs must satisfy three elements: (1) "injury in fact — an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical"; (2) causation — "there must be a causal connection between the injury and the conduct complained of — the injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court; and (3) redressability — "it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Lujan, 504 U.S. at 560-61 (internal quotation marks and citations omitted).
Although Plaintiff asserts her claims on behalf of a class, she must allege that she personally suffered an injury. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003) ("if none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class."). "That a suit may be a class action . . . adds nothing to the question of standing, for even named plaintiffs who represent a class 'must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.'" Simon v. E. Kentucky Welfare Rights Org., 426 U.S. 26, 40, n. 20 (1976) (quoting Warm v. Seldin, 422 U.S. 490, 502 (1975)).
II. ANALYSIS
The Court addresses Article III standing before turning to any of Symantec's alternative grounds for dismissal, since "jurisdiction [must] be established as a threshold matter." Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 95 (1988).
Symantec argues that Plaintiff fails to adequately allege injury-in-fact for three reasons. First, since Plaintiff has not alleged that she has actually suffered from any security breach as a result of purchasing a compromised product, Symantec argues that Plaintiff has only alleged a conjectural or hypothetical possibility of injury. But Plaintiff does not claim that her injury stems from any current or future security breach; she argues instead that she "was deprived of the benefit of her bargain; to wit, although Plaintiff paid for an uncompromised version of the Norton Antivirus software, she received a compromised version of the Product . . . [and thus,] lost money on the purchase of the product." FAC, ¶ 8.
Second, Symantec argues that Plaintiff cannot show that she was deprived of the benefit of the bargain because she has not identified any representations on which she relied when she purchased Norton Antivirus. This is an argument that Plaintiff has failed to state a claim rather than an argument about Plaintiff's standing. Plaintiff argues that the facts, as pled, establish that she has suffered harm from the purchase of Symantec's Norton Antivirus product. If she is right, she has a viable claim, and if she is wrong, she does not. But there is nothing about her relationship to the purported injury that renders the Court without jurisdiction to determine the question. The purpose of standing doctrine is to ensure that "plaintiff's claims arise in a 'concrete factual context' appropriate to judicial resolution" and that "the suit has been brought by a proper party." Arakaki v. Lingle, 477 F.3d 1048, 1059 (9th Cir. 2007) (quoting Valley Forge Christian Coll. v. Ams. United For Separation of Church & State, Inc., 454 U.S. 464, 472 (1982)). The 'injury-in-fact' analysis is not intended to be duplicative of the analysis of the substantive merits of the claim.
In its motion, Symantec makes essentially the same arguments about 'injury in fact' that it makes regarding Plaintiff's failure to state a claim. Compare Motion, at 7:23-8:9 with id., at 14:23-15:26, 16:16-25, 20:19-22:16.
Finally, Symantec argues that Plaintiff does not have standing because the software she purchased, Norton Antivirus, is not one of the products Plaintiff identified as a "Compromised Symantec Product[]." This is a valid standing argument, since "the injury in fact test . . . requires that the party seeking review be himself among the injured." Lujan, 504 U.S. at 563.
The FAC states that hackers "stole the source code for the 2006 versions of pcAnywhere, Norton SystemWorks (Norton Utilities and Norton GoBack), Norton Antivirus Corporate Edition and Norton Internet Security," and the Proposed Class is comprised of persons and entities that purchased those four products. FAC, ¶¶ 1-2. But Plaintiff purchased a different product: Norton Antivirus. Id., ¶ 9.
The FAC fails to make clear the relationship between Norton Antivirus and the "Compromised Symantec Products." Plaintiff alleges that Norton Antivirus "contained all or a portion of the compromised 2006 source code." Id., ¶ 9. Later, the complaint states that the hacker group "posted . . . confidential documentation pertaining to Norton Antivirus source code," "posted what they claimed was the complete source code tree file for Norton Antivirus -- although it was later taken down," and "published . . . a detailed technical overview of Norton Anti-Virus." Id., ¶¶ 15-17. These are the only allegations in the complaint that relate to Norton Antivirus. The gravamen of the complaint is that the products forming the basis of Plaintiff's causes of action are the four specifically identified "Compromised Symantec Products." Id., ¶ 1-3, 20-24, 26, 30-31, 42, 47, 51, 59, 62-64, 66, 68-69, 71. And Plaintiff does not allege that she purchased any of those four products.
In her opposition to Symantec's motion to dismiss, Plaintiff states that "Plaintiff purchased one of the Products and challenges Symantec's business practice(s) common to all Products." Plaintiff's Opposition to Defendant Symantec Corporation's Motion to Dismiss Plaintiff's First Amended Class Action Complaint, ECF No. 28, at 9:6-8. This does not resolve the ambiguity. The opposition brief mints a new definition of "Products": Symantec's "flagship computer products that provide antivirus and security protection." Id., at 1:2-3. This definition, presumably crafted to encompass Norton Antivirus as well as the identified "Compromised Symantec Products," does not appear in the complaint. Plaintiff also submits a printout from Symantec's website in which Symantec indicates that Norton Antivirus was among the products compromised by the security breach. Exh. 1 to Declaration of Timothy Blood, ECF No. 28-1. This does not change the fact that Plaintiff's complaint revolves around four products that do not include Norton Antivirus.
Since the information on the website is referred to in paragraph 20 of the FAC, the Court GRANTS Plaintiff's request to take judicial notice of the website printout. ECF No. 29. See United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003). Since the Court does not need to refer to documents submitted by Symantec in order to resolve this motion, the Court does not act on Symantec's request for judicial notice at this time. ECF No. 22.
To be clear, the Court is not suggesting that there is any standing-related problem with Plaintiff seeking to represent a class whose members purchased different products than she did. See Clancy v. The Bromley Tea Co., Case No. 12-CV-03003-JST, 2013 WL 4081632, at *3-6 (N.D. Cal. Aug. 9, 2013) (concluding that as long as a named plaintiff has individual standing to bring claims regarding products he actually purchased, the question of whether a proposed class can bring claims related to other products is properly addressed at the class certification stage). But Plaintiff cannot assert standing on her own behalf without clearly alleging that the product she purchased was among those that form the basis of her claim. Plaintiff has not demonstrated her standing to bring this action, and the complaint must be dismissed.
However, the Court notes that it is hard to imagine how Plaintiff, the purchaser of one product, can represent a class who are defined by having purchased four other products.
--------
"[A] judge who concludes that subject matter jurisdiction is lacking has no power to rule alternatively on the merits of a case." Wages v. I.R.S., 915 F.2d 1230, 1234 (9th Cir. 1990). Therefore, the Court will not proceed to address the other grounds on which Symantec has moved to dismiss the complaint. However, if Plaintiff chooses to file an amended complaint, she should make whatever amendments she thinks necessary in light of the arguments raised by Symantec in its motion to dismiss.
IV. CONCLUSION
Plaintiff's complaint is DISMISSED WITHOUT PREJUDICE. Plaintiff has leave to file a second amended complaint if she can allege additional facts that overcome the deficiencies identified in this order. If she chooses to amend the complaint, Plaintiff is ORDERED to file the second amended complaint within twenty-one days of the date of this order. Failure to meet this deadline will result in dismissal with prejudice pursuant to Rule 41(b) of the Federal Rules of Civil Procedure.
IT IS SO ORDERED.
_____________
JON S. TIGAR
United States District Judge