Opinion
21cv6147 (DLC) 21cv6199 (DLC) 21cv6257 (DLC) 21cv6902 (DLC)
02-24-2022
IN RE WASTE MANAGEMENT DATA BREACH LITIGATION.
For plaintiffs: Gregory Haroutunian Michael Anderson Berry Arnold Law Firm Rachele R. Byrd Matthew Moylan Guiney Wolf Haldenstein Adler Freeman & Herz LLP Lori Gwen Feldman George Gesten McDonald PLLC Karen Nadine Wilson Wilson & Brown, PLLC Michael Joseph Benke Casey Gerry Jeffrey Scott Goldenberg Goldenberg Schneider LPA Joseph Michael Lyon The Lyon Firm Terence Coates Markovits, Stock & DeMarco, LLC Todd Seth Garber Finkelstein, Blankinship, Frei-Pearson & Garber, LLP Steven Dudley pro se For defendant: Elizabeth Scott Michelle A. Reed Haley M. High Akin Gump Strauss Hauer & Feld LLP Stephanie Lindemuth Akin Gump Strauss Hauer & Feld LLP
For plaintiffs:
Gregory Haroutunian
Michael Anderson Berry
Arnold Law Firm
Rachele R. Byrd
Matthew Moylan Guiney
Wolf Haldenstein Adler Freeman & Herz LLP
Lori Gwen Feldman
George Gesten McDonald PLLC
Karen Nadine Wilson
Wilson & Brown, PLLC
Michael Joseph Benke
Casey Gerry
Jeffrey Scott Goldenberg
Goldenberg Schneider LPA
Joseph Michael Lyon
The Lyon Firm
Terence Coates
Markovits, Stock & DeMarco, LLC
Todd Seth Garber
Finkelstein, Blankinship, Frei-Pearson & Garber, LLP
Steven Dudley pro se
For defendant:
Elizabeth Scott
Michelle A. Reed
Haley M. High
Akin Gump Strauss Hauer & Feld LLP
Stephanie Lindemuth
Akin Gump Strauss Hauer & Feld LLP
OPINION AND ORDER
DENISE COTE, District Judge:
Plaintiffs bring claims on behalf of themselves, a putative nationwide class, and a putative California class against defendant USA Waste-Management Resources, LCC (“Waste Management”) for failing to prevent a data breach in which attackers obtained employees' personal information from Waste Management's internal network. The defendant has moved to dismiss the complaint. For the following reasons, the motion is granted.
Background
The following facts are derived from the consolidated amended complaint (“CAC”) and are assumed to be true. Waste Management is a company with tens of thousands of employees, providing waste collection and disposal services throughout the United States and Canada. On January 21 and January 23, 2021, an unauthorized actor infiltrated Waste Management's computer network, gaining access to its employees' Personal Identifiable Information (“PII”), such as employees' names, social security numbers, dates of birth, and driver's license numbers.
Waste Management first detected suspicious activity on its network on January 21, 2021. Waste Management did not determine that there was a data breach involving PII, however, until at least May 4. On May 28, Waste Management notified its current and former employees about the data breach. Waste Management also offered to pay for one year of identity monitoring and protection services. That same day, Waste Management notified the California Attorney General of the data breach. A California statute requires such notification when unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Cal. Civ. Code § 1798.82(f).
The plaintiffs are current and former employees of Waste Management, living in various states around the country. The plaintiffs allege that, around the time Waste Management notified them of the data breach, they began to notice an increase in the amount of spam and phishing attempts targeted at them. Additionally, several plaintiffs were victims of apparent identity theft, in which unknown actors attempted to make purchases or collect government benefits in their name. The plaintiffs allege that they have suffered increased anxiety and spent much of their time handling the consequences of the data breach.
This case is a consolidation of four separate actions against Waste Management filed in July and August of 2021. Fierro v. USA Waste-Management Resources, LLC, No. 21-cv-6147; Marcaurel v. USA Waste-Management Resources, LLC, No. 21-cv-6199; Fusilier v. USA Waste-Management Resources, LLC, No. 21-cv-6257; Krenzner v. USA Waste-Management Resources, LLC, No. 21-cv-6902. The cases were consolidated on September 3, 2021. On October 22, the Court ordered the plaintiffs to file a consolidated complaint. The defendant then moved to dismiss the complaint on January 7, 2022. The plaintiffs opposed the motion on January 28. The motion became fully submitted on February 11.
This Court has jurisdiction pursuant to the Class Action Fairness Act of 2005 (“CAFA”). CAFA confers federal jurisdiction over “certain class actions where: (1) the proposed class contains at least 100 members; (2) minimal diversity exists between the parties; and (3) the aggregate amount in controversy exceeds $5,000,000.” Purdue Pharma L.P. v. Kentucky, 704 F.3d 208, 213 (2d Cir. 2013) (citation omitted). The CAC alleges that there are over 100 class members, and that the aggregate amount of the class members' claims exceeds $5,000,000. Additionally, Waste Management is a New York LLC with its principal place of business in Texas, while several plaintiffs reside in other states, including California. See 28 U.S.C. § 1332(d)(10) (under CAFA, “an unincorporated association shall be deemed to be a citizen of the State where it has its principal place of business and the State under whose laws it is organized.”). CAFA's diversity, numerosity, and amount-in-controversy requirements have therefore been satisfied.
Discussion
The CAC brings causes of action against the defendant on behalf of all plaintiffs and the nationwide class for negligence, breach of contract, breach of implied contract, breach of confidence, breach of fiduciary duty, and unjust enrichment. The CAC also brings claims against the defendant on behalf of the California plaintiffs and the California class for violation of the California Consumer Privacy Act (“CCPA”), Cal. Civ. Code § 1798.150, California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §§ 17200 et seq., and California Customer Records Act (“CCRA”), Cal. Civ. Code §§ 1798.80 et seq. The CAC requests declaratory and injunctive relief, as well as damages. The defendants have moved to dismiss for failure to state a claim pursuant to Fed.R.Civ.P. 12(b)(6). The plaintiffs do not oppose dismissal of the claim for breach of express contract, or their separate claim for declaratory and injunctive relief.
In order to state a claim and survive a motion to dismiss, “[t]he complaint must plead ‘enough facts to state a claim to relief that is plausible on its face.'” Green v. Dep't of Educ. of City of New York, 16 F.4th 1070, 1076-77 (2d Cir. 2021) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “In determining if a claim is sufficiently plausible to withstand dismissal, ” a court “accept[s] all factual allegations as true” and “draw[s] all reasonable inferences in favor of the plaintiffs.” Melendez v. City of New York, 16 F.4th 992, 1010 (2d Cir. 2021) (citation omitted).
I. Choice of Law
Waste Management argues that Texas law should apply to the CAC's claims for negligence and breach of confidence. “A federal court sitting in diversity jurisdiction applies the choice of law rules of the forum state.” AEI Life LLC v. Lincoln Benefit Life Co., 892 F.3d 126, 132 (2d Cir. 2018) (citation omitted). A court need not engage in choice-of-law analysis if there is no “actual conflict between the laws of the jurisdictions involved.” Fireman's Fund Ins. Co. v. Great Am. Ins. Co. of N.Y., 822 F.3d 620, 641 (2d Cir. 2016) (citation omitted). An “actual conflict” exists if “the applicable law from each jurisdiction provides different substantive rules, ” those differences are “relevant to the issue at hand, ” and they “have a significant possible effect on the outcome of the trial.” Fin. One Pub. Co. Ltd. v. Lehman Bros. Special Fin., Inc., 414 F.3d 325, 331 (2d Cir. 2005) (citation omitted).
If there is an actual conflict of laws in a tort action, New York choice of law rules apply “the law of the jurisdiction having the greatest interest in the litigation.” White Plains Coat & Apron Co., Inc. v. Cintas Corp., 460 F.3d 281, 284 (2d Cir. 2006) (citation omitted). “If conflicting conductregulating laws are at issue, the law of the jurisdiction where the tort occurred will generally apply because that jurisdiction has the greatest interest in regulating behavior within its borders.” GlobalNet Financial.Com, Inc. v. Frank Crystal & Co., Inc., 449 F.3d 377, 384 (2d Cir. 2006) (citation omitted). In conflicts involving “allocation of losses, the site of the tort is less important, and the parties' domiciles are more important.” Id. at 384-85. Because this litigation arises out of the plaintiffs' allegation that Waste Management failed in its obligation to protect its employees' PII, if a conflict exists between the laws of New York and Texas, the laws of Texas will apply, since it is the site of the defendant's headquarters.
A. Negligence
No conflict exists between the law of New York and Texas applicable to the CAC's negligence claim. In both states, the elements of negligence are the same: (1) a duty of care, (2) breach of that duty, and (3) damages proximately caused by the breach. Compare Kroger Co v. Elwood, 197 S.W.3d 793, 794 (2006) with Borley v. United States, 22 F.4th 75, 78 (2d Cir. 2021). And in both states, courts must consider similar factors when determining whether a duty exists, including the economic impact of a duty, the public benefit, the cost of adhering to the duty, and the foreseeability and magnitude of the harm. Compare In re N.Y.C. Asbestos Litig., 27 N.Y.3d 765, 788 (2016) with Greater Houston Transp. Co. v. Phillips, 801 S.W.2d 523, 525 (Tex. 1990).
Waste Management nevertheless argues that a conflict exists between New York and Texas law because New York would recognize a duty to protect employees' PII, while Texas would not. Waste Management, however, does not cite to an authoritative decision from a state court in either jurisdiction holding that employers do or do not have such a duty. In both jurisdictions, those who control the premises have a duty to protect invitees from risk that is “unreasonable and foreseeable.” Compare Austin v. Kroger Tex., L.P., 465 S.W.3d 193, 205 (Tex. 2015) with Burgos v. Aqueduct Reality Corp., 92 N.Y.2d 544, 548 (1998).
Waste Management also argues that a conflict exists between New York and Texas law because, under Texas law, the plaintiffs' claims would be barred by the economic loss rule. Any difference that may exist in the jurisdiction's application of the economic loss doctrine, a doctrine they both recognize, is irrelevant since neither jurisdiction bars negligence claims for breach of a duty independent of a contractual obligation. Chapman Custom Homes, Inc., 445 S.W.3d at 718; Dorking Genetics v. United States, 76 F.3d 1261, 1269 (2d Cir. 1996). In this case, the plaintiffs allege a duty to take reasonable care in protecting the plaintiffs' PII that is independent of the contractual obligations of employment. Accordingly, the economic loss doctrine would not apply to the CAC's negligence claim under the law of either jurisdiction.
The economic loss doctrine generally bars a tort claim for purely economic losses arising from a breach of contract. See Chapman Custom Homes, Inc. v. Dallas Plumbing Co., 445 S.W.3d 716, 718 (Tex. 2014); 523 Madison Ave. Gourmet Foods, Inc. v. Finlandia Ctr., Inc., 96 N.Y.2d 280, 288 n.1 (2001).
Waste Management points to two federal court cases in which the parties agreed, for choice-of-law purposes, that Texas's economic loss doctrine would bar a negligence claim for economic harms arising out of a data breach. See Lone Star Nat'l Bank, N.A. v. Heartland Payment Sys., Inc., 729 F.3d 421, 423 (5th Cir. 2013); In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., MDL No. 2014, 2011 WL 1232352, at *21 (S.D. Tex. Mar. 31, 2011). Recent decisions, however, have found that the economic loss rule does not apply to such claims under Texas law. See, e.g., In re Capital One Consumer Data Sec Breach Litig., 488 F.Supp.3d 374, 396-97 (E.D. Va. 2020); Thawar v. 7-Eleven, Inc., 165 F.Supp.3d 524, 532-33 (N.D. Tex. 2016).
Regardless, these cases are minimally probative of the relevant question, which is how Texas's highest court would rule. See Chufen Chen v. Dunkin' Brands, Inc., 954 F.3d 492, 497 (2d Cir. 2020). Here, the Texas Supreme Court's recent pronouncements on the economic loss rule indicate that the doctrine would not apply to the plaintiffs' negligence claim. See Chapman Custom Homes, Inc., 445 S.W.3d at 718. Accordingly, there is no conflict between the laws of Texas and New York with respect to the negligence claim.
B. Breach of Confidence
An actual conflict exists between Texas and New York law with respect to the CAC's breach of confidence claim, although that conflict is of no moment to the claim presented here. New York law recognizes breach of confidence as an independent tort, although one that may only protect a patient's medical information. See Chanko v. Am. Broadcasting Cos. Inc., 27 N.Y.3d 46, 53-54 (2016); Young v. U.S. Dep't of Justice, 882 F.2d 633, 640-41 (2d Cir. 1989) (finding that New York has only applied the tort to physician-patient relationships). Under Texas law, breach of confidence is an element of a claim for misappropriation of trade secrets, and may not exist as a separate cause of action. See Motion Med. Tech., L.L.C. v. Thermotek, Inc., 875 F.3d 765, 775 (5th Cir. 2017); Hyde Corp v. Huffines, 158 Tex. 566, 587 (1958). Accordingly, since neither jurisdiction recognizes a breach of confidence claim brought by an employee for a third party's theft of her PII, any differences in the Texas and New York laws are immaterial. This claim may not be pursued in this action.
C. Remaining Common Law Claims
Waste Management concedes that there is no conflict between the laws of Texas and New York with respect to the plaintiffs' remaining common law claims. “[W]here the parties agree that New York law controls, this is sufficient to establish choice of law.” Federal Ins. Co. v. Am. Home Assurance Co., 639 F.3d 557, 566 (2d Cir. 2011). Accordingly, New York law applies to the plaintiffs' remaining common law claims.
II. Negligence
Waste Management moves to dismiss the claim for negligence. “Under New York law, a tort plaintiff seeking to prove a defendant's negligence must show (1) the existence of a duty on defendant's part as to plaintiff; (2) a breach of this duty; and (3) injury to the plaintiff as a result thereof.” Borley v. United States, 22 F.4th 75, 79 (2d Cir. 2021) (citation omitted). “[T]he definition, and hence the existence, of a duty relationship is usually a question for the court.” Id. In deciding whether a duty exists,
the court must settle upon the most reasonable allocation of risks, burdens and costs among the parties and within society, accounting for the economic impact of a duty, pertinent scientific information, the relationship between the parties, the identity of the person or entity best positioned to avoid the harm in question, the public policy served by the presence or absence of a duty and the logical basis of a dutyIn re N.Y.C. Asbestos Litig., 27 N.Y.3d at 788. “Foreseeability defines the scope of a duty once it has been recognized.” Id.
Applying these factors, employers have a duty to take reasonable measures to protect PII that they require from their employees. In such a situation, the safety of the data is almost entirely out of the employee's hands. The employee cannot reasonably refuse the employer's request. And the employer retains full control of the network and database infrastructure used to store the PII. Courts in this District have found that employers are in the best position to protect employees' PII. See, e.g., In re GE/CBPS Data Breach Litig., No. 20-cv-2903, 2021 WL 3406374, at *8 (S.D.N.Y. Aug. 4, 2021); Sackin v. TransPerfect Global, Inc., 278 F.Supp.3d 739, 748 (S.D.N.Y. 2017).
Waste Management argues that there is no duty to protect employees' PII against a data breach, because there is no duty to protect others from the unforeseeable misconduct of third parties. This doctrine normally sounds in premises liability rather than ordinary negligence. See Maheshwari v. City of New York, 2 N.Y.3d 288, 294 (2004). Regardless, however, a duty is still appropriate here because attempts by hackers to access PII stored in an internal network are highly foreseeable. Large data breaches regularly occur, and their frequency is only increasing. When an employer requires an employee to submit their sensitive personal information, the employee therefore has a reasonable expectation that the employer will take reasonable care not to place their personal data at unnecessary risk of exposure. See Palka v. Servicemaster Mgmt. Servs. Corp., 83 N.Y.2d 579, 585 (1994).
The duty to protect against third-party criminal activity is normally treated as a premises liability issue under Texas law as well. See Austin, 465 S.W.3d at 212 n.20.
Nevertheless, the CAC fails to state a claim for negligence, because it does not plausibly allege that Waste Management breached any duty of care. Although the CAC contains many conclusory allegations that Waste Management failed to take reasonable measures to protect its data, the CAC pleads no facts regarding any specific measures that Waste Management did or didn't take, nor does it contain any allegations regarding the manner in which their systems were breached. Cf. Sackin, 278 F.Supp.3d at 744, 748. A conclusory allegation that the defendant acted unreasonably is insufficient to state a claim for negligence. See Iqbal, 556 U.S. at 678 (“Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.”).
The plaintiffs nevertheless argue in their opposition that Waste Management breached the duty of care by failing to store its employees' PII in an encrypted format, by failing to delete old and unnecessary data, and by failing to adhere to FTC data security guidelines. But the CAC does not allege that employees' PII was not stored in an encrypted format, does not allege that Waste Management failed to delete old data, and does not point to any other failure to adhere to FTC data security guidelines. At most, the CAC suggests (although it does not affirmatively allege) that attackers may have been able to access the plaintiffs' PII in an unencrypted form. But this allegation does not plead that employees' PII was stored unencrypted on Waste Management's servers.
Without a plausible allegation that Waste Management failed to take reasonable measures to protect its employees' PII, the CAC effectively seeks to hold Waste Management liable for the fact of the data breach alone. But the law does not impose strict liability for harms arising out of the storage of personal information. Cf. Doundoulakis v. Town of Hempstead, 42 N.Y.2d 440, 448 (1977) (discussing factors used to determine whether strict liability should be imposed). The plaintiffs must therefore plausibly allege not only that there was a data breach, but that the breach was caused by Waste Management's unreasonable conduct. They have not done so. Accordingly, the CAC does not state a claim for negligence.
III. Implied Contract
Waste management moves to dismiss the claim for breach of an implied contract. “A contract implied in fact may result as an inference from the facts and circumstances of the case . . . and is derived from the presumed intention of the parties as indicated by their conduct.” Beth Israel Med. Ctr. v. Horizon Blue Cross & Blue Shield of N.J., Inc., 448 F.3d 573, 582 (2d Cir. 2006) (citation omitted). There is “no distinction” between an implied contract and an express contract; both are “just as binding.” Id. (citation omitted).
The CAC alleges that Waste Management breached an implied contract with plaintiffs to reasonably safeguard their PII. The CAC points to provisions of the employee handbook which, although they do not create an express contract, indicate that employee information is to be treated as confidential and protected from unauthorized disclosure. Other courts in this district have found similar representations in company policy documents sufficient to create an implied contract. See, e.g., In re CE/GBPS Data Breach Litig., 2021 WL 3406374, at *11-12; Sackin, 278 F.Supp.3d at 750-51. The CAC therefore plausibly alleges an implied contract requiring Waste Management to take reasonable measures to safeguard employee PII.
The CAC, however, does not allege that this contract was breached. The plaintiffs do not argue that Waste Management impliedly agreed to insure employees against any data loss -only that Waste Management agreed to act reasonably in handling their data. To state a claim for breach of the implied contract, the CAC must therefore plausibly allege that Waste Management failed to reasonably safeguard employees' data. But the CAC does not allege facts explaining what measures Waste Management took or failed to take to protect employee data, nor does it allege how the data breach actually occurred. Accordingly, the claim for breach of implied contract must be dismissed.
IV. Fiduciary Duty
Waste Management moves to dismiss the claim for breach of a fiduciary duty. “To state a breach of fiduciary duty claim under New York law, a plaintiff must plead: (i) the existence of a fiduciary duty; (ii) a knowing breach of that duty; and (iii) damages resulting therefrom.” Spinelli v. Nat'l Footbal League, 903 F.3d 185, 207 (2d Cir. 2018) (citation omitted). “A fiduciary relationship exists when one person is under a duty to act for or to give advice for the benefit of another upon matters within the scope of the relation.” Id.
New York courts have consistently found that employers are not fiduciaries for their employees. See Rather v. CBS Corp., 886 N.Y.S.2d 121, 125 (1st Dep't 2009) (listing cases). The plaintiffs argue that, even if employment alone does not create a fiduciary relationship, such a relationship arose when Waste Management required its employees to share their PII. The plaintiffs cite no cases, however, in which any court has found a fiduciary relationship under such circumstances. Waste Management's storage of employee PII does not impose a “duty to act for or to give advice for the benefit” of its employees. See Spinelli, 903 F.3d at 207 (citation omitted). No fiduciary duty therefore exists, and the claim for breach of fiduciary duty must be dismissed.
V. Unjust Enrichment
Waste Management moves to dismiss the claim for unjust enrichment. To state a claim for unjust enrichment, a plaintiff must plausibly allege “(1) that the defendant benefitted; (2) at the plaintiff's expense; and (3) that equity and good conscience require restitution.” Myun-Uk Choi v. Tower Research Capital LLC, 890 F.3d 60, 69 (2d Cir. 2018) (citation omitted). “[U]njust enrichment is not a catchall cause of action to be used when others fail.” Corsello v. Verizon N.Y., Inc., 18 N.Y.3d 777, 790 (2012). It “is not available where it simply duplicates, or replaces, a conventional contract or tort claim.” Id. (citation omitted).
The plaintiffs do not explain how their unjust enrichment action is distinct from their other contract and tort claims. The plaintiffs argue that Waste Management profited from the plaintiffs' labor, and that it would be inequitable to let them keep the profit they saved by maintaining allegedly inadequate data protection measures. But the CAC contains only conclusory allegations that Waste Management's data security practices were unreasonable. Ultimately, the plaintiffs' unjust enrichment claim simply repackages the same theories of harm alleged in its contract and tort actions. Accordingly, the unjust enrichment claim must be dismissed as duplicative.
Just as significantly, the plaintiffs do not allege that Waste Management benefitted at the plaintiffs' expense. The third-party hackers benefitted at the expense of both the plaintiffs and Waste Management, and it is that person or persons which in equity and good conscience owes restitution to the plaintiffs.
VI. California Consumer Privacy Act
Waste Management moves to dismiss the claim for violation of the California Consumer Privacy Act. The CCPA authorizes injunctive relief, declaratory relief, and damages for “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1). To bring a claim for statutory damages, a consumer must provide written notice at least 30 days before filing an action. § 1798(b). The consumer cannot bring a claim for damages if “the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur.” Id.
Waste Management argues that the CAC does not plead an “exfiltration, theft, or disclosure” of the plaintiffs' PII. The CAC's allegations, however, plainly satisfy this element of the CCPA claim. The CAC alleges that an unauthorized actor hacked into and stole the plaintiffs' PII from Waste Management's systems.
Nevertheless, the CAC fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Id.; see also Maag v. U.S. Bank, Nat'l Assoc., No. 21-cv-31m, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021). For similar reasons, the CAC does not plausibly allege that Waste Management failed to cure its alleged violations of the CCPA. The CAC alleges in conclusory terms that Waste Management has not changed its securities practices. But the CAC contains no allegations regarding any notice of cure from Waste Management, and does not explain what violations need to be remedied.
The plaintiffs argue that Waste Management has failed to cure its alleged violations of the CCPA because the plaintiffs' data are still out there, and can still be exploited to the plaintiffs' detriment. But the CCPA does not require businesses that have experienced a data breach to place consumers in the same position they would have been absent a breach. It just requires them to remedy any “violation” of their “duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code §§ 1798(a)(1), 1798(b). The CAC does not plausibly allege that Waste Management has failed to do so. Accordingly, the CCPA claim must be dismissed.VII. California Customer Records Act
Because the plaintiffs have failed to state a CCPA claim regardless, it is unnecessary to determine whether the plaintiffs are “consumer[s]” within the meaning of the CCPA -an issue that neither party has addressed. It is also unnecessary to decide whether the plaintiffs have a duty to plead compliance with the CCPA's 30-day notice requirement. See § 1798(b).
Waste Management moves to dismiss the claim for violation of the California Customer Records Act. The CCRA requires businesses to disclose breaches of personal information to consumers “in the most expedient time possible and without unreasonable delay, consistent with . . . any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Cal. Civ. Code § 1798.82(a). “Any customer injured by a violation” of this requirement can recover damages. § 1798.84(b).
The CAC does not plausibly allege that the plaintiffs are “customers” of Waste Management. The CCRA defines a “customer” as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.” Cal. Civ. Code § 1798.80(c). The CAC does not allege that the plaintiffs provided their PII to Waste Management in exchange for a product or service. Instead, it alleges that they were required to give Waste Management their PII as part of their employment. Corona v. Sony Pictures Ent., Inc., No. 14-cv-9600, 2015 WL 3916744, at *7 (C.D. Cal. June 15, 2015) (finding that employees are not customers under the CCRA).
Additionally, the CAC does not plausibly allege that Waste Management unreasonably delayed notifying the plaintiffs of the data breach. The CAC alleges that Waste Management first identified suspicious activity on January 21, 2021, and became aware that employee PII may have been accessed on May 4, but did not notify the plaintiffs until May 28. The CAC alleges no facts other than this timeline to suggest that Waste Management failed to alert its employees of the data breach with the requisite expedience. The 24-day interval between Waste Management's discovery that PII may have been accessed and their notification to employees, however, is insufficient on its own to plausibly allege “unreasonable delay.” § 1798.82(a).
Other courts interpreting the CCRA have held that such bare allegations are insufficient to state a claim under the CCRA, even when the interval between the business' awareness of a breach involving personal information and their notification to customers was longer than the period at issue here. See, e.g., Razuki v. Caliber Home Loans, Inc., No. 17-cv-1718, 2018 WL 6018361, at *2 (S.D. Cal. Nov. 15, 2018) (five-month interval); but cf. In re Ambry genetics Data Breach Litig., No. 20-cv-791, 2021 WL 4891610, at *10 (C.D. Cal. Oct. 18, 2021) (three-month delay was sufficient to state a claim under the CCRA). Because the CAC does not plausibly allege that Waste Management's delay of approximately three weeks was unreasonable -- and does not plausibly allege that Waste Management knew about a breach affecting the plaintiffs' PII sooner -- the CCRA claim must be dismissed.
VIII. California Unfair Competition Law
Finally, Waste Management moves to dismiss the claim for violation of California's Unfair Competition Law. The UCL prohibits “any unlawful, unfair, or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200.
A business practice is “unlawful” under § 17200 if it violates some other law. See De La Torre v. CashCall, Inc., 5 Cal. 5th 966, 980 (2018). As explained above, however, the CAC has not plausibly alleged that Waste Management acted unlawfully. The plaintiffs therefore fail to state a claim for violation of the UCL's “unlawful” prong. See id.
The CAC also alleges that Waste Management violated the “unfair” prong of the UCL by failing to implement basic data security measures, and by misrepresenting their data security to employees. To determine whether a business practice is unfair, “the court must weigh the utility of the defendant's conduct against the gravity of the harm to the plaintiff.” Motors, Inc. v. Times Mirror Co., 102 Cal.App.3d 735, 740 (Ct. App. 2d 1980) (cited by Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co., 20 Cal.4th 163, 180 (1999)). The CAC, however, contains only a conclusory allegation that Waste Management engaged in unreasonable or fraudulent conduct. The CAC does not allege facts to explain what security measures Waste Management did or did not take. Nor does it explain what representations Waste Management made to its employees, or how those were false. Accordingly, the CAC has failed to state a claim for violation of the UCL.
Conclusion
The defendant's January 7, 2022 motion to dismiss is granted. The Clerk of Court shall enter judgment for the defendant and close the case.