I.C. v. Zynga, Inc.

600 F.Supp.3d 1034

I.C., et al., Plaintiffs,

v.ZYNGA, INC., Defendant.

Case No. 20-cv-01539-YGR

United States District Court, N.D. California.

Signed April 29, 2022

Reid Wilson Wayman Gaa, San Francisco, CA, Daniel Jay Buller, Pro Hac Vice, Scott C. Nehrbass, Foulston Siefkin LLP, Overland Park, KS, Sharon S. Almonrode, The Miller Law Firm, P.C., Rochester, MI, Adam J. Zapala, Cotchett Pitre & McCarthy LLP, Burlingame, CA, for Plaintiffs A Minor, Amy Gitre.

Daniel L. Warshaw, Pearson, Simon & Warshaw, LLP, Sherman Oaks, CA, Hassan Ali Zavareei, Mark Andrew Clifford, Pro Hac Vice, Tycko & Zavareei LLP, Washington, DC, Joseph C. Bourne, Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, Melissa S. Weiner, Pearson Simon & Warshaw, LLP, Minneapolis, MN, Sabita J. Soneji, Tycko & Zavareei LLP, Oakland, CA, for Plaintiffs Carol Johnson, Lisa Thomas.

Elizabeth A. Fegan, Fegan Scott LLC, Chicago, IL, Jennie Lee Anderson, Andrus Anderson LLP, San Francisco, CA, Lynn Ellenberger, Pro Hac Vice, Fegan Scott LLC, Pittsburgh, PA, for Plaintiffs Daniel Petro, Christopher Rosiak, Joseph Martinez, IV.

Elizabeth L. Deeley, Latham & Watkins LLP, San Francisco, CA, Serrin A. Turner, Latham & Watkins LLP, New York, NY, Susan E. Engel, Pro Hac Vice, Latham & Watkins LLP, Washington, DC, for Defendant.

ORDER GRANTING MOTION TO DISMISS

Re: Dkt. No. 96

Yvonne Gonzalez Rogers, United States District Court Judge Plaintiffs bring this consolidated putative class action against social gaming company Zynga Inc. in connection with a large-scale data breach of players’ account information. The Court previously granted Zynga's motion to dismiss the first consolidated class action complaint for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure ("Rule") 12(b)(1), permitting plaintiffs to amend their pleadings. Currently pending is Zynga's motion to dismiss the second consolidated class action complaint ("SAC") on the same basis. (Dkt. No. 96.) Having carefully reviewed the pleadings and the briefing on the motion, and for the reasons stated below, the Court hereby GRANTS the motion WITHOUT LEAVE TO AMEND. ¹

I. BACKGROUND

The SAC (Dkt. No. 95) alleges as follows:

Zynga develops, markets, and operates live social games including the popular Words With Friends and Farmville franchises. (SAC ¶ 42.) These games are played on the Internet, social networking sites, and mobile platforms "by millions of people around the world each day." (Id. ) Plaintiffs were among such players. (Id. ¶¶ 8–37.) Zynga offers a mix of paid and free games to players while also providing advertising services to advertising agencies and brokers. (Id. ¶¶ 42, 44.) The free games are supported by in-game advertisements, in-game purchases, and Zynga's collection and sale of users’ personal identifying information ("PII"). (Id. ¶ 44.)

One must create an account with Zynga to play its games. (Id. ¶ 47.) "In connection with the account creation process, Zynga collects certain PII from users, including their first name, last name, email address, gender, and a password for the account, if one was created." (Id. ¶ 48.) Users "have the option to link their Zynga account to their Facebook account instead of providing an email address. If a prospective user chooses to log in with Facebook, the prospective user must provide their Facebook username and/or phone number and password through a separate authentication screen." (Id. ¶ 49.) The SAC further alleges, "[u]pon information and belief, before it began using a third-party payment processor, Zynga collected financial information, such as credit card details, for game purchases or in-app purchases." (Id. ¶ 50.)

On September 12, 2019, Zynga posted on its website the following statement, titled "Player Security Announcement," which stated in relevant part:

We recently discovered that certain player account information may have been illegally accessed by outside hackers. An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.

While the investigation is ongoing, we do not believe any financial information was accessed. However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed. As a precaution, we have taken steps to protect these users’ accounts from invalid logins. We plan to further notify players as the investigation proceeds.

(Id. ¶ 84.) Zynga "never notified those customers by email, or even by a pop-up notification" regarding the data breach or "offer[ed] any assistance with mitigating the risks associated with same." (Id. ¶¶ 12, 86.)

On September 29, 2019, The Hacker News reported that a serial hacker breached Zynga's customer database and acquired the information of more than 218 million users. (Id. ¶ 67.) The hacker reported that the breach affected all Android and iOS game players who had installed and signed up for the Words With Friends game on or before September 2, 2019. (Id. ) The SAC alleges that the affected users’ PII have been sold or otherwise published on the dark web. (Id. ¶ 114.)

According to the SAC, identity theft can occur by using the PII stolen from Zynga. (Id. ¶ 95.) For example, a cyber attacker can take "a massive trove of usernames and passwords from a data breach and tr[y] to ‘stuff’ those credentials into the login page of other digital services." (Id. ¶ 97.) "The vast majority of email and password comb[inations] [will not] work, but a few will. That[ is] because many people reuse the same credentials on multiple websites." (Id. ¶ 103 (internal quotation marks and citation omitted).) In addition to these so-called credential stuffing attacks, the breached data includes "enough information for hackers to potentially create targeted phishing attacks made up to look as if they are an official communication from Zynga." (Id. ¶ 101 (internal quotation marks and citation omitted).) "The communications can also look like they are from other trusted companies, such as banks, and claim that there is suspicious activity on the account to tempt a person to click on a link and provide additional valuable PII." (Id. (citation omitted).) The information stolen from Zynga is "highly valued amongst cyber thieves and criminals," creating a "well-established market" on the dark web. (Id. ¶ 96.) The SAC cites a number of reports describing the financial, emotional, and physical injuries that victims of identity theft can suffer, particularly for minors, who comprise "a substantial portion of [Zynga's] user base." (Id. ¶¶ 59–64, 131–38.)

The SAC is not entirely consistent regarding the information stolen in the breach. At minimum, the information allegedly stolen included names, email addresses, phone numbers, Zynga usernames, Zynga passwords (some hashed and some in plain text), Zynga password reset tokens, and Facebook usernames. (Id. ¶ 67.) The SAC includes gender, home address, and credit card information in the definition of "PII" but does not specifically allege that this data was taken in the breach. (Compare id. ¶ 2 n.1 with id. ¶ 67.) The SAC also alleges that the stolen information included "dates/times when the account was created, last accessed, and the IP address of the last login," but did not include such information in the PII definition. (Compare id. ¶ 67 with id. ¶ 2 n.1.) In addition, the SAC alleges both that users’ dates of birth were stolen but also that Zynga did not collect information regarding a user's age or date of birth. (Compare id. ¶ 2 n.1 with id. ¶ 48.) Further, while alleging that Facebook passwords were stolen, the SAC also alleges that Zynga reportedly does not collect Facebook passwords and that the hacker only claimed to have accessed "the ‘Facebook IDs’ of Zynga users." (Compare id. ¶ 2 n.1 with id. ¶ 68.)

Named plaintiffs are Zynga players whose information was allegedly hacked during the breach: I.C., Amy Gitre, Carol Johnson, Lisa Thomas, Joseph Martinez IV, Daniel Petro, and Christopher Rosiak. (Id. ¶¶ 8, 14, 16, 23, 25, 27, 31.) The Court previously granted Zynga's motion to compel arbitration of the claims of Gitre, Thomas, and Martinez. (Dkt. No. 93.) With respect to the remaining plaintiffs, the following information was allegedly stolen:

• Petro: email address and Zynga username

• I.C.: email address, Zynga username, and Zynga password

• Johnson: email address, Zynga username, Games with Friends hashed password, Draw Something plain text password, date of birth, phone number, and Zynga password reset tokens

• Rosiak: email address, Zynga username, Zynga password, phone number, Facebook name, and Facebook username

(Id. ¶¶ 10, 19, 30, 31.) The only plaintiff that allegedly had their Zynga password stolen in plain text form is Johnson. (Id. ¶¶ 19, 74.) Zynga did not directly notify these plaintiffs that their information had been compromised by the breach. (Id. ¶¶ 8, 17, 29, 34.) I.C., Johnson, and Petro confirmed through the website haveibeenpwned.com, and Rosiak received notices from an identity theft monitoring service, about the same. (Id. ¶¶ 8, 17, 29, 34–35, 120–121.)

In the aftermath of the data breach, each of the named plaintiffs allege they were affected by the breach in a number of ways. I.C., who is a minor, received at least three notices regarding non-Zynga accounts indicating that I.C.’s login information may be compromised, reproduced below.

(Id. ¶¶ 106, 109, 112.) Two of those notices concerned other gaming accounts.

I.C. also received at least two suspicious emails, including one from Personal Capital, reproduced below.

(Id. ¶¶ 107, 111.) I.C. has no knowledge or experience with Personal Capital, which markets itself as an online financial advisor and personal wealth management company. (Id. ¶ 111.) I.C. "used his Zynga password for approximately 90% of his online accounts, including email, entertainment, gaming, social media popular with youth, and others." (Id. ¶ 105.) After...