In re Adobe Sys., Inc. Privacy Litig.

66 F.Supp.3d 1197

In re Adobe Systems, Inc. Privacy Litigation.

Case No.: 13–CV–05226–LHK

United States District Court, N.D. California, San Jose Division.

Signed September 04, 2014

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEMS INC.'S MOTION TO DISMISS

LUCY H. KOH, United States District Judge

In this consolidated litigation, Plaintiffs Christian Duke (“Duke”), Joseph Kar (“Kar”), Christina Halpain (“Halpain”), Jacob McHenry (“McHenry”), Anne McGlynn (“McGlynn”), and Marcel Page (“Page”), individually and on behalf of those similarly situated (collectively, “Plaintiffs”) bring claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe's computer network in 2013 and the resulting data breach. Consol. Compl. (“Compl.”) ECF No. 39. Pending before the Court is Adobe's Motion to Dismiss, in which Adobe seeks dismissal of all of Plaintiffs' claims. (“Mot.”) ECF No. 45. Plaintiffs have filed an Opposition, (“Opp'n”) ECF No. 47, and Adobe has filed a Reply, (“Reply”) ECF No. 50. Having considered the submissions of the parties and the relevant law, the Court hereby GRANTS IN PART and DENIES IN PART Adobe's Motion to Dismiss.

I. BACKGROUND

A. Factual Allegations

Except where indicated, the facts in this section are taken from Plaintiffs' Complaint and accepted as true for the purposes of this Motion.

1. Adobe's Products and Services

Adobe is a multinational software company that sells and licenses printing, publishing, multimedia, and graphics software. Compl. ¶ 17. Adobe sells a wide range of products, including Photoshop (a widely-used digital imaging program) and ColdFusion (used by web developers to build websites and Internet applications). Id. ¶ 19. Adobe's products and services are available in two forms. Some Adobe software, such as ColdFusion, is sold through licenses, where customers pay a single licensing fee to use the software. Id. Other Adobe products are available through Adobe's subscription-based “Creative Cloud,” where customers pay a monthly fee to use Adobe's products and services. Id.

Adobe collects a variety of customer information. Customers of licensed-based products must register their products, which requires customers to provide Adobe with their e-mail addresses and create a username and password for Adobe's website. Id. Some of these customers purchased their licenses online from Adobe directly, and thus also provided Adobe with their credit card numbers and expiration dates, as well as other billing information. E.g. id. ¶¶ 19, 78, 96. Creative Cloud customers are required to keep an active credit card on file with Adobe, which is charged automatically according to the customer's subscription plan. Id. ¶ 19. In addition, some Creative Cloud customers store their files and work products in Adobe's “cloud.” E.g., id. ¶ 84. As a result of the popularity of Adobe's products, Adobe has collected personal information in the form of names, e-mail and mailing addresses, telephone numbers, passwords, credit card numbers and expiration dates from millions of customers. Id. ¶¶ 22, 50–55.

All customers of Adobe products, including Creative Cloud subscribers, are required to accept Adobe's End–User License Agreements (“EULA”) or General Terms of Use. Id. ¶ 29. Both incorporate Adobe's Privacy Policy, which provides in relevant part: “[Adobe] provide[s] reasonable administrative, technical, and physical security controls to protect your information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.” (“Agreement”) ECF No. 46–2 at 4. Adobe's Safe Harbor Privacy Policy, which supplements Adobe's Privacy Policy, similarly provides that “Adobe ... uses reasonable physical, electronic, and administrative safeguards to protect your personal information from loss; misuse; or unauthorized access, disclosure, alteration, or destruction.” Compl. ¶ 32. Adobe makes similar representations regarding its security practices on its websites. Id. ¶¶ 33–39.

2. The 2013 Data Breach

In July 2013, hackers gained unauthorized access to Adobe's servers. Id. ¶ 48. The hackers spent several weeks inside Adobe's network without being detected. Id. By August 2013, the hackers reached the databases containing customers' personal information, as well as the source code repositories for Adobe products.Id. The hackers then spent up to several weeks removing customer data and Adobe source code from Adobe's network, all while remaining undetected. Id. The data breach did not come to light until September, when independent security researchers discovered stolen Adobe source code on the Internet. Id. ¶ 49. Adobe announced the data breach on October 3, 2013. Id. ¶ 50. Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Id. ¶¶ 50–52. Adobe confirmed that the hackers copied the source code for a number of its products, including ColdFusion. Id. ¶ 53. Adobe subsequently disclosed that the hackers were able to use Adobe's systems to decrypt customers' credit card numbers, which had been stored in an encrypted form. Id. ¶ 57. The Court will refer to this sequence of events as the “2013 data breach.”

Following the 2013 data breach, researchers concluded that Adobe's security practices were deeply flawed and did not conform to industry standards. Id. ¶ 59. For example, though customers' passwords had been stored in encrypted form, independent security researchers analyzing the stolen passwords discovered that Adobe's encryption scheme was poorly implemented, such that the researchers were able to decrypt a substantial portion of the stolen passwords in short order. Id. ¶ 63. Adobe similarly failed to employ intrusion detection systems, properly segment its network, or implement user or network level system controls. Id. ¶ 62. As a result of the 2013 data breach, Adobe offered its customers one year of free credit monitoring services and advised customers to monitor their accounts and credit reports for fraud and theft. Id. ¶¶ 54, 56.

3. The Plaintiffs

Plaintiffs are customers of Adobe licensed products or Creative Cloud subscribers who provided Adobe with their personal information. Plaintiffs Kar and Page purchased licensed products directly from Adobe and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 77–78, 95–96. Plaintiff McHenry purchased an Adobe licensed product, and provided Adobe with a username and password. Id. ¶¶ 98–99. Plaintiffs Duke, Halpain, and McGlynn subscribed to Adobe's products, and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 74–75, 83–84, 90. Plaintiffs Duke, Kar, Halpain, and McGlynn are California citizens and residents. Id. ¶¶ 10–12, 14. Adobe informed all Plaintiffs that their personal information had been compromised as a result of the 2013 data breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. Following the 2013 data breach, Plaintiffs Kar and Halpain purchased additional credit monitoring services. Id. ¶¶ 81, 86.

B. Procedural History

The seven cases underlying this consolidated action were filed in this Court between November 2013 and January 2014. See ECF No. 1; Case No. 13–CV–5611, ECF No. 1; Case No. 13–CV–5596, ECF No. 1; Case No. 13–CV–5930, ECF No. 1; Case No. 14–CV–14, ECF No. 1; Case No. 14–CV–30, ECF No. 1; Case No. 14–CV–157, ECF No. 1. The Court related the individual cases in December 2013 and January 2014, ECF Nos. 19, 22, 26,¹ and consolidated them on March 13, 2014, ECF No. 34. Plaintiffs filed their Consolidated Complaint on April 4, 2014. ECF No. 39. Adobe filed its Motion to Dismiss on May 21, 2014, ECF No. 45, with an accompanying Request for Judicial Notice, (“Def. May 21 RJN”) ECF No. 46. Plaintiffs filed their Opposition on June 11, 2014, ECF No. 47, with an accompanying Request for Judicial Notice, (“Pl. RJN”) ECF No. 48. Adobe filed its Reply on July 2, 2014, ECF No. 50, along with a second Request for Judicial Notice, (“Def. July 2 RJN”) ECF No. 51.²

II. LEGAL STANDARDS

A. Rule 12(b)(1)

A defendant may move to dismiss an action for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1). A motion to dismiss for lack of subject matter jurisdiction will be granted if the complaint on its face fails to allege facts sufficient to establish subject matter jurisdiction. See Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039 n. 2 (9th Cir.2003). If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 101–02, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998). In considering a Rule 12(b)(1) motion, the Court “is not restricted to the face of the pleadings, but may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction.” McCarthy v. United States, 850 F.2d 558, 560 (9th Cir.1988). Once a party has moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party bears the burden of establishing the court's jurisdiction, see Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir.2010), by putting forth “the manner and degree of evidence required” by whatever stage of the litigation the case has reached, Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ; see also Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir.2011) (at the motion to dismiss stage, Article III standing is adequately demonstrated through allegations of “specific facts plausibly explaining” why the...