In re Sony Gaming Networks & Customer Data Sec. Breach Litig.

996 F.Supp.2d 942

In re SONY GAMING NETWORKS AND CUSTOMER DATA SECURITY BREACH LITIGATION.

MDL No. 11md2258 AJB (MDD).

United States District Court, S.D. California.

Jan. 21, 2014.

Ben Barnow, Barnow and Associates PC, Chicago, IL, Brian Russell Strange, Strange & Carpenter, Lionel Z. Glancy, Marc L. Godino, Michael M. Goldberg, Glancy Binkow and Goldberg, Jon Anders Tostrud, Tostrud Law Group PC, Sandra Watson Cuneo, Cuneo Gilbert & Laduca, LLP, Los Angeles, CA, Robert R. Henssler, Jr., Douglas R. Britton, Rachel L. Jensen, Robbins Geller Rudman & Dowd LLP, Timothy Gordon Blood, Thomas Joseph O'Reardon, II, Blood Hurst & O'Reardon LLP, Mark A. Maasch Turnerand Maasch, Gayle M. Blatt, Casey, Gerry, Schenk, Francavilla, Blatt & Penfield LLP, San Diego, CA, Lance A. Harke, Harke Clasby & Bushman LLP, Miami, FL, Seth R. Gassman, Labaton Sucharow LLP, Brian Philip Murray, Glancy Binkow & Goldberg LLP, Gregory Bradley Linkh, Murray Frank LLP, Joe R. Whatley, Jr., Whatley Drake & Kallas LLC, Patrick J. Sheehan, Whatley Kallas, LLC, Shujah Ahmad Awan, Shujah Awan, Lester L. Levy, Wolf Popper, Curtis V. Trinko, Jennifer Elizabeth Traystman, Law Offices of Curtis V. Trinko, New York, NY, James D. Hoey, III, The Hoey Law Firm, La Jolla, CA, William T. Crowder, Scott E. Poynter, Emerson Poynter LLP, Little Rock, AR, Thomas Gourrier Bousquet, Bousquet Law, P.C., Muhammad Suleiman Aziz, Abraham Watkins Nichols Sorrels and Friend, Houston, TX, Caleb L.H. Marker, Christopher Paul Ridout, Ridout Lyon and Ottoson LLP, Devon M. Lyon, Ridout & Lyon, LLP, Long Beach, CA, Gillian L. Wade, Sara Dawn Avila, Mark Alan Milstein, Milstein Adelman LLP, Santa Monica, CA, Mark Schlachet, Law Offices of Mark Schlachet, Cleveland, OH, Paul C. Whalen, Paul C. Whalen, Esq., Manhasset, NY, Daniel E. Becnel, Jr., Jennifer L. Crose, Becnel Law Firm, LLC, Reserve, LA, Matthew B. Moreland, Matthew B. Moreland, Attorney at Law, Allan Kanner, Kanner & Whiteley, LLC, New Orleans, LA, David I. Pankin, Brooklyn, NY, Thomas D. Mauriello, Mauriello Law Firm APC, San Clemente, CA, for Plaintiff.

Amanda Catherine Fitzsimmons, William S. Boggs, DLA Piper LLP, San Diego, CA, David Alan Walton, Beirne Maynard et al., Houston, TX, Douglas H. Meal, Harvey J. Wolkoff, Mark P. Szpak, Robert B. Gordon, Ropes and Gray, Boston, MA, Karin Pagnanelli, Mitchell, Silberberg & Knupp LLP, Los Angeles, CA, Morris Weinberg, Jr., Zuckerman Spaeder, Tampa, FL, Rocky C. Tsai, Ropes & Gray LLP, Thad A. Davis, Gibson Dunn & Crutcher LLP, San Francisco, CA, for Defendant.

ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS PLAINTIFFS' FIRST AMENDED CONSOLIDATED CLASS ACTION COMPLAINT

ANTHONY J. BATTAGLIA, District Judge.

This action arises out of a criminal intrusion into a computer network system used to provide online gaming and Internet connectivity via an individual's gaming console or personal computer. Plaintiffs, a nationwide putative consumer class, allege that Sony Computer Entertainment America, LLC (“SCEA”), Sony Online Entertainment, LLC (“SOE”), and Sony Network Entertainment America, Inc. (“SNE”) (collectively, “Sony” or “Defendants”), failed to provide reasonable network security, including utilizing industry-standard encryption, to safeguard Plaintiffs' personal and financial information stored on Sony's network.¹

Presently before the Court is Sony's motion to dismiss Plaintiffs' First Amended Consolidated Class Action Complaint (“FACC”). (Doc. No. 135.) Sony also submitted a request for judicial notice, (Doc. No. 135, Ex. 2), a notice of lodgment of foreign authorities, (Doc. No. 135, Ex. 2), and a notice of supplemental authorities, (Doc. No. 137).² Plaintiffs filed an opposition to Sony's motion to dismiss on May 6, 2013, (Doc. No. 146), and Sony filed a reply on June 20, 2013, (Doc. No. 150). The Court issued a tentative ruling on October 10, 2013, (Doc. No. 157), and held a hearing on the motion on October 18, 2013, (Doc. No. 158). On October 24, 2013, the Court ordered supplemental briefing on seven of Plaintiffs' consumer protection claims. (Doc. No. 159.) Sony filed its supplemental brief on November 15, 2013, (Doc. No. 163), Plaintiffs filed their opposition on December 6, 2013, (Doc. No. 164), and Sony filed its reply on December 20, 2013, (Doc. No. 165). On January 7, 2014, Plaintiffs filed a notice of supplemental authority informing the Court of a recent memorandum decision issued by the Ninth Circuit.³ (Doc. No. 166.) For the reasons set forth below, the Court GRANTS IN PART and DENIES IN PART Sony's motion to dismiss.

BACKGROUND

I. Factual Background

Sony develops and markets the PlayStation Portable hand-held device (“PSP”) and the PlayStation 3 console (“PS3”) (collectively, “Console” or “Consoles”). (FACC ¶¶ 38, 39.) Both Consoles allow users to play games, connect to the Internet, and access Qriocity, Sony Online Entertainment Services, and the Play Station Network (“PSN”) (collectively, “Sony Online Services”).⁴ ( Id. at ¶¶ 40–43.) Through the PSN, which is offered to consumers free of charge, users can engage in multi-player online games, ( Id. at ¶ 27), and for additional one-time fees, the PSN allows users to purchase video games, add-on content (“map packs”), demos, themes, movie trailers, TV shows, and movies (collectively, “Downloads”). Users can also access various prepaid third party services by connecting to Sony Online Services via their Consoles or computers, including Netflix, MLB.TV, and NHL Gamecenter LIVE (collectively, “Third Party Services”). ( Id. at ¶ 45).

Before establishing a PSN, Qriocity, and/or SOE account, Plaintiffs and other consumers were required to enter into a Terms of Service User Agreement with Sony and agree to Sony's Privacy Policy. ( Id. at ¶¶ 55–60.) As part of this registration process, Plaintiffs and other consumers were required to provide Sony with personal identifying information, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates, and security codes), and login credentials (collectively, “Personal Information”).⁵ ( Id. at ¶ 35.) On April 1, 2011, SCEA transferred its online PSN and Qriocity service operations to SNEA, including transferring Plaintiffs' and other Class members' Personal Information to SNEA for handling. ( Id. at ¶ 54.) As a result of the transfer, SNEA required all PSN and Qriocity users to enter into a new Terms of Service User Agreement (“PSN User Agreement”) and Privacy Policy (“PSN Privacy Policy”). ( Id. at ¶¶ 55, 56.) Plaintiffs who established accounts with SOE had to agree to SOE's User Agreement (“SOE User Agreement”) and SOE's Privacy Policy (“SOE Privacy Policy”). ( Id. at ¶ 60.)

On April 16, 2011 or April 17, 2011, Plaintiffs allege that hackers accessed Sony's Network (computer systems, servers, and databases), thereby stealing the Personal Information of millions of Sony's customers, including Plaintiffs. ( Id. at ¶ 65.) Plaintiffs further allege that even though Sony discovered that PSN and Qriocity user data had been stolen as early as April 17, 2011, Sony did not notify Plaintiffs and other affected consumers at that time. ( Id. at ¶ 70.) Instead, on April 20, 2011, Sony simply took the PSN and Qriocity systems offline, stating that “[w]e're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information.” ( Id. at ¶ 71.) Thereafter, the PSN and Qriocity systems remained offline for almost a month while Sony conducted a system audit to determine the cause of the breach. ( Id. at ¶ 124.) During this time, Plaintiffs and the other Class members were unable to use Sony Online Services, and many were unable to access Third Party Services via their Consoles. ( Id.)

Between April 21, 2011 and April 25, 2011, while Qriocity and the PSN remained offline, Plaintiffs allege that Sony continued to misrepresent the circumstances of the breach. ( Id. at ¶¶ 73–77.) Specifically, Plaintiffs allege that Sony did not inform the public of the breach until April 26, 2011, when Sony made a public statement that user Personal Information had been compromised, and encouraged those affected to “remain vigilant, to review [their] account statements[,] and to monitor [their] credit reports.” ( Id. at ¶ 78.) Shortly thereafter, Plaintiffs contend Sony admitted that its failures “may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored.” ( Id. at ¶ 79.) Plaintiffs further allege that Sony conceded that “[s]ome games may require access to PSN for trophy sync, security checks[,] or other network functionality[,] and therefore cannot be played offline.” ( Id.) On May 2, 2011, Sony also took SOE offline, ( Id. at ¶ 82), and announced that SOE user Personal Information may have been compromised in the breach, ( Id. at ¶ 83). This was the first time SOE users were informed that their Personal Information may have been compromised as a result of the intrusion. ( Id. at ¶ 83.)

On April 30, 2011, ten days after Sony took the PSN and Qriocity systems offline, Sony announced that it would compensate PSN and Qriocity users in the United States with free identity theft protection services, certain free downloads and online services, and would consider helping customers who had to apply for new credit cards. ( Id. at ¶ 85.) Likewise, on May 12, 2011, ten days after Sony took the SOE network offline, Sony announced that it would compensate SOE users in the United States by offering free identity theft protection services, one month of free service, and certain free in-game bonuses and currency. ( Id. at ¶ 86.)

II. Procedural History

On August 16, 2011, the Judicial Panel on Multidistrict Litigation transferred certain civil actions from various district courts across the country into one consolidated action before this Court. (Doc. No. 1.) On ...