Opinion
2:22-cv-00855-GMN-EJY
12-22-2022
JEHU BRYANT, on behalf of himself and all other persons similarly situated, Plaintiff, v. MX HOLDINGS US, INC., et al., Defendants.
ORDER
Gloria M. Navarro, District Judge
Pending before the Court is Defendant MX Holdings US, Inc., CFP Fire Protection, Inc., COSCO Fire Protection, Inc., and Firetrol Protection Systems, Inc. (collectively, “Defendants'”) Motion to Dismiss, (ECF No. 17). Plaintiff Jehu Bryant, individually and on behalf of all other similarly situated (“Plaintiff”), filed a Response, (ECF No. 23), and Defendants filed a Reply, (ECF No. 29).
For the reasons discussed below, the Court DISMISSES Plaintiff's Complaint without prejudice for failure to sufficiently allege federal subject matter jurisdiction and DENIES Defendants' Motion to Dismiss as moot.
I. BACKGROUND
This case arises from a data breach of Defendants' network on or around October 28, 2021, in which hackers allegedly stole the personally identifiable information (“PII”) of Plaintiff and other similarly situated individuals (“Data Breach”). (Compl. ¶¶ 1-6, ECF No. 1). Plaintiff alleges that thousands of individuals were affected by the Data Breach. (Id. ¶ 42). Specifically, hackers accessed individuals' names, dates of birth, social security numbers, driver's license numbers, passport numbers, financial account numbers, and medical information. (Id. ¶ 5).
Defendants argue that Plaintiff misrepresents that his PII was stolen. (Mot. Dismiss 4:1-13, ECF No. 17). Specifically, Defendants provide a Template Notice Letter they sent to Plaintiff and other consumers following the Data Breach, which states that the Data Breach “may have resulted in the temporary exposure of some of your [PII].” (Template Notice Letter at 1, Ex. A to Mot. Dismiss, ECF No. 17-1) (emphasis added).
Defendants are corporations that perform building construction, in addition to providing safety and fire protection services. (Id. ¶ 15). Plaintiff alleges that Defendants “failed to comply with industry standards or even implement rudimentary security practices,” which resulted in the Data Breach. (Id. ¶ 25). On May 10, 2022, approximately five months after the Data Breach, Defendants notified Plaintiff in a letter that his PII may have been compromised. (Id. ¶ 26).
Plaintiff posits he and similarly situated class members now face a heightened long-term risk of future harm, specifically harm posed by identity theft and fraud. (Id. ¶ 35). Plaintiff alleges that identity thieves often hold onto to PII for “several years before using and/or selling the information to other identity thieves. (Id. ¶ 20). Plaintiff further argues with access to the PII at issue, criminals can open financial accounts, obtain medical services, obtain government benefits, file fraudulent tax returns, and obtain driver's licenses. (Id. ¶¶ 32-35). Moreover, Plaintiff asserts that the PII leaked in the breach will likely be sold or disseminated on the dark web. (Id. ¶ 30).
Plaintiff contends that Defendants failed to reasonably maintain safety and security measures, especially in light of “industry wide warnings” about the risk of cyber-attacks. (Id. ¶ 27). Plaintiff argues that industry standards highlight several basic cybersecurity safeguards that can improve cyber resilience including: (a) the proper encryption of PII; (b) educating and training employees on how to protect PII; and (c) correcting the configuration of software and network devices. (Id. ¶ 19). Plaintiff posits that the Data Breach could have been prevented had Defendants remedied the deficiencies in their data security systems and adopted security measures recommended by experts in the industry and the Federal Trade Commission. (Id. ¶¶ 22-28). Plaintiff, to mitigate the risk of harm posed by the Data Breach, “review[ed] and monitor[ed] his accounts, enroll[ed] in the free credit monitoring offered, and plac[ed] an alert on his credit with Experian.” (Id. ¶ 54).
On May 27, 2022, Plaintiff, individually and on behalf of all others similarly situated, filed the present Complaint, alleging claims for: (1) negligence; (2) invasion of privacy by public disclosure of private facts and intrusion upon seclusion; (3) breach of contract; and (4) breach of implied contract, as well as requesting injunctive relief to require Defendants to update their security protocols. (Id. ¶¶ 54-88). On July 29, 2022, Defendants filed the instant Motion to Dismiss. (See generally Mot. Dismiss (“MTD”), ECF No. 17).
II. LEGAL STANDARD
“It is to be presumed that a cause lies outside [of federal courts'] limited jurisdiction, and the burden of establishing the contrary rests upon the party asserting jurisdiction.” Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994) (citation omitted). Federal courts are constitutionally required to raise issues related to federal subject matter jurisdiction and may do so sua sponte. Arbaugh v. Y&H Corp., 546 U.S. 500, 514 (2006). A federal court must satisfy itself of its jurisdiction over the subject matter before proceeding to the merits of the case. Ruhrgas AG v. Marathon Oil Co., 526 U.S. 574, 577, 583 (1999); Snell v. Cleveland, 316 F.3d 822, 826 (9th Cir. 2002) (“Federal Rule of Civil Procedure 12(h)(3)[ ] provides that a court may raise the question of subject matter jurisdiction, sua sponte, at any time during the pendency of the action ....”) (footnote omitted). “A plaintiff suing in a federal court must show in his pleading, affirmatively and distinctly, the existence of whatever is essential to federal jurisdiction, and, if he does not do so, the court, on having the defect called to its attention or on discovering the same, must dismiss the case, unless the defect be corrected by amendment.” Tosco Corp. v. Cmtys. for a Better Env't, 236 F.3d 495, 499 (9th Cir. 2001) (citation omitted), abrogated on other grounds by Hertz Corp. v. Friend, 559 U.S. 77, 82-83 (2010).
III. DISCUSSION
By the instant motion, Defendants seek an order dismissing the above-titled action on the grounds that (1) Plaintiff lacks Article III standing, and (2) that Plaintiff has failed to allege facts sufficient to support any of his claims for relief. Before addressing the merits of Plaintiff's claims, however, the Court must confirm its subject-matter jurisdiction. See Slick v. CableCom, LLC, No. 22-cv-03415, 2022 WL 4181003, *1 (N.D. Cal. Sept. 12, 2022) (noting that a court “cannot decide the motion to dismiss if it lacks subject matter jurisdiction”).
Plaintiff asserts that this Court has jurisdiction over this action under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d)(2). (Compl. ¶ 11). “CAFA vests the federal courts with ‘original' diversity jurisdiction over class actions [of 100 or more persons] if: (1) the aggregate amount in controversy exceeds $5,000,000, and (2) any class member is a citizen of a state different from any defendant.” Serrano v. 180 Connect, Inc., 478 F.3d 1018, 1020-21 (9th Cir. 2007) (citing 28 U.S.C. § 1332(d)(2)). The enactment of CAFA did not alter the longstanding rule that the proponent of federal jurisdiction bears the burden of establishing that jurisdiction. Abrego v. Dow Chem. Co., 443 F.3d 676, 686 (9th Cir. 2006). Here, Plaintiff has not properly pled that CAFA's amount in controversy requirement is met.
Plaintiff's prayer for relief is silent as to what amount of damages he seeks, (Compl. ¶ 88), and the Complaint otherwise fails to calculate or explain how the $5,000,000 bar will be met in light of the injuries alleged. (See generally id.). Further, Plaintiff's allegations of class numerosity is limited to an assertion that "thousands of Class Members received letters from Defendants notifying them that Defendants learned of suspicious activity that allowed one or more cybercriminals to access their system containing . . . [their PII.]” (Id. ¶ 26). Plaintiff does not provide any basis for the claim that there are thousands of putative class members, or that the combined amount in controversy would meet the jurisdictional threshold.
Plaintiff argues that satisfaction of the numerosity requirement is evidenced by the fact that Defendant submitted its data breach notification to the California Attorney General, thereby indicating that more than 500 California residents were impacted. (Resp. 13:20-27, ECF No. 23). According to Plaintiff, California law requires a company to submit a copy of a data breach notification only when more than 500 California residents are impacted by the breach. (Id.). Even assuming this as true, Plaintiff's evidence of the numerosity requirement fails to aid the Court in determining the amount in controversy requirement. At most, Plaintiff has shown that there are hundreds of class members rather than the thousands they pled in the Complaint.
Plaintiff's conclusory allegation that the amount in controversy exceeds $5,000,000 is insufficient, without supporting factual allegations, to establish that the amount in controversy requirement under CAFA has been met. See Ibarra v. Manheim Invs., Inc., 775 F.3d 1193, 1197 (9th Cir. 2015) (explaining that the proponent of federal jurisdiction, “has the burden to put forward evidence showing that the amount in controversy exceeds $5,000,000, to satisfy the requirements of CAFA, and to persuade the court that the estimate of damages in controversy is a reasonable one”); Doe by and through Pope v. Rady Children's Hospital-San Diego, No. 3:21-cv-00114, 2021 WL 5513510, at *2 (S.D. Cal. July 19, 2021) (determining that plaintiff's complaint in a data breach case involving a proposed class of 19,788 individuals, failed to show that the amount in controversy requirement of CAFA was met by solely relying only on conclusory assertions that damages exceeded $5,000,000). A party seeking federal jurisdiction needs only to put forward a “plausible allegation that the amount in controversy exceeds the jurisdictional threshold,” if their allegation is not challenged by the opposing party or questioned by the court. Dart Cherokee Basin Operating Co., LLC v. Owens, 574 U.S. 81, 89 (2014). Furthermore, a party “is permitted to rely on ‘a chain of reasoning that includes assumptions.'” Arias v. Residence Inn, 936 F.3d 920, 925 (9th Cir. 2019) (quoting Ibarra, 775 F.3d at 1199). However, “those assumptions cannot be pulled from thin air but need some reasonable ground underlying them.” Ibarra, 775 F.3d at 1199.
Because the Court has reservations about whether the amount in controversy meets the CAFA threshold, Plaintiff must support his allegations with evidence establishing the amount in controversy. Dart Cherokee, 574 U.S. at 89; see also Petkevicius v. NBTY, Inc., No. 3:14-cv-02616-CAB-(RBB), 2017 WL 1113295, at *4 (S.D. Cal. Mar. 24, 2017) (“[S]imply stating that the amount in controversy exceeds $5,000,000, without any specific factual allegations as to the actual amount sought by the plaintiffs does not constitute a good faith allegation of the amount in controversy any more than an allegation that ‘the parties are diverse' would be sufficient to establish the requisite diversity absent specific factual allegations of the citizenship of the parties.”). Here, the only support Plaintiff offers to show the amount in controversy requirement is met are past settlements of data breach and privacy cases for over $5,000,000. (Resp. 14:3-25, ECF No. 23). However, “the Court properly considers the amount Plaintiff[] put in controversy through the allegations in [his] Complaint, not what Defendants might ultimately pay in resolving the lawsuit.” Copple v. Arthur J. Gallegher & Co., No. 22-cv-0116, 2022 WL 3357865, at *7 (W.D. Wash. Aug. 2, 2022). Although evidence of past settlement amounts are relevant, they do not “resolve the question of the total amount of damages in controversy.” Id. Indeed, the settlement amounts reflect only negotiated resolutions made prior to trial; they do not show the potential total amount of damages. See Gonzalez v. CarMax Auto Superstores, LLC, 840 F.3d 644, 648 (9th Cir. 2016) (“[T]he amount in controversy [is] the amount at stake in the underlying litigation” which “includes any result of the litigation, excluding interests and costs, that entail[s] a payment by the defendant.”) (cleaned up and citations omitted).
Accordingly, Plaintiff's Complaint is DISMISSED without prejudice. Pursuant to 28 U.S.C. § 1653, Plaintiff is granted leave to file an amended complaint to cure the deficiencies identified by this Order. If Plaintiff chooses to file an amended complaint, he must do so no later than January 23, 2022. Any amended complaint must make a plausible showing that CAFA's jurisdictional threshold regarding the amount in controversy have been met. Failure to file an amended complaint will result in a final order dismissing this civil action either for want of subject matter jurisdiction or for failure to prosecute in compliance with a court order requiring amendment. See Lira v. Herrera, 427 F.3d 1164, 1169 (9th Cir. 2005) (“If a plaintiff does not take advantage of the opportunity to fix his complaint, a district court may convert the dismissal of the complaint into dismissal of the entire action.”).
IV. CONCLUSION
IT IS HEREBY ORDERED that Plaintiff's Complaint, (ECF No. 1), is DISMISSED without prejudice.
IT IS FURTHER ORDERED that Defendants' Motion to Dismiss, (ECF No. 17), is DENIED as moot.