Summary
granting a request for judicial notice for press releases issued by the IRS on the basis that "[p]ublically accessible websites and news articles are proper subjects of judicial notice"
Summary of this case from Barrett v. Apple Inc.Opinion
Case No. 5:15-cv-01778-EJD
05-15-2018
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS SECOND AND THIRD CLAIMS IN THIRD CONSOLIDATED AMENDED COMPLAINT
Re: Dkt. No. 140
I. INTRODUCTION
In the Third Consolidated Amended Complaint ("Complaint") Plaintiffs Christine Diaz ("Diaz") and Richard Brown ("Brown") allege that Defendant Intuit, Inc. ("Intuit"), knowingly allowed fraudsters to open fake accounts and file fraudulent federal and state tax returns through Intuit's TurboTax tax preparation software. Pursuant to Rule 12(b)(6), Fed.R.Civ.P., Intuit moves to dismiss the second claim for negligence brought by Brown and the third claim for aiding and abetting fraud brought by Brown and Diaz. The Court finds it appropriate to take the motion under submission for decision without oral argument pursuant to Civil Local Rule 7-1(b). For the reasons set forth below, Intuit's motion is granted.
II. BACKGROUND
Intuit develops and offers various financial and tax preparation software and related services, including TurboTax, a tax preparation software program. TurboTax can be utilized online or it can be downloaded and installed on a customer's personal computer. Inuit charges persons who file tax returns through TurboTax a "tax preparation fee" generally between approximately $50 and $150, in addition to other fees.
Plaintiffs allege that Intuit has known for years that fraudsters exploit Intuit's lax security in order to open fraudulent accounts with Intuit and file numerous fraudulent tax returns through TurboTax in other peoples' names. Intuit allegedly allows the fraud to occur through TurboTax in two ways: (a) Stolen Identity Refund Fraud ("SIRF"), where a fraudster gathers data about a taxpayer from outside means (such as the black market or "phishing"), creates a fraudulent, new TurboTax account in the victim's name, and files a fraudulent tax return in the victim's name through TurboTax; and (b) Account Takeover Refund Fraud ("ATO"), where a fraudster hacks into an existing TurboTax account and files a fraudulent return in the victim's name through TurboTax.
Intuit allegedly knew that it was allowing SIRF and ATO fraud to occur through TurboTax and that its allegedly lax security protocols were enabling and assisting the fraud. A document circulated among members of Inuit's Consumer Tax Group noted that as many as 10% of TurboTax's tens of millions of annual users were "malicious." Complaint, ¶28. An internal Intuit strategy presentation showed that the number of "suspicious" customers who successfully filed a return using TurboTax grew to approximately 2.5 million by 2012. Id., ¶29.
Intuit allegedly knew that the risk of fraud perpetrated through TurboTax was continuing to increase as the number of major external data breaches increased, exposing the personal identifying information of millions of Americans to would-be fraudsters. Despite knowledge of widely reported data breaches involving identify theft, and knowledge of SIRF and ATO fraud, Intuit allegedly maintained lax security policies. Intuit allegedly chose not to implement basic, fundamental security measures that were suggested by its own experts and by others. Moreover, Intuit eliminated one important protection it previously had in place—a multi-step authentication—in order to make it more convenient to open new accounts and to file returns (fraudulent and otherwise) through TurboTax and thereby generate more revenue for Intuit. The allegedly lax policies also included:
• allowing the re-use of the same Social Security number across numerous TurboTax accounts;
• failing to apply reasonable limits on the number of returns that could be filed from the same account and/or the same mailing address;
• permitting state returns to be filed without a corresponding federal return (an option which allegedly is recognized in the industry as facilitating the filing of fraudulent state returns and is not offered by Intuit's competitors);
• allowing TurboTax "tax preparation fees" to be paid from tax refund proceeds;
• permitting multiple tax refund payments to be delivered to the same bank account;
• allowing filers to receive tax refunds in non-traceable forms;
• providing a service that allows tax refunds to be directed to Intuit's affiliate Santa Barbara Tax Products Group (alternatively referred to as Santa Barbara Bank & Trust) which, after deducting tax preparation fees, sends the balance of the refund by non-traceable means and in non-traceable forms to fraudsters;
• failing to notify or timely notify consumers when fraudulent tax returns and/or tax returns that Intuit deemed "suspicious" were filed in their names;
• failing to timely notify tax authorities of returns Intuit deemed suspicious; and
• keeping open TurboTax accounts that were known to be used entirely for fraud and declining to flag as suspicious returns filed through such accounts.
Intuit allegedly made a deliberate and knowing decision to maintain the protocols described above to generate revenue and market share. Plaintiffs also allege that Intuit's desire to maximize fee revenue caused it to ignore the recommendations of its own security experts, Robert Lee and Shane MacDougall.
Plaintiff Brown was never a TurboTax customer; he never used TurboTax or purchased Turbo Tax software. Brown alleges that Intuit allowed fraudulent tax return(s) to be filed in his name through TurboTax. The first time Brown learned that anything was wrong was when his accountant informed him that he could not e-file his 2014 federal tax return because a fraudulent 2014 tax return had already been filed using his Social Security number. Brown also received a bill from Intuit.
Plaintiff Diaz purchased the desktop version of TurboTax and used it to e-file her tax year 2010 Ohio state and federal tax returns. Since then, Diaz has not used TurboTax. Diaz alleges that Intuit allowed fraudulent tax return(s) to be filed in her name through TurboTax. Diaz learned about the fraudulent tax returns when she received a bill from Intuit for e-filings in her name for Tax Year 2014 for state tax returns in Michigan, Missouri, Ohio and Oklahoma and for a Tax Year 2014 federal home and business tax return. Both Plaintiffs allege that they were the victims of SIRF fraud.
III. STANDARDS
A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of claims alleged in the complaint. Fed.R.Civ.P. 12(b)(6); Parks School of Business, Inc. v. Symington, 51 F.3d 1480, 1484 (9th Cir. 1995). Dismissal "is proper only where there is no cognizable legal theory or an absence of sufficient facts alleged to support a cognizable legal theory." Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). The complaint "must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
IV. DISCUSSION
A. Defendant's Request for Judicial Notice
Intuit requests that the Court take judicial notice of eighteen documents. Plaintiffs oppose the request to the extent Intuit is "improperly trying to use it . . . to challenge the merits, as opposed to the sufficiency, of Plaintiffs' allegations." Plaintiffs' Opposition, p.1. Plaintiffs also disagree with the inferences Intuit seeks to draw from several of the documents. Further, Plaintiffs contend that several documents are not the proper subject of judicial notice and/or are not relevant.
Pursuant to Federal Rule of Evidence 201, a court may judicially notice a fact that is not subject to reasonable dispute because it is generally known or can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned. Defendant's request is granted as to (1) a copy of internal Intuit records related to tax returns associated with a taxpayer whose name and Social Security number match Plaintiff Brown because these records are quoted and incorporated by reference in the Complaint. Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322 (2007) ("[C]ourts must consider the complaint in its entirety, as well as other sources courts ordinarily examine when ruling on Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice."); see also Branch v. Tunnell, 14 F.3d 449, 454 (9th Cir. 1994) ("[D]ocuments whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the pleading, may be considered in ruling on a Rule 12(b)(6) motion to dismiss"), overruled on other grounds by Galbraith v. Cty. Of Santa Clara, 307 F.3d 1119 (9th Cir. 2002).
Intuit's request is also granted as to the following IRS documents: (2) a copy of IRS Publication 1345 ("Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns"); (3) a copy of IRS Publication 3112 ("IRS e-file Application and Participation"); and (4) a copy of IRS Publication 3415 ("Electronic Tax Administration Advisory Committee's Annual Report to Congress"). A court may take judicial notice of records and reports of administrative bodies. See United States v. 14.02 Acres, 547 F.3d 943, 955 (9th Cir. 2008) (judicial notice is appropriate for records and reports of administrative bodies); Pasillas v. Deutsche Bank Nat'l Trust Co., No. 12-04123 LHK, 2014 WL 1006300, at *3 n.6 (N.D. Cal. Mar. 12, 2014) (taking judicial notice of IRS publication). Intuit's request is also granted as to (5) a copy of IRS Commissioner John Koskinen's October 20, 2015 Remarks at a Security Summit Press Briefing, and a copy of Commissioner Koskinen's June 11, 2015 Press Remarks regarding the Security Summit; (6) a copy of an IRS press release dated April 3, 2014, entitled "As efile Grows, IRS Receives Fewer Returns on Paper" and a copy of an IRS press release dated January 14, 2016, entitled "IRS Ready to Start 2016 Tax Season: Encourages use of IRS.gov and e-File; Works with States, Industry on Identity Theft Refund Fraud"; (7) a copy of a webpage about the Electronic Tax Administration Advisory Committee (ETAAC), (8) a copy of an IRS webpage entitled "Get An Identity Protection PIN (IP PIN)"; (9) a copy of an IRS fact sheet dated January 2015, entitled "IRS Combats Identity Theft and Refund Fraud on Many Fronts"; (10) a copy of an IRS Tax Tip dated July 2017 entitled "Choosing the Correct Filing Status"; and (11) a copy of the IRS's Section 7216 FAQ webpage, entitled "Section 7216 Frequently Asked Questions." Publically accessible websites and news articles are proper subjects of judicial notice. Minor v. FedEx Office & Print Servs., Inc., 182 F. Supp.3d 966, 974 (N.D. Cal. 2016) (websites); Spitzer v. Aljoe, No. 13-05442 MEJ, 2016 WL 3275148, at *4 (N.D. Cal. June 15 2016) (newspaper articles). The Court takes judicial notice that these publications were in the public realm at the time they were issued, but not for the truth of their contents. Brodsky v. Yahoo! Inc., 630 F.Supp.2d 1104, 1111 (N.D. Cal. 2009).
Intuit's request is denied as to (12) a copy of the Class Action Complaint (obtained from ECF) filed in Welborn v. Internal Revenue Service, et al., Case No. 1:15-cv-01352-RMC (D.D.C., filed Aug. 20, 2015); (13) a copy of the complaint filed in Krippendorf v. United States of America, Office of Personnel Management, et al., Case No. 1:15-cv-01321-ABJ (D.D.C., filed Aug. 14, 2015) and a copy of the Initial Practice and Procedural Order in In re U.S. Office of Personnel Management Data Security Breach Litigation, 1:15-mc-1394 (ABJ); MDL Docket No. 2664 (D.D.C., filed Nov. 10, 2015). Although court documents and pleadings in other litigations are judicially noticeable (see, e.g., Reyn's Pasta Bella, LLC v. Visa USA, Inc., 442 F.3d 741, 746 n.6 (9th Cir. 2006)), these documents are not relevant to the issues raised in the motion before the Court. Intuit's request is similarly denied as to the remaining documents because they are not relevant: (14) a copy of a TurboTax FAQ entitled "How do I import or enter my W-2?"; (15) a copy of a webpage about H&R Block's options for customers to pay for tax preparation fees via refund transfer and to receive their tax refunds on a prepaid card; (16) a copy of a webpage about Jackson Hewitt's options for customers to receive their tax refund on a prepaid card; (17) a copy of a webpage about Liberty Tax's options for customers to pay for tax preparation fees via refund transfer and to receive their tax refunds on a prepaid card; and (18) a copy of a Washington Post article dated March 1, 2016, entitled "Can you tell the real TurboTax email from the scam?"
B. Brown's Negligence Claim
In order to plead a claim for negligence under California law, a plaintiff must establish the following elements: (1) the defendant owed a legal duty to use due care, (2) a breach of that duty, and (3) the breach was the proximate or legal cause of the resulting injury. Ladd v. Cnty. of San Mateo, 12 Cal. 4th 913, 917 (1996). "Whether a legal duty arises is a 'question of law which is simply an expression of the sum total of the policy considerations that lead a court to conclude that a particular plaintiff is entitled to protection.'" Ileto v. Glock Inc., 349 F.3d 1191, 1203 (9th Cir. 2003) (quoting Jacoves v. United Merchandising Corp., 9 Cal.App.4th 88, 114 (1992)). The general rule in California is that all persons have a duty "to use ordinary care to prevent others being injured as a result of their conduct." Rowland v. Christian, 69 Cal.2d 108, 112 (1968). In determining whether to impose a legal duty, courts consider the factors set forth in Rowland v. Christian, 69 Cal.2d 108 (1968), including:
[F]oreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, the policy of preventing future harm, the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.
Id. at 113. The most important factor in establishing a duty is foreseeability. Dillon v. Legg, 68 Cal.2d 728, 740 (1968); Tarasoff v. Regents of Univ. of Calif., 17 Cal.3d 425, 434-35 (1976).
When analyzing whether there is a duty of care, a court does not decide "if a particular plaintiff's injury was reasonably foreseeable in light of a particular defendant's conduct" but instead evaluates more generally whether "the category of negligent conduct at issue is sufficiently likely to result in the kind of harm experienced." Ballard v. Uribe, 41 Cal.3d 564, 572-3 n.6 (1986) (emphasis in original).
The Court previously held that the allegations in the Second Consolidated Amended Complaint were insufficient to support a negligence claim because Brown's alleged injury was not reasonably foreseeable. Brown was not a TurboTax customer and never provided personal identifying information to Intuit and there were no allegations of "suspicious circumstances" or "danger signals" that would have or should have placed Intuit on notice of potential harm to Brown.
See Sun 'n Sand, Inc. v. United California Bank, 21 Cal.3d 671, 695-96 (1978).
See Software Design & Application, Ltd. v. Hoefer & Arnett, Inc., 49 Cal.App.4th 472 (1996).
The allegations in the current Complaint suffer from the same defects. Contrary to Plaintiffs' assertion, it is not enough to generally plead that identity theft is foreseeable, that tax fraud committed through identity theft is foreseeable, or that tax fraud committed through TurboTax is foreseeable. See E-Shops Corp. v. U.S. Bank Nat'l Ass'n, 678 F.3d 659 (8th Cir. 2012) (general allegations that an unspecified data breach occurred within U.S. Bank's computer system which enabled unidentified third parties to access cardholder information to make fraudulent transaction held insufficient to establish Bank's knowledge that the particular transactions at issue were fraudulent). Instead, the relevant inquiry is "whether the category of negligent conduct at issue is sufficiently likely to result in the kind of harm experienced that liability may appropriately be imposed on the negligent party." Ileto v. Glock, 349 F.3d at 1204 (quoting Ballard, supra). Here, the alleged category of negligent conduct consists essentially of Intuit's failure to use reasonable means to detect and prevent the misuse of TurboTax for the preparation and filing of tax returns. In evaluating whether liability should be imposed for this alleged category of negligent conduct and the resulting harm to Brown, it bears emphasizing that there is no general duty to protect against the conduct of another in the absence of a special relationship. Tarasoff, 17 Cal.3d at 435. As such, courts have consistently refused to impose a duty of care in the context of financial transactions involving fraud and identity theft. See e.g. QDOS, Inc. v. Signature Financial, LLC, 17 Cal.App.5th 990, 998 (2017) (no duty for high-end sports car seller to investigate when presented with a validly endorsed check made out to seller drawn from account of a third party); Burns v. Neiman Marcus Grp., Inc., 173 Cal.App.4th 479, 488-90 (2009) (retailer had no duty to inquire before accepting plaintiff's checks to pay off a retail employee's store credit card); Casey v. U.S. Bank Nat'l Ass'n, 127 Cal.App.4th 1138, 1149 (2005) (bank owes no duty to nondepositors to investigate or disclose suspicious activities); Karen Kane, Inc. v. Bank of America, 67 Cal.App.4th 1192, 1198-99 (1998) (bank owed no duty of inquiry to non-customer merchant). In the banking context, the California Supreme Court carved out a narrow exception in imposing on a bank a limited duty to noncustomers when there is "objective indicia" of fraud. Sun 'n Sand, Inc. v. United California Bank, 21 Cal.3d at 695. To "activate" a duty of care, there must be circumstances that are "sufficiently suspicious" to alert the defendant of fraud. Id.
Plaintiffs cite to several negligence cases involving personal injury. See Collins v. Navistar, Inc., 214 Cal.App.4th 1486, 1508 (2013); O'Hara v. W. Seven Trees Corp., 75 Cal.App.3d 798, 803 (1977); Pamela L. v. Farmer, 112 Cal.App.3d 206, 209 (1980); T.H. v. Norvartis Pharm. Corp., 407 P.3d 18, 37 (2017). The cases are clearly factually distinguishable from the instant action and will not be addressed herein.
In this case, a fraudster used Brown's real phone number, address and Social Security number to create a fake TurboTax account. Complaint, ¶111. Brown does not allege that the fraudsters' use of his personal identifying information to open an account was in any way "suspicious" or raised "danger signals." Instead, Brown alleges that Intuit recognized that the account came from a "High Risk Domain"—Hushmail.com:
Intuit specifically and contemporaneously recognized the account opened by the fraudster in Mr. Brown's name as coming from a "High Risk Domain," and generated an instruction to "Please ask
taxpayer to fax ID, W-2 and SS card to 858-430-3104." On information and belief, these additional materials/information were not ultimately received by Intuit. Still, despite the information that it had, Intuit made no effort to contact or notify Mr. Brown about the account or the e-filing or confirm the legitimacy thereof, or to stop the fraudster from creating and using the fraudulent TurboTax account, and Intuit processed the fraudulent return through TurboTax. A simple contact to Mr. Brown using the contact information it was provided, for example, could have alerted Mr. Brown immediately to the fraudster's activities, and stopped the fraud from occurring.
Id. This single indicator of alleged fraud—use of a "High Risk Domain"—does not create circumstances sufficiently suspicious to alert Intuit of fraud. Brown does not allege that email accounts issued by Hushmail.com are used for wholly fraudulent purposes. Nor does he allege that legitimate TurboTax customers would never use a Hushmail.com email address. In the absence of these types of allegations, the use of Hushmail.com is insufficient to establish Intuit's actual knowledge of fraud. This single indicator of alleged fraud stands in sharp contrast to the objective indicia of fraud that "activated" a duty of care in Sun 'n Sand, i.e. checks that were altered significantly to raise the amount payable, drawn payable to the order of the defendant bank, and presented to the bank by a third party seeking to negotiate the checks for his own benefit. To impose a duty of care on the basis of an email coming from an allegedly "High Risk Domain," in the absence of other objective indicia of fraud, would "stretch the concept of foreseeability of harm in determining duty beyond recognition." Burns, 173 Cal.App.4th at 489. Because the alleged harm to Brown was not foreseeable, the negligence claim fails as a matter of law.
C. Aiding and Abetting Fraud Claim
Liability may be imposed "on one who aids and abets the commission of an intentional tort if the person (a) knows the other's conduct constitutes a breach of duty and gives substantial assistance or encouragement to the other to so act or (b) gives substantial assistance to the other in accomplishing a tortious result and the person's own conduct, separately considered, constitutes a breach of duty to the third person." Saunders v. Super. Ct., 27 Cal. App.4th 832, 846 (1994). To satisfy the knowledge element, an aider and abettor must have "actual knowledge of the specific primary wrong the defendant substantially assisted." In re First Alliance Mortg. Co., 471 F.3d 977, 993 (9th Cir. 2006) (quoting Casey v. U.S. Bank National Assn., 127 Cal.App.4th at 1145); see also Neilson v. Union Bank of Cal., N.A., 290 F.Supp.2d 1101, 1119 (C.D. Cal. 2003) (plaintiff must plead actual knowledge of the primary violation); Howard v. Superior Court, 2 Cal.App.4th 745, 749 (1992) ("while aiding and abetting may not require a defendant to agree to join the wrongful conduct, it necessarily requires a defendant to reach a conscious decision to participate in tortious activity for the purpose of assisting another in performing a wrongful act"); Gerard v. Ross, 204 Cal.App.3d 968, 983 (1988) ("A defendant can be held liable as a co-tortfeasor on the basis of acting in concert only if he or she knew that a tort had been, or was to be, committed, and acted with the intent of facilitating the commission of that tort."); Resolution Trust Corp. v. Rowe, No. 90-20114 BAC, 1993 WL 183512, at *6 (N.D. Cal. Feb. 8, 1993) (actual knowledge and intent are required to impose aiding and abetting liability).
Pursuant to Rule 9(b), Fed.R.Civ.P., fraud, including aiding and abetting fraud, must be pled with particularity. In re Countrywide Financial Corp. Mortgage-Backed Securities Litigation, Nos. 11-2265 MRP, 12-04775 MRP, 2013 WL 8116709, at *2 (C.D. Cal. Jan. 10, 2013). Rule 9(b), Fed.R.Civ.P., permits knowledge to be pled generally. Neilson, 290 F.Supp.2d at 1119. "Although this obviates the necessity of pleading detailed facts supporting allegations of knowledge, it does not relieve a pleader of the burden of alleging the nature of the knowledge a defendant purportedly possessed." Id.
Despite the new allegations added to the Complaint, Plaintiffs' allegations remain insufficient to establish a claim for aiding and abetting. Plaintiffs allege that Intuit generally knew tax fraud was occurring on a massive scale every year through Turbo Tax and that Intuit deliberately implemented policies that it knew directly enabled and encouraged the fraud. Lacking, however, are allegations of "actual knowledge of the specific primary wrong" against Plaintiffs. In re First Alliance Mortg. Co., 471 F.3d at 993 (bank that had conducted investigation and received reports that detailed fraudulent practices of mortgage company held liable for aiding and abetting mortgage company). Plaintiff Brown alleges that "Intuit had contemporaneous information identifying" the false returns filed in his name as "malicious." Complaint, ¶110. Brown also alleges that "Intuit specifically and contemporaneously recognized the account opened by the fraudster in [his] name as coming from a 'High Risk Domain,' and its systems thus generated an instruction to 'Please ask taxpayer to fax ID, W-2 and SS Card to 858-430-3105.'" Complaint, ¶ 111. Although Plaintiffs' allegations may support an inference that Intuit was suspicious of potential fraud or knew that there was a risk of fraud, the allegations are insufficient to show that Intuit had "actual knowledge" of fraud associated with the account opened with Brown's personal identifying information. See E-Shops Corp. v. U.S. Bank Nat'l Ass'n, 678 F.3d at 664 ("The single suggestion that a change of address after a number of large orders signals identity theft is attenuated when, in the ordinary course of banking business, cardholders change their address for various unspecified reasons." ). "[T]he actual knowledge standard [ ] require[s] more than a vague suspicion of wrongdoing." In re First Alliance Mortg. Co., 471 F.3d at 993 n.4.
Plaintiffs also fail to allege that Intuit had actual knowledge that tax returns submitted in Plaintiff Diaz's name were fraudulent. Diaz alleges that "Intuit had contemporaneous information identifying" the tax filings in her name as "malicious." Complaint, ¶ 123. This allegation lacks any factual basis and is too vague and conclusory to support an inference that Intuit had actual knowledge of fraud. Plaintiffs next allege the following:
While discovery is ongoing, certain materials produced by Intuit indicate as follows: In or around 2015, at least five fake TurboTax accounts with different usernames were opened and registered to a single email address, derekdiaz74@yahoo.com. Though it was able to link the personal information submitted for these fake accounts to personal information it already had regarding Ms. Diaz and her husband, Intuit made no effort to contact Ms. Diaz or her husband to alert them regarding the opening of these five new accounts or to confirm the legitimacy of same. At or around 3:16 a.m. on January 21, 2015, ten electronic tax filings were attempted using Ms. Diaz's and her husband's Social Security numbers through one of the five new, fake accounts. The attempted filings included state tax return filings in Ohio, Michigan, Oklahoma, Missouri, and a federal tax return filing with the IRS. Even though Intuit knew these attempted filings were done in Ms. Diaz's name and Social Security number
and were done using not only a different account and email address than the TurboTax account/email address Ms. Diaz had used previously, but also done using one of five separate accounts that the fraudster had recently opened using the same personal information, Intuit made no effort to contact Ms. Diaz to alert her regarding this activity or to confirm the legitimacy thereof, or to stop the fraudster from creating and using the fraudulent TurboTax accounts. A simple contact to Ms. Diaz, for example, could have alerted her immediately to the fraudster's activities, and stopped the fraud from occurring. Intuit did not immediately forward these ten tax return filings to the appropriate state or federal agencies. Instead, Intuit identified several problems with these attempted e-filings but again made no effort to notify Ms. Diaz about this unusual and suspicious activity. In fact, despite the problematic nature of these attempted filings, Intuit took measures to assist the fraudster, and sent a "Hold Message" to derekdiaz74@yahoo.com, stating:
We have identified an issue within the TurboTax product associated with the Import Feature of one or more of your W-2's. This issue may have resulted in a duplication of the amounts in boxes 12, 14, and 15-20. To correct the issue, please return to TurboTax and select the Review tab. Follow the prompts that come up to re-file your return.
At or around 8:34 p.m. on January 22, 2015 another ten filings were attempted by the fraudster in Ms. Diaz's name and Social Security number, again using one of the five new false accounts, including state tax return filings in Ohio, Michigan, Oklahoma, Missouri, and a federal tax return filing with the IRS. Presumably, the fraudster followed the "prompts" provided by Intuit when resubmitting these fraudulent returns. Despite the information that it had, Intuit made no effort to notify Ms. Diaz about the e-filings, or to stop the fraudster from creating and using the fraudulent TurboTax accounts, and Intuit processed the fraudulent returns through TurboTax.
Complaint, ¶ 124. Plaintiffs allege that based upon the information Intuit had, Intuit "knew that the accounts opened in Diaz's name and returns filed through those accounts were fraudulent or at the least were highly likely to be fraudulent." Id., ¶125. Conspicuously absent, however, are any allegations specifying when Intuit learned of the use of a different account and email address, the use of multiple new usernames, and the numerous attempts at filing tax return. Plaintiffs allege only vaguely that Intuit "was able to link the personal information submitted for these fake accounts to personal information it already had regarding Ms. Diaz and her husband" without alleging when Intuit "was able" to make this link. Plaintiffs do not allege that Intuit made this link at the time Intuit transmitted the tax returns in Diaz's name. Moreover, even if Intuit knew of the account activity described above at or near the time Intuit transmitted tax returns in Diaz's name, it does not necessarily follow that Intuit knew of actual fraud. Plaintiffs do not allege that Intuit could distinguish with certainty legitimate tax returns from fraudulent tax returns at the time of filing based upon the account activity associated with Diaz's name. At most, the account activity may have or should have given Intuit reason to suspect fraud, which is insufficient to support an aiding and abetting claim. See Casey v. U.S. Bank National Assn., 127 Cal.App.4th at 1147-1149 (allegations that defendant knew "something fishy was going on" insufficient to establish actual knowledge because "suspicion and surmise do not constitute actual knowledge").
Plaintiffs acknowledge in their Complaint that their allegations are predicated upon materials produced by Intuit during discovery. Complaint, ¶124. Intuit explains that in response to Plaintiffs' discovery, Intuit used information provided by Diaz and her husband "to retroactively analyze tax returns previously submitted to the IRS and state revenue agencies and identify fraudulent tax returns filed in their names." Intuit's Motion, p.11. Plaintiffs do not allege that Intuit could have or did conduct such an analysis at the time of the fraudulent activity. --------
The aiding and abetting also fails because Plaintiffs does not allege sufficient facts to establish that Intuit gave substantial assistance to the alleged fraud perpetrated against Brown and Diaz. Substantial assistance requires a "significant and active, as well as a knowing participation in the wrong." Alfus v. Pyramid Tech. Corp., 745 F.Supp. 1511, 1520 (N.D. Cal. 1990) (citation omitted); see also Howard v. Superior Court, 2 Cal.App.4th 745, 749 (1992) ("while aiding and abetting may not require a defendant to agree to join the wrongful conduct, it necessarily requires a defendant to reach a conscious decision to participate in tortious activity for the purpose of assisting another in performing a wrongful act").
Here, Plaintiffs allege that Intuit knew Brown's personal identifying information was being used to create a TurboTax account associated with a "High Risk Domain Name," and yet made no effort to contact or notify Brown. Complaint, ¶111. Diaz similarly alleges that Intuit identified several problems with efilings in her name, but Intuit made no effort to notify Ms. Diaz about the unusual and suspicious activity. Id., ¶124. These and other failure to act allegations regarding, inter alia, maintaining deficient protocols, policies and practices enabling fraud, failing to provide notice, and failing to provide data to the IRS or state tax agencies (Complaint, ¶¶38-64, 228, 229, 233, 237-38, 240) are insufficient to establish substantial assistance for purposes of aiding and abetting liability. See Fiol v. Doellstedt, 50 Cal.App.4th 1318, 1326 (1996) ("Mere knowledge that a tort is being committed and the failure to prevent it does not constitute aiding and abetting.").
Plaintiffs attempt to allege several ways in which Intuit purportedly provided affirmative assistance to fraudsters, all of which are deficient. Among other things, Intuit allegedly modified its fraud prevention technology with the goal of blocking fewer suspicious users, eliminated multi-step authentication, allowed the re-use of the same Social Security number across numerous accounts, and permitted filers to file state tax returns without filing a corresponding federal return. Complaint, ¶¶43, 46, 47, 51. Lacking, however, are any allegations connecting the alleged acts of affirmative assistance to the fraudulent returns filed in Plaintiffs' names. See In re Mortgage Fund '08 LLC, 527 B.R. 351, 365 (N.D. Cal. 2015) ("To plead substantial assistance, a plaintiff must allege that the defendant's conduct was a substantial factor in bringing about the injury allegedly suffered by the plaintiff."); see also United States v. United Healthcare Ins. Co., 848 F.3d 1161, 1181-82 (9th Cir. 2016) (allegations describing some details of a generalized fraud scheme insufficient under Rule 9(b) because allegations "provide[d] no details linking" defendants to scheme).
With respect to Diaz, Plaintiffs allege that Intuit affirmatively assisted the fraud by notifying the putative taxpayer of a potential error. Complaint, ¶124. This error message is too insignificant and passive to constitute substantial assistance. Alfus v. Pyramid Tech. Corp., 745 F.Supp. at 1520. The error message fails to establish that Intuit "reach[ed] a conscious decision to participate in tortious activity for the purpose of assisting another in performing a wrongful act." Howard v. Superior Court, 2 Cal.App.4th 745, 749 (1992).
Two affirmative acts relate to processing payments and refunds: Intuit allows TurboTax fees to be paid from refund proceeds and allows refunds to be paid by non-traceable means. Complaint, ¶¶228, 231-32. Although in theory these two services offered by Intuit may facilitate fraud, the Complaint does not include any allegation that Intuit knew these services were used by fraudsters to commit fraud against Brown and Diaz. See In re Mortgage Fund '08 LLC, 527 B.R. at 365 (N.D. Cal. 2015. Indeed, with respect to payment of TurboTax fees, Plaintiffs' allegations are to the contrary: Brown and Diaz allege that they each received bills from Intuit. Complaint, ¶¶114, 127. Lastly, Plaintiffs allege that Intuit provided affirmative assistance by transmitting "suspicious" tax returns. Transmission of the allegedly "suspicious" tax returns, without more, is insufficient to establish substantial assistance because Intuit is required by law to transmit returns within three days. IRS Pub. 1345, p. 34.
The cases relied upon by Plaintiffs are readily distinguishable from the instant action. In, Facebook, Inc. v. MaxBounty, Inc., No. 10-04712 JF, 2011 WL 4346514, at *4 (N.D. Cal. Sept. 14, 2011), Facebook alleged, among other things, that the aider and abettor interacted with a specifically identified primary tortfeasor, providing encouragement, direction, and even technical support to implement the alleged fraud. Here, Plaintiffs have not alleged that Intuit provided encouragement, direction or technical support directly to a specific fraudster. In Benson v. JP Morgan Chase Bank, N.A., Nos. 09-5272 EMC, 09-5560 EMC, 2010 WL 1526394, at *4 (N.D. Cal. Apr. 15, 2010), the plaintiffs alleged facts showing that a bank aided and abetted the primary tortfeasor, who was identified by name, in a Ponzi scheme by allowing the tortfeasor and his associates to deposit monies into accounts, permitting them to commingle funds, allowing them to transfer large amounts of investment deposits to offshore banking accounts, allowing the tortfeasor to use investor monies to pay for personal expenses, and authorizing remote banking platforms that prevented oversight. In contrast, Plaintiffs in this case fail to allege the identity of any primary tortfeasor, much less that the Intuit knew that a specific tortfeasor was committing fraud using Plaintiffs' personal identifying information or that Intuit made a conscious decision to participate in the fraud.
V. CONCLUSION
For the reasons set forth above, Intuit's motion to dismiss Plaintiffs' second and third claims is GRANTED. The Court sets a case management conference for June 7, 2018 at 10:00 a.m. The Parties shall file a joint case management statement in accordance with Local Rule 16-8 no later than May 25, 2018.
IT IS SO ORDERED. Dated: May 15, 2018
/s/_________
EDWARD J. DAVILA
United States District Judge