Case Number: 17STLC03822 Hearing Date: January 16, 2018 Dept: 77

Defendant Equifax Information Services, LLC’s Demurrer to Complaint is SUSTAINED with 20 days’ leave to amend.

Background

On September 21, 2017, Plaintiff Michelle Rehn (“Plaintiff”) filed this action against Defendant Equifax Information Services, LLC (“Defendant”), alleging one cause of action for violation of California Data Breach Act, Civ. Code § 1798.80 et seq. This action arose from an alleged data breach of Plaintiff’s personal information held by Defendant.

On November 13, 2017, Defendant filed a Demurrer. On December 28, 2017, Plaintiff filed her Opposition. On January 8, 2018, Defendant filed a Reply.

Meet and Confer

Pursuant to CCP § 430.41(a), “[b]efore filing a demurrer pursuant to this chapter, the demurring party shall meet and confer in person or by telephone with the party who filed the pleading that is subject to demurrer for the purpose of determining whether an agreement can be reached that would resolve the objections to be raised in the demurrer.”

Defendant has submitted a declaration stating its counsel met and conferred with Plaintiff’s counsel, but was unable to reach an agreement resolving the objections raised in the Demurrer. (See Morris Decl. ¶ 2.)

Timeliness of the Demurrer

CCP § 430.40(a) states, “[a] person against whom a complaint or cross-complaint has been filed may, within 30 days after service of the complaint or cross-complaint, demur to the complaint or cross-complaint.” Courts have the discretion to consider untimely demurrer so long as their action does not affect the substantial rights of parties. (Jackson v. Doe (2011) 192 Cal.App.4th 742, 749.)

Here, the Proof of Service shows that the Summons and Complaint were served on October 13, 2017. The Demurrer was filed on November 13, 2017. Therefore, the Court finds that the Demurrer is timely.

Legal Standards

“A demurrer tests the legal sufficiency of the factual allegations in a complaint.” (Ivanoff v. Bank of America, N.A. (2017) 9 Cal.App.5th 719, 725.) The Court looks to whether “the complaint alleges facts sufficient to state a cause of action or discloses a complete defense.” (Id.) The court “assume[s] the truth of the properly pleaded factual allegations, facts that reasonably can be inferred from those expressly pleaded and matters of which judicial notice has been taken.” (Id.) The court liberally construes the pleading with a view to substantial justice between the parties. (Id. at 726.) “This rule of liberal construction means that the reviewing court draws inferences favorable to the plaintiff, not the defendant.” (Perez v. Golden Empire Transit Dist. (2012) 209 Cal.App.4th 1228, 1238.) Allegations in the complaint must not be read in isolation for purposes of a demurrer or a motion to strike. (Perkins v. Superior Court (1981) 117 Cal.App.3d 1, 6.)

“Where the defect raised by a motion to strike or by demurrer is reasonably capable of cure, ‘leave to amend is routinely and liberally granted to give the plaintiff a chance to cure the defect in question.’” (CLD Const., Inc. v. City of San Ramon (2004) 120 Cal.App.4th 1141, 114.)

Discussion

A. Violation of California Data Breach Act, Civ. Code § 1798.80 et seq. (First Cause of Action)

Civ. Code § 1798.82(a) states: “A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” (Italics added.)

Civ. Code § 1798.82(c) states: “The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made promptly after the law enforcement agency determines that it will not compromise the investigation.”

Pursuant to Civ. Code § 1798.81.5(b), “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” (Italics added.)

The Complaint alleges that Defendant “organizes, assimilates and analyzes data on more than 820 million customers . . . worldwide.” (Compl. ¶ 5.) The Complaint further alleges that “in or around May through July 2017, the personal information data of approximately 143 million Americans was exposed as a result of a data breach.” (Id. ¶ 6.) Importantly, Plaintiff alleges that Defendant failed to timely notify her that “her personal identifying information was part of the breach” (id. ¶ 7) as required by Civ. Code § 1798.82 and implemented reasonable measures to protect her personal data as required by Civ. Code § 1798.81.5 (id. ¶ 16). Plaintiff alleges that she did not know she was impacted by the data breach until she visited Defendant’s website. (Id. ¶¶ 9-10, 17.) Because of the breach, Plaintiff alleges she suffered emotional distress and the prospect of identity theft. (Id. ¶ 11.)

i. Personal Information as Defined by Civ. Code § 1798.82(h)

Defendant contends that Plaintiff fails to allege what personal information as defined by Civ. Code § 1798.82(h) was breached. (Demurrer p. 4.) Defendant then appears to contend that “personal information” as alleged by Plaintiff is uncertain, but also then appears to argue that Plaintiff fails to sufficiently allege what personal information was breached. (Id.)

To the extent Defendant is demurring to the meaning of “personal information” for uncertainty, it is improper. Special demurrers for uncertainty are not permitted in a limited jurisdiction court. (Code Civ. Proc., § 92(c); see also Butler v. Sequeira (1950) 100 Cal.App.2d 143, 145–146 [“A special demurrer for uncertainty is not intended to reach the failure to incorporate sufficient facts in the pleading, but is directed at the uncertainty existing in the allegations actually made.”].)

To the extent Plaintiff is demurring to the Complaint for failure to sufficiently allege “personal information” as defined by Civ. Code § 1798.82(h), the Court is not persuaded. The Court notes that allegations in the complaint must not be read in isolation (Perkins, supra, 117 Cal.App.3d at 6), and the Court must construe the Complaint liberally in favor of Plaintiff (Perez, supra, 209 Cal.App.4th at 1238). The Court notes that Plaintiff alleges that the data breach affected personal information of 143 million Americans, which included her. (Compl. ¶¶ 6-10.) Plaintiff further alleges that the personal information that was breached included “social security numbers, birth dates, addresses and, in some instances, driver’s license numbers.” (Id. ¶ 6.) Thus, Plaintiff has sufficiently alleged “personal information” as defined by Civ. Code § 1798.82(h).

ii. Damages

Civ. Code § 1798.84(b) states: “Any customer injured by a violation of this title may institute a civil action to recover damages.”

Civ. Code § 1798.84(c) provides: “[i]n addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.”

Defendant contends that Plaintiff fails to sufficiently allege her statutory damages and emotional distress damages. (Demurrer pp. 4-5; Reply pp. 3-4.) Defendant contends that Plaintiff fails to allege how Defendant acted willfully, intentionally, or recklessly as required by Civ. Code § 1798.84(c). (Demurrer pp. 4-5.) The Court notes, however, that the issue of damages here does not depend on Civ. Code § 1798.84(c) as Plaintiff has alleged emotional distress damages. The Court notes that Civ. Code § 1798.84(b) provides that Plaintiff can bring the instant action for any damages and does not bar emotional distress damages.

In reply, Defendant contends that emotional distress damages are not plausible because “Plaintiff’s harm did not occur until she was informed of the breach, so there can be no harm in any alleged delay in notifying her about the breach.” (Reply p. 4.) As discussed above, Plaintiff’s first cause of action does not depend on Civ. Code § 1798.82 (unreasonable delay in notification) as Plaintiff also alleges a violation of Civ. Code § 1798.81.5(b) (failure to implement reasonable security measures). Accordingly, Plaintiff may allege emotional distress damages caused by violation of Civ. Code § 1798.84(b). For this reason, the Court finds that Plaintiff has sufficiently alleged the element of damages of her claim.

To the extent Defendant is demurring to Plaintiff’s prayer for statutory damages (as distinct from failure to allege the element of damages), it is improper to raise this issue in a demurrer. “A demurrer is not the appropriate vehicle to challenge a portion of a cause of action demanding an improper remedy.” (Caliber Bodyworks, Inc. v. Superior Court (2005) 134 Cal.App.4th 365, 384; see also Kong v. City of Hawaiian Gardens Redevelopment Agency (2002) 108 Cal.App.4th 1028, 1047 [“a demurrer cannot rightfully be sustained to part of a cause of action or to a particular type of damage or remedy.”].)

iii. Failure to Allege Sufficient Facts

Defendant also contends that Plaintiff alleges in a conclusory manner that it failed to “timely” provide notice to Plaintiff of the data breach (in violation of Civ. Code § 1798.82) and to implement “reasonable measures” (in violation of Civ. Code § 1798.81.5(b)) to protect her personal data. (Demurrer pp. 2-4.)

As an initial matter, Plaintiff’s first cause of action is premised on the violation of Civ. Code § 1798.82 and § 1798.81.5. “A demurrer does not lie to a portion of a cause of action.” (PH II, Inc. v. Superior Court (1995) 33 Cal.App.4th 1680, 1682.) Thus, in order for the Court to sustain the Demurrer, the Court must find that Plaintiff fails to allege sufficient facts as to the violation of both Civ. Code § 1798.82 and § 1798.81.5.

In opposition, Plaintiff argues that Defendant failed to timely provide notice to her because the breach occurred around May 2017 and Defendant failed to provide notice until September 2017. (Opp. p. 3.) The Court notes that the Complaint does not allege that Defendant did not provide notice until September 2017. A demurrer tests the legal sufficiency of the facts alleged in a complaint, not facts argued in the parties’ motion. (See Ivanoff, supra, 9 Cal.App.5th at 725.)

The Court notes that the Complaint alleges that “[o]ver a month after the breach occurred, Equifax, through its website . . . let individuals know if they were affected by the data.” (Compl. ¶ 8.) The fact that Defendant did not make the notification of the data breach until a month later is not sufficient to demonstrate that Defendant’s notification was untimely and in violation of Civ. Code § 1798.80 et seq. The Complaint does not allege that the one-month notification delay was not caused by “a law enforcement agency [determining] that the notification will impede a criminal investigation.” (See Civ. Code §§ 1798.82(a), (c).) Therefore, the Court finds that Plaintiff fails to sufficiently allege a violation of Civ. Code § 1798.82 in this respect.

As for the issue of “reasonable measures,” Plaintiff contends that what is reasonable is a question of fact for the trier of fact to decide. (Opp. pp. 3-4.) While this is a correct statement of the law, the Court finds that Plaintiff has alleged no facts in the Complaint as to how Defendant failed to implement “reasonable measures” in violation of Civ. Code § 1798.81.5. For this reason, Plaintiff also fails to sufficiently allege a violation of Civ. Code § 1798.81.5.

For the foregoing reasons, Defendant’s Demurrer to the Complaint is SUSTAINED with 20 days’ leave to amend.

Moving party to give notice.