
    Montgomery BEYER, Plaintiff, v. SYMANTEC CORPORATION, Defendant.
    Case No. 18-cv-02006-EMC
    United States District Court, N.D. California.
    Signed September 21, 2018
    Cassidy Kim, Noah M. Schubert, Robert C. Schubert, Willem F. Jonckheer, Schubert Jonckheer & Kolbe LLP, San Francisco, CA, for Plaintiff.
    Laurence F. Pulgram, Ciara Nicole Mittan, Tyler Griffin Newby, Fenwick & West LLP, San Francisco, CA, Molly Roberta Melcher, Fenwick & West LLP, Mountain View, CA, for Defendant.
    ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS
    Docket No. 17
   EDWARD M. CHEN, United States District Judge I. INTRODUCTION

Plaintiff Montgomery Beyer (hereafter "Beyer") brings the instant action alleging that certain network security software products sold by Defendant Symantec Corporation (hereafter "Symantec"), specifically network security software products sold or licensed to consumers under the Norton brand ("Norton Products") and to businesses under the Symantec brand ("Enterprise Products," and together with the Norton Products, the "Affected Products"), contained critical defects. See Docket No. 1 ("Compl.") ¶¶ 1-2. Beyer's allegations arise out of a report by Google Inc.'s team of expert cybersecurity analysts, Project Zero, which detail alleged vulnerabilities in a component of Symantec's software, the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25. Beyer argues that Symantec advertises that the Affected Products "protects against the latest online threats" or "protects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites" while knowing that its products suffered from a core decomposer engine defect that exposed entire computer operating systems to various security vulnerabilities. Id. ¶¶ 20-24. Beyer further argues that Symantec failed to disclose that it did not implement patches for third-party source code that it used throughout its product line, and various Symantec misrepresentations and omissions form the basis for his causes of action. Id.

Beyer asserts five causes of action, namely (i) a California Consumer Legal Remedies Act ("CLRA") claim, Cal. Civ. Code §§ 1750, et seq. , (ii) a California Song-Beverly Consumer Warranty Act claim, Cal. Civ. Code §§ 1790, et seq. , (iii) a California False Advertising Law ("FAL") claim, Cal. Bus. & Prof. Code §§ 17500, et seq. , (iv) a California Unfair Competition Law ("UCL") claim, Cal. Bus. & Prof. Code §§ 17200, et seq. , and (v) a claim for "Quasi-Contract/Unjust Enrichment." Id. ¶¶ 51-96. Beyer purports to represent a nationwide class combining persons who purchased and/or licensed an Affected Product between December 21, 2005 and September 19, 2016. Id. ¶¶ 1, 42-50. Beyer further asserts a consumer subclass for purposes of the claims under the CLRA and the Song-Beverly Act. Id. ¶ 43.

Symantec has moved to dismiss for (i) failure to plead the facts and circumstances of the alleged fraud with particularity under Fed. R. Civ. P. 9(b), (ii) failure to state a claim under Fed. R. Civ. P. 12(b)(6), and (iii) lack of Article III standing under Fed. R. Civ. P. 12(b)(1). For the following reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court also DISMISSES Beyer's Song-Beverly Act claim without prejudice. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.

II. FACTUAL AND PROCEDURAL BACKGROUND

The complaint alleges the following:

Symantec produces and sells security software under the Symantec and Norton brands. Both the Symantec and Norton products contain a key component called the AntiVirus Decomposer Engine. This component unpacks compressed executable files so that they can be scanned for malicious code. Id. ¶ 2. On June 28, 2016, Google's Project Zero team released a report on alleged vulnerabilities in the AntiVirus Decomposer Engine. Id. ¶¶ 2, 25.

Beyer alleges that Project Zero discovered that the AntiVirus Decomposer Engine was defectively designed so that it unpacked files in the computer operating system's privileged core, which lies at the core of the computing environment and has unrestricted access to and writing permissions for the computer's files ("High Privilege Defect"). Id. ¶ 25. Specifically, Beyer alleges this Engine scanned for malicious files by unpacking and examining compressed executable files within the kernel or the root, which resulted from Symantec unnecessarily assigning the highest privilege levels to the file scanning and analysis function. Id. The exposure of potentially malicious files in this high-privilege environment opened the operating systems up to corruption. Id. ¶ 3. As such, Beyer suggests that Symantec violated a key cybersecurity best practice, the principle of least privilege, which states that software should operate using the least amount of privilege necessary to complete the task. Id. ¶ 26; see also id. ¶ 35-36 (it appears that Symantec also prescribes the best practice of "run[ning] the principle of least privilege where possible to limit the impact of exploit by threats" as far back as 2007.). Beyer further alleges that Symantec exposed users' computers to a "critical vulnerability" by failing to implement industry-standard security measures such as "sandboxing," i.e. , opening files in an isolated virtual environment separate from critical processes and programs. Id. ¶ 27. Beyer also alleges that Symantec relied on third party open source code to design this Engine but had failed to update the open source code for at least seven years, resulting in vulnerabilities that caused "total information disclosure" and "total compromise of system integrity" ("Outdated Source Code Defect"). Id. ¶¶ 29-30. As a result, Beyer alleges that Symantec sold software that did not conform to cybersecurity best practices, did not reasonably protect users' computer systems against online threats, and made users' computer systems more susceptible to cyberattacks than they would have otherwise been without the software. Id. ¶ 7.

Beyer alleges he purchased five Norton Products containing these defects. See Compl. ¶¶ 10, 20-24. He seeks recovery for the second and third purchases only. See Docket No. 22 ("Opp"), at 8 n.3. Beyer made his second purchase "in March 2009," when he bought Norton 360 Premier, v. 2.0 ("Second Software"). Id. ¶ 21. Beyer alleges that prior to making his purchase he reviewed the product page on Symantec's website, which represented that Norton 360 Premier, v. 2.0, " 'defends you against a broad range of online threats' through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates," and "provides 'enhanced protection' through 'industry leading virus, spyware and firewall protection.' " Id. He does not expressly allege that he relied on any of these statements. Id.

"That same year," Beyer purchased another Norton 360 Premier, v. 2.0, from Best Buy ("Third Software"). Id. ¶ 22. Prior to doing so, he "reviewed the relevant product page on Best Buy's website" and "relied on similar representations that the Third Software '[p]rotects against viruses, spyware, rootkits, identity theft, phishing scams, and fraudulent Web sites.' " Id. Beyer does not allege that Symantec was responsible for the publication of these representations as opposed to, e.g. , Best Buy. However, he does allege that, "[t]o the best of his knowledge, Mr. Beyer also reviewed and relied upon the various comparable representations and statements on the software's packaging and box in connection with the purchase." Id. Plaintiff also generally alleges that "Plaintiff and the Consumer Subclass relied to their detriment on Defendant's misrepresentations and omissions in purchasing and licensing the Norton Products." Compl. ¶ 62.

III. DISCUSSION

A. Article III Standing as to the Enterprise Products

To satisfy Article III's case or controversy requirement, a plaintiff must demonstrate that he or she has suffered an injury in fact, that the injury is traceable to the defendant's conduct, and that the injury can be redressed by a favorable decision. See Fortyune v. Am. Multi-Cinema, Inc. , 364 F.3d 1075, 1081 (9th Cir. 2004). Here, Beyer purchased Norton Products and brings a putative class comprising anyone who purchased a Norton or Enterprise Product that contained critical defects. See Compl. ¶¶ 1-2, 42. Beyer alleges that both Norton Products and Enterprise Products incorporate the AntiVirus Decomposer Engine and were affected by the alleged security flaws. Id. ¶ 3. Symantec submits that Enterprise Products differ in that they permit the user to centrally manage the security and data on multiple machines. See Docket No. 17 ("Mot.") at 31 (citing Pulgram Decl., Ex. D). Symantec thus contends that there is no similarity in the potential injury, the essential element of the inquiry for Article III standing. See id.

However, this does not necessary deprive Beyer of standing to bring class allegations for purchasers of the Enterprise Products. The ability to centrally manage security data does not gainsay the fundamental defect in the way the Symantec products were designed. The same alleged defects exist in both lines of products. Compl. ¶ 3.

This Court, like others in the Northern District, has held that a plaintiff may proceed on class claims against unpurchased products if they are "substantially similar" to products he has purchased. Swearingen v. Late July Snacks LLC , No. 13-cv-4324-EMC, 2017 WL 4641896, at *5 (N.D. Cal. Oct. 16, 2017) (quoting Astiana v. Dreyer's Grand Ice Cream, Inc. , No. C-11-2901 EMC, 2012 WL 2990766 (N.D. Cal. July 20, 2012) ).

In Astiana , the plaintiffs challenged food labels on Dreyer's ice cream products, some of which they had not purchased. In that case,

Plaintiffs are challenging the same kind of food products (i.e. , ice cream) as well as the same labels for all of the products-i.e. , "All Natural Flavors" for the Dreyer's/Edy's products and "All Natural Ice Cream" for the Haagen-Dazs products. That the different ice creams may ultimately have different ingredients is not dispositive as Plaintiffs are challenging the same basic mislabeling practice across different product flavors. Indeed, many of the ingredients are the same ....

Astiana , 2012 WL 2990766, at *13. As a result, the Court held that the plaintiffs had alleged sufficiently similarity to survive the pleading stage and that "material differences are better addressed at the class certification stage." Id.

Similarly, this Court held in Swearingen that the plaintiff had pleaded sufficient similarity between purchased and non-purchased cracker and snack chips, because "the non-purchased products are different flavors of the same Multigrain Snack Chips product purchased by Plaintiffs." Swearingen , 2017 WL 4641896, at *5. "In addition, Plaintiffs have identified a common mislabeling practice across all products." Id. Swearingen distinguished Kane v. Chobani , No. 12-cv-2425-LHK, 2013 WL 5289253 (N.D. Cal. Sept. 19, 2013), which Defendant in this case also raises. See Mot. at 32-33. The Kane plaintiffs brought claims regarding Chobani yogurts, some of which they had not purchased. The court there denied standing for the non-purchased yogurts. But as noted in Swearingen , "the court did not hold that the different yogurt products were not substantially similar. Rather, the court found that plaintiffs' complaint contained insufficient information for it 'to discern ... which products [p]laintiffs are contending contained each representation and for which products these representations were false.' " Swearingen , 2017 WL 4641896, at *6 (quoting Kane , 2013 WL 5289253, at *11 ).

This case is analogous to Astiana and Swearingen . As in Astiana , where the same kind of food product (ice cream) was at issue, the same kind of software product is in dispute here, namely antivirus software. And as in Astiana , where the different ingredients did not preclude standing because the plaintiff challenged "the same basic mislabeling practice," the fact that Enterprise Products have central management features does not preclude standing, because Plaintiff alleges the same security defects in the enterprise and consumer products.

Kane is distinguishable for the same reasons discussed in Swearingen : The Kane complaint failed to specify which products contained the flawed labels, while Plaintiff here has alleged that the AntiVirus Decomposer Engine is in both consumer and enterprise products. See Compl. ¶ 1. Defendant's citation of Romero v. HP, Inc. , No. 16-cv-5415-LHK, 2017 WL 386237 (N.D. Cal. Jan. 27, 2017), is distinguishable for the same reason. See Mot. at 23 (citing Romero for its holding that "plaintiff lacked standing for printers she did not purchaser where plaintiff did not plead facts that indicated what misrepresentations were made to each printer, and whether the misrepresentations were false").

Defendant raises a number of dissimilarities between the two product lines, i.e. , different purchasers (sophisticated business purchasers compared to lay consumer purchasers), different sales materials, and different marketing channels. See Mot. at 31. To Defendant, these dissimilarities would result in dissimilar injuries (though it does not explain how). See id. Such arguments can be addressed at a later stage. See Astiana , 2012 WL 2990766, at *13. For purposes of the motion to dismiss for standing (not, e.g. , class certification), Plaintiff has alleged sufficient similarity between the enterprise and consumer products to proceed. The Court therefore DENIES Defendant's 12(b)(1) motion. For the same reasons, the class allegations are not "immaterial" or "impertinent," and the Court DENIES Defendant's 12(f) motion to strike those allegations. See Mot. at 33-34.

B. Beyer's Fraud Claims Under the UCL, FAL, and CLRA

Beyer alleges that Symantec's statements constitute misrepresentations about its products in violation of the CLRA, the FLA, and the UCL's fraudulent prong. Beyer also alleges that Symantec's failure to disclose the defects was an omission in violation of the same statutes.

The FAL prohibits businesses from disseminating statements that are "untrue or misleading, and which is known, or which by the exercise of reasonable care should be known, to be untrue or misleading." Cal. Bus. & Prof. Code § 17500. The CLRA prohibits " 'unfair methods of competition and unfair or deceptive acts or practices' in transactions for the sale or lease of goods to consumers." Daugherty v. Am. Honda Motor Co. , 144 Cal. App. 4th 824, 833, 51 Cal.Rptr.3d 118 (2006) (quoting Cal. Civ. Code. § 1770(a) ). "The standards for determining whether a representation is misleading under the False Advertising Law apply equally to claims under the CLRA."

Colgan v. Leatherman Tool Grp., Inc. , 135 Cal. App. 4th 663, 680, 38 Cal.Rptr.3d 36 (2006). The UCL prohibits "any fraudulent business act or practice," as well as any "unfair, deceptive, untrue or misleading advertising" or any violation of the FAL. Id. § 17200. Beyer also alleges that the CLRA and FLA violations violated the UCL's unlawful prong.

Because Beyer's claims sound in fraud, the heightened pleading requirements of Rule 9(b) apply. Under Rule 9(b), the plaintiff must plead the "who, what, when, where, and how" of the alleged misconduct. Kearns v. Ford Motor Co. , 567 F.3d 1120, 1124-25 (9th Cir. 2009). This requires the plaintiff to allege "an account of the time, place, and specific content" of the false or misleading statements. Swartz v. KPMG LLP , 476 F.3d 756, 764 (9th Cir. 2007) (per curiam) (internal quotation marks and citation omitted). In addition, the "plaintiff must set forth what is false or misleading about a statement, and why." Vess v. Ciba-Geigy Corp. USA , 317 F.3d 1097, 1106 (9th Cir. 2003).

1. Misrepresentation or Omission

Symantec contends that Beyer's claims must be dismissed because Symantec's statements about Norton 360, v. 2.0, are mere puffery and would therefore not mislead a "reasonable consumer," as required by the statutes at issue. Consumer Advocate v. Echostar Satellite Corp. , 113 Cal. App. 4th 1351, 1360, 8 Cal.Rptr.3d 22 (2003) ; Elias , 950 F.Supp.2d at 854. Furthermore, Symantec argues that even if the statements were not mere puffery, Beyer has failed to "set forth what is false or misleading about a statement, and why" as required under Rule 9(b). See Coleman-Anacleto v. Samsung Elecs. Am., Inc. , No. 16-cv-02941-LHK, 2016 WL 4729302, at *14 (N.D. Cal. Sept. 12, 2016).

a. Affirmative Statements

For the purposes of this motion, the Court only needs to consider whether the following representations are actionable :

• The Second Software "defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates." See Compl. ¶ 21.
• The Second Software provides "enhanced protection" through "industry leading virus, spyware and firewall protection." Id.
• The statement on Best Buy's website that the Third Software "[p]rotects against viruses, spyware, hackers, rootkits, identity theft, phishing scams, and fraudulent Web sites." Id. ¶ 22; see Docket No. 23-1.
• The "comparable statements and representations" on the Third Software's packaging and box. Id.

As an initial matter, the statements regarding the Third Software cannot support Beyer's claims. The statement that the software protects against various digital maladies was on Best Buy's website; the FAC does not allege that this statement is attributable to Symantec. In the absence of allegations to the contrary, absent allegations that the statement is attributable to Symantec and not just Best Buy, no claim against Symantec is stated.

In contrast, the "comparable statements and representations" on the packaging and box, id. , are attributable to Symantec. However, that allegation runs afoul Rule 9(b), which requires Beyer to identify the statements at issue with particularity. The mere allegation that the statements are "comparable" to those on Best Buy's website are insufficient.

The above claims regarding the Third Software are therefore DISMISSED. Because Beyer may be able to make additional allegations to cure these defects, the dismissal is without prejudice.

That leaves the statements regarding the Second Software. Symantec argues that these statements are puffery.

A misrepresentation must be a "specific and measurable claim, capable of being proved false or of being reasonably interpreted as a statement of objective fact." Rasmussen v. Apple Inc. , 27 F. Supp. 3d 1027, 1039-40 (N.D.Cal. 2014) (citing Coastal Abstract Serv., Inc. v. First Am. Title Ins. Co. , 173 F.3d 725, 731 (9th Cir. 1999) ). "Generalized, vague, and unspecified assertions constitute 'mere puffery' upon which a reasonable consumer cannot rely, and hence are not actionable." Anunziato v. eMachines, Inc. , 402 F. Supp. 2d 1133, 1139 (C.D. Cal. 2005) (citing Glen Hollywood Entm't, Inc. v. Tektronix, Inc. , 343 F.3d 1000, 1005 (9th Cir. 2003) ); accord Consumer Advocates , 113 Cal. App. 4th at 1361 n.3, 8 Cal.Rptr.3d 22. "Ultimately, the difference between a statement of fact and mere puffery rests in the specificity or generality of the claim.... Thus, a statement that is quantifiable, that makes a claim as to the specific or absolute characteristics of a product, may be an actionable statement of fact while a general, subjective claim about a product is non-actionable puffery." Demetriades v. Yelp, Inc. , 228 Cal. App. 4th 294, 311, 175 Cal.Rptr.3d 131 (2014) (quoting Newcal Indus., Inc. v. Ikon Office Solution , 513 F.3d 1038, 1053 (9th Cir. 2008) ).

For example, in Consumer Advocate , the plaintiffs brought a putative class action against a satellite television company under the UCL, FAL, and CLRA for false or misleading ads. The statements were that the service would provide "crystal clear digital video," "CD-quality" audio, an on-screen program guide showing the schedule "up to 7 days in advance," and 50 channels of content. Consumer Advocate , 113 Cal. App. 4th at 1353, 8 Cal.Rptr.3d 22. The court held that the first two statements were "mere puffing," id. at 1361 n.3, 8 Cal.Rptr.3d 22, and "all-but-meaningless superlatives," as opposed to "factual representations that a given standard is met." Id. at 1361, 8 Cal.Rptr.3d 22. In contrast, the claims regarding 50 channels and 7 days were factual representations. Id. at 1361-62, 8 Cal.Rptr.3d 22.

In Elias , a consumer brought a putative class action against Hewlett-Packard. He had purchased a laptop from the manufacturer, and he had selected a customization option for a graphics card that, unbeknownst to him, required a higher power supply than the laptop supplied. This allegedly causes computers to overheat, freeze, crash, and even catch fire. As a result, the plaintiff's laptop malfunctioned and was damaged beyond repair. The plaintiff brought, inter alia , claims under the CLRA, FAL, and the fraudulent prong of the UCL for the manufacturer's alleged misrepresentations in the laptop's capabilities. In purchasing the laptop, the plaintiff had relied on statements on the manufacturer's website advertising that the computers at issue had "ultra-reliable performance," "full power and performance," "versatile, reliable system[s]," and were "packed with power" and "delivers the power you need." Elias , 903 F. Supp. 2d at 854. The court held that these were "[g]eneralized advertisements" that "say nothing about the specific characteristics or components of the computer." Id. at 855. See also Anunziato , 402 F. Supp. 2d at 1140 (statements that a line of laptops has the "latest technology" and "outstanding quality, reliability, and performance" are non-actionable puffery, where plaintiff alleged that the laptops contained a defect that caused them to overheat).

In L.A. Taxi Cooperative, Inc. v. Uber Techs., Inc. , 114 F.Supp.3d 852, 861 (N.D. Cal. 2015), the court determined that some statements made by Uber were puffery while others were sufficiently specific to be actionable. The complaint alleged that Uber's advertising made false or misleading statements about the safety of its service compared to taxis. Of those statements, the court found that "GOING THE DISTANCE TO PUT PEOPLE FIRST" and "BACKGROUND CHECKS YOU CAN TRUST" were generalized, unmeasurable, and subjective claims amounting to puffery. Id. However, other statements were actionable non-puffery:

For example, Uber claims that it is "setting the strictest safety standards possible," that its safety is "already best in class," and that its "three-step screening" background check procedure, which includes "county, federal and multi-state checks," adheres to a "comprehensive and new industry standard." Uber has historically described its background check procedures as "industry-leading." Uber's statements also explicitly compare the safety of its services with those offered by taxi cab companies. For example, a statement on Uber's blog describing its "rigorous" background check procedures reads, "Unlike the taxi industry, our background checking process and standards are consistent across the United States and often more rigorous than what is required to become a taxi driver."

Id. The court concluded that "[a] reasonable consumer reading these statements in the context of Uber's advertising campaign could conclude that an Uber ride is objectively and measurably safer than a ride provided by a taxi or other competitor service, i.e., it is statistically most likely to keep riders from harm." Id.

Symantec's statements about the Second Software while somewhat general are sufficiently specific so as to not constitute mere puffery at the pleading stage. This case is similar to L.A. Taxi , in which Uber's description of its background checks as "industry-leading" contributed to an actionable impression that an Uber ride is objectively safer. See id. Here, while the statement in this case does not contain something akin to the more explicit comparison to competitors, as in L.A. Taxi , Symantec's statement that its software is "industry leading" could lead a reasonable consumer to believe that Symantec software would adhere to industry best practices. That is a reasonable inference for purposes of the motion to dismiss. Cf. L.A. Taxi ("industry-leading" background checks implied degree of safety). Best practices may be sufficiently concrete to be provable. For instance, Symantec had best-practice guidelines which were violated by the High Privilege Defect and Outdated Source Code Defect. Compl. ¶ 35.

In contrast, Symantec's alleged statement that the software "defends you against a broad range of online threats through key technologies, including antivirus, antispyware, rootkit detection, and automatic updates," Compl. ¶ 21, is similar to the claims in Elias that the laptops have "ultra-reliable performance" and "full power and performance," Elias , 903 F. Supp. 2d at 854, and the claims in Anunziato that the laptops there had "outstanding quality, reliability, and performance." Anunziato , 402 F. Supp. 2d at 1140. Those general descriptions are non-actionable puffery.

As for the "industry leading" claim, its misleading nature is dependent on Symantec's failure to disclose the two Defects. The Court therefore turns to California law on misleading omissions.

b. Omissions

An omission is actionable "if the omitted fact is (1) contrary to a [material] representation actually made by the defendant or (2) is a fact the defendant was obliged to disclose." Gutierrez v. Carmax Auto Superstores Cal. , 19 Cal. App. 5th 1234, 1258, 228 Cal.Rptr.3d 699 (2018) (alteration in original) (internal quotation marks omitted) (quoting Daugherty , 144 Cal. App. 4th at 835, 51 Cal.Rptr.3d 118 ); accord Hodsdon , 891 F.3d at 861. The omitted fact must also be material. See id. at 1256, 228 Cal.Rptr.3d 699. As for the first prong, the Defects' existence is contrary to Symantec's representation that its products are "industry leading," as discussed above. The question for the first prong, then, is whether that representation and the omitted fact are material. See id. at 1256, 1258, 228 Cal.Rptr.3d 699. A statement is material "if a reasonable consumer would deem it important in determining how to act in the transaction at issue." Gutierrez , 19 Cal. App. 5th at 1258, 228 Cal.Rptr.3d 699. "[M]ateriality usually is a question of fact" that should be left to the jury unless the statement at issue is "obviously unimportant." Id. at 1262, 228 Cal.Rptr.3d 699. Symantec's representation that its products provide "enhanced protection" through "industry leading virus, spyware and firewall protection" is not obviously unimportant. Compl. ¶ 21. The question of materiality survives the motion to dismiss.

The Defects are also material. The complaint alleges that the High Privilege Defect opened up affected machines to "a wide variety of cyberattacks," some of which qualify as "critical" vulnerabilities and require "[v]ery little knowledge or skill" to exploit, according to a standard vulnerability scoring system. Id. ¶ 28 (alteration in original). Likewise, the Outdated Source Code Defect allegedly exposed affected machines to "[d]ozens of public vulnerabilities," including some that were publicly known. Id. ¶ 29. These vulnerabilities were also rated "critical" and required little knowledge to exploit. Id. ¶ 30. Symantec argues that there is no indication that the Defects were ever actually exploited and so they cannot be material. It is true that the complaint lacks any allegations of such exploits. However, Symantec's argument is factual in nature and is premature on a motion to dismiss. At the pleading stage, the court draws reasonable inferences in the plaintiff's favor. Given the allegations described above, it is reasonable to infer that the Defects are important and material, because they affect the effectiveness and function of Affected Products.

The second prong of omission under Gutierrez regards the duty to disclose even in the absence of a particular representation. Traditionally under California law, "[t]o state a claim for failing to disclose a defect, a party must allege '(1) the existence of a design defect; (2) the existence of an unreasonable safety hazard; (3) a causal connection between the alleged defect and the alleged safety hazard; and that the manufacturer knew of the defect at the time a sale was made.' " Williams v. Yamaha Motor Co. Ltd. , 851 F.3d 1015, 1025 (9th Cir. 2017) (quoting Apodaca v. Whirlpool Corp. , No. 13-0725 JVS, 2013 WL 6477821, at *9 C.D. Cal. Nov. 8, 2013 ).

The requirement in Williams that there be a safety hazard has been cast into doubt by recent California Court of Appeal opinions. See Collins v. eMachines, Inc. , 202 Cal. App. 4th 249, 134 Cal.Rptr.3d 588 (2011) ; Rutledge v. Hewlett-Packard Co. , 238 Cal. App. 4th 1164, 190 Cal.Rptr.3d 411 (2015). These recent appellate decisions extend liability for non-disclosure to beyond safety hazards by "sanction[ing] a UCL omission claim when: the plaintiff alleges that the omission was material;

second, the plaintiff must plead that the defect was central to the product's function; and third, the plaintiff must allege one of the four LiMandri factors." Hodsdon v. Mars, Inc. , 891 F.3d 857, 863 (9th Cir. 2018) (citing Collins , 134 Cal.Rptr.3d at 593-95 ). The LiMandri factors are: "(1) when the defendant is in a fiduciary relationship with the plaintiff; (2) when the defendant had exclusive knowledge of material facts not known to the plaintiff; (3) when the defendant actively conceals a material fact from the plaintiff; and (4) when the defendant makes partial representations but also suppresses some material facts." LiMandri v. Judkins , 52 Cal. App. 4th 326, 336, 60 Cal.Rptr.2d 539 (1997) (quoting Heliotis v. Schuman , 181 Cal. App. 3d 646, 651, 226 Cal.Rptr. 509 (1986) ). Importantly, the defect must not only be central to the product's function; it must also be physical. See Hodsdon , 891 F.3d at 864 ( Collins and Rutledge require a "physical defect" and the alleged existence of slave labor in chocolate supply chain "is not a physical defect at all, much less one related to the chocolate's function as chocolate").

Although the Williams test was employed by the Ninth Circuit in Wilson v. Hewlett-Packard Co. , 668 F.3d 1136 (9th Cir. 2012), the California Court of Appeal's decision in Rutledge post-data Wilson. And the Ninth Circuit's decision in Hodsdon considered whether Collins and Rutledge effectively overruled Wilson 's safety-hazard requirement. In that case, Hodsdon had sued the Mars chocolate manufacturer for failing to disclose that its suppliers used forced and child labor. The district court had dismissed under 12(b)(6), and the Ninth Circuit affirmed. In doing so, the court did not decide which of the two standards applied because the court found that the complaint would fail under either standard. See Hodsdon , 891 F.3d at 864. Nevertheless, it suggested that a non-disclosure claim may lie under either of the standards:

The recent California cases show that Wilson 's safety hazard pleading requirement is not necessary in all omission cases, but that the requirement may remain applicable in some circumstances. In other words, Collins and Rutledge are not necessarily irreconcilable with Wilson because, where the challenged omission does not concern a central functional defect, the plaintiff may still have to plead a safety hazard to establish that the defendant had a duty to disclose. For example, ... Wilson may still apply where the defect in question does not go to the central functionality of the product, but still creates a safety hazard.

Id. (footnote omitted).

Because the complaint in the instant case does not allege a safety hazard, the issue under Collins and Rutledge is whether the High Privilege Defect and Outdated Source Code Defect constitute "physical" defects that were "central" to the Affected Products' function.

These Defects may be considered "physical." As the California appellate court has noted in the very context, "computer software ... may be characterized as tangible property" because the software is " 'recorded in a physical form which has physical existence, takes up space on the tape, disc, or hard drive, makes physical things happen, and can be perceived by the senses.' " Microsoft Corp. v. Franchise Tax Bd. , 212 Cal. App. 4th 78, 87, 150 Cal.Rptr.3d 770 (2012) (quoting South Cent. Bell Tel. Co. v. Barthelemy , 643 So.2d 1240, 1246 (La. 1994) ). Software is "a certain arrangement of matter," which is "physically recorded on some tangible medium[ ] [and] constitutes a corporeal body." Id. (quoting Barthelemy , 643 So.2d at 1246 ). This is unlike the use of child labor in the production of a chocolate bar in Hodson , which is non-physical. See Hodsdon , 891 F.3d at 864.

The next question is whether under Collins and Rutledge these High Privilege Defect and Outdated Source Code Defect are central to the Affected Products' function. In Collins plaintiffs had complained that a computer chip in eMachine computers caused "critical data corruption" of the hard drive. Id. at 862. In Rutledge , the plaintiffs alleged that defective inverters in Hewlett Packard's laptops caused the screens to darken. These defects are "central to the product's function" because they "render[ ] those products incapable of use by any consumer." Id. at 864 (emphasis omitted). In contrast, the Hodsdon plaintiff's opposition to the use of slave labor in producing chocolate is "based on subjective preferences" which some consumers do not share. Id.

Here, the complaint sufficiently alleges the Defects are central to the function of the Affected Products of safeguarding computers against online threats, virus, spyware, etc. The Defects allegedly open up the operating systems to corruption, create a "critical vulnerability" to online threats, and make computers more susceptible to cyberattacks than they would have otherwise been without the software. Compl. ¶¶ 3, 7, 29-30. Although the complaint does not identify specific instances of resulting damage to computers loaded with the Affected Products, cf. Williams v. Yamaha Motor Co., Ltd. , 851 F.3d 1015, 1028-29 (9th Cir. 2017) (alleged risk of fire in defective motors was speculative where the complaint failed to allege that any customer experienced such a fire), that is not dispositive to a motion to dismiss where all reasonable inferences must be drawn in Plaintiff's favor.

2. Reliance

Reliance is required to achieve standing under the UCL, FAL, and CLRA. See Cal. Bus. & Prof. Code §§ 17204 (UCL), 17535 (FAL) ; Cal. Civ. Code. § 1780(a) (CLRA) ; In re Tobacco II Cases , 46 Cal. 4th 298, 328, 93 Cal.Rptr.3d 559, 207 P.3d 20 (2009). Reliance is alleged where the "misrepresentation or nondisclosure was 'an immediate cause' of the plaintiff's injury-producing conduct," such as where "the plaintiff 'in all reasonable probability' would not have engaged in [that] conduct" in the absence of the fraud. Id. at 326, 93 Cal.Rptr.3d 559, 207 P.3d 20 (quoting Mirkin v. Wasserman , 5 Cal. 4th 1082, 1110-11, 23 Cal.Rptr.2d 101, 858 P.2d 568 (1993) (Kennard, J., concurring in part and dissenting in part) ). "[A] presumption, or at least an inference, of reliance arises where there is a showing that a misrepresentation was material." Id. at 327, 93 Cal.Rptr.3d 559, 207 P.3d 20. Materiality is sufficiently alleged, as discussed above.

Symantec argues, however, that Beyer's vague allegations of reliance fall short under Rule 9(b) because he fails to allege he actually read or relied on any representation. See Mot. at 18. It is true that Beyer only alleges that he "reviewed the product page" for the Second Software and does not explicitly allege that he saw the statement that the software was "industry leading." Compl. ¶ 21. Nevertheless, it is reasonable to infer for purposes of the motion to dismiss from the fact that he reviewed the product page that he saw the "industry leading" statement on the page.

3. Knowledge of the Purported Defects at the Time of Sale

Symantec also argues that Beyer fails to sufficiently allege that it knew of the Defects at the time of sale. As an initial matter, Symantec fails to note differences amongst the three statutes as to the knowledge requirement. Knowledge of an undisclosed defect is required for a claim of misrepresentation to lie under the CLRA. See Coleman-Anacleto v. Samsung Elecs. Am., Inc. , No. 16-cv-2941-LHK, 2017 WL 86033 (N.D. Cal. Jan. 10, 2017) (citing Wilson v. Hewlett-Packard Co. , 668 F.3d 1136, 1145 (9th Cir. 2012) ). A claim under the FAL requires that the defendant have known or reasonably should have known that the statement in question was misleading. See Cal. Bus. & Prof. Code § 17500. However, knowledge is not required under the UCL's fraudulent prong. See In re Tobacco II Cases , 46 Cal. 4th at 312, 93 Cal.Rptr.3d 559, 207 P.3d 20 (holding that a claim under the UCL's fraudulent prong, in order to fulfil its purpose of protecting the public, does not require that the deception be "known to be false to the perpetrator" (quoting Day v. AT & T Corp. , 63 Cal. App. 4th 325, 332, 74 Cal.Rptr.2d 55 (1998) ). The UCL claim therefore survives irrespective of knowledge of falsity.

As for the other claims, Symantec argues that the complaint does not allege that it knew of the defects. It points out that the earliest specific allegation of knowledge is when Project Zero revealed the defects in 2016, seven years after Beyer's 2009 purchase of the Second Software. The allegations that it knew of the defects at the time of sale, Symantec argues, are conclusory. Symantec singles out ¶ 40 of the complaint, which alleges:

As the proprietary owner and licensor of the Affected Products, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its AntiVirus Decomposer Engine suffered from extremely serious defects, i.e., the High Privilege Defect and the Outdated Source Code Defect. Furthermore, Symantec knew, or was otherwise reckless or willfully blind in not knowing, that its security practices diverged significantly from its own best practices recommendations.

Beyer's Opposition merely parrots this paragraph. See Docket No. 22 ("Opp.") at 16. Despite this, the complaint sufficiently alleges knowledge, because it alleges that Symantec designed and produced the software in question. It plausibly follows from this fact that Symantec knew how the Second Software functioned, including that the software unpacked potentially malicious files in a high-privilege environment. It also plausibly follows that Symantec knew it had used third-party code and knew it did not patch that code when updates were released by the third parties. Furthermore, as early as 2007, Symantec published best-practice guidelines advising readers to the principle of least privilege and to keep third-party code updated. See Compl. ¶ 21. Together, this suffices to establish knowledge, which need only be plead generally. See Fed. R. Civ. P. 9(b) ("Malice, intent, knowledge, and other conditions of a person's mind may be plead generally."). But the allegations suffice at the pleading stage. The CLRA and FAL claims therefore survive.

In sum, the Court DISMISSES without prejudice Beyer's fraud claims as to the Third Software. The motion is otherwise DENIED.

4. Song-Beverly Act Claim

Under the Song-Beverly Act, "every sale of consumer goods that are sold at retail in this state shall be accompanied by the manufacturer's and retail seller's implied warranty that the goods are merchantable,"

unless such warranty is properly disclaimed. Cal. Civ. Code § 1792. Consumer goods are those that are "primarily for personal, family, or household purposes, except for clothing and consumables." Id. § 1791(a). The warranty means that the goods:

(1) Pass without objection in the trade under the contract description.
(2) Are fit for the ordinary purposes for which such goods are used.
(3) Are adequately contained, packaged, and labeled.
(4) Conform to the promises or affirmations of fact made on the container or label.

Id. § 1791.1(a). Beyer alleges that Symantec's Second Software violated each of these four warranties. Compl. ¶ 72; see Opp. at 21.

Symantec argues that the Song-Beverly claim fails because Beyer failed to allege that the Second Software was "sold at retail in this state." It notes that Beyer is a resident of Michigan and that Beyer alleges only that he "purchased an upgrade to Norton 360 Premier, v. 2.0." Compl. ¶ 21. Beyer's responds that the Second Software's end user license agreement selects California law in its choice of law provision. See id. ¶ 11. And under California law, title passes at the time and place that "the seller completes his performance with reference to the physical delivery of the goods." Cal. Comm. Code § 2401(2). Where the contract does not require the seller to deliver the goods to the buyer, "title passes to the buyer at the time and place of shipment." Id. § 2401(2)(a). Beyer states in his brief that he bought the Second Software on Symantec's website, and that Symantec "shipped" the product to him from California by electronic delivery, so that titled passed-and thus was "sold at retail"-in California. However, as Symantec correctly points out, these facts are missing from Beyer's complaint. Neither does he allege that the product was electronically delivered to him from California. The Song-Beverly claim is therefore DISMISSED with leave to amend.

5. UCL Claim

Apart from the fraudulent and unlawful prongs of the UCL, Beyer also asserts claims under the unfair prong:

90. Defendant's actions as alleged in this Complaint constitute an "unfair" practice, because they offend established public policy and are immoral, unethical, oppressive, unscrupulous, and substantially injurious to Defendant's customers. The harm caused by Defendant's wrongful conduct outweighs any utility of such conduct and has caused substantial injury to Plaintiff and the Nationwide Class. Defendant could and should have chosen one of many reasonably available alternatives, including not selling antivirus products that contained fundamental defects with the core engine, disclosing the defects to prospective purchasers, and/or not representing that its products were suitable for ordinary consumer or business use. Additionally, Defendant's conduct was "unfair," because it violated the legislatively declared policies reflected by California's strong consumer protection and false advertising laws, including the CLRA, CAL. CIV. CODE §§ 1750 et seq. and the FAL, CAL. BUS. & PROF. CODE §§ 17500 et seq.

See Compl. ¶ 90.

As an initial matter, the Court agrees with Symantec that the "unfair" claim relies on the same factual allegations as those underlying the "unlawful" and "fraudulent" claims, meaning it sounds in fraud and Rule 9(b) applies. See Kearns v. Ford Motor Co. , 567 F.3d 1120, 1127 (9th Cir. 2009). Because the allegations regarding the Third Software are lacking under Rule 9(b) as discussed above, those claims under the unfairness prong are DISMISSED without prejudice. However, the allegations regarding the Second Software are sufficient in this regard.

Symantec also argues that Beyer's unfairness claim fails the applicable substantive standard. Since Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co. , 20 Cal. 4th 163, 83 Cal.Rptr.2d 548, 973 P.2d 527 (1999), the California Court of Appeal has been split on the appropriate standard to apply in a consumer action under the unfair prong of the UCL. In Graham v. Bank of America, N.A. , 226 Cal. App. 4th 594, 172 Cal.Rptr.3d 218 (2014), the court described the three lines of cases on the issue post- Cel-Tech. While Graham endorsed a line of cases with a "more rigorous test" under which "a plaintiff ... must show the 'defendant's conduct is tethered to an[ ] underlying constitutional, statutory, or regulatory provision, or that it threatens an incipient violation of an antitrust law, or violates the policy or spirit of an antitrust law.' " Id. at 613, 172 Cal.Rptr.3d 218 (quoting Wilson v. Hynek , 207 Cal. App. 4th 999, 1008, 144 Cal.Rptr.3d 4 (2012) ), it acknowledged other court have applied a broader balancing test of unfairness, e.g. weighing the utility of the defendant's conduct against the gravity of the harm to the victim. Id. at 612-613.

Under either test, the complaint survives. Under the more rigorous test, Beyer has sufficiently identified a California public policy against misleading marketing statements, as embodied in the CLRA, FAL, and the UCL's fraudulent prong. Because Symantec's statements regarding the Second Software, as alleged, contravene this public policy, Beyer has made out a claim as to that product. Cf. In re Carrier IQ, Inc. , 78 F.Supp.3d 1051, 1116, 1117 (N.D. Cal. 2015).

6. Quasi-Contract/Unjust Enrichment Claim

That leaves Beyer's claim for unjust enrichment. California courts have stated that courts may construe an unjust enrichment claim "as a quasi-contract claim seeking restitution." Rutherford Holdings, LLC v. Plaza Del Rey , 223 Cal. App. 4th 221, 231, 166 Cal.Rptr.3d 864 (2014). "The doctrine (of unjust enrichment) applies where plaintiffs, while having no enforceable contract, nonetheless have conferred a benefit on defendant which defendant has knowingly accepted under circumstances that make it inequitable for the defendant to retain the benefit without paying for its value." Hernandez v. Lopez , 180 Cal. App. 4th 932, 938, 103 Cal.Rptr.3d 376 (2009). Symantec's only argument against the unjust enrichment claim is that it fails because Beyer's other claims fail. Because Beyer's other claims do survive as to the Second Software, the unjust enrichment claim also survives as to that software. The motion is DENIED to that extent. But because the claims as to the Third Software do not survive for lack of specificity under Rule 9(b), the unjust enrichment claim is DISMISSED without prejudice as to the Third Software.

IV. CONCLUSION

For the foregoing reasons, the Court DISMISSES without prejudice the CLRA, FAL, UCL, and unjust enrichment claims as to the Third Software. The Court otherwise DENIES the motion to dismiss. The motion to strike is also DENIED.

This order disposes of Docket No. 17.

IT IS SO ORDERED. 
      
      Representations cited in paragraph 18 and 19 in the Complaint are not actionable as they are all after Beyer's dates of purchase. See Compl. ¶¶ 18-19. Beyer's citation of these materials in his opposition to Symantec's motion to dismiss are thus irrelevant. See Docket No. 22, at 16-17.
     
      
      This conclusion is without prejudice to future motions, e.g. , for summary judgment or adjudication which take into accord the factual record of, inter alia , the frequency of harm suffered as a result of the defects.
     
      
      Again, this ruling is without prejudice to any future motions or adjudication should the factual record establish Plaintiff cannot meet his burden of proving, e.g. , that he saw and read the product statement.
     
      
      Symantec also argues that the cases Beyer cites are inapposite because they pertain to conventional purchases not conducted online. See Docket No 24 (Reply) at 11. However, California case law supports Beyer's position that § 2401(2)(a) applies to online purchases. See Cal. State Elecs. Ass'n v. Zeos Int'l Ltd. , 41 Cal. App. 4th 1270, 1275-77, 49 Cal.Rptr.2d 127 (1996) ; see also In re Seagate Tech. LLC Litig. , No. 16-cv-0523-JCS, 2017 WL 3670779, at *16 (N.D. Cal. Aug. 25, 2017).
     
      
      Symantec also argues that the unfairness claim should fail, because its factual basis overlaps entirely with the fraudulent and unlawful claims, which fail. Because the fraudulent and unlawful claims survive, this argument in inapposite.
     