
    IN RE: YAHOO! INC. CUSTOMER DATA SECURITY BREACH LITIGATION
    Case No. 16-MD-02752-LHK
    United States District Court, N.D. California, San Jose Division.
    Signed March 9, 2018
    ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
    Re: Dkt. No. 205
   LUCY H. KOH, United States District Judge

Plaintiffs Kimberly Heines, Hashmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, Yaniv Rivlin, Mali Granot, Brian Neff, and Andrew Mortensen (collectively, "Plaintiffs") bring a putative class action against Defendant Yahoo! Inc. ("Yahoo"). Plaintiff Brian Neff also brings a putative class action against Defendant Aabaco Small Business, LLC ("Aabaco") (collectively with Yahoo, "Defendants"). Before the Court is Defendants' motion to dismiss Plaintiffs' First Amended Consolidated Class Action Complaint ("FAC"), ECF No. 196. ECF No. 205 ("Mot."). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the motion to dismiss.

I. BACKGROUND

A. Factual Background

Defendant Yahoo was founded in 1994 and has since grown into a source for internet searches, email, shopping, news, and many other internet services. FAC ¶ 32. One of Yahoo's most important services is Yahoo Mail, a free email service. Id. ¶ 33. Plaintiffs allege that "[m]any users have built their digital identities around Yahoo Mail, using the service for everything from their bank and stock trading accounts to photo albums and even medical information." Id.

Yahoo also offers online services for small businesses, including website hosting and email services (hereinafter, "Small Business Services"). Id. ¶ 34. Users must pay for Small Business Services, and users are required to provide credit or debit card information for automatic monthly payments for Small Business Services. Id. Prior to November 2015, Yahoo provided these services through a division called Yahoo Small Business. Id. "Since November 2015, Yahoo has provided its small business services through its wholly owned subsidiary Aabaco." Id.

Plaintiffs allege that in order to obtain email services and Small Business Services from Defendants, users are required to provide personal identification information ("PII") to Defendants. Id. ¶ 35. This PII includes the user's name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests. Id. ¶ 37. For some Yahoo accounts, including the small business accounts, users are required to submit additional information, including credit or debit card numbers and other financial information. Id. ¶¶ 34, 36.

In addition to the PII that Plaintiffs submitted directly to Defendants, Plaintiffs also allege that users used their Yahoo email accounts to send and receive a variety of personal information. Id. ¶ 7. Each named Plaintiff alleges that he or she included sensitive information in the content of his or her Yahoo emails. See, e.g. , id. ¶¶ 18-21. The individual allegations of the named Plaintiffs, including allegations regarding the personal information that these named Plaintiffs included in their Yahoo email accounts, are discussed further below.

1. Earlier Data Security Issues Putting Yahoo on Notice

Plaintiffs allege that Defendants have a long history of data security failures that should have put Defendants on notice of the need to enhance their data security. For example, in 2008 and 2009, "multiple hosts on Yahoo's corporate network were compromised." Id. ¶¶ 64-65. In 2010, Google notified Yahoo that attackers were using Yahoo systems to attack Google. Id. ¶ 66. In 2011, then-Chief Information Security Officer ("CISO") Justin Somaini gave a presentation "identifying gaping holes in Yahoo's data security." Id. ¶ 67. In 2012, a third party informed Yahoo of a vulnerability within its system. Id. ¶ 72.

Yahoo also experienced a breach in 2012. Although the Federal Trade Commission found as early as 2003 that "SQL injection attacks" were a known and preventable data security threat, "in 2012, Yahoo admitted that more than 450,000 user accounts were compromised through an SQL injection attack-with the passwords simply stored in plain text." Id. ¶¶ 77-78. Plaintiffs allege that according to news stories at the time, "[s]ecurity experts were befuddled ... as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, [the passwords] were left in plain text, which means a hacker could easily read them." Id. ¶ 77.

According to Plaintiffs, the 2012 hackers intended the 2012 attack as a wake-up call, and the hackers left a message stating: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat ... There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly." Id. ¶ 79. However, despite this warning, Plaintiffs allege that "Yahoo's culture actively discouraged emphasis on data security." Id. ¶ 89. Plaintiffs allege that "former Yahoo security staffers interviewed later told Reuters that requests made by Yahoo's security team for new tools and features such as strengthened cryptography protections were, at times, rejected on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority." Id.

Yahoo also hired security firms who identified problems with Yahoo's systems. For example, in 2012, Yahoo retained Mandiant, an outside cybersecurity firm, to perform a threat assessment; Mandiant's subsequent report detailed issues with Yahoo's security and attack groups in Yahoo's systems. Id. ¶¶ 70, 73, 75. Similarly, Dell SecureWorks and Leaf SR conducted security assessments at various times between 2013 and 2016 that turned up vulnerabilities. Id. ¶¶ 83-84, 87-88.

2. Three Data Breaches at Issue in the Instant Case

The instant lawsuit involves three data breaches that occurred between 2013 and 2016. According to Plaintiffs, Defendants represented to users that users' accounts with Defendants were secure. For example, Yahoo's website stated that "protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust" and that "[w]e deploy industry standard physical, technical, and procedural safeguards that comply with relevant regulations to protect your personal information." Id. ¶ 43. Similarly, Aabaco's website stated that "[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect your Personal Information." Id. ¶ 46. Nonetheless, despite these representations, Plaintiffs allege that Defendants did not use appropriate safeguards to protect users' PII and that Plaintiffs' PII was thus exposed to hackers who infiltrated Defendants' systems. Specifically, Plaintiffs allege three separate data breaches: a breach that occurred in 2013, a breach that occurred in 2014, and a "forged cookie breach" that occurred in 2015 and 2016. The Court refers to these breaches collectively as the "Data Breaches." The Court discusses each below.

a. The 2013 Breach

The first breach occurred in August 2013 ("2013 Breach"). Id. ¶ 133. Hackers gained access to Yahoo accounts and stole users' Yahoo logins, country codes, recovery emails, dates of birth, hashed passwords, cell phone numbers, and zip codes. Id. ¶ 134. Significantly, the 2013 Breach also gave hackers access to the contents of users' emails, and thus exposed any sensitive information that users included in the contents of their emails. Id. Plaintiffs allege that users used their Yahoo emails for a variety of personal and financial transactions, and thus that Yahoo email accounts contained "credit card numbers, ... bank account numbers, Social Security numbers, driver's license numbers, passport information, birth certificates, deeds, mortgages, and contracts." Id.

On December 14, 2016, more than three years after the 2013 Breach occurred, Yahoo disclosed the 2013 Breach but underestimated its true scope. Id. ¶ 133. Specifically, Yahoo stated that "an unauthorized third party ... stole data associated with more than one billion user accounts." Id. Almost a year later, on October 3, 2017, Yahoo announced that the 2013 Breach had actually affected every user account-approximately three billion, not one billion, accounts. Id. ¶¶ 145-46. Plaintiffs allege that the 2013 Breach occurred because Yahoo did not timely move away from an outdated encryption technology known as MD5. Id. ¶ 90. According to Plaintiffs, it was widely recognized in the data security industry long before the 2013 Breach that MD5 was "cryptographically broken and unsuitable for further use. " Id. ¶ 91. Nevertheless, Yahoo did not begin to upgrade from MD5 until the summer of 2013. Id. ¶ 93. Plaintiffs allege, however, that Yahoo's move from MD5 in the summer of 2013 was too late to prevent the 2013 Breach. Id. ¶¶ 94-96.

b. The 2014 Breach

The second breach occurred in late 2014 ("2014 Breach"). Id. ¶ 102. Plaintiffs allege that "the 2014 breach began with a 'spear phishing' email campaign sent to upper-level Yahoo employees. One or more of these employees fell for the bait, and Yahoo's data security was so lax, that this action was enough to hand over the proverbial keys to the kingdom." Id. ¶ 154 (footnote omitted). Through this attack, hackers gained access to at least 500 million Yahoo user accounts. Id. ¶ 102.

According to Plaintiffs, in August 2016, a hacker posted for sale on the dark web the personal information of 200 million Yahoo users. Id. ¶ 122. Plaintiffs also allege that "a geographically dispersed hacking group based in Eastern Europe managed to sell copies of the database to three buyers for $300,000 apiece months before Yahoo disclosed the 2014 Breach." Id. ¶ 123.

Plaintiffs allege that Yahoo knew about the 2014 Breach as it was happening, but that Yahoo did not publicly disclose the existence of the 2014 Breach until September 22, 2016, approximately two years later. Id. ¶¶ 126, 129. Plaintiffs allege that Yahoo's announcement of the 2014 Breach "came just two months after Yahoo announced Verizon's plan to acquire its operating assets, and just weeks after Yahoo reported to the SEC that it knew of no incidents of unauthorized access of personal data that might adversely affect the potential acquisition." Id. ¶ 126. Plaintiffs allege that Yahoo delayed notifying users or the public about the 2014 Breach while "Yahoo solicited offers to buy the company. Reportedly, Yahoo wanted the offers in by April 19, 2016," and thus waited to disclose the breach until September 2016. Id. ¶ 121.

Plaintiffs also allege that "[b]y intentionally failing to disclose the breach in a timely manner as required by law, Yahoo misled consumers into continuing to sign up for Yahoo services and products, thus providing Yahoo a continuing income stream and a better chance of finalizing a sale of the company to Verizon." Id. ¶ 130. In the September 22, 2016 announcement of the 2014 Breach, Yahoo stated that the affected "account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers." Id. ¶ 126.

Plaintiffs allege that Yahoo's claim that it had not known about the 2014 Breach for two years was "met with immediate skepticism." Id. ¶ 128. Indeed, in a 2016 10-K filing with the SEC, Yahoo revealed that an independent investigation determined that Yahoo had contemporaneous knowledge of the 2014 Breach, yet failed to properly investigate and analyze the breach, due in part to "failures in communication, management, inquiry and internal reporting" that led to a "lack of proper comprehension and handling" of the 2014 Breach. Id. ¶ 129.

c. The Forged Cookie Breach

The third data breach occurred sometime in 2015-2016 ("Forged Cookie Breach"). Id. ¶ 117. According to the FAC, the attackers in the Forged Cookie Breach used forged cookies to access Yahoo users' accounts. Id. "Cookies" are text files that Yahoo places on users' computers to store login information so that users do not need to reenter login information every time the users access their accounts. Id. By forging these cookies, hackers were able to access Yahoo accounts without needing a password to the accounts. Id. ¶ 118. Moreover, by forging cookies, hackers were able to remain logged on to accounts for long periods of time. Id.

According to Plaintiffs, the attackers in the Forged Cookie Breach are "thought to be the same parties involved in the 2014 Breach." Id. Specifically, Plaintiffs allege that "the hackers in the 2014 Breach used some of the data obtained in the 2014 Breach to then forge cookies, help others forge cookies, or use the cookies to gain actual access to specific accounts." Id. ¶ 119. "The 2014 Breach and Forged Cookie Breach have since been attributed to two Russian FSB agents, a Russian hacker, and a Canadian hacker." Id. ¶ 153. Plaintiffs allege that in a 2016 10-K filing with the SEC, Yahoo disclosed that an independent committee of Yahoo's Board of Directors had determined that Yahoo's information security team knew, at a minimum, about the Forged Cookie Breach as it was happening, "but took no real action in the face of that knowledge." Id. ¶ 149. Instead, Plaintiffs allege, Yahoo "quietly divulged" the existence of the Forged Cookie Breach in Yahoo's 10-Q filing with the SEC on November 9, 2016 and did not begin notifying users about the Forged Cookie Breach until February 2017. Id. ¶¶ 139, 142.

3. Allegations of Individual Named Plaintiffs

The FAC is brought by nine named Plaintiffs on behalf of four putative classes and one putative subclass. The Court briefly discusses the allegations of these individual named Plaintiffs below.

a. Named Plaintiffs Representing the United States Class and California Subclass

Plaintiffs Kimberly Heines, Hashmatullah Essar, Paul Dugas, Matthew Ridolfo, and Deana Ridolfo ("United States Plaintiffs") assert claims on behalf of the putative United States Class, which consists of all free Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 18-22, 161. Additionally, California Plaintiffs Heines and Dugas assert claims on behalf of the putative California subclass, which consists of all California Yahoo account holders whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 18, 20, 163.

Plaintiff Kimberly Heines, a resident of California, alleges that she used her Yahoo email account in conjunction with Direct Express, which is the service through which Plaintiff Heines receives her Social Security, and thus her Yahoo email account "included ... information relating to her account with Direct Express." Id. ¶ 18. In 2015, Plaintiff Heines discovered that her monthly Social Security benefits had been stolen from her Direct Express account and used to purchase gift cards. Id. As a result, Plaintiff Heines fell behind on her bills, and she paid late fees as a result. Id. After the theft, Plaintiff Heines began receiving debt collection calls for debts she had not herself incurred, and she saw unfamiliar debts on her credit report, which harmed her credit score. Id. Plaintiff Heines alleges that she has spent over 40 hours dealing with the consequences of the identity theft. Id.

Plaintiff Hashmatullah Essar, a resident of Colorado, used two free Yahoo email accounts. Id. ¶ 19. Plaintiff Essar used these accounts "for all of his personal, financial, and business needs" including receiving bank statements, applying for jobs, and securing a mortgage. Id. Plaintiff Essar began receiving "phishing emails from a credit card company purporting to be affiliated with American Express, asking him to follow a link to log-in to his 'Serve' account," which Plaintiff Essar did not own. Id. After Plaintiff Essar was notified of the 2014 Breach, he signed up for and has paid $35.98 per month for LifeLock credit monitoring service. Id. In February 2017, "an unauthorized person fraudulently filed a tax return under his Social Security Number," and in March 2017 he was denied credit and had freezes placed on his credit. Id.

Plaintiff Paul Dugas, a resident of California, used four Yahoo email accounts "for his banking, investment accounts, business emails, and personal emails." Id. ¶ 20. In April 2016, Plaintiff Dugas was unable to file his personal tax return because a tax return had already been filed under his Social Security Number. Id. As a result, "both of his college-aged daughters missed deadlines to submit" their financial aid applications, and Plaintiff Dugas was forced to pay $9,000 in educational expenses that he otherwise would not have had to pay. Id. Moreover, Plaintiff Dugas has also experienced numerous fraudulent charges on his credit cards, he has had to replace his credit cards, and he has had to pay money to three different credit bureaus to freeze his accounts. Id.

Plaintiffs Matthew Ridolfo and Deana Ridolfo, a married couple, are residents of New Jersey. Id. ¶ 21. They both "used their Yahoo accounts for nearly twenty years for general banking, credit card management and communications, a mortgage refinance, and communication with friends and family." Id. Both Plaintiffs Matthew and Deana Ridolfo experienced numerous instances of credit card fraud as a result of the Data Breaches. Id. Specifically, eleven credit card or bank accounts were opened or attempted to be opened in Plaintiff Matthew Ridolfo's name, and at least eight accounts were opened or attempted to be opened in Plaintiff Deana Ridolfo's name. Id. The Ridolfos experienced fraudulent charges on their credit cards. Id. The Ridolfos eventually purchased and enrolled in LifeLock to help monitor their credit and finances, and they each pay $30.00 per month for these services. Id. ¶ 22. Nonetheless, as late as January 31, 2017, an unauthorized person attempted to open an additional credit card in Plaintiff Deana Ridolfo's name. Id.

b. Named Plaintiffs Representing the Israel Class

Plaintiffs Yaniv Rivlin and Mali Granot ("Israel Plaintiffs") assert claims on behalf of the putative Israel Class, which consists of all Yahoo account holders in Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 23-24, 161.

Plaintiff Yaniv Rivlin, a resident of Tel Aviv, Israel, used his Yahoo email account "mainly for personal purposes, including banking, friends and family, credit card statements, and social security administration." Id. ¶ 25. Plaintiff Rivlin also pays Yahoo $20.00 per year for an email forwarding service and keeps a credit card on file with Yahoo to pay for the service. Id. After being notified that his account had been breached, Plaintiff Rivlin has noticed an increase in spam and unsolicited advertisements, and Plaintiff Rivlin has spent considerable time changing many user names and passwords on many accounts to prevent fraud. Id.

Plaintiff Mali Granot, a resident of Raanana, Israel, uses her Yahoo email account "to correspond with family, friends and school." Id. ¶ 24. Plaintiff Granot was unexpectedly locked out of her account and, when she regained access, she received numerous unsolicited chat requests and other unsolicited services. Id.

c. Named Plaintiff Representing the Small Business Users Class

Plaintiff Brian Neff ("Small Business Users Plaintiff") asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo or Aabaco business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 25-27, 161.

Plaintiff Neff, a resident of Texas, "contracted with Yahoo for two services, Yahoo! Web Hosting for www.TheInsuranceSuite.com and Yahoo! Business Email, for which he has paid Yahoo $13.94 every month." Id. ¶ 25. Plaintiff Neff has also used Yahoo and Aabaco's web hosting services "in connection with another 54 websites, paying anywhere from $3.94 to $15.94 per month for each website." Id. In May 2015, Plaintiff Neff incurred fraudulent charges on two of his credit cards, both of which were on file with Yahoo to pay for the services described above. Id. ¶ 26. Additionally, a credit card was fraudulently opened in Plaintiff Neff's name. Id. Plaintiff Neff has spent "significant time and incurred expenses mitigating the harm to him from these security breaches and identity theft." Id. Plaintiff Neff has "stopped using the TheInsuranceSuite.com website" and "is in the process of migrating that website to a more secure provider," which Plaintiff Neff alleges will require significant expenses. Id. ¶ 27.

d. Named Plaintiff Representing the Paid Users Class

Plaintiff Andrew Mortensen ("Paid Users Plaintiff") asserts claims on behalf of a putative Paid Users Class, which consists of all paid Yahoo account holders in the United States and Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 28, 161.

Plaintiff Mortensen, a resident of Texas, opened an email account with Yahoo and has used his account for personal and business purposes, ranging from sharing personal information with friends and family to managing banking and financial information. Id. ¶ 28. Plaintiff Mortensen has also "paid $19.95 per year for Yahoo's premium email service." Id. Plaintiff Mortensen has received spam calls every week and spam texts every two weeks. Id. Plaintiff Mortensen alleges that he has been "forced to expend approximately three hours of time and effort checking credit and opening accounts." Id.

B. Procedural History

After the 2014 Breach was announced on September 22, 2016, a number of lawsuits were filed against Defendants. These lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, failed to disclose its inadequate data security practices, and failed to timely notify users of the data breach.

In late 2016, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) ("When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings."). On December 7, 2016, the Judicial Panel on Multidistrict Litigation ("JPML") issued a transfer order selecting the undersigned judge as the transferee court for "coordinated or consolidated pretrial proceedings" in the multidistrict litigation ("MDL") arising out of the 2014 Breach. See ECF No. 1 at 1-2.

On December 14, 2016, one week after the JPML issued the transfer order for cases arising from the 2014 Breach, Yahoo announced the existence of the 2013 Breach. Plaintiffs in several lawsuits that had been filed regarding the 2014 Data Breach then amended their complaints to include claims regarding the 2013 Breach. Additionally, more lawsuits were filed in the Northern District of California regarding the 2013 Breach and the 2014 Breach. Again, these lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, failed to disclose its inadequate data security practices, and failed to timely notify users of the data breach. These lawsuits were related or transferred to the undersigned judge. ECF Nos. 7, 9, 30, 33, 40, 64.

Plaintiffs filed a Consolidated Class Action Complaint covering all three Data Breaches on April 12, 2017. ECF No. 80. On May 22, 2017, Defendants filed a first round motion to dismiss. ECF No. 94. On August 30, 2017, the Court granted in part and denied in part the first round motion to dismiss. ECF No. 132 ("First MTD Order").

After the Court had issued its ruling on the first round motion to dismiss, Yahoo disclosed on October 3, 2017 that the 2013 data breach had affected an additional two billion Yahoo user accounts. In response, the Court amended the case schedule to allow Plaintiffs enough time to amend their complaint and to conduct discovery. ECF No. 147.

Plaintiffs filed the instant FAC on December 15, 2017. ECF No. 174. On January 19, 2018, Defendants filed the instant motion to dismiss. ECF No. 205 ("Mot."). The same day, Defendants filed a request for judicial notice in connection with their motion to dismiss. ECF No. 206. On February 9, 2018, Plaintiffs filed an opposition to Defendants' motion to dismiss. ECF No. 211 ("Opp."). On February 19, 2018, Defendants filed a reply in support of their motion to dismiss. ECF No. 212 ("Reply").

II. LEGAL STANDARD

A. Motion to Dismiss Under Rule 12(b)(6)

Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a 'probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citations omitted).

For purposes of ruling on a Rule 12(b)(6) motion, the Court "accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party." Manzarek v. St. Paul Fire & Marine Ins. Co. , 519 F.3d 1025, 1031 (9th Cir. 2008). However, a court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States , 234 F.3d 428, 435 (9th Cir. 2000), and a "court may look beyond the plaintiff's complaint to matters of public record" without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn , 56 F.3d 1128, 1129 (9th Cir. 1995). Mere "conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss." Adams v. Johnson , 355 F.3d 1179, 1183 (9th Cir. 2004).

B. Leave to Amend

If the Court concludes that a motion to dismiss should be granted, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend "shall be freely given when justice so requires," bearing in mind "the underlying purpose of Rule 15... [is] to facilitate decision on the merits, rather than on the pleadings or technicalities." Lopez v. Smith , 203 F.3d 1122, 1127 (9th Cir. 2000) (citation omitted). Nonetheless, a district court may deny leave to amend a complaint due to "undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment." See Leadsinger, Inc. v. BMG Music Publ'g , 512 F.3d 522, 532 (9th Cir. 2008) (alteration in original) (citation omitted).

III. REQUEST FOR JUDICIAL NOTICE

The Court first addresses Defendants' request for judicial notice. ECF No. 206. The Court may take judicial notice of matters that are either "generally known within the trial court's territorial jurisdiction" or "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). Public records, including judgments and other publicly filed documents, are proper subjects of judicial notice. See, e.g. , United States v. Black , 482 F.3d 1035, 1041 (9th Cir. 2007) ("[Courts] may take notice of proceedings in other courts, both within and without the federal judicial system, if those proceedings have a direct relation to matters at issue."); Rothman v. Gregor , 220 F.3d 81, 92 (2d Cir. 2000) (taking judicial notice of a filed complaint as a public record).

However, to the extent any facts in documents subject to judicial notice are subject to reasonable dispute, the Court will not take judicial notice of those facts. See Lee v. City of L.A. , 250 F.3d 668, 689 (9th Cir. 2001) ("A court may take judicial notice of matters of public record.... But a court may not take judicial notice of a fact that is subject to reasonable dispute." (internal quotation marks and citation omitted) ), overruled on other grounds by Galbraith v. Cty. of Santa Clara , 307 F.3d 1119 (9th Cir. 2002).

Defendants request judicial notice of the following documents:

Ex. A: Legislative Counsel's Digest for California Assembly Bill 1541;
Ex. B: California Assembly, Committee on Privacy and Consumer Protection, Analysis of Assembly Bill 1541.

Plaintiffs do not object to Defendants' request for judicial notice. The Court agrees that these documents are proper subjects of judicial notice. See Anderson v. Holder , 673 F.3d 1089, 1094 n.1 (9th Cir. 2012) ("Legislative history is properly a subject of judicial notice."). Therefore, the Court GRANTS Defendants' unopposed request for judicial notice of Exhibits A and B. The Court next turns to address the substance of Defendants' motion to dismiss the FAC.

IV. DISCUSSION

As set forth above, the United States Plaintiffs assert claims on behalf of the putative United States Class, which consists of all free Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. FAC ¶¶ 18-22, 161. Additionally, the California Plaintiffs assert claims on behalf of the putative California subclass, which consists of all California Yahoo account holders whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 18, 20, 163.

The Israel Plaintiffs assert claims on behalf of the putative Israel Class, which consists of all Yahoo account holders in Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 23-24, 161.

The Small Business Users Plaintiff asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo or Aabaco business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 25-27, 161.

The Paid Users Plaintiff asserts claims on behalf of a putative Paid Users Class, which consists of all paid Yahoo account holders in the United States and Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 28, 161.

The FAC asserts a total of thirteen causes of action: six California statutory claims and seven California common-law claims on behalf of the putative classes. Specifically, the FAC asserts the following thirteen causes of action: (1) a claim under the unlawful prong of the California Unfair Competition Law ("UCL") on behalf of all classes (Count One); (2) a claim under the unfair prong of the UCL on behalf of all classes (Count Two); (3) a claim for deceit by concealment on behalf of all classes (Count Three); (4) a claim for negligence on behalf of all classes (Count Four); (5) a claim for breach of contract on behalf of all classes (Count Five); (6) a claim for breach of implied contract on behalf of all classes (Count Six); (7) a claim for breach of the implied covenant of good faith and fair dealing on behalf of all classes (Count Seven); (8) a claim for declaratory relief on behalf of all classes (Count Eight); (9) a claim under the fraudulent prong of the UCL on behalf of the Small Business Users Class (Count Nine); (10) a claim for misrepresentation on behalf of the Small Business Users Class (Count Ten); (11) a claim under the California Consumers Legal Remedies Act ("CLRA") on behalf of the Paid Users Class (Count Eleven); (12) a claim under § 1798.81.5 of the California Customer Records Act ("CRA") on behalf of the California subclass (Count Twelve); and (13) a claim under § 1798.82 of the CRA on behalf of the California subclass (Count Thirteen). Id. ¶¶ 180-312.

Defendants move to dismiss claims that were either dismissed with leave to amend in the First MTD Order or were newly added in the FAC. First, Defendants raise particular objections to eleven of Plaintiffs' thirteen causes of action-i.e., all claims except the claim under the fraudulent prong of the UCL on behalf of the Small Business Users Class (Count Nine) and the claim for misrepresentation on behalf of the Small Business Users Class (Count Ten). Next, Defendants argue that Plaintiffs may not seek punitive damages as to any of their claims.

The Court first considers Defendants' challenges to Plaintiffs' causes of action in turn, then considers Defendants' arguments regarding punitive damages.

A. UCL

In Count One, all Plaintiffs allege a claim under the unlawful prong of the UCL. In Count Two, all Plaintiffs allege a claim under the unfair prong of the UCL. Defendants move to dismiss the UCL unlawful and unfair claims of Plaintiffs Rivlin, Granot, and Mortensen on the ground that those three Plaintiffs lack standing to bring claims under the UCL. Mot. at 5-6.

In order to establish standing for a UCL claim, Plaintiffs must show that they personally "lost money or property as a result of the unfair competition." Cal. Bus. & Prof. Code § 17204 ; Kwikset Corp. v. Superior Court , 51 Cal.4th 310, 120 Cal.Rptr.3d 741, 246 P.3d 877, 887 (2011). As the California Supreme Court has explained:

There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.

Kwikset , 120 Cal.Rptr.3d 741, 246 P.3d at 885-86.

Under those standards, this Court previously dismissed the UCL claims of Plaintiffs Rivlin and Granot because they did not sufficiently allege standing under the UCL. First MTD Order at 39. The Court explained that "Plaintiffs' imminent risk of future costs as a result of the Data Breaches ... is not sufficient to allege 'lost money or property' under the UCL." Id.

Plaintiffs Rivlin and Granot's amended allegations fare no better. Again, the FAC states that "the Yahoo Data Breaches have caused [Plaintiffs Rivlin and Granot] to be at substantial risk for identity theft, if in fact [their] identit[ies]

ha[ve] not already been stolen." FAC ¶¶ 23-24. As the Court has already concluded, such reliance on the threat of future harm does not satisfy the UCL's "lost money or property" standing requirement. Indeed, Plaintiffs concede that, based on the Court's prior ruling, the UCL claims of Plaintiffs Rivlin and Granot cannot proceed. Opp. at 4 n.6. Thus, the Court GRANTS Defendants' motion to dismiss the UCL unlawful and unfair claims of Plaintiffs Rivlin and Granot. The Court dismisses with prejudice because Plaintiffs Rivlin and Granot have failed to cure the deficiencies addressed in the First MTD Order.

The Court reaches a different conclusion as to Paid Users Plaintiff Mortensen. To the extent that Plaintiff Mortensen claims a "greater risk of identity theft and other fraud," FAC ¶ 28, like Plaintiffs Rivlin and Granot, he has failed to allege "lost money or property" under the UCL. However, Plaintiff Mortensen offers further allegations beyond those of Plaintiffs Rivlin and Granot. Plaintiffs argue that these allegations establish standing under the UCL because he has alleged lost benefit of the bargain. Opp. at 4. The Court agrees.

Plaintiff Mortensen's allegations are sufficient to allege that he suffered benefit-of-the-bargain losses. In particular, Plaintiff Mortensen pleads that he has paid $19.95 each year since December 2007 for Yahoo's premium email service. FAC ¶ 28. Defendants represented that their email services were "secure." Id. ¶ 40. Plaintiff Mortensen alleges that he "would not have provided [his] PII to Yahoo or signed up for the supposedly secure services" had he known that Yahoo's email service was not as secure as Defendants represented. Id. ¶ 285. Accordingly, Plaintiff Mortensen claims that he was damaged because he paid for services "either worth nothing or worth less than was paid for them because of their lack of security." Id. ¶ 210. These allegations closely parallel the Small Business Users Plaintiff Neff's allegations, which the Court concluded adequately alleged lost benefit of the bargain. First MTD Order at 36-37.

Defendants' central response is that Plaintiff Mortensen does not allege that he was deprived of the premium services for which he paid. Mot. at 6. In other words, Defendants argue that because added security was not a benefit of Plaintiff Mortensen's bargain with Defendants, Plaintiff Mortensen has failed to allege lost benefit of the bargain. Reply at 3.

Based on Plaintiff Mortensen's specific allegations, the Court rejects Defendants' argument in this context. Plaintiff Mortensen's request for lost benefit of the bargain mirrors the California Supreme Court's determination in Kwikset that a plaintiff who has "surrender[ed] in a transaction more, or acquire[d] in a transaction less, than he or she otherwise would have" may bring a UCL claim. 120 Cal.Rptr.3d 741, 246 P.3d at 885. Plaintiff Mortensen's allegations state that he expected to receive secure email services and that he would not have signed up for the services in the absence of such assurances. FAC ¶ 285. Even if his annual fee did not provide for security measures above and beyond those for free accounts, Plaintiff Mortensen pleads that Defendants' representations about security formed part of the reason for him to use Yahoo Mail in the first place and to pay $19.95 per year for the premium email service. Id. Moreover, Plaintiff Mortensen alleges that he would not have signed up for the supposedly secure services or turned over his PII at all if Defendants had disclosed the security issues. Id. Defendants' argument does not undermine Plaintiff Mortensen's plausible allegations that he lost the benefit of the bargain.

Such benefit-of-the-bargain losses are sufficient to allege "lost money or property," and thus standing, under the UCL. See In re Anthem, Inc. Data Breach Litig. , No. 15-MD-02617-LHK, 2016 WL 3029783, at *30 (N.D. Cal. May 27, 2016) (finding plaintiffs' alleged benefit of the bargain losses were sufficient to establish standing under the UCL); In re Adobe Sys., Inc. Privacy Litig. , 66 F.Supp.3d 1197, 1224 (N.D. Cal. 2014) (finding allegations that plaintiffs "personally spent more on Adobe products than they would had they known Adobe was not providing the reasonable security Adobe represented it was providing" to be sufficient to allege standing under the UCL). Accordingly, Paid Users Plaintiff Mortensen has adequately alleged standing under the UCL, and the Court DENIES Defendants' motion to dismiss Plaintiff Mortensen's UCL unlawful and unfair claims for lack of UCL standing.

B. Deceit by Concealment and Negligence

All Plaintiffs bring a claim for deceit by concealment in Count Three and a claim for negligence in Count Four. Defendants first argue that the economic loss rule bars both sets of claims. Mot. at 22-24. Defendants separately contend that, with respect to the deceit by concealment claim, Plaintiffs have failed to plead either reliance or damages. Id. at 19-22. The Court addresses each of these arguments in turn.

1. Economic Loss Rule

Defendants first contend that Plaintiffs' deceit by concealment and negligence claims fail under the economic loss rule. Mot. at 22-24.

Under the economic loss rule, "purely economic losses are not recoverable in tort." NuCal Foods, Inc. v. Quality Egg LLC , 918 F.Supp.2d 1023, 1028 (E.D. Cal. 2013) (citing S.M. Wilson & Co. v. Smith Int'l, Inc. , 587 F.2d 1363, 1376 (9th Cir. 1978) ); Robinson Helicopter Co. v. Dana Corp. , 34 Cal.4th 979, 22 Cal.Rptr.3d 352, 102 P.3d 268, 272 (2004) ("The economic loss rule requires a purchaser to recover in contract for purely economic loss due to disappointed expectations, unless he can demonstrate harm above and beyond a broken contractual promise."). The purpose of the rule is to "prevent[ ] the law of contract and the law of tort from dissolving one into the other." Robinson Helicopter , 22 Cal.Rptr.3d 352, 102 P.3d at 273 (citation omitted); Aas v. Superior Court , 24 Cal.4th 627, 101 Cal.Rptr.2d 718, 12 P.3d 1125, 1135 (2000) ("A person may not ordinarily recover in tort for the breach of duties that merely restate contractual obligations."), superseded by statute on other grounds as recognized in McMillin Albany LLC v. Superior Court , 4 Cal.5th 241, 227 Cal.Rptr.3d 191, 408 P.3d 797 (2018). However, the economic loss rule does not prevent recovery in tort if a "special relationship" exists between the plaintiff and the defendant. J'Aire Corp. v. Gregory , 24 Cal.3d 799, 157 Cal.Rptr. 407, 598 P.2d 60, 63 (1979) ; Biakanja v. Irving , 49 Cal.2d 647, 320 P.2d 16, 19 (1958).

Although Defendants argue that the "special relationship" exception never applies when the plaintiff and the defendant are in privity, Mot. at 23, this Court has previously rejected that argument. As the Court explained, "[w]hen determining whether a special relationship exists under J'aire between parties that are in privity of contract, California courts have drawn a distinction between contracts involving goods and contracts involving services." R Power Biofuels, LLC v. Chemex LLC , No. 16-CV-00716-LHK, 2016 WL 6663002, at *5 (N.D. Cal. Nov. 11, 2016). Specifically, the California Court of Appeal's decision in North American Chemical Co. v. Superior Court held that where parties are in privity of contract, the J'aire exception applies if the contracts are for services. 59 Cal.App.4th 764, 69 Cal.Rptr.2d 466, 477 (1997). Other courts in this district have reached the same conclusion. See, e.g. , Corelogic, Inc. v. Zurich Am. Ins. Co. , No. 15-CV-03081-RS, 2016 WL 4698902, at *5 (N.D. Cal. Sept. 8, 2016). Thus, the crucial issue for applying the J'aire exception here is whether the contract at issue is one for goods or services. R Power Biofuels , 2016 WL 6663002, at *7.

The allegations in the FAC counsel that the contract between Plaintiffs and Defendants is one for services, not goods. A contract for "goods" involves the purchase or sale of "all things ... which are movable at the time of identification to the contract for sale," Cal. Com. Code § 2105(1), while a contract for services involves the purchase of labor and the "knowledge, skill, and ability" of the contracting party. TK Power, Inc. v. Textron, Inc. , 433 F.Supp.2d 1058, 1062 (N.D. Cal. 2006). Here, Plaintiffs plead that Defendants provided email and other related services by maintaining a web-based platform where users can set up accounts. FAC ¶¶ 33-34. Not only does the FAC repeatedly refer to what Defendants provide as "services," see, e.g. , id. ¶¶ 24-28, 30, 32, 173, but Defendants themselves have Terms of Service, which state that "Yahoo! provides the Yahoo! Services," id. , Ex. 1, at 1. Thus, Plaintiffs' contract with Defendants is properly characterized as a contract for services.

Having concluded that the contract is for services, the J'aire exception is available to Plaintiffs if they have adequately pled a "special relationship." The J'aire court utilized six factors for determining when a "special relationship" exists:

(1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant's conduct and the injury suffered, (5) the moral blame attached to the defendant's conduct and (6) the policy of preventing future harm.

157 Cal.Rptr. 407, 598 P.2d at 63. Applying these criteria to the facts as pled, it is evident that a duty was owed by Defendants to Plaintiffs in the present case.

First, the contract entered into between the parties related to email services for Plaintiffs. Plaintiffs were required to turn over their PII to Defendants and did so with the understanding that Defendants would adequately protect Plaintiffs' PII and inform Plaintiffs of breaches. FAC ¶ 215. Second, it was plainly foreseeable that Plaintiffs would suffer injury if Defendants did not adequately protect the PII. Id. Third, the FAC asserts that hackers were able to gain access to the PII and that Defendants did not promptly notify Plaintiffs, thereby causing injury to Plaintiffs. See, e.g. , ¶ 221. Fourth, the injury was allegedly suffered exactly because Defendants provided inadequate security and knew that their system was insufficient. Id. ¶ 215. Fifth, Defendants "knew their data security was inadequate" and that "they [did not] have the tools to detect and document intrusions or exfiltration of PII." Id. "Defendants are morally culpable, given their repeated security breaches, wholly inadequate safeguards, and refusal to notify Plaintiffs ... of breaches or security vulnerabilities." Id. Sixth, and finally, Defendants' concealment of their knowledge and failure to adequately protect Plaintiffs' PII implicates the consumer data protection concerns expressed in California statutes, such as the CRA and CLRA. See In re Adobe Sys. , 66 F.Supp.3d at 1227.

Although Defendants seek to short-circuit this analysis by referring to general propositions, Mot. at 23-24, the Ninth Circuit has admonished district courts for failing to examine all of J'aire 's six factors. Kalitta Air, L.L.C. v. Cent. Tex. Airborne Sys., Inc. , 315 F. App'x 603, 606 (9th Cir. 2008). Under those factors, Plaintiffs have adequately pled a "special relationship" with Defendants, so Plaintiffs' negligence and deceit by concealment claims are not barred by the economic-loss rule. Because Defendants make no other arguments with respect to the negligence claim, the Court DENIES Defendants' motion to dismiss Plaintiffs' negligence claim.

Defendants make additional arguments for dismissal of the deceit by concealment claim. Specifically, Defendants contend that Plaintiffs' deceit by concealment claim fails to plead either reliance or damages. The Court therefore turns to these remaining arguments.

2. Deceit by Concealment

Under California law, a plaintiff may assert a claim for deceit by concealment based on "[t]he suppression of a fact, by one who is bound to disclose it, or who gives information of other facts which are likely to mislead for want of communication of that fact." Cal. Civ. Code § 1710(3). An action for fraud and deceit based on concealment has five elements:

(1) the defendant must have concealed or suppressed a material fact, (2) the defendant must have been under a duty to disclose the fact to the plaintiff, (3) the defendant must have intentionally concealed or suppressed the fact with the intent to defraud the plaintiff, (4) the plaintiff must have been unaware of the fact and would not have acted as he did if he had known of the concealed or suppressed fact, and (5) as a result of the concealment or suppression of the fact, the plaintiff must have sustained damage.

Tenet Healthsystem Desert, Inc. v. Blue Cross of Cal. , 245 Cal.App.4th 821, 199 Cal.Rptr.3d 901, 920 (2016) (quoting Mktg. W., Inc. v. Sanyo Fisher (USA) Corp. , 6 Cal.App.4th 603, 7 Cal.Rptr.2d 859, 864 (1992) ). Defendants challenge only the last two elements, contending that Plaintiffs fail to sufficiently plead reliance or damages in connection with their deceit by concealment claims. Mot. at 19-22. The Court addresses each of these arguments in turn.

i. Reliance

Defendants first contend that the deceit by concealment claims of all Plaintiffs (except Plaintiff Neff) must be dismissed because there is no allegation that any Plaintiff read Yahoo's Privacy Policy when signing up for a Yahoo Mail account. Mot. at 19-20. The Court disagrees.

As noted above, under the reliance element, the plaintiff must demonstrate that he "would not have acted as he did if he had known of the concealed or suppressed fact." Tenet Healthsystem , 199 Cal.Rptr.3d at 920 (quoting Mktg. W. , 7 Cal.Rptr.2d at 864 ). Plaintiffs' allegations satisfy that requirement. Plaintiffs allege that Defendants knew that their system was vulnerable to attack by at least 2012 and learned of the 2014 Breach while it was happening. FAC ¶ 201. In spite of this knowledge, Defendants did not warn Plaintiffs about the security problems or the 2014 Breach. Id. ¶¶ 202-04, 207. The FAC highlights the importance of Defendants' security measures as a factor in Plaintiffs' decision whether to use Defendants' services. See, e.g. , id. ¶¶ 184, 191, 205-06. Finally, Plaintiffs explain that, had they known about the inadequacy of these security measures, they "would have taken measures to protect themselves." Id. ¶ 205. Plaintiffs' allegations are sufficient to show that they would have behaved differently had Defendants disclosed the security weaknesses of the Yahoo Mail system.

The sole argument raised in Defendants' motion to dismiss is unpersuasive. Harkening back to the dismissal of Plaintiffs' UCL fraud claim in this Court's First MTD Order, Defendants argue that Plaintiffs do not plead that they read Yahoo's Privacy Policy. Mot. at 19-20. Defendants' reliance on this portion of the First MTD Order is misplaced. The Court required Plaintiffs to plead that they actually read and relied on the Privacy Policy because Plaintiffs' theory was that Defendants made misrepresentations in the Privacy Policy. First MTD Order at 48-49. Here, in contrast, Plaintiffs' deceit by concealment claim is not based on statements in the Privacy Policy, so whether Plaintiffs read the Privacy Policy is immaterial.

Perhaps sensing this deficiency, Defendants do not repeat the same argument in their reply but instead raise two new contentions. Even if the Court were to consider these belated assertions, they are unavailing. See Pham v. Fin. Indus. Regulatory Auth. Inc. , No. 12-CV-06374-EMC, 2013 WL 1320635, at *1 (N.D. Cal. Apr. 1, 2013) ("[T]hese arguments-raised for the first time on reply-have been waived."), aff'd sub nom. Huy Pham v. Fin. Indus. Regulatory Auth., Inc. , 589 F. App'x 345 (9th Cir. 2014). First, Defendants argue that Plaintiffs must provide more detail about Defendants' omissions, Reply at 11-12, but they offer no explanation of what more Plaintiffs need to identify, and the Court finds that what Plaintiffs have identified is sufficiently specific.

Second, Defendants also criticize Plaintiffs for continuing to use Yahoo Mail and taking no remedial actions after learning of Defendants' allegedly inadequate security. Id. at 12. However, Defendants fail to acknowledge that Defendants' delayed disclosures are likely to have harmed Plaintiffs in the interim. Plaintiffs did not even know that they should take any remedial actions during the periods of Defendants' delayed disclosures. Moreover, contrary to Defendants' suggestion, the actions that Plaintiffs took after the fact do not conclusively determine what actions they would have taken if they had been alerted before the fact. The FAC provides at least one good reason why Plaintiffs may not have ceased their use of Yahoo Mail after the fact-namely, Plaintiffs have already established their "digital identities around Yahoo Mail." FAC ¶ 33. Plaintiffs can consistently plead that they took minimal or no action after learning of the security defects but that they "would have taken measures to protect themselves" if they had been informed beforehand. Id. ¶ 205. Accordingly, Plaintiffs have plausibly alleged the necessary element of reliance.

ii. Damages

Defendants argue that, except for Plaintiff Neff, Plaintiffs do not properly plead damages from the concealment. Mot. at 21. Specifically, Defendants contend that Plaintiffs are limited to recovering out-of-pocket losses. Id. at 20. The out-of-pocket measure is designed to put the plaintiff in the financial position he or she was in prior to the transaction. All. Mortg. Co. v. Rothwell , 10 Cal.4th 1226, 44 Cal.Rptr.2d 352, 900 P.2d 601, 609 (1995). Under that measure, Defendants contend, Plaintiffs with free Yahoo accounts have suffered no damage because they did not pay anything to use Yahoo Mail. Mot. at 21.

In arguing that Plaintiffs are limited to out-of-pocket losses, Defendants rely on California Civil Code § 3343. Section 3343(a) states that "[o]ne defrauded in the purchase, sale or exchange of property is entitled to recover the difference between the actual value of that with which the defrauded person parted and the actual value of that which he received." In other words, in § 3343(a), the California legislature has expressly provided that the out-of-pocket measure is applicable in fraud cases involving the "purchase, sale or exchange of property." All. Mortg. , 44 Cal.Rptr.2d 352, 900 P.2d at 609 (quoting Cal. Civ. Code § 3343(a) ). The question in the instant case is whether § 3343(a) governs Plaintiffs' deceit by concealment claims. It does not.

By its terms, § 3343(a) is restricted to cases where the plaintiff is "defrauded in the purchase, sale or exchange of property." The same limitation appears in the title of the statutory section: "Fraud in purchase, sale or exchange of property; additional damages." Defendants' cited California state authorities follow that pattern. In Alliance Mortgage , the plaintiff claimed fraud in the inducement of a loan for the purchase of real property. 44 Cal.Rptr.2d 352, 900 P.2d at 605. In Fladeboe v. American Isuzu Motors Inc. , the plaintiff alleged fraud and negligent misrepresentation in connection with the sale of automobiles. 150 Cal.App.4th 42, 58 Cal.Rptr.3d 225, 233 (2007). Moreover, in all of Defendants' district court cases, the underlying fraud claim was based in contract. See Song Fi, Inc. v. Google, Inc. , No. 14-CV-05080-CW, 2016 WL 1298999, at *7 (N.D. Cal. Apr. 4, 2016) (concerning fraud claim where plaintiffs alleged that defendants had duty to disclose based on the Terms of Service contract between the parties); Daly v. Viacom, Inc. , 238 F.Supp.2d 1118, 1125 (N.D. Cal. 2002) (concerning fraud claim where "plaintiff allege[d] that defendant misrepresented material facts when it induced plaintiff to sign a contract").

This case is different, as no exchange of property occurred and Plaintiffs' claim does not sound in contract. FAC ¶¶ 200-11. Rather, Plaintiffs allege that Defendants committed deceit by concealment under California Civil Code § 1709 by violating the duty to disclose. The California Court of Appeal has ruled that, for the tort of deceit, "the appropriate measure of damages is defined by Civil Code sections 1709 and 3333." Sprague v. Frank J. Sanders Lincoln Mercury, Inc. , 120 Cal.App.3d 412, 174 Cal.Rptr. 608, 610 (1981) ; see also Romo v. Stewart Title of Cal. , 35 Cal.App.4th 1609, 42 Cal.Rptr.2d 414, 422 (1995) ("A tort victim is not limited to his or her 'out-of-pocket' losses; rather, he or she is entitled to compensatory damages for any actual loss, as well as punitive damages for fraud (if the fraud consisted of an intentional misrepresentation or concealment)."). Neither of those statutes is limited to out-of-pocket losses. California Civil Code § 1709 permits recovery of "any damage which [the plaintiff] thereby suffers." Similarly, California Civil Code § 3333 instructs that "[f]or the breach of an obligation not arising from contract, the measure of damages ... is the amount which will compensate for all the detriment proximately caused thereby, whether it could have been anticipated or not." Thus, the out-of-pocket restriction in § 3343 does not apply, and Plaintiffs are entitled to recover their compensatory damages.

Accordingly, the Court DENIES Defendants' motion to dismiss Plaintiffs' deceit by concealment claim.

C. Contract Claims

In Counts Five through Seven, all Plaintiffs assert contract claims against Defendants. Specifically, Plaintiffs assert breach of contract in Count Five, breach of implied contract in Count Six, and breach of the implied covenant of good faith and fair dealing in Count Seven. Defendants move to dismiss these claims to the extent that they seek consequential damages in light of the limitations of liability in Defendants' Terms of Service. Mot. at 6-7. Plaintiffs argue that they have adequately pled that Defendants' limitation-of-liability provisions are unconscionable. Opp. at 5-12. Alternatively, Plaintiffs argue that their claims seek direct damages from Defendants' breach of contractual obligations. Id. at 13-14. Because the Court agrees that Plaintiffs have adequately pled unconscionability, the Court need not address Plaintiffs' alternative argument.

Defendants argue that their Terms of Service bar recovery for damages other than direct damages. Specifically, Defendants point out that Yahoo's Terms of Service contained the following clause limiting Yahoo's liability:

YOU EXPRESSLY UNDERSTAND AND AGREE THAT YAHOO! ... SHALL NOT BE LIABLE TO YOU FOR ANY PUNITIVE, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES , INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF YAHOO! HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM: ... UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA ... OR ... ANY OTHER MATTER RELATING TO THE YAHOO! SERVICE.

FAC, Ex. 1, at 10 (emphasis added). Aabaco's Terms of Service contained the same clause limiting Aabaco's liability. Id. , Ex. 16, at 17. Plaintiffs argue that these limitations of liability are unconscionable. Opp. at 5-12.

In order to state a claim that a contractual term is unconscionable, Plaintiffs must allege facts showing that the term is both procedurally and substantively unconscionable. Pokorny v. Quixtar, Inc. , 601 F.3d 987, 996 (9th Cir. 2010) ; In re iPhone Application Litig. , No. 11-MD-02250-LHK, 2011 WL 4403963, at *7 (N.D. Cal. Sept. 20, 2011). "The procedural element of unconscionability focuses on two factors: oppression and surprise." Aron v. U-Haul Co. of Cal. , 143 Cal.App.4th 796, 49 Cal.Rptr.3d 555, 564 (2006). "The substantive element of unconscionability focuses on the actual terms of the agreement and evaluates whether they create overly harsh or one-sided results as to shock the conscience." Id. (internal quotation marks and citation omitted). Although unconscionability is ultimately a question of law, "numerous factual inquiries bear upon that question." A & M Produce Co. v. FMC Corp. , 135 Cal.App.3d 473, 186 Cal.Rptr. 114, 123 (1982).

Plaintiffs have adequately alleged oppression and surprise to support procedural unconscionability. "Oppression arises from an inequality of bargaining power which results in no real negotiation and an absence of meaningful choice." Id. at 122 (internal quotation marks and citation omitted). "Surprise involves the extent to which the supposedly agreed-upon terms of the bargain are hidden in a prolix printed form drafted by the party seeking to enforce the disputed terms." Id. (internal quotation marks omitted). The Ninth Circuit has held that "a contract is procedurally unconscionable under California law if it is 'a standardized contract, drafted by the party of superior bargaining strength, that relegates to the subscribing party only the opportunity to adhere to the contract or reject it.' "

Pokorny , 601 F.3d at 996 (quoting Ting v. AT & T , 319 F.3d 1126, 1148 (9th Cir. 2003) ). Plaintiffs plead such a circumstance in alleging that Defendants' liability limitations appear near the end of the 12-page legal Terms of Service document where the Terms of Service are contained in an adhesion contract and customers may not negotiate or modify any terms. FAC ¶¶ 236-37. Although the fact that Plaintiffs could have used other email services may weaken their procedural unconscionability claim, the Ninth Circuit has "consistently followed the [California] courts that reject the notion that the existence of 'marketplace alternatives' bars a finding of procedural unconscionability." Shroyer v. New Cingular Wireless Servs., Inc. , 498 F.3d 976, 985 (9th Cir. 2007).

Under the particular circumstances of this case, Plaintiffs have also made sufficient allegations to support substantive unconscionability. In particular, Plaintiffs claim that the limitations of liability are overly one-sided and bar any effective relief. FAC ¶¶ 238, 240. In Silicon Valley Self Direct, LLC v. Paychex, Inc. , the court found substantively unconscionable a nearly identical provision that "exempt[ed] under all circumstances 'special, indirect, incidental, or consequential or punitive damages, including any theory of liability (including contract, tort or warranty).' " No. 15-CV-01055-EJD, 2015 WL 4452373, at *6 (N.D. Cal. July 20, 2015). Like the provision at issue in Silicon Valley , Defendants' limitations of liability here involve "expansive liability limitation and preclusion of nearly every type of damages claim." Id. California courts have similarly concluded that limitations are substantively unconscionable when they "guarantee[ ] that plaintiffs could not possibly obtain anything approaching full recompense for their harm." Lhotka v. Geographic Expeditions, Inc. , 181 Cal.App.4th 816, 104 Cal.Rptr.3d 844, 852 (2010) ; see also Harper v. Ultimo , 113 Cal.App.4th 1402, 7 Cal.Rptr.3d 418, 423 (2003) (finding substantive unconscionability where the damages limitation at issue did not even allow for "the theoretical possibility [that the customer] can be made whole").

Defendants suggest that their limitations of liability are not so broad. For example, they point out that there is no bar on direct damages. Mot. at 12. Nevertheless, the same was true in Silicon Valley . Moreover, Plaintiffs further support this point by pleading that "[c]onsequential damages are ... a clear and well-understood consequence of a data breach." FAC ¶ 240. That allegation further supports Plaintiffs' argument that consequential damages are imperative to address the injuries from Defendants' inadequate security. Additionally, substantive unconscionability is not defeated by Defendants' promise not to invoke the limitations against certain of Plaintiffs' claims in this case. Mot. at 12. The substantive unconscionability inquiry looks to whether the actual terms of the agreement create overly harsh or one-sided results. Aron , 49 Cal.Rptr.3d at 564. Here, Defendants do not point to any language in their limitations of liability that restricts their scope. Hence, the actual terms of the limitations of liability allow Defendants to evade important California common-law and statutory obligations, such as the CRA and CLRA. FAC ¶ 242.

Finally, Plaintiffs make allegations about the lack of a reasonable commercial justification for Defendants' limitations on liability. Plaintiffs point out that "Defendants have obligations under both state and federal law to maintain acceptable levels of data security" and are better-equipped to bear the risk as "technology giants providing internet services which they advertised as being safe and sophisticated." Id. ¶ 239. In contrast, individual users "who just want to sign up for an email address" are not as well-situated to shoulder such risks. Id. ¶ 240. In this way, Plaintiffs conclude that the limitations' allocation of risk is unreasonable and unexpected. See id. (alleging a "commercially unfair re-allocation of risk"). To be sure, when a defendant offers a free service, it may be commercially reasonable for the defendant to "retain broad discretion over those services and to minimize its exposure to monetary damages." Darnaa, LLC v. Google, Inc. , No. 15-CV-03221-RMW, 2015 WL 7753406, at *3 (N.D. Cal. Dec. 2, 2015). However, especially in light of the allegations that Defendants took minimal action despite knowing about their inadequate security measures, Plaintiffs adequately plead that Defendants' limitations of liability are substantively unconscionable.

In sum, Plaintiffs have adequately pled the necessary elements of procedural and substantive unconscionability. Accordingly, the Court DENIES Defendants' motion to dismiss Plaintiffs' claims for breach of contract, breach of implied contract, and breach of the implied covenant of good faith and fair dealing.

D. Declaratory Relief

All Plaintiffs assert in Count Eight a claim for declaratory relief against Defendants. Plaintiffs' declaratory relief claim alleges that certain provisions of Defendants' Terms of Service are "unconscionable and unenforceable, or precluded by federal and state law." FAC ¶ 257.

Defendants move to dismiss this claim on two grounds. First, Defendants argue that Plaintiffs have failed to state a claim under Rule 12(b)(6) because Plaintiffs have not sufficiently alleged that the contractual provisions at issue are unconscionable or otherwise unlawful. Mot. at 15. Second, Defendants argue that declaratory relief is improper because it is duplicative of other relief sought in the FAC. Id. Because the Court has already concluded that Plaintiffs have sufficiently alleged unconscionability, the Court need only address Defendants' second argument that Plaintiffs' declaratory relief claim is redundant of Plaintiffs' contract claims.

Under 28 U.S.C. § 2201(a), "any court of the United States, upon the filing of an appropriate pleading, may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought." A claim for declaratory relief may be "unnecessary where an adequate remedy exists under some other cause of action." Reyes v. Nationstar Mortg. LLC , No. 15-CV-01109-LHK, 2015 WL 4554377, at *7 (N.D. Cal. July 28, 2015) (quoting Mangindin v. Wash. Mut. Bank , 637 F.Supp.2d 700, 707 (N.D. Cal. 2009) ). However, "[t]he existence of another adequate remedy does not preclude a declaratory judgment that is otherwise appropriate." Fed. R. Civ. P. 57. Ultimately, a critical question is whether the declaratory relief "will serve a useful purpose in clarifying and settling the legal relations in issue." McGraw-Edison Co. v. Preformed Line Prods. Co. , 362 F.2d 339, 342 (9th Cir. 1966).

Defendants point out that Plaintiffs' declaratory relief claim borrows the unconscionability allegations from Plaintiffs' contract claims. FAC ¶ 258. Defendants argue that because "Plaintiffs allege no additional facts or otherwise meaningfully differentiate the contract and declaratory relief claims," the declaratory relief claim is "wholly redundant." Mot. at 15. Plaintiffs respond that the contract and declaratory relief claims are distinct. While the contract claims seek "past damages" for Defendants' conduct, the declaratory relief claim seeks "a forward-looking declaration" of the unenforceability of provisions in Defendants' Terms of Service. Opp. at 17. The Court concludes that the declaratory relief claim may move forward.

Based on the pleadings, the contract claims and the declaratory relief claim seek different relief. The contract claims request retrospective relief-namely, damages-for the past harms that Plaintiffs have suffered as a result of Defendants' failure to keep their promises about adequate security. FAC ¶¶ 243, 247, 254. In contrast, the declaratory relief claim asks the Court to declare that certain provisions of Defendants' Terms of Service are unconscionable. Id. ¶ 257. Although Plaintiffs' contract claims are similarly premised on claims that those provisions are unconscionable, those arguments are merely a means to obtaining damages for the harms already suffered. A declaration of unconscionability would govern ongoing interactions between Plaintiffs and Defendants and clarify the parties' legal rights under the Terms of Service. Therefore, the Court concludes that Plaintiffs' declaratory relief claim appears to serve a distinct purpose from the contract claims and thus should not be dismissed.

Other courts have allowed plaintiffs to pursue declaratory relief in similar circumstances when such relief is premised on other viable claims. See, e.g. , In re Easysaver Rewards Litig. , 737 F.Supp.2d 1159, 1175 (S.D. Cal. 2010) ; California v. Kinder Morgan Energy Partners, L.P. , 569 F.Supp.2d 1073, 1091 (S.D. Cal. 2008). Indeed, one case from outside this district noted the distinction between forward-looking and retrospective relief in concluding that the plaintiff could maintain its declaratory relief claim with its breach of contract claim. Kenneth F. Hackett & Assocs., Inc. v. GE Capital Info. Tech. Sols., Inc. , 744 F.Supp.2d 1305, 1311 (S.D. Fla. 2010). Many of Defendants' cited authorities are inapposite. For example, in Solarcity Corp. v. Sunpower Corp. , the plaintiff agreed that its declaratory relief claim overlapped with its other claims, and the Court was simply faced with the question whether to dismiss with or without prejudice. No. 16-CV-05509-LHK, 2017 WL 1739169, at *3 (N.D. Cal. May 4, 2017). In In re Zappos.com, Inc. , the court concluded that a declaratory relief claim was "on its face duplicative" where it asked the court to declare that the defendant had violated the same state and federal laws already pled in the complaint. No. 12-CV-00325-RCJ, 2013 WL 4830497, at *5 (D. Nev. Sept. 9, 2013). Here, the FAC provides a sufficient basis to conclude that the declaratory relief claim seeks something distinct from the contract claims.

Accordingly, the Court DENIES Defendant's motion to dismiss Plaintiffs' declaratory relief claim.

E. CLRA

In Count Eleven, Paid Users Plaintiff Mortensen asserts a claim against Yahoo under the CLRA, which prohibits "unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or that results in the sale or lease of goods or services to any consumer." Cal. Civ. Code § 1770(a).

Defendants move to dismiss Paid User Plaintiff Mortensen's CLRA claim on two grounds. First, Defendants argue that Plaintiff Mortensen does not sufficiently allege reliance as required for a CLRA claim. Mot. at 16. Second, Defendants argue that Yahoo's email platform does not qualify as a "good" or "service" within the meaning of the CLRA. Id. The Court addresses each of these arguments in turn.

1. Reliance

Defendants first contend that Plaintiff Mortensen does not plead reliance. Mot. at 16. Specifically, Defendants fault Plaintiff Mortensen for failing to include any allegations that he "actually read" the alleged misrepresentations in the Terms of Service that give rise to Plaintiff Mortensen's CLRA claim. Id. Plaintiffs counter that Plaintiff Mortensen's claim is not premised on a misrepresentation in the Terms of Service but instead on Defendants' material omissions about the security of their databases and the resulting breaches. Opp. at 17.

Defendants' arguments fail for familiar reasons. Like with Plaintiffs' deceit by concealment claim, Defendants point to a portion of this Court's First MTD Order where the Court required Plaintiffs to plead that they actually read and relied on Defendants' Privacy Policy. First MTD Order at 48-49. However, such an allegation was necessary in that situation because Plaintiffs' theory depended on misrepresentations in the Privacy Policy. Here, in contrast, Plaintiff Mortensen's theory is not that Yahoo made misrepresentations but instead that Yahoo was obligated to disclose certain material facts. FAC ¶ 281. Plaintiff Mortensen alleges that Yahoo had exclusive knowledge about the inadequacy of its security and contemporaneous knowledge about the 2014 Breaches and Forged Cookie Breach but actively concealed those facts from customers. Id. The FAC supports that, had Yahoo disclosed the breaches, the significant media and expert attention would have alerted Plaintiff Mortensen and he would not have provided his PII or signed up for Yahoo's services. Id. ¶¶ 4, 132, 285. These allegations are sufficient to conclude that if Yahoo had disclosed the security inadequacies and breaches, Plaintiff Mortensen would have been aware and would have acted differently.

Defendants cannot overcome this conclusion by noting that they disclosed that Yahoo Mail would not necessarily be secure because "no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure." FAC, Ex. 13, at 1. Such a disclosure does not undercut Plaintiffs' contention that Yahoo had "exclusive knowledge of material facts not known or reasonably accessible to" Plaintiffs. Collins v. eMachines, Inc. , 202 Cal.App.4th 249, 134 Cal.Rptr.3d 588, 593 (2011). Nor can Yahoo escape liability just because Plaintiff Mortensen does not claim that he stopped using Yahoo Mail after learning of the breaches. See FAC ¶ 28. As explained in the deceit by concealment section, Plaintiff Mortensen can simultaneously plead that he took little action after learning of the security defects but that he would have acted differently if he had been informed beforehand. Id. ¶ 285. Thus, Plaintiff Mortensen has adequately alleged that he relied on Yahoo's omissions. The Court next turns to Defendants' broader argument that the CLRA is inapplicable because Yahoo did not provide a "good" or "service."

2. "Good" or "Service"

Defendants next contend that Yahoo Mail is neither a "good" nor a "service"

and so does not come within the ambit of the CLRA. Mot. at 16. The CLRA applies only to a limited set of consumer transactions, and is not a law of "general applicability." Ting , 319 F.3d at 1148. For example, only a consumer may allege a violation of the CLRA. See id. A "consumer" is defined as "an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes." Cal. Civ. Code § 1761(d). "Goods" is defined as "tangible chattels bought or leased for use primarily for personal, family, or household purposes." Id. § 1761(a). "Services" is defined as "work, labor, and services for other than a commercial or business use." Id. § 1761(b).

Defendants argue that software never qualifies as either a "good" or "service" under the CLRA. Mot. at 16. For support, Defendants rely on two previous decisions by this Court- Ferrington v. McAfee , No. 10-CV-01455-LHK, 2010 WL 3910169, at *19 (N.D. Cal. Oct. 5, 2010), and In re iPhone Application Litigation , 844 F.Supp.2d 1040, 1070 (N.D. Cal. 2012). The holdings in those cases are not as expansive as Defendants suggest.

Ferrington involved computer software downloaded directly from the Internet. 2010 WL 3910169, at *1. The Court did not hold that software can never constitute a "good," but only "that the software Plaintiffs purchased [was] not a good covered by the CLRA." Id. at *19 (emphasis added). The Court based its analysis on the "CLRA's express limitation of goods to 'tangible chattels.' " Id. (emphasis added). The Court's statements do not foreclose the possibility that software may sometimes qualify as a "good" under the CLRA. In fact, in In re iPhone , which was decided shortly thereafter, this Court concluded that software downloaded into a tangible good may be subject to the CLRA where the claim arises from the "sale of [the] good, and not the downloading of free software." 844 F.Supp.2d at 1071 ; see also In re Lenovo Adware Litig. , No. 15-MD-02624-RMW, 2016 WL 6277245, at *11 (N.D. Cal. Oct. 27, 2016) (denying motion to dismiss because the "CLRA claim [was] premised on [the] purchase of Lenovo laptops," not the software installed on the laptop).

Certainly, too, software sold in a physical form may constitute "tangible chattels" and thus qualify as a "good" under the CLRA because "[a] consumer can purchase [the software] in a store, pick it up in her hands, and carry it home." Haskins v. Symantec Corp. , No. 13-CV-01834-JST, 2013 WL 6234610, at *9 (N.D. Cal. Dec. 2, 2013) ; see also Ladore v. Sony Computer Entm't Am., LLC , 75 F.Supp.3d 1065, 1073 (N.D. Cal. 2014) (noting that the plaintiff went to a physical store location to purchase the tangible video game that came in a box with physical documents); Perrine v. Sega of Am., Inc. , No. 13-CV-01962-JSW, 2013 WL 6328489, at *4 (N.D. Cal. Oct. 3, 2013) (determining that a video game purchased by plaintiffs qualified as a "good").

As to whether the software at issue in Ferrington qualified as a "service," this Court merely stated one conclusory sentence with no analysis: "software generally is not a service for purposes of the CLRA." 2010 WL 3910169, at *19. As that statement reflects, the Court did not find that software never constitutes a "service" for purposes of the CLRA. Instead, a court must analyze the particular facts at issue to determine whether the software at issue falls within the definition of "service." For example, Judge Tigar has explained that "there are good reasons to consider antivirus software to be a 'service' under the CLRA, since it continually updates and runs regular virus checking." Haskins , 2013 WL 6234610, at *9 n.9.

Here, Plaintiffs have adequately alleged that Defendants provide a "service" to Plaintiffs. The FAC pleads that Yahoo Mail is "one of the oldest email services" and the "primary service" provided by Yahoo. FAC ¶ 33. Unlike in Ferrington , Plaintiffs have not purchased software that they downloaded from the Internet. Rather, Plaintiffs have signed up for accounts on a web-based platform, maintained by Yahoo, where they can engage in activities ranging from private email communication to bank and stock trading to photo storage. Id. That Yahoo continually upkeeps and updates the system further solidifies that Yahoo is providing a "service," i.e., "work, labor, and services for other than a commercial or business use." Cal. Civ. Code § 1761(b). Moreover, as noted above, the FAC's repeated labeling of Yahoo's offerings as "services" is supported by the fact that Yahoo itself has Terms of Service and defines "Yahoo! Services " as including "communications tools, forums, shopping services , search services , personalized content and branded programming." FAC ¶¶ 24-28, 30, 32, 173; Ex. 1, at 1 (emphases added). Thus, Plaintiffs have adequately pled that Yahoo provides a "service" that is subject to the CLRA.

Accordingly, the Court DENIES Defendants' motion to dismiss Plaintiff Mortensen's CLRA claim.

F. CRA

In Counts Twelve and Thirteen, California Plaintiffs Heines and Dugas assert two claims against Defendants under the CRA, Cal. Civ. Code § 1798.80 et seq. , on behalf of the putative California subclass. The CRA "regulates businesses with regard to treatment and notification procedures relating to their customers' personal information." Corona v. Sony Pictures Entm't, Inc. , No. 14-CV-09600-RGK, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Plaintiffs claim that Defendants violated §§ 1798.81.5 and 1798.82.

Defendants first contend that these claims should be dismissed as to the Forged Cookie Breach because neither Plaintiff Heines nor Plaintiff Dugas adequately alleges standing. Defendants next make contentions specific to each of the two statutory sections.

The Court first analyzes Defendants' standing argument, then analyzes the two statutory sections in turn.

1. Standing

Defendants move to dismiss Plaintiffs' CRA claims to the extent they rely on the Forged Cookie Breach because, according to Defendants, Plaintiffs lack Article III standing to sue with respect to those claims. Article III standing to sue requires that (1) the plaintiff suffered an injury in fact, i.e., "an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical"; (2) the injury is " 'fairly traceable' to the challenged conduct"; and (3) the injury is "likely" to be "redressed by a favorable decision." Lujan v. Def. of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). "The party invoking federal jurisdiction bears the burden of establishing these elements ... with the manner and degree of evidence required at the successive stages of litigation." Id. at 561, 112 S.Ct. 2130. At the pleading stage, "[g]eneral allegations" of injury may suffice. Id.

Defendants contend that Plaintiffs lack Article III standing because Plaintiffs cannot establish "injury in fact." Specifically, Defendants assert that Plaintiffs Heines and Dugas have not alleged any harm from the Forged Cookie Breach. Mot. at 17. Plaintiffs respond that Plaintiffs Heines and Dugas have plainly alleged injury from the Forged Cookie Breach. Opp. at 24. Plaintiffs are correct.

Contrary to Defendants' suggestion, the allegations for Plaintiffs Heines and Dugas are not limited to the 2013 Breach or the 2014 Breach. For example, Plaintiffs expressly allege that "Plaintiffs Heines and Dugas ... were deprived of prompt notice of the 2013, 2014, and Forged Cookie Breaches and were thus prevented from taking appropriate protective measures." FAC ¶ 308. Likewise, Plaintiffs allege that Defendants' failure to implement security measures resulted in the Forged Cookie Breach and that, "[a]s the direct and legal result ..., Plaintiffs Heines and Dugas ... were harmed because their PII and financial information were compromised." Id. ¶ 295. Finally, both Plaintiff Heines and Plaintiff Dugas allege that they were affected by all of the breaches, though not singling out the Forged Cookie Breach specifically. Id. ¶¶ 18 ("[T]he Yahoo Data Breaches have caused Plaintiff Heines to be at substantial risk for further identity theft."), 20 ("[T]he Yahoo Data Breaches have caused Plaintiff Dugas to be at substantial risk for further identity theft."). Notwithstanding that the Forged Cookie Breach was a separate breach that affected a smaller number of users, id. ¶¶ 6, 117-18, the FAC alleges that Plaintiffs Heines and Dugas were among those affected.

Thus, Plaintiffs Heines and Dugas have adequately alleged that they suffered injury as a result of the Forged Cookie Breach. Having rejected Defendants' standing argument as to both CRA statutory sections at issue, the Court next turns to each individual statutory section.

2. Cal. Civ. Code § 1798.81.5 -Inadequate Security

Plaintiffs assert that Defendants violated § 1798.81.5 of the CRA. This provision provides, in relevant part:

A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Cal. Civ. Code § 1798.81.5(b).

Defendants argue that CRA "reasonable security" measures were not required for California residents potentially affected by the 2013 and 2014 Breaches because, at the time of the 2013 and 2014 Breaches, the CRA did not require Defendants to protect the personal information allegedly stolen. See Mot. at 25-26. Defendants' argument requires understanding an amendment to § 1798.81.5's definition of "personal information" that became effective on January 1, 2016. Accordingly, the Court first addresses § 1798.81.5's definition of "personal information" and the 2016 amendment to that definition. The Court then addresses the parties' arguments regarding the 2013 and 2014 Breaches.

"Personal information" is defined in § 1798.81.5(d)(1) of the statute. In 2013 and 2014, at the time of the 2013 and 2014 Breaches, the statute defined personal information as the following:

[A]n individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(A) Social security number.
(B) Driver's license number or California identification card number.
(C) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.

Cal. Civ. Code § 1798.81.5(d)(1) (2014).

Significantly, the definition of "personal information" in the pre-2016 version of this section of the CRA did not include "[a] username or email address in combination with a password or security question and answer that would permit access to an online account." This language was added to the definition of "personal information" in § 1798.81.5(d)(1) by an amendment that became effective on January 1, 2016. The definition of personal information now reads:

(A) An individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) Driver's license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(iv) Medical information.
(v) Health insurance information.
(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

Cal. Civ. Code § 1798.81.5(d)(1).

Defendants claim that the 2013 and 2014 Breaches revealed only online account information. Mot. at 26. Thus, Defendants argue, the 2013 and 2014 Breaches did not reveal "personal information" as that term was defined in the pre-2016 versions of the CRA, and so Defendants were not required to provide reasonable security measures at the time of the 2013 and 2014 Breaches. Id. Defendants contend that, if the Court were to apply the 2016 amendment to Plaintiffs' CRA claim regarding the 2013 and 2014 Breaches, the Court would be applying the amendments retroactively, which the Court may not do. Id. Plaintiffs do not engage with Defendants' retroactivity argument because Plaintiffs argue that their claim is well-pled even under the pre-2016 version of the CRA. Opp. at 20-22.

Because Plaintiffs do not advocate for application of the 2016 version of the CRA, the Court conducts its analysis under the pre-2016 version. As noted above, the personal information protected by the pre-2016 version of the CRA includes an individual's first name or initial and last name in combination with (1) a social security number, (2) a driver's license or California ID card number, (3) an account number, credit or debit card number, in combination with a code or password that would provide access to a financial account, or (4) medical information. See Cal. Civ. Code § 1798.81.5(d)(1) (2014). The FAC alleges that "[d]uring the 2013 and 2014 Breaches, hackers were able to take the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders." FAC ¶ 7. On its face, that information does not fit the pre-2016 definition of personal information. However, as a result of obtaining users' passwords and security questions, hackers were able to access "financial communications and records containing credit cards, retail accounts, banking, account passwords, IRS documents, and social security numbers from transactions conducted by email." Id. Therefore, the question is whether Defendants are liable when hackers were able to retrieve personal information by logging into users' accounts.

The Court concludes that Plaintiffs have not stated a claim on the facts of this case. The statute applies to "[a] business that owns, licenses, or maintains personal information" and imposes a duty to "protect the personal information from unauthorized access, destruction, use, modification, or disclosure." Cal. Civ. Code § 1798.81.5(b). Here, Plaintiffs do not argue that Defendants "own, license, or maintain" the information in Plaintiffs' emails. Rather, Defendants require Plaintiffs to turn over their PII, which includes information such as name, email address, birth date, gender, and ZIP code. FAC ¶ 37. In the 2013 and 2014 Breaches, the hackers allegedly gained access to that information in addition to users' passwords and security questions, all of which Defendants had stored in their databases. Id. ¶¶ 7, 155. It is that information that Defendants were required to protect from unauthorized access by adopting and maintaining "reasonable security" measures. Indeed, "the purpose of [the statute] is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information." Cal. Civ. Code § 1798.81.5(a)(1) (emphasis added).

Accordingly, the Court GRANTS Defendants' motion to dismiss the California Plaintiffs' CRA § 1798.81.5 claim to the extent that claim is based on Defendants' failure to provide "reasonable security" measures as to the 2013 and 2014 Breaches. The Court dismisses with prejudice because amendment appears futile, and Plaintiffs do not request an opportunity to amend.

3. Cal. Civ. Code § 1798.82 -Delayed Notification

Plaintiffs also assert that Defendants violated § 1798.82 of the CRA. This provision provides, in relevant part:

A person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose a breach of the security of the system following discovery or notification of the breach in the security of the data to a resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person....

Cal. Civ. Code § 1798.82(a). The statute requires that disclosure "shall be made in the most expedient time possible and without unreasonable delay." Id. The statute also describes the information that must be included in the security breach notification and the form that the security breach notification must take. See id. § 1798.82(d).

In the First MTD Order, this Court denied Defendant's motion to dismiss Plaintiffs' claim with respect to the 2014 Breach and the Forged Cookie Breach. First MTD Order at 92. However, this Court dismissed Plaintiffs' claim with respect to the 2013 Breach because Plaintiffs did not include allegations about when Defendants "discover[ed]" or were "notif[ied]" of the 2013 Breach. First MTD Order at 64; see also id. at 70 n.11 (noting that "Plaintiffs have not alleged when Defendants discovered the 2013 Breach"). Without such allegations, Plaintiffs had not adequately alleged that Defendants "unreasonably delay[ed]" in notifying Plaintiffs of the 2013 Breach on December 14, 2016. Id. at 65. The Court granted leave to amend for Plaintiffs to "allege facts sufficient to show that Defendants unreasonably delayed in failing to notify Plaintiffs that the 2013 Breach occurred." Id.

Defendants argue that Plaintiffs have failed to cure this deficiency. Specifically, Defendants contend that, in the FAC, "Plaintiffs provide no details regarding the actual discovery date of the 2013 Breach." Mot. at 18. Plaintiffs admit that the FAC does not allege either an exact or approximate date that Defendants discovered the 2013 Breach, but argue that their allegations permit an inference that Defendants delayed anywhere from one to three years. Opp. at 22-23. Plaintiffs' present allegations are insufficient.

As Plaintiffs concede, the FAC does not indicate, either explicitly or approximately, when Defendants discovered that the 2013 Breach had taken place. Plaintiffs ask the Court to make an inference that Defendants knew well before the December 2016 disclosure because Yahoo failed to fix any of the critical issues identified by the 2012 Mandiant report and the 2013 to 2016 Dell SecureWorks and Leaf SR security assessments. FAC ¶¶ 70-97. Such allegations may raise the prospect that Defendants should have discovered the 2013 Breach at an earlier date, but they do bear on when Defendants should have notified customers of the 2013 Breach because they say nothing about when Defendants actually discovered the 2013 Breach. Plaintiffs also point to their allegations that Defendants knew about the 2014 Breach and Forged Cookie Breach as they were happening but did not inform Plaintiffs of those breaches until September 2016 and February 2017, respectively. Id. ¶¶ 126, 142. Plaintiffs argue that "Defendants' delays in notifying consumers of the 2014 Breach and [the] Forged Cookie Breach support a finding that" Defendants delayed in notifying consumers of the 2013 Breach. Opp. at 23. Such an inference is not plausible when neither Plaintiffs nor the FAC offer any basis to compare the 2013 Breach to the 2014 Breach and the Forged Cookie Breach. Although the 2014 Breach and Forged Cookie Breach are allegedly related, FAC ¶ 119, the 2013 Breach is not alleged to be related to either of the previous breaches.

Plaintiffs' allegations with respect to Yahoo's October 2017 disclosure of the three billion user account scope of the 2013 Breach further demonstrate the inadequacy of their pleadings on this point. Plaintiffs allege that Yahoo announced in October 2017 that the 2013 Breach had affected all three billion user accounts. Id. ¶ 145. Plaintiffs allege that Yahoo was first alerted to the information that would lead to discovery of the full scope of the 2013 Breach by the end of January 2017 but that Yahoo did not determine until months after the June 2017 acquisition by Verizon that "closer to three billion, not one billion, accounts had been compromised in 2013." Id. ¶ 146. Again, Plaintiffs' allegations are too uncertain to divine any date of discovery, whether specific or estimated. Without more specific information, the Court cannot evaluate whether Defendants unreasonably delayed in notifying customers about the extent of the 2013 Breach on October 3, 2017.

In the First MTD Order, the Court noted that Plaintiffs failed to allege anything "suggesting when Defendants learned of the 2013 breach." First MTD Order at 65. Those allegations were necessary to allow the Court to determine whether Defendants unreasonably delayed in notifying Plaintiffs of the 2013 Breach (and, relatedly, which version of the CRA was in effect). Id. at 64-65. Plaintiffs' allegations remain insufficient. Thus, the Court GRANTS Defendants' motion to dismiss the California Plaintiffs' CRA § 1798.82 claim to the extent that claim is based on the 2013 Breach. The Court dismisses with prejudice because Plaintiffs have failed to cure the deficiencies addressed in the First MTD Order.

G. Punitive Damages

Plaintiffs request that the Court award punitive damages in connection with their claims for deceit by concealment, negligence, breach of the implied covenant of good faith and fair dealing, misrepresentation, and violations of the CRA. FAC ¶¶ 211, 223, 255, 277, 297, 312. Defendants move to dismiss Plaintiffs' claims to the extent that they seek punitive damages. Mot. at 27.

As a preliminary matter, the parties disagree over the correct procedural mechanism to move for dismissal. Defendants bring their motion under Rule 12(b)(6) for failure to state a claim. Mot. at 28. Plaintiffs argue that use of Rule 12(b)(6) is improper in this scenario and that Defendants should have moved to strike under Rule 12(f). Opp. at 32 n.27. Rule 12(b)(6), not Rule 12(f), is the appropriate vehicle here.

Rule 12(f) permits a court to "strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter." Defendants' contention that Plaintiffs cannot seek punitive damages as a matter of law does not readily fit any of the grounds in Rule 12(f). As the Ninth Circuit has held, " Rule 12(f) does not authorize district courts to strike claims for damages on the ground that such claims are precluded as a matter of law." Whittlestone, Inc. v. Handi-Craft Co. , 618 F.3d 970, 974-75 (9th Cir. 2010). Instead, "[t]he proper medium for challenging the sufficiency of factual allegations in a complaint is through Rule 12(b)(6) not Rule 12(f)." Consumer Sols. REO, LLC v. Hillery , 658 F.Supp.2d 1002, 1020 (N.D. Cal. 2009) ; Parker v. Fid. Sec. Life Ins. Co. , No. 06-CV-00654-AWI, 2006 WL 2190956, at *5 (E.D. Cal. Aug. 1, 2006). Thus, the Court analyzes Defendants' motion regarding punitive damages pursuant to Rule 12(b)(6).

Defendants advance two arguments in support of dismissal of Plaintiffs' claims to the extent those claims seek punitive damages. First, Defendants argue that Plaintiffs have not alleged that an officer, director, or agent of Defendants committed an oppressive, fraudulent, or malicious act. Mot. at 28. Second, Defendants raise particular objections to certain of Plaintiffs' claims-namely, the claims for negligence, breach of the implied covenant of good faith and fair dealing, and violations of the CRA. Id. at 26-27. The Court first addresses Defendants' argument as to all claims, then addresses Defendants' argument as to individual claims.

1. Acts by Agent, Officer, or Director

Defendants first move to dismiss all of Plaintiffs' claims to the extent those claims seek punitive damages on the ground that Plaintiffs have failed to allege that an officer, director, or agent committed the oppressive, fraudulent, or malicious acts. Mot. at 28. By statute, where a plaintiff proves "by clear and convincing evidence that the defendant has been guilty of oppression, fraud, or malice, the plaintiff, in addition to the actual damages, may recover [punitive] damages." Cal. Civ. Code § 3294(a). Nevertheless, a corporate entity cannot commit willful and malicious conduct; instead, "the advance knowledge and conscious disregard, authorization, ratification or act of oppression, fraud, or malice must be on the part of an officer, director, or managing agent of the corporation." Id. § 3294(b) ;

Taiwan Semiconductor Mfg. Co. v. Tela Innovations, Inc. , No. 14-CV-00362-BLF, 2014 WL 3705350, at *6 (N.D. Cal. July 24, 2014) ("[A] company simply cannot commit willful and malicious conduct-only an individual can."). Therefore, Plaintiffs must plead that an officer, director, or managing agent of Defendants committed an act of oppression, fraud, or malice.

Plaintiffs satisfy that standard by focusing on particular conduct by the CISOs. For example, then-CISO Justin Somani found "gaping holes in Yahoo's data security" as early as 2011, FAC ¶ 67, and also knew about the 2014 Breach as it was happening, id. ¶ 104, but took no specific action in response. When Bob Lord became CISO at Yahoo in October 2015, he identified the "security and endemic culture issues" as a problem. Id. ¶ 110. Moreover, although he was aware that a nation state actor may have been involved in the 2014 Breach and that the company's response had been to "sweep it under the rug," his approach was to continue to hide it from the public. Id. ¶¶ 111-12. Indeed, the FAC notes that Yahoo's internal documents, including those between Bob Lord and Yahoo's general counsel, "contradicted [Yahoo's] public statements." Id. ¶ 125. When Yahoo finally revealed in its 2016 10-K filing with the SEC that it had contemporaneous knowledge of the 2014 Breach, the 10-K filing failed to mention that both Bob Lord and Yahoo's general counsel knew about the 2014 Breach. Id. ¶ 129. These circumstances make plausible Plaintiffs' claim that high-ranking executives and managers at Yahoo, including its CISO, committed oppressive, fraudulent, or malicious conduct.

Defendants read their cited authority too broadly. In Xerox Corp. v. Far WesternGraphics, Inc. , the court found the pleadings defective because the plaintiff failed to "allege any conduct by an officer, director or managing agent of [the defendant] sufficient to support the imposition of punitive damages against [the defendant]." No. 03-CV-4059-JF, 2004 WL 2271587, at *2 (N.D. Cal. Oct. 6, 2004). Similarly, in Taiwan Semiconductor , the punitive damages allegations were insufficient because the plaintiff failed to "include the names or titles of any individual actor." 2014 WL 3705350, at *6. In contrast, Plaintiffs here include the names and titles of individual actors who are alleged to have committed malicious conduct supporting an award of punitive damages. Plaintiffs' allegations are significantly more robust than those in Taiwan Semiconductor and Far Western Graphics . Plaintiffs have adequately pled that an officer, director, or managing agent of Defendants committed an act of oppression, fraud, or malice.

Because Defendants make no other punitive damages arguments with respect to the deceit by concealment and misrepresentation claims, the Court DENIES Defendants' motion to dismiss Plaintiffs' deceit by concealment and misrepresentation claims to the extent those claims seek punitive damages. Defendants make additional arguments for dismissal of the claims for negligence, breach of the implied covenant of good faith and fair dealing, and violations of the CRA to the extent those claims seek punitive damages. The Court therefore turns to these remaining arguments.

2. Individual Claims

Defendants next move to dismiss Plaintiffs' claims for negligence, breach of the implied covenant of good faith and fair dealing, and violations of the CRA to the extent those claims seek punitive damages. Mot. at 26-27. The Court addresses these individual claims one at a time.

First, Defendants move to dismiss Plaintiffs' claim for negligence. It is true that conduct which may be described as unreasonable or negligent generally "does not satisfy the highly culpable state of mind warranting punitive damages." Evans v. Home Depot U.S.A., Inc. , No. 16-CV-07191-JSW, 2017 WL 679531, at *2 (N.D. Cal. Feb. 21, 2017) (quoting Woolstrum v. Mailloux , 141 Cal.App.3d Supp. 1, 190 Cal.Rptr. 729, 735 (1983) ). Nevertheless, "even where the claim formally sounds in negligence, if the plaintiff can make a showing that defendant's conduct goes beyond gross negligence and demonstrates a knowing and reckless disregard, punitive damages may be available." Simplicity Int'l v. Genlabs Corp. , No. 09-CV-06146-SVW, 2010 WL 11515296, at *2 (C.D. Cal. Apr. 21, 2010) (citing Sturges v. Charles L. Harney, Inc. , 165 Cal.App.2d 306, 331 P.2d 1072, 1080 (1958) ). Here, Plaintiffs have alleged numerous fraudulent, malicious, and oppressive acts on the part of Defendants, including that Defendants "did nothing to protect its user data" and "made a conscious and deliberate decision not to alert any of Yahoo's customers that their PII had been stolen." FAC ¶¶ 1, 9. Accordingly, the Court DENIES Defendants' motion to dismiss Plaintiffs' negligence claim to the extent that claim seeks punitive damages.

Second, Defendants move to dismiss Plaintiffs' claim for breach of the implied covenant of good faith and fair dealing. Under California law, punitive damages are not available for breach of contract claims. Cal. Civ. Code § 3294(a) (providing for punitive damages "[i]n an action for the breach of an obligation not arising from contract"); Applied Equip. Corp. v. Litton Saudi Arabia Ltd. , 7 Cal.4th 503, 28 Cal.Rptr.2d 475, 869 P.2d 454, 460 (1994). Thus, except in the insurance context, "an award of punitive damages is not recoverable for breach of the implied covenant of good faith and fair dealing." Monaco v. Bear Stearns Residential Mortg. Corp. , 554 F.Supp.2d 1034, 1043 (C.D. Cal. 2008) ; see also Copesky v. Superior Court , 229 Cal.App.3d 678, 280 Cal.Rptr. 338, 345 (1991) ("[T]here is only one category of business transactions which definitionally is amenable to tort actions for contract breaches, and that is insurance."). Plaintiffs cite no contrary authority. Accordingly, the Court GRANTS Defendants' motion to dismiss Plaintiffs' claim for breach of the implied covenant of good faith and fair dealing to the extent that claim seeks punitive damages. Because Plaintiffs cannot pursue punitive damages for this claim as a matter of law, the Court grants dismissal with prejudice.

Third, and finally, Defendants move to dismiss the California Plaintiffs' claims under the CRA. "[W]here a statute creates new rights and obligations not previously existing in the common law, the express statutory remedy is deemed to be the exclusive remedy available for statutory violations, unless it is inadequate." Brewer v. Premier Golf Props. , 168 Cal.App.4th 1243, 86 Cal.Rptr.3d 225, 232 (2008) (quoting De Anza Santa Cruz Mobile Estates Homeowners Ass'n v. De Anza Santa Cruz Mobile Estates , 94 Cal.App.4th 890, 114 Cal.Rptr.2d 708, 725 (2001) ). The CRA, which governs the "treatment and notification procedures relating to ... customers' personal information," Corona , 2015 WL 3916744, at *6, was passed in 2000 and is not asserted to have any common-law analogue. Additionally, the CRA contains a provision spelling out the damages that a plaintiff may recover. See Cal. Civ. Code § 1798.84. While the CRA allows for civil penalties when a defendant willfully, intentionally, or recklessly violates a section not at issue here, see id. § 1798.84(c), the CRA does not allow for such penalties based on violations of the statutes at issue here or expressly allow for punitive damages. Plaintiffs make no argument otherwise. Accordingly, the Court GRANTS Defendants' motion to dismiss the California Plaintiffs' CRA claims to the extent those claims seeks punitive damages. Because Plaintiffs cannot pursue punitive damages for these claims as a matter of law, the Court grants dismissal with prejudice.

V. CONCLUSION

For the foregoing reasons, the Court GRANTS IN PART AND DENIES IN PART Defendants' motion to dismiss. Specifically, the Court rules as follows:

• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss the UCL unlawful and unfair claims of Plaintiffs Rivlin and Granot, but DENIES Defendants' motion to dismiss the UCL unlawful and unfair claims of Plaintiff Mortensen. In the First MTD Order, the Court denied Defendants' motion to dismiss the UCL unlawful and unfair claims of all other Plaintiffs.
• The Court DENIES Defendants' motion to dismiss Plaintiffs' deceit by concealment claim.
• The Court DENIES Defendants' motion to dismiss Plaintiffs' negligence claim.
• The Court DENIES Defendants' motion to dismiss Plaintiffs' claim for breach of contract.
• The Court DENIES Defendants' motion to dismiss Plaintiffs' claim for breach of implied contract.
• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss Plaintiffs' claim for breach of the implied covenant of good faith and fair dealing to the extent that claim seeks punitive damages, but otherwise DENIES Defendants' motion to dismiss Plaintiffs' claim for breach of the implied covenant of good faith and fair dealing.
• The Court DENIES Defendants' motion to dismiss Plaintiffs' declaratory relief claim.
• In the First MTD Order, the Court denied Defendants' motion to dismiss the fraudulent prong of Small Business Users Plaintiff Neff's UCL claim.
• The Court DENIES Defendants' motion to dismiss Small Business Users Plaintiff Neff's misrepresentation claim to the extent that claim seeks punitive damages.
• The Court DENIES Defendants' motion to dismiss Plaintiff Mortensen's CLRA claim.
• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss the California Plaintiffs' CRA § 1798.81.5 claim to the extent that claim is based on the 2013 and 2014 Breaches. The Court also GRANTS WITH PREJUDICE Defendants' motion to dismiss the California Plaintiffs' CRA § 1792.81.5 claim to the extent that claim seeks punitive damages.
• The Court GRANTS WITH PREJUDICE Defendants' motion to dismiss the California Plaintiffs' CRA § 1798.82 claim to the extent that claim is based on the 2013 Breach. In the First MTD Order, the Court denied Defendants' motion to dismiss the California Plaintiffs' CRA § 1798.82 claim to the extent that claim is based on the 2014 Breach or the Forged Cookie Breach. The Court also GRANTS WITH PREJUDICE Defendants' motion to dismiss the California Plaintiffs' CRA
§ 1798.82 claim to the extent that claim seeks punitive damages.

IT IS SO ORDERED. 
      
      Defendants also argue that California courts agree "that contracts for nonessential recreational activities cannot be procedurally unconscionable." Pokrass v. The DirecTV Grp., Inc. , No. 07-CV-00423-VAP, 2008 WL 2897084, at *7 (C.D. Cal. July 14, 2008). Defendants do not, however, explain how email qualifies as a recreational activity. In fact, the FAC highlights how users have "built their digital identities around Yahoo Mail," using the service for banking, stock trading, and medical information. FAC ¶¶ 7, 33. Additionally, the Small Business Users Class uses the system for conducting business. Id. ¶ 34.
     
      
      The Court need not address whether a different result would obtain if hackers had gotten access to email content by, for example, intercepting emails.
     