In Anderson v. Kimpton Hotel & Rest. Grp., LLC, No. 19-cv-01860-MMC, 2019 U.S. Dist. LEXIS 133869, at *13-14 (N.D. Cal. Aug. 8, 2019), Judge Chesney dismissed a data breach claim under California’s data breach statute, Civil Code 1798.81.5. The facts were as follows:
In their complaint, plaintiffs [*2] allege “Kimpton uses an online reservation system that facilitates the booking of hotel reservations.” (See Compl. ¶ 16.) Plaintiffs further allege that, on July 28, 2017, Kimpton informed its customers, including each of the three plaintiffs, that “hackers may have accessed reservation information between August 10, 2016 and March 9, 2017.” (See id.) In particular, Kimpton advised its customers in writing that, during said seven-month period, there was “unauthorized access of Sabre Hospitality Solutions SynXis Central Reservations system (‘Sabre’),” a “provider of reservations services” that had been “enlist[ed]” by Kimpton as a “vendor.” (See Def.’s Req. for Judicial Notice Ex. A.) According to plaintiffs, “the online reservation system,” i.e., Sabre, “only deletes reservation details 60 days after the hotel stay” (see Compl. ¶ 17), thereby providing an unauthorized third party access to reservation information for a nine-month period beginning June 11, 2016, and ending March 9, 2017. Plaintiffs allege that they booked hotel reservations with Kimpton during such period, in particular, “the period of August 10, 2016 to March 9, 2017” (see Compl. ¶ 2), that, in order to do so, they [*3] were required to provide and did provide Kimpton with their “private identifiable information (‘PII’),” specifically, their “full name, credit and debit card account numbers, card expiration dates, card verification codes, emails, phone numbers, [and] full addresses” (see Compl. ¶ 3; see also Compl. ¶¶ 6-9, 18), and that their “PII” was “accessed by hackers” who “proceeded to misuse” it (see Compl. ¶¶ 6, 8, 9). Based on said allegations, plaintiffs allege on behalf of each plaintiff three causes of action arising under California law, and, on behalf of Thomas alone, five additional causes of action arising under, respectively, the laws of Arizona, Colorado, Pennsylvania, New York, and Texas.
The District Court found the claim inadequately pleaded.
In the Second Claim for Relief, plaintiffs allege Kimpton violated § 1798.81.5 of the California Civil Code, which provides that any “business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” See Cal. Civ. Code § 1798.81.5(b); see also Cal. Civ. Code § 1798.84 (providing cause of action for violation of § 1798.81.5(b)). As Kimpton points out, however, plaintiffs fail to allege any facts in support of their conclusory assertion that Kimpton violated § 1798.81.5 by “failing to implement and maintain reasonable security procedures and practices.” (See Compl. ¶ 70); Razuki v. Caliber Home Loans, Inc., 2018 U.S. Dist. LEXIS 196070, 2018 WL 6018361, at *1 (S.D. Cal. November 15, 2018) (dismissing § 1798.81.5 claim where plaintiff alleged “[d]efendant knew of higher-quality security protocols available to them but failed to implement them”; finding allegation was “precisely the type of threadbare claim Iqbal warns of”) (internal quotation and citation omitted). Moreover, plaintiffs allege Thomas is “an Arizona citizen residing in Mesa, Arizona” (see Compl. ¶ 7), i.e., not a California resident, and, consequently, § 1798.81.5 does not apply to him.