Docket Entries Since Last Update
NOTE: This court's RSS feed does not list MOTION entries, so Bloomberg Law cannot detect them and thus they will not be listed here. However, motions will be included if you update the docket.
LEE WALTERS, Plaintiff, v. KIMPTON HOTEL & RESTAURANT GROUP, LLC, Defendant.
April 13, 2017, Filed
April 13, 2017, Decided
For Lee Walters, individually and on behalf of all others similarly situated, Plaintiff: Michael Francis Ram, LEAD ATTORNEY, Matt Malone, Ram Olson Cereghino & Kopczynski LLP, San Francisco, CA; John A. Yanchunis, PRO HAC VICE, Morgan and Morgan, P.A., Tampa, FL; Marisa Kendra Glassman, PRO HAC VICE, Morgan and Morgan Complex Litigation Group, Tampa, FL.
For Kimpton Hotel & Restaurant Group, LLC, Defendant: Daniel Rubin Warren, David A. Carney, PRO HAC VICE, Baker Hostetler LLP, Cleveland, OH; Douglas Shively, PRO HAC VICE, Cleveland, OH; Teresa Carey Chow, Baker & Hostetler LLP, Los Angeles, CA.
VINCE CHHABRIA, United States District Judge.
ORDER GRANTING IN PART AND DENYING IN PART THE MOTION TO DISMISS
Re: Dkt. No. 36
The motion to dismiss is granted in part and denied in part.
1. Kimpton's motion to dismiss the complaint for lack of standing is denied.
As an initial matter, the Court agrees with Kimpton that the allegations about Walters's December 28, 2015 hotel stay do not support standing. This stay occurred several months prior to the date the malware attack allegedly began, and Walters offers no allegations to show how the breach could have placed at risk the data associated with the payment card that Walters used during that stay.
The May 29th visit, on the other hand, fell during the alleged "at-risk" window. Walters alleged that, from February 16, 2016 until July 7, 2016, hackers used malware to access Kimpton computer systems and steal copies of customer data. It is plausible to infer from the complaint that Walters's information was among the payment card information stolen. The theft of Walters's payment card data and the time and effort he has expended to monitor his credit are sufficient to demonstrate injury for standing purposes. See Lewert v. P.F. Chang's China Bistro, 819 F.3d 963 , 965 , 967-68 (7th Cir. 2016). Unlike the plaintiffs in Clapper v. Amnesty Int'l USA, whose fears that the Government would monitor and intercept their communications were insufficient to demonstrate "certainly impending" injury, Walters plausibly alleged that his data has already been stolen and that it was taken in a manner that suggests it will be misused. 568 U.S. 398 , 133 S. Ct. 1138 , 1151 , 185 L. Ed. 2d 264 (2013); see Galaria v. Nationwide Mut. Ins. Co., 663 Fed. App'x 384 , 388 (6th Cir. 2016) ("There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.").
Kimpton points to several district court cases holding that the theft of payment card data, coupled with evidence of a single or just a few unauthorized charges, is insufficient to confer standing. See Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 16-cv-00014, 2016 U.S. Dist. LEXIS 152838 , [2016 BL 368099], 2016 WL 6523428 , at *5 (S.D. Cal. Nov. 3, 2016); Torres v. Wendy's Co., 195 F. Supp. 3d 1278 , 1284-85 (M.D. Fla. 2016); In re SuperValu, Inc., No. 14-md-02586, [2016 BL 3925], 2016 U.S. Dist. LEXIS 2592 , [2016 BL 3925], 2016 WL 81792 , at *5 (D. Minn. Jan. 7, 2016). The Court respectfully disagrees that a plaintiff must actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes. See [*2] Lewert, 819 F.3d at 967-68 (concluding that time and effort spent monitoring card statements and financial accounts were sufficient to confer standing to Lewert even though he had not yet experienced unauthorized charges); see also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 , 1215 (N.D. Cal. 2014) ("[T]o require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be 'literally certain' in order to constitute injury-in-fact.").
2. The motion to dismiss the implied contract claim is denied.
3. The motion to dismiss the negligence claim is denied.
For the reasons discussed above, Walters has alleged actual damages. With respect to Kimpton's argument that the economic loss rule bars this claim, the Court lacks sufficient information to rule on this claim at the motion to dismiss stage.
4. The motion to dismiss the UCL claims is denied in part and granted in part.
For the reasons stated above, Walters has alleged economic injury resulting from the breach. Accordingly, the motion to dismiss the UCL claims for unfair and unlawful business practices is denied.
However, Walters fails to plead that he actually relied on Kimpton's alleged misrepresentations, as he was required to do to state a UCL claim based on fraud. See Kwikset Corp. v. Superior Court, 51 Cal. 4th 310 , 326 , 120 Cal. Rptr. 3d 741 , 246 P.3d 877 & n.9 (2011). The fraud claim will be dismissed with prejudice because Kimpton put Walters on notice of this defect in its first motion to dismiss, and, when given the opportunity to amend his complaint rather than respond to the motion, Walters failed to correct the defect.
IT IS SO ORDERED.
Dated: April 13, 2017
/s/ Vince Chhabria
United States District Judge