ORDER GRANTING MOTION TO DISMISS
Re: Dkt. No. 15
EDWARD J. DAVILA, District Judge.
Plaintiffs Mark Foster and Akiko Foster ("Plaintiffs") filed this putative class action suit against Defendant Essex Property Trust, Inc. ("Defendant"), asserting various state claims arising out of a data breach. Presently before the court is Defendant's Motion to Dismiss pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). See Mot., Dkt. No. 15.
Federal jurisdiction arises pursuant to 28 U.S.C. § 1332(d). The court found this matter suitable for decision without oral argument pursuant to Civil Local Rule 7-1(b) and previously vacated the associated hearing. Having carefully considered the parties' pleadings, the court grants Defendant's motion for the reasons explained below.
I. FACTUAL AND PROCEDURAL BACKGROUND
Defendant is a real estate investment trust that invests in apartment communities along the West Coast of the United States. Compl., Dkt. No. 1 at ¶ 10. It develops, redevelops, and manages multifamily communities located in Northern California, Southern California, and Seattle Metro areas. Id. Plaintiffs are husband and wife, and reside in an apartment leased from Defendant in Menlo Park, California. Id. at ¶ 8.
Plaintiffs allege that when they leased their apartment from Defendant, they were required to provide Defendant with sensitive personal and financial information. Id. at ¶¶ 1, 4. Defendant allegedly kept this information in its computer systems, servers, and databases. Id. at ¶ 4.
Plaintiff alleges that Defendant sustained one or more security breaches to its computer network due to their failure to maintain adequate data security. Id. at ¶¶ 2, 15. These security breaches allegedly placed Plaintiffs' private information, including their names, mailing addresses, email addresses, private cell phone numbers, birth dates, credit and debit card numbers, employment information, salaries, and social security numbers into the hands of cyber criminals. Id. at ¶¶ 3, 22. Plaintiffs allege that Defendant disclosed the data breach to its customers. Id. at ¶ 34. As a result of the data breach, Plaintiffs allege their personal information was used to make unauthorized charges on their credit cards, and exposed them to a greater risk of identity theft and fraud. Id. at ¶¶ 8, 32. Plaintiffs further allege that the information possessed by cyber criminals may be used to harass or stalk them. Id. at ¶ 33.
Plaintiffs commenced the instant action on December 19, 2014, asserting the following claims: (1) violation of California's Unfair Competition Law; (2) violation of California's Consumers Legal Remedies Act; (3) violation of California Civil Code § 1798.80 et seq; (4) negligence under California law; and (5) breach of duty of good faith and fair dealing. See Dkt. No. 1. Defendant filed its Motion to Dismiss on March 16, 2015. See Dkt. No. 15. This matter has been fully briefed. See Opp'n, Dkt. No. 20; Reply, Dkt. No. 22.
II. LEGAL STANDARD
Although Defendant raises two rules in its motion, only one requires discussion. A Rule 12(b)(1) motion challenges subject matter jurisdiction and may be either facial or factual. Wolfe v. Strankman, 392 F.3d 358, 362 (9th Cir. 2004). In a factual inquiry like the one presented here, the court may consider materials beyond the complaint. Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039-40 n.2 (9th Cir. 2003). "Once the moving party has converted the motion to dismiss into a factual motion by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction." Id.
Standing is properly challenged through a Rule 12(b)(1) motion. White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000). Because it is a jurisdictional requirement, the plaintiff has the burden to establish standing. Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir. 2010)
III. DISCUSSION
Under Article III of the Constitution, federal courts have jurisdiction over certain "cases" and "controversies." Clapper v. Amnesty Int'l USA, 133 S.Ct. 1138, 1146 (2013). As part of the case-or-controversy requirement, the plaintiff must have standing to sue. Id. There are three elements to standing: (1) the plaintiff must have suffered an "injury in fact;" (2) there must be a causal connection between the injury and the conduct complained of; and (3) it must be likely that the injury will be redressed by a favorable decision. Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014). The class action plaintiff "bears the burden of showing that he has standing for each type of relief sought." Summers v. Earth Island Inst., 555 U.S. 488, 493 (2009).
In this case, the parties dispute whether Plaintiff has sufficiently pled an injury in fact. "An injury sufficient to satisfy Article III must be concrete and particularized and actual or imminent, not conjectural or hypothetical." Driehaus, 135 S. Ct. at 2341 (internal quotations omitted). "An allegation of future injury may suffice if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur." Id. (internal quotations omitted). "[A]llegations of possible future injury are not sufficient." Clapper, 133 S. Ct. at 1147 (internal quotations omitted).
Here, all of Plaintiffs claims rely on one common injury: the theft of their personal information from Defendant's computer system, which they allege was then used in an unauthorized manner or could be used in that way in the future. In a factual attack on this assertion, Defendant contends Plaintiffs could not have suffered the injury they allege and will not suffer injury in the future because their personal information was not, in fact, stolen. Mot. at 4. To support this argument, Defendant offers declarations of two employees who purportedly have knowledge of Defendant's computer system and the breach. According to one of the employees, Plaintiffs' resident information and credit card information was not accessed because it was not stored in the internally-hosted system that was the subject of the breach. See Decl. of Kevin Moller, Dkt. No. 15-1 at ¶¶ 5-7, 9. According to the second employee, Defendant did not have Plaintiffs' credit card information because Plaintiffs made rental payments by check. See Decl. of Lisa Demeter, Dkt. No. 15-2 at ¶¶ 4-5, 7-10.
In response, Plaintiffs simply repeat allegations from the complaint. They represent that Defendant had their personal information, including credit and debit card numbers, and that this information was accessed during the breach. Opp'n at 2. Plaintiffs, however, did not provide any evidence in conjunction with their opposition brief, though it appears they certainly could have. Indeed, Plaintiffs make specific representations in the complaint about what information was taken by the purported "cyber criminals," which includes their credit and debit card numbers. Compl. at ¶¶ 1, 22. They further allege that, as a result of the data breach, unknown third parties made unauthorized charges on their credit cards and exposed them to a greater risk of identity theft and fraud. Id. at ¶¶ 8. Given these particular allegations, it should have been a simple matter for Plaintiffs to submit declarations or other evidence showing either that their personal information was entered into Defendant's computer system, or at the very least, that unauthorized charges were made to their credit and bank accounts after the date of the security breach. The latter category of information, which could consist of Plaintiffs' own account statements, is presumably available to them without the need for formal discovery. Plaintiffs failed to produce any evidence with their opposition. As such, they have not met their burden of establishing an injury in fact in response to a factual attack on their standing allegations. See Figy v. Frito-Lay N. Am., Inc., 67 F.Supp.3d 1075, 1085-86 (N.D. Cal. 2014) (opining that, even when an evidentiary hearing is not held on a Rule 12(b)(1) motion, a plaintiff's obligation in response to a factual challenge is to present affidavits or other evidence to support subject matter jurisdiction).
Defendant also argues that Plaintiffs' purported risk of future identity theft does not constitute a "certainly impending" injury. Mot. at 6. In response, Plaintiffs argue there is a credible threat of immediate harm because the unencrypted data stolen included personal information, the data was accessed by an unknown third party since Defendant's information has been misused, and hackers have used and continue to use the stolen source code to infiltrate Defendant's computers. Opp'n at 4. Plaintiffs further contend there is an increased risk of future harm generated by Defendant's lenient security and the resulting breach. Id.
Since Plaintiffs have not shown, contrary to Defendants' evidence, that any of their information was actually stolen, their theory of potential future harm is implausible. Moreover, their reliance on Krottner v. Starbucks Corporation, 628 F.3d 1139 (9th Cir. 2010), is misplaced. In Krottner, an unknown third party stole a laptop from Starbucks that contained the unencrypted personal information of approximately 97,000 Starbucks employees. 628 F.3d at 1140. Starbucks, thereafter, sent a letter to the plaintiffs and other affected employees alerting them of the theft. Id. at 1140-41. The plaintiffs alleged that after receiving the letter, they spent a substantial amount of time monitoring their financial accounts, placing fraud alerts on their credit cards, and generating anxiety and stress. Id. at 1141. The Ninth Circuit held that the plaintiffs had suffered an injury sufficient to confer standing even though their personal information was stolen but not misused. Id. at 1140. The Ninth Circuit made two findings that are instructive. First, the allegation that plaintiff had "generalized anxiety and stress" as a result of the laptop theft was a present injury sufficient to confer standing. Id. at 1142. Second, as to whether an increased risk of identity theft could constitute an injury in fact, the Ninth Circuit found that it was sufficient to allege a credible threat of real and immediate harm stemming from the theft of a laptop that contained their unencryped personal data. Id. at 1143.
Plaintiffs' allegations are distinguishable from those at issue in Krottner. Plaintiffs do not allege an emotional injury such as anxiety or stress. Moreover, unlike the laptop in Krottner that indisputably contained the plaintiffs' personal information, it has not been established here that the data breach could have resulted in the release of Plaintiffs' personal information. As discussed above, Plaintiffs could have attempted to meet their burden by offering evidence to support the allegation that unauthorized charges were made on their credit cards. Furthermore, unlike the plaintiffs' allegations in Krottner which focused on the theft's personal impact and their engagement in surveilling financial accounts, Plaintiffs' allegations in this case focus extensively on third-party studies and reports regarding identity theft in general. See Compl. at ¶¶ 16-20, 23-31.
In sum, Plaintiffs have failed to sufficiently show an injury in fact. As such, they have failed to meet their burden of establishing standing. Since jurisdiction has yet to be established, the court declines at this time to address the sufficiency of Plaintiffs' claims.
IV. CONCLUSION
Based on the foregoing, Defendant's Motion to Dismiss under Federal Rule of Civil Procedure 12(b)(1) is GRANTED due to lack of standing. Plaintiffs' entire complaint is DISMISSED WITH LEAVE TO AMEND.
Any amended complaint addressing the deficiencies identified herein must be filed on or before December 11, 2015.
The court schedules this case for a Case Management Conference at 10:00 a.m. on February 25, 2016. The parties shall file a Joint Case Management Conference Statement on or before February 18, 2016.
IT IS SO ORDERED.