A federal district court in the Northern District of California granted in part a motion to dismiss putative class action claims filed against Western Digital, a hard drive manufacturer whose older devices experienced a cyber-attack, where the plaintiffs alleged that their stored data was deleted but not that it was stolen. While plaintiffs will be permitted to maintain claims related to the data loss, they lack standing to assert claims based on future data misuse.
The plaintiffs in Riordan, et al. v. Western Digital, 5:21-cv-06074, are consumers from several different states who had purchased certain models of external hard drives that Western Digital had sold in the early 2010s but no longer supported. According to the plaintiffs, Western Digital announced in 2021 that it discovered a cyber-attack remotely targeting these hard drive models and causing them to be reset to factory settings, effectively deleting all stored data. After an initial dismissal without prejudice, plaintiffs filed an amended complaint with more detail about their alleged data loss and reasserted claims under the California Song-Beverly Consumer Warranty Act, as well as tort and contractual claims. Western Digital filed a motion to dismiss, which the court granted in part on September 29, 2023.
Plaintiffs asserted that they had suffered two distinct injuries: one for the data that was lost on their devices, and a separate injury for future data misuse. For the second theory, the plaintiffs cited to the Ninth Circuit’s 2018 decision in In re Zappos to argue that “the fact that the hackers accessed personal information that could be used to commit a crime establishes a ‘substantial risk’ that the hackers will commit identity theft or fraud,” which was sufficient injury-in-fact for standing purposes. However, in Zappos, plaintiffs either directly alleged that their personal information had been stolen or provided examples of other potential class members’ stolen information being used for identity fraud. The Riordan plaintiffs speculated that hackers could have taken the data before it was deleted but did not allege any facts in support. The court found that the failure to adequately allege that any data theft actually occurred distinguished plaintiffs’ case from Zappos and that plaintiffs lacked injury-in-fact and standing to bring claims premised on risk of future injury.
The court also dismissed without prejudice all but one of plaintiffs’ claims based on the loss of data theory, based largely on their failure to plead where or when they purchased the external hard drives that were wiped during the attack. The only claim to survive was for unjust enrichment, which was allowed to go forward even after the other claims were dismissed on the basis that “[t]he [c]ourt construes these allegations as pleading a claim for quasi-contract seeking restitution and, therefore, . . . not subject to dismissal on the basis that it is improperly pled as a standalone claim.”