A federal district court in the Northern District of California granted in part a motion to dismiss putative class action claims filed against Western Digital, a hard drive manufacturer whose older devices experienced a cyber-attack, where the plaintiffs alleged that their stored data was deleted but not that it was stolen.  While plaintiffs will be permitted to maintain claims related to the data loss, they lack standing to assert claims based on future data misuse.

The plaintiffs in Riordan, et al. v. Western Digital, 5:21-cv-06074, are consumers from several different states who had purchased certain models of external hard drives that Western Digital had sold in the early 2010’s but no longer supported.  According to the plaintiffs, Western Digital announced in 2021 that it discovered a cyber-attack remotely targeting these hard drive models and causing them to be reset to factory settings, effectively deleting all stored data.  After an initial dismissal without prejudice, plaintiffs filed an amended complaint with more detail about their alleged data loss and reasserted claims under the California Song-Beverly Consumer Warranty Act, as well as tort and contractual claims.  Western Digital filed a motion to dismiss, which the court granted in part on September 29, 2023.

Plaintiffs asserted that they had suffered two distinct injuries:  one for the data that was lost on their devices, and a separate injury for future data misuse.  For the second theory, the plaintiffs cited to the Ninth Circuit’s 2018 decision in In re Zappos to argue that “the fact that the hackers accessed personal information that could be used to commit a crime establishes a ‘substantial risk’ that the hackers will commit identity theft or fraud,” which was sufficient injury-in-fact for standing purposes.  However, in Zappos, plaintiffs either directly alleged that their personal information had been stolen or provided examples of other potential class members’ stolen information being used for identity fraud.  The Riordan plaintiffs speculated that hackers could have taken the data before it was deleted but did not allege any facts in support.  The court found that the failure to adequately allege that any data theft actually occurred distinguished plaintiffs’ case from Zappos and that plaintiffs lacked injury-in-fact and standing to bring claims premised on risk of future injury.

The court also dismissed without prejudice all but one of plaintiffs’ claims based on the loss of data theory, based largely on their failure to plead where or when they purchased the external hard drives that were wiped during the attack.  The only claim to survive was for unjust enrichment, which was allowed to go forward even after the other claims were dismissed on the basis that “[t]he [c]ourt construes these allegations as pleading a claim for quasi-contract seeking restitution and, therefore, . . . not subject to dismissal on the basis that it is improperly pled as a standalone claim.”

Tags: Article III Standing, Class Action Procedure, Cybersecurity, Data Privacy, Litigation, Ninth Circuit, privacy, technology
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Sam Greeley Sam Greeley

Samuel Greeley is an associate in the firm’s Washington, D.C. office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation…

Samuel Greeley is an associate in the firm’s Washington, D.C. office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation, and federal agency enforcement matters. This includes advising clients on issues relating to cryptocurrency and digital assets, and how they can stay ahead of the quickly evolving enforcement and litigation landscape. He has also defended clients from class actions and white collar investigations in other industries, including life sciences and healthcare.

Read more about Sam GreeleyEmail
Show more Show less
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Read more about Kathryn CahoyEmail
Show more Show less