A federal district court in the Northern District of California granted in part a motion to dismiss putative class action claims filed against Western Digital, a hard drive manufacturer whose older devices experienced a cyber-attack, where the plaintiffs alleged that their stored data was deleted but not that it was stolen.  While plaintiffs will be permitted to maintain claims related to the data loss, they lack standing to assert claims based on future data misuse.

The plaintiffs in Riordan, et al. v. Western Digital, 5:21-cv-06074, are consumers from several different states who had purchased certain models of external hard drives that Western Digital had sold in the early 2010’s but no longer supported.  According to the plaintiffs, Western Digital announced in 2021 that it discovered a cyber-attack remotely targeting these hard drive models and causing them to be reset to factory settings, effectively deleting all stored data.  After an initial dismissal without prejudice, plaintiffs filed an amended complaint with more detail about their alleged data loss and reasserted claims under the California Song-Beverly Consumer Warranty Act, as well as tort and contractual claims.  Western Digital filed a motion to dismiss, which the court granted in part on September 29, 2023.

Plaintiffs asserted that they had suffered two distinct injuries:  one for the data that was lost on their devices, and a separate injury for future data misuse.  For the second theory, the plaintiffs cited to the Ninth Circuit’s 2018 decision in In re Zappos to argue that “the fact that the hackers accessed personal information that could be used to commit a crime establishes a ‘substantial risk’ that the hackers will commit identity theft or fraud,” which was sufficient injury-in-fact for standing purposes.  However, in Zappos, plaintiffs either directly alleged that their personal information had been stolen or provided examples of other potential class members’ stolen information being used for identity fraud.  The Riordan plaintiffs speculated that hackers could have taken the data before it was deleted but did not allege any facts in support.  The court found that the failure to adequately allege that any data theft actually occurred distinguished plaintiffs’ case from Zappos and that plaintiffs lacked injury-in-fact and standing to bring claims premised on risk of future injury.

The court also dismissed without prejudice all but one of plaintiffs’ claims based on the loss of data theory, based largely on their failure to plead where or when they purchased the external hard drives that were wiped during the attack.  The only claim to survive was for unjust enrichment, which was allowed to go forward even after the other claims were dismissed on the basis that “[t]he [c]ourt construes these allegations as pleading a claim for quasi-contract seeking restitution and, therefore, . . . not subject to dismissal on the basis that it is improperly pled as a standalone claim.”

Tags: Article III Standing, Class Action Procedure, Cybersecurity, Data Privacy, Litigation, Ninth Circuit, privacy, technology
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Sam Greeley Sam Greeley

Samuel Greeley is an associate in the firm’s Washington, DC office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation…

Samuel Greeley is an associate in the firm’s Washington, DC office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation, and federal agency enforcement matters. This includes advising clients on issues relating to cryptocurrency and digital assets, and how they can stay ahead of the quickly evolving enforcement and litigation landscape. He has also defended clients from class actions and white collar investigations in other industries, including life sciences and healthcare.

Read more about Sam GreeleyEmail
Show more Show less
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.

Read more about Kathryn CahoyEmail
Show more Show less