In a putative consumer data breach class action, a court in the Northern District of California recently denied a cloud solution company’s motion to dismiss the plaintiffs’ negligence claim finding that the plaintiffs plausibly alleged that the company owed consumers a duty of care. See In re Accellion, Inc. Data Breach Litig., 2024 WL 4592367 (N.D. Cal. Oct. 28, 2024).
In February 2021, plaintiffs filed suit against Accellion, Inc.—a cloud solutions company that offered a secure file transfer application called the File Transfer Appliance (FTA)—claiming that their personally identifiable information had been exposed due to the FTA’s alleged security vulnerabilities. In July 2023, Accellion moved to dismiss all eleven counts from the plaintiffs’ complaint. In January 2024, the court largely granted Accellion’s motion but found that the plaintiffs alleged facts sufficient to support their negligence and Washington State Consumer Protection Act claims. See In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623 (N.D. Cal. 2024). In March 2024, plaintiffs filed an amended complaint, adding additional allegations in support of those two claims. In April, Accellion moved to dismiss the plaintiffs’ amended negligence claim on the ground that the plaintiffs failed to adequately allege that a special relationship existed between themselves and Accellion and that, therefore, Accellion did not owe a duty of care to the plaintiffs.
The court again declined to dismiss the negligence claim at this stage. The court explained that California courts consider four factors to assess whether a special relationship exists between two parties: (1) dependence, (2) control, (3) limits to the scope of the community to which a duty of care is owed, and (4) benefits to the duty-holder. The court found all four factors present here.
First, according to the court, the plaintiffs adequately alleged they depended on Accellion and the FTA to securely maintain and transfer their personal information; the court concluded that these allegations differed from those in other negligence actions brought by data breach victims because the plaintiffs could “not have protected themselves through their own vigilance.” Second, the court found that the plaintiffs’ allegations were sufficient to plead that Accellion had control over the FTA. Third, the court found that the alleged scope of the proposed special relationship was appropriately limited because the FTA “did not transfer everyone’s data” but instead only the data of the individuals who used the FTA; that those individuals’ “exact identities” are currently unknown and may “be difficult to ascertain” did not, according to the court, “improperly broaden the scope of the special relationship.” Finally, the court found that the plaintiffs had adequately alleged that Accellion derived a commercial benefit from providing the FTA to its customers. Accordingly, the court concluded that the plaintiffs’ allegations were sufficient to state a claim for negligence.