Searching over 5,500,000 cases.


searching
Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re Yahoo! Inc. Customer Data Security Breach Litigation

United States District Court, N.D. California, San Jose Division

August 30, 2017

IN RE YAHOO! INC. CUSTOMER DATA SECURITY BREACH LITIGATION

          ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS RE: DKT. NO. 94

          LUCY H. KOH, United States District Judge

         Plaintiffs Kimberly Heines, Hashmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, Rajesh Garg, Scarleth Robles, Maria Corso, Jose Abitbol, Yaniv Rivlin, Mali Granot, and Brian Neff (collectively, “Plaintiffs”) bring a putative class action against Defendant Yahoo! Inc. (“Yahoo”). Plaintiff Brian Neff also brings a putative class action against Defendant Aabaco Small Business, LLC (“Aabaco”) (collectively with Yahoo, “Defendants”).

         Before the Court is Defendants' motion to dismiss Plaintiffs' Consolidated Class Action Complaint (“CCAC”). ECF No. 94 (“Mot.”). Having considered the parties' submissions, the relevant law, and the record in this case, the Court hereby GRANTS in part and DENIES in part the motion to dismiss.

         I. BACKGROUND

         A. Factual Background

         Defendant Yahoo was founded in 1994 and has since grown into a source for internet searches, email, shopping, news and many other internet services. CCAC ¶ 24. One of Yahoo's most important services is Yahoo Mail, a free email service. Id. ¶ 25. Plaintiffs allege that “[m]any users have built their digital identities around Yahoo Mail, using the service for everything from their bank and stock trading accounts to photo albums and even medical information.” Id.

         Yahoo also offers online services for small business, including website hosting and email services (hereinafter, “Small Business Services”). Id. ¶ 29. Users must pay for Small Business Services, and users are required to provide credit or debit card information for automatic monthly payments for Small Business Services. Id. Prior to November 2015, Yahoo provided these services through a division called Yahoo Small Business. Id. “Since November 2015, Yahoo has provided its small business services through its wholly owned subsidiary Aabaco.” Id.

         Plaintiffs allege that in order to obtain email services and Small Business Services from Defendants, users are required to provide personal identification information (“PII”) to Defendant. This PII includes the user's name, email address, birth date, gender, ZIP code, occupation, industry, and personal interests.[1] CCAC ¶¶ 1, 32. For some Yahoo accounts, including the small business accounts, users are required to submit additional PII, including credit or debit card numbers and other financial information. Id. ¶ 32.

         In addition to the PII that Plaintiffs submitted directly to Defendants, Plaintiffs also allege that users used their Yahoo email accounts to send and receive a variety of personal information. Each named Plaintiff alleges that he or she included sensitive PII in the content of his or her Yahoo emails. The individual allegations of the named Plaintiffs, including allegations regarding the personal information that these named Plaintiffs included in their Yahoo email accounts, are discussed further below.

         1. Earlier 2012 Data Breach Putting Yahoo on Notice of Data Security Issues

         Plaintiffs allege that Defendants have a long history of data security failures that should have put Defendants on notice of the need to enhance their data security. For example, although the Federal Trade Commission found as early as 2003 that “SQL injection attacks” were a known and preventable data security threat, “[i]n 2012, Yahoo admitted that more than 450, 000 user accounts were compromised through an SQL injection attack-with the passwords simply stored in plain text.” Id. ¶ 47-48. Plaintiffs allege that according to news stories at the time, “[s]ecurity experts were befuddled … as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, [the passwords] were left in plain text, which means a hacker could easily read them.” Id.

         According to Plaintiffs, the 2012 hackers intended the 2012 attack as a wake-up call, and the hackers left a message stating “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat . . . There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.” Id. ¶ 49. However, despite this warning, Plaintiffs allege that “Yahoo's internal culture actively discouraged emphasis on data security.” Id. ¶ 50. Plaintiffs allege that “former Yahoo security staffers interviewed later told Reuters that requests made by Yahoo's security team for new tools and features such as strengthened cryptography protections were, at times, rejected on the grounds that the requests would cost too much money, were too complicated, or were simply too low a priority.” Id. ¶ 50.

         2. Three Data Breaches at Issue in the Instant Case

         The instant lawsuit involves three data breaches that occurred between 2013 and 2016. According to Plaintiffs, Defendants represented to users that users' accounts with Defendants were secure. For example, Yahoo's website stated that “protecting our systems and our users' information is paramount to ensuring Yahoo users enjoy a secure user experience and maintaining our users' trust” and that “[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.” Id. ¶ 34. Similarly, Aabaco's website stated that “[w]e have physical, electronic, and procedural safeguards that comply with federal regulations to protect your Personal Information.” Id. ¶ 35. Nonetheless, despite these representations, Plaintiffs allege that Defendants did not use appropriate safeguards to protect users' PII and that Plaintiffs' PII was thus exposed to hackers who infiltrated Defendants' systems. Specifically, Plaintiffs allege three separate data breaches: a breach that occurred in 2013, a breach that occurred in 2014, and a “forged cookie breach” that occurred in 2015 and 2016. The Court refers to these breaches collectively as the “Data Breaches.” The Court discusses each below.

         a. The 2013 Breach

         The first breach occurred in August 2013 (“2013 Breach”). Id. ¶ 56. At that time, hackers gained access to more than one billion Yahoo accounts and stole users' Yahoo login, country code, recovery e-mail, date of birth, hashed passwords, cell phone numbers, and zip codes. Id. Plaintiffs allege that this 2013 Breach was particularly egregious “given the fact that 1 billion accounts were compromised, when there are only 3 billion people with Internet access in the world.” Id. ¶ 59 (internal quotation marks and brackets omitted).

         Significantly, the 2013 Breach also gave hackers access to the contents of users' emails, and thus exposed any PII or other sensitive information that users included in the contents of their emails. Id. Plaintiffs allege that users used their Yahoo emails for a variety of personal and financial transactions, and thus that Yahoo email accounts contained “records involving credit cards, retail accounts, banking, account passwords, IRS documents, and social security numbers from transactions conducted by email, in addition to other confidential and sensitive information contained therein.” Id. ¶ 1.

         Yahoo did not disclose the fact of the 2013 Breach until December 14, 2016, over three years after the 2013 Breach occurred in August 2013. Id. ¶ 78. Plaintiffs allege that the 2013 Breach occurred because Yahoo did not timely move away from an outdated encryption technology known as MD5. Id. ¶ 53. According to Plaintiffs, it was widely recognized in the data security industry long before the 2013 Breach that MD5 was “cryptographically broken and unsuitable for further use.” Id. ¶ 55. Nevertheless, Yahoo did not begin to upgrade from MD5 until the summer of 2013. Id. ¶¶ 54-55. Plaintiffs allege, however, that Yahoo's move from MD5 in the summer of 2013 was too late to prevent the 2013 Breach. Id. ¶¶ 54-55.

         b. The 2014 Breach

         The second breach occurred in late 2014 (“2014 Breach”). Plaintiffs allege that “the 2014 breach began with a ‘spear phishing' email campaign sent to upper-level Yahoo employees. One or more of these employees fell for the bait, and Yahoo's data security was so lax, that this action was enough to hand over the proverbial keys to the kingdom.” Id. ¶ 91. Through this attack, hackers gained access to at least 500 million Yahoo user accounts. Id. ¶ 62. Many of the accounts breached in the 2014 Breach were accounts that had previously been breached in the 2013 Breach. Id. ¶ 63. In its motion to dismiss, Yahoo states that it received evidence from law enforcement that the criminal intruders responsible for the 2013 Breach were unrelated to the perpetrators of the 2014 Breach. See Mot. at 19.[2]

         According to Plaintiffs, in August 2016, hackers posted for sale on the dark web the personal information of 200, 000, 000 Yahoo users. Id. ¶ 70. Plaintiffs also allege that “a geographically dispersed hacking group based in Eastern Europe managed to sell copies of the database to three buyers for $300, 000 apiece months before Yahoo disclosed the 2014 Breach.” Id. ¶ 71.

         Plaintiffs allege that Yahoo knew about the 2014 Breach as it was happening, but that Yahoo did not publicly disclose the existence of the 2014 Breach until September 22, 2016, approximately two years later. Plaintiffs allege that Yahoo's announcement of the 2014 Breach “came just two months after Yahoo announced Verizon's plan to acquire its operating assets, and just weeks after Yahoo reported to the SEC that it knew of no incidents of unauthorized access of personal data that might adversely affect the potential acquisition.” Id. ¶ 73. Significantly, Plaintiffs allege that Yahoo delayed notifying users or the public about the 2014 Breach while “Yahoo solicited offers to buy the company. Reportedly, Yahoo wanted the offers in by April 19, 2016, ” and thus waited to disclose the breach until September 2016. Id. ¶ 69.

         Plaintiffs also allege that “[b]y intentionally failing to disclose the breach in a timely manner as required by law, Yahoo misled consumers into continuing to sign up for Yahoo services and products, thus providing Yahoo a continuing income stream and a better chance of finalizing a sale of the company to Verizon.” Id. In the September 22, 2016 announcement of the 2014 Breach, Yahoo stated that the affected “account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” Id. ¶ 73.

         Plaintiffs allege that Yahoo's claim that it had not known about the 2014 Breach for two years was “met with immediate skepticism.” Id. ¶ 74. Indeed, in a recent 10-K filing with the SEC, Yahoo revealed that an independent investigation determined that Yahoo had contemporaneous knowledge of the 2014 Breach, yet failed to properly investigate and analyze the breach, due in part to “failures in communication, management, inquiry and internal reporting” that led to a “lack of proper comprehension and handling” of the 2014 Breach. Id. ¶ 4.

         c. The Forged Cookie Breach

         The third data breach occurred in 2015 and 2016 (“Forged Cookie Breach”). According to the CCAC, the attackers in the Forged Cookie Breach used forged cookies to access Yahoo users' accounts. “Cookies” are files that Yahoo places on users' computers to store login information so that users do not need to reenter login information every time the users access their accounts. Id. ¶ 67. By forging these cookies, hackers were able to access Yahoo accounts without needing a password to the accounts. Id. ¶ 68. Moreover, by forging cookies, hackers were able to remain logged on to accounts for long periods of time. Id. ¶ 68.

         According to Plaintiffs, the attackers in the Forged Cookie Breach are “presumed to be the same parties involved in the 2014 Breach.” Id. Specifically, Plaintiffs allege that “the 2014 Breach and Forged Cookie Breach have since been attributed to two Russian FSB agents, a Russian hacker, and a Canadian hacker.” Id. ¶ 90. Plaintiffs allege that in a recent 10-K filing with the SEC, Yahoo disclosed that an independent committee of Yahoo's Board of Directors had determined that Yahoo's information security team knew, at a minimum, about the Forged Cookie Breach as it was happening, “but took no real action in the face of that knowledge.” Id. ¶ 86. Instead, Plaintiffs allege, Yahoo “quietly divulged” the existence of the Forged Cookie Breach in Yahoo's 10-Q filing with the SEC filed on November 9, 2016 and did not begin notifying users about the Forged Cookie Breach until February 2017. Id. ¶ 80-81.

         3. Allegations of Individual Named Plaintiffs

         The CCAC is brought by eleven named Plaintiffs on behalf of four putative classes. The Court briefly discusses the allegations of these individual named Plaintiffs below.

         a. Named Plaintiffs Representing the United States Class

         Plaintiffs Kimberley Heines, Hasmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, and Rajesh Garg (“United States Plaintiffs”) assert claims on behalf of the putative United States Class, which consists of all Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. CCAC ¶¶ 10-14, 105.

         Plaintiff Kimberley Heines (“Heines”), a resident of California, alleges that she used her Yahoo email account in conjunction with Direct Express, which is the service through which Heines receives her Social Security, and thus her Yahoo email account “included information relating to her account with Direct Express.” Id. ¶ 10. In 2015, Heines discovered that her monthly Social Security benefits had been stolen from her Direct Express account and used to purchase gift cards. Id. As a result, Heines fell behind on her bills, and she paid late fees as a result. Id. After the theft, Heines began receiving debt collection calls for debts she herself had not incurred, and she saw unfamiliar debts appearing on her credit report, which harmed her credit score. Id. Heines alleges that she has spent over 40 hours dealing with the consequences of the identity theft. Id.

         Plaintiff Hasmatullah Essar (“Essar”), a resident of Colorado, used two free Yahoo email accounts. Id. ¶ 11. Essar used these accounts “for all of his personal, financial, and business needs” including receiving bank statements, applying for jobs, and securing a mortgage. Id. Essar began receiving “phishing emails from a credit card company purporting to be affiliated with American Express, asking him to follow a link to log-in to his ‘Serve' account, ” which Essar did not own. Id. After Essar was notified of the 2014 Breach, Essar signed up for and has paid $35.98 per month for LifeLock credit monitoring service. Id. In February 2017, “an unauthorized person fraudulently filed a tax return under his Social Security Number, ” and in March 2017 he was denied credit and had freezes placed on his credit. Id.

         Plaintiff Paul Dugas (“Dugas”), a resident of California, used four Yahoo email accounts “for his banking, investment accounts, business emails, and personal emails.” Id. ¶ 12. In April of 2016, Dugas was unable to file his personal tax returns because a tax return had already been filed under his Social Security Number. Id. As a result, “both of his college-aged daughters missed deadlines to submit” their financial aid applications, and accordingly Dugas was forced to pay $9, 000 in educational expenses that he otherwise would not have had to pay. Id. Moreover, Dugas has also experienced numerous fraudulent charges on his credit cards, he has had to replace his credit cards, and he has had to pay money to three different credit bureaus to freeze his accounts. Id.

         Plaintiffs Matthew Ridolfo and Deana Ridolfo, a married couple, are residents of New Jersey. Id. ¶ 13. They both “used their Yahoo accounts for nearly twenty years, for general banking, credit card management and communications, a mortgage refinance, and communication with friends and family.” Id. Both Matthew and Deana Ridolfo experienced numerous instances of credit card fraud as a result of the Data Breaches. Id. Specifically, eleven credit card or bank accounts were opened or attempted to be opened in Matthew Ridolfo's name, and at least eleven credit card accounts were opened or attempted to be opened in Deana Ridolfo's name. Id. The Ridolfos experienced fraudulent charges on their credit cards. Id. The Ridolfos eventually purchased and enrolled in LifeLock to help monitor their credit and finances, and they each pay $30.00 per month for these services. Id. Nonetheless, as late as January 31, 2017, an unauthorized person opened an additional credit card in Matthew Ridolfo's name. Id.

         Plaintiff Rajesh Garg (“Garg”), a citizen of Illinois, “used his Yahoo account for banking, investment accounts, business emails, banking, credit card, healthcare, social security, and for friends and family.” Id. ¶ 14. Garg suffered significant embarrassment when unauthorized and inappropriate emails were sent on his behalf to his business and personal contacts. Id.

         b. Named Plaintiffs Representing the Israel Class

         Plaintiffs Yaniv Rivlin and Mali Granot (“Israel Plaintiffs”) assert claims on behalf of the putative Israel Class, which consists of all Yahoo account holders in Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 15-16. 105.

         Plaintiff Yaniv Rivlin (“Rivlin”), a resident of Tel Aviv, Israel, used his Yahoo email account “mainly for personal purposes, including banking, friends and family, credit card statements, and social security administration.” Id. ¶ 15. Rivlin also pays Yahoo $20.00 per month for an email forwarding service and keeps a credit card on file with Yahoo to pay for the service. Id. After being notified that his account had been breached, Rivlin has noticed an increase in spam and unsolicited advertisements, and Rivlin has spent considerable time changing many user names and passwords on many accounts to prevent fraud. Id.

         Plaintiff Mali Granot (“Granot”), a resident of Raanana, Israel, uses her Yahoo email account “to correspond with family, friends and school.” Id. ¶ 16. Granot was unexpectedly locked out of her account and, when she regained access, Granot received numerous unsolicited chat requests and other unsolicited services. Id.

         c. Named Plaintiffs Representing Australia, Venezuela, and Spain Class

         Plaintiffs Scarleth Robles, Mara Corso, and Jose Abitbol (“Australia, Venezuela, and Spain Plaintiffs”) assert claims on behalf of the putative Australia, Venezuela, and Spain Class, which consists of all Yahoo account holders in Australia, Venezuela, or Spain whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 17-19, 105.

         Plaintiff Scarleth Robles (“Robles”), a resident of Venezuela, uses her Yahoo account to “advise[] entrepreneurs on business ventures and ideas and requests that potential clients send their entrepreneurial and business proposals to her Yahoo email address.” Id. ¶ 17. Around September 2016, Robles noticed that business proposals disappeared from her email account and unidentified persons “stole business ideas from her email account.” Id. As a result, Robles alleges that she lost “approximately ten clients” from her business. Id.

         Plaintiff Maria Corso (“Corso”), a resident of Clearview, South Australia, used her Yahoo email account to “send sensitive information, including financial documents, her tax security number, work history, and medical information.” Id. ¶ 18. Corso was locked out of her account without warning, and after contacting Yahoo customer service, Corso was told that “Russian hackers tried over 60 times to gain access to her Yahoo email account.” Id. Corso also purchased security protection and continues to pay an annual fee of $150 for that service. Id.

         Plaintiff Jose Abitbol (“Abitbol”) is a resident of New York but a citizen of Spain. Id. ¶ 19. Abitbol alleges that his “Yahoo email account contains sensitive and confidential information, including information about his bank accounts, business, investment accounts, credit cards, personal matters, and social security number.” Id. After obtaining Abitbol's “bank account number through his Yahoo email account, ” an unknown person made at least two fraudulent wire transfer requests for a total of $50, 000. Id.

         d. Named Plaintiff Representing the Small Business Users Class

         Plaintiff Brian Neff (“Small Business Users Plaintiff” or “Neff”) asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 20, 105. Plaintiff Neff, a resident of Texas, “contracted with Yahoo for two services, Yahoo! Web Hosting for www.TheInsuranceSuite.com and Yahoo! Business Email, for which he has paid Yahoo $13.94 every month . . . .” Id. ¶ 20. Neff has also used Yahoo and Aabaco's web hosting services “in connection with another 54 websites, paying anywhere from $3.94 to $15.94 per month for each website.” Id. In May 2015, Neff incurred fraudulent charges on two of his credit cards, both of which were on file with Yahoo to pay for the services described above. Id. Additionally, a credit card was fraudulently opened in Neff's name. Neff has spent “significant time and incurred expenses mitigating the harm to him from these security breaches and identity theft.” Id. Neff also “intends to migrate his insurance agency website, www.TheInsuranceSuite.com, to a more secure provider, ” which Neff alleges will require significant expenses. Id.

         B. Procedural History

         After the 2014 Breach was announced on September 22, 2016, a number of lawsuits were filed against Defendants. These lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, that Yahoo failed to disclose its inadequate data security practices, and that Yahoo failed to timely notify users of the data breach.

         In late 2016, Plaintiffs in several lawsuits moved to centralize pretrial proceedings in a single judicial district. See 28 U.S.C. § 1407(a) (“When civil actions involving one or more common questions of fact are pending in different districts, such actions may be transferred to any district for coordinated or consolidated pretrial proceedings.”). On December 7, 2016, the Judicial Panel on Multidistrict Litigation (“JPML”) issued a transfer order selecting the undersigned judge as the transferee court for “coordinated or consolidated pretrial proceedings” in the multidistrict litigation (“MDL”) arising out of the 2014 Breach. See ECF No. 1 at 1-3.

         On December 14, 2016, one week after the JPML issued the transfer order for cases arising from the 2014 Breach, Yahoo announced the existence of the 2013 Breach. Plaintiffs in several lawsuits that had been filed regarding the 2014 Data Breach then amended their complaints to include claims regarding the 2013 Breach. Additionally, more lawsuits were filed in the Northern District of California regarding the 2013 Breach and the 2014 Breach. Again, these lawsuits generally alleged that Yahoo failed to adequately protect its users' accounts, that Yahoo failed to disclose its inadequate data security practices, and that Yahoo failed to timely notify users of the data breach.

         This Court found that claims regarding the 2013 Breach were related under Civil Local Rule 3-12 to claims regarding the 2014 Breach, and therefore all lawsuits in the Northern District of California regarding the 2014 Breach were reassigned to the undersigned judge. ECF Nos. 7, 9, 30, 40, 64. Additionally, the JPML issued a conditional transfer order transferring one case regarding the 2013 Breach, Baker v. Yahoo, 17-CV-00135, to the undersigned judge. ECF No. 33.

         On February 9, 2017, the Court held a hearing to appoint Lead Plaintiffs' Counsel. ECF No. 56. Following this hearing, the Court issued an order appointing a Plaintiffs' Executive Committee. ECF No. 58. At a case management conference on March 2, 2017, the Court ordered the Plaintiffs' Executive Committee to file a consolidated amended complaint by April 12, 2017. ECF No. 68. Plaintiffs then filed the instant Consolidated Class Action Complaint (“CCAC”) on April 12, 2017. ECF No. 80. The CCAC asserts one federal statutory claim, five California statutory claims, and seven California common law claims. Id. At a further case management conference on May 4, 2017, the Court determined that because there is a “limited number of claims . . ., many of those claims contain overlapping elements, and the case involves only two defendants, one of which is a subsidiary of the other, ” the first motion to dismiss should “proceed without phasing.” ECF No. 89.

         On May 22, 2017, Defendants filed the instant motion to dismiss. ECF No. 94 (“Mot.”). The same day, Defendants filed a request for judicial notice in connection with their motion to dismiss. ECF No. 95. On June 30, 2017, Plaintiffs filed an opposition to Defendants' motion to dismiss, ECF No. 117 (“Opp.”), and a response to Defendants' request for judicial notice, ECF No. 118. On August 1, 2017, Defendants filed a reply in support of their motion to dismiss, ECF No. 121 (“Reply”), and a reply in support of their request for judicial notice, ECF No. 122. On August 10, 2017, Defendants filed a notice of errata to their reply in support of the motion to dismiss. ECF No. 124. On August 15, 2017, Plaintiffs filed an administrative motion for leave to file a sur-reply, ECF No. 126, and a statement of recent decision pursuant to Civil Local Rule 7-3(d)(2), ECF No. 127.

         II. LEGAL STANDARD

         A. Motion to Dismiss Under Rule 12(b)(6)

         Pursuant to Federal Rule of Civil Procedure 12(b)(6), a defendant may move to dismiss an action for failure to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a ‘probability requirement, ' but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Ashcroft v. Iqbal, 566 U.S. 662, 678 (2009) (internal citation omitted).

         For purposes of ruling on a Rule 12(b)(6) motion, the Court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). However, a court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States, 234 F.3d 428, 435 (9th Cir. 2000), and a “court may look beyond the plaintiff's complaint to matters of public record” without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn, 56 F.3d 1028, 1029 n.1 (9th Cir. 2011). Mere “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir. 2004).

         B. Leave to Amend

         If the court concludes that a motion to dismiss should be granted, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “shall be freely given when justice so requires, ” bearing in mind “the underlying purpose of Rule 15 . . . [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez, 203 F.3d at 1127 (citation omitted). Nonetheless, a district court may deny leave to amend a complaint due to “undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment.” See Leadsinger, Inc. v. BMG Music Publ'g, 512 F.3d 522, 532 (9th Cir. 2008) (alteration in original).

         III. REQUEST FOR JUDICIAL NOTICE

         The Court first addresses Defendants' request for judicial notice. ECF No. 94. The Court may take judicial notice of matters that are either “generally known within the trial court's territorial jurisdiction” or “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed.R.Evid. 201(b). Public records, including judgments and other publicly filed documents, are proper subjects of judicial notice. See, e.g., United States v. Black, 482 F.3d 1035, 1041 (9th Cir. 2007) (“[Courts] may take notice of proceedings in other courts, both within and without the federal judicial system, if those proceedings have a direct relation to matters at issue.”); Rothman v. Gregor, 220 F.3d 81, 92 (2d Cir. 2000) (taking judicial notice of a filed complaint as a public record).

         However, to the extent any facts in documents subject to judicial notice are subject to reasonable dispute, the Court will not take judicial notice of those facts. See Lee v. City of L.A., 250 F.3d 668, 689 (9th Cir. 2001) (“A court may take judicial notice of matters of public record . . . But a court may not take judicial notice of a fact that is subject to reasonable dispute.”) (internal quotation marks omitted), overruled on other grounds by Galbraith v. Cty. of Santa Clara, 307 F.3d 1119 (9th Cir. 2002).

Defendants request judicial notice of the following documents:
Ex. A: “Security at Yahoo” subpage within Yahoo's “Privacy Center, ” https://policies.yahoo.com/us/en/yahoo/privacy/topics/security/index.htm; last accessed: May 18, 2017;
Ex. B: Australia Universal Terms of Service, “Yahoo7 Terms of Service, ” https://policies.yahoo.com/au/en/yahoo/terms/utos/index.htm; last accessed: May 19, 2017;
Ex. C: Additional Terms of Service, “Yahoo Communications Terms, ” https://policies.yahoo.com/xw/en/yahoo/terms/product-atos/comms/index.htm; last accessed: May 19, 2017;
Ex. D: Venezuela Universal Terms of Service, “Condiciones del Servicio, ” https://policies.yahoo.com/e2/es/yahoo/terms/utos/index.htm; last accessed: May 19, 2017;
Ex. E: Yahoo Press Release, “An Important Message to Yahoo Users on Security, ” dated Sept. 22, 2016, https://investor.yahoo.net/releasedetail.cfm?releaseid=990570; last accessed: May 19, 2017;
Ex. F: Yahoo Press Release, “Important Security Information for Yahoo Users, ” dated Dec. 14, 2016, https://investor.yahoo.net/ReleaseDetail.cfm?releaseid=1004285; last accessed: May 18, 2017;
Ex. G: Yahoo! Inc., Annual Report (Form 10-K) (Mar. 1, 2017);
Ex. H: Yahoo! Inc., Quarterly Report (Form 10-Q) (May 9, 2017);
Ex. I: Internal Revenue Service Taxpayer Guide to Identity Theft, dated Apr. 18, 2017, https://www.irs.gov/uac/taxpayer-guide-to-identity-theft; last accessed: May 18, 2017;
Ex. J: Department of Justice Press Release, “U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts, ” dated Mar. 15, 2017, https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-theircriminal-conspirators-hacking-yahoo-and-millions; last accessed: May 18, 2017;
Ex. K: Remarks of Acting Assistant Attorney General for National Security Mary B. McCord, “Acting Assistant Attorney General Mary B. McCord Delivers Remarks at Press Conference Announcing Charges Against Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo, ” dated Mar. 15, 2017, https://www.justice.gov/opa/speech/acting-assistant-attorney-general-mary-b-mccorddelivers-remarks-press-conference; last accessed: May 18, 2017;
Ex. L: Second Amended Class Action Complaint, Dugas v. Starwood Hotels & Resorts Worldwide, Inc., S.D. Cal. Case No. 3:16-CV-00014, Dkt. No. 31;
Ex. M: Legislative Counsel's Digest for Senate Bill 46;
Ex. N: California Assembly, Committee on Judiciary, Analysis of Senate Bill 46;
Ex. O: Privacy Rights Clearinghouse Letter to Senator Corbett in Support of Senate Bill 46, dated Apr. 16, 2013;
Ex. P: California Assembly, Committee on Appropriations, Analysis of Senate Bill 46;
Ex. Q: California Assembly, Judiciary Committee, Mandatory Information Worksheet for Senate Bill 46.
These documents fall into five categories: (1) Documents referenced in the complaint (Exhibits A-G); (2) Securities and Exchange Commission Filings (Exhibits G-H); (3) Information on government websites (Exhibits I-K); (4) Court filings (Exhibit L); and (5) Legislative history documents (Exhibits M-Q).

         In Plaintiffs' response to Defendants' request for judicial notice, Plaintiffs state that they do not object to judicial notice of Exhibits A through G (documents referenced in the complaint), or Exhibits L through Q (court filings and legislative history documents). ECF No. 118 at 2-4. The Court agrees that these documents are proper subjects of judicial notice. See United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003) (“Even if a document is not attached to a complaint, it may be incorporated by reference into a complaint if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim.”); Reyn's Pasta Bella, LLC v. Visa USA, Inc., 442 F.3d 741, 746 n.6 (9th Cir. 2006) (holding that a court “may take judicial notice of court filings and other matters of public record.”); Anderson v. Holder, 673 F.3d 1089, 1094 n.1 (9th Cir. 2012) (“Legislative history is properly a subject of judicial notice.”). Therefore, the Court GRANTS Defendants' unopposed request for judicial notice of Exhibits A through G and Exhibits L through Q.

         As to Exhibits H through K, Plaintiffs concede that SEC filings (Exhibit H) and information on government websites (Exhibits I-K) are proper subjects of judicial notice. Ex. 118 at 2-3. However, Plaintiffs state that these documents contain disputed facts that are not proper subjects of judicial notice. Particularly, with respect to Exhibits I through K, Plaintiffs state that “[b]y excerpting specific self-serving statements, rather than referencing the documents as a whole, Defendants suggest that the references are being used to prove the truth of the cited ‘facts.'” Id. at 3.

         However, as discussed above, a court may take judicial notice of a document without taking judicial notice of reasonably disputed facts contained in the document. See Lee, 250 F.3d at 689 (“A court may take judicial notice of matters of public record . . . But a court may not take judicial notice of a fact that is subject to reasonable dispute.”). As both parties concede, both SEC filings and documents on government websites are proper subjects of judicial notice. See Michery v. Ford Motor Co., 650 F. App'x 338, 341 n.2 (9th Cir. 2016) (taking judicial notice of the existence of documents on a government website); Dreiling v. Am. Exp. Co., 458 F.3d 942, 946 n.2 (9th Cir. 2006) (holding that “SEC filings” are “subject to judicial notice.”). Thus, the Court GRANTS Defendants' request for judicial notice of Exhibits H through K, “not for the truth of the facts recited therein, but for the existence of the opinion, which is not subject to reasonable dispute over its authenticity.” Lee, 250 F.3d at 690. Because Plaintiffs dispute facts contained within Exhibits H through K, the Court does not take judicial notice of any facts in these documents. The Court next turns to address the substance of Defendants' motion to dismiss the CCAC.

         IV. DISCUSSION

         As set forth above, Plaintiffs Kimberley Heines, Hasmatullah Essar, Paul Dugas, Matthew Ridolfo, Deana Ridolfo, and Rajesh Garg (“United States Plaintiffs”) assert claims on behalf of the putative United States Class, which consists of all Yahoo account holders in the United States whose accounts were compromised in any of the Data Breaches. CCAC ¶¶ 10-14, 105.

         Plaintiffs Yaniv Rivlin and Mali Granot (“Israel Plaintiffs”) assert claims on behalf of the putative Israel Class, which consists of all Yahoo account holders in Israel whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 15-16. 105.

         Plaintiffs Scarleth Robles, Mara Corso, and Jose Abitbol (“Australia, Venezuela, and Spain Plaintiffs”) assert claims on behalf of the putative Australia, Venezuela, and Spain Class, which consists of all Yahoo account holders in Australia, Venezuela, or Spain whose accounts were compromised in any of the Data Breaches. Id. ¶¶ 17-19, 105.

         Plaintiff Brian Neff (“Small Business Users Plaintiff”) asserts claims on behalf of a putative Small Business Users Class, which consists of all Yahoo business account holders in the United States whose accounts were compromised in any of the Data Breaches. Id. ¶ 20, 105.

         The CCAC asserts one federal statutory claim, five California statutory claims, and seven California common law claims on behalf of the four putative classes. Specifically, the CCAC asserts (1) a claim under the California Unfair Competition Law (“UCL”) on behalf of the United States Class and the Israel Class; (2) a claim under the California Consumer Legal Remedies Act (“CLRA”) on behalf of the United States Class and the Israel Class; (3) a claim under the California Customer Records Act (“CRA”) on behalf of the United States Class and the Israel Class; (4) a claim under the federal Stored Communications Act on behalf of the United States Class and the Israel Class; (5) a claim under the California Online Privacy Protection Act on behalf of the United States Class and the Israel Class; (6) a claim for breach of express contract on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (7) a claim for breach of implied contract on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (8) a claim for breach of the implied covenant of good faith and fair dealing on behalf of the United States Class, the Israel Class, and the Small Business Users Class; (9) a claim for fraudulent inducement on behalf of the Small Business Users Class; (10) a claim for negligent misrepresentation on behalf of the Small Business Users Class; (11) a claim under the UCL on behalf of the Small Business Users Class; (12) a claim for negligence on behalf of the Australia, Venezuela, and Spain Class; and (13) a claim for declaratory relief on behalf of all classes. Id. ¶¶ 126-234. All of these claims relate to three data breaches: the 2013 Breach, the 2014 Breach, and the Forged Cookie Breach (collectively, “Data Breaches”).

         Defendants move to dismiss Plaintiffs' CCAC in its entirety. First, Defendants argue that Plaintiffs have not established that they have Article III standing to assert any of their claims. Next, Defendants raise particular objections to each of Plaintiffs' thirteen causes of action.

         The Court first considers Defendants' arguments regarding Article III standing and then considers Defendants' challenges to each of Plaintiffs' causes of action in turn.

         A. Article III Standing

         Defendants first move to dismiss the CCAC in its entirety because, according to Defendants, Plaintiffs lack Article III standing to sue. Article III standing to sue requires that (1) the plaintiff suffered an injury in fact, i.e., “an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical”; (2) the injury is “‘fairly traceable' to the challenged conduct, ” and (3) the injury is “likely” to be “redressed by a favorable decision.” Lujan v. Def. of Wildlife, 504 U.S. 555, 560-61 (1992). “The party invoking federal jurisdiction bears the burden of establishing these elements . . . with the manner and degree of evidence required at the successive stages of litigation.” Id. at 561. At the pleading stage, “[g]eneral allegations” of injury may suffice. Id.

         Defendants contend that Plaintiffs lack Article III standing because Plaintiffs cannot establish “injury in fact” and because Plaintiffs cannot establish that their injury is “fairly traceable” to the actions of Defendants. See Mot. at 20-25. The Court addresses these arguments in turn.

         1. Injury In Fact

         Defendants argue that Plaintiffs lack Article III standing because Plaintiffs have not suffered an injury in fact that is concrete and particularized. See Mot. at 21. In a class action, named plaintiffs representing a class “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Warth v. Seldin, 422 U.S. 490, 502 (1975). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O'Shea v. Littleton, 414 U.S. 488, 494 (1974).

         According to Defendants, named Plaintiffs have not suffered an injury in fact because Plaintiffs allege only vague and unspecified harms, such as the loss of “unspecified information” and emails. Moreover, Defendants argue that Plaintiffs' other allegations of injury are speculative, and that any monetary injuries suffered by Plaintiffs have been reimbursed. Plaintiffs, by contrast, argue that all Plaintiffs have suffered concrete harms from the Data Breaches, and that several courts have found these harms sufficient to establish injury in fact in similar data breach cases. Specifically, Plaintiffs contend that all Plaintiffs have suffered harm in the form of (1) risk of future identity theft; and (2) loss of value of their PII. See Opp. at 15-18. In addition, Plaintiffs contend that several Plaintiffs-although not all Plaintiffs-have experienced additional injuries such as harm from identity theft, consequential out of pocket expenses, and loss of benefit of the bargain. See id.

         For the reasons discussed below, the Court agrees with Plaintiffs that Plaintiffs have adequately alleged injury in fact. The Court first discusses the two injuries that all Plaintiffs allege that they have suffered: (1) the risk of future identity theft, and (2) the loss of value of their PII.

         The Court then briefly addresses the additional harms suffered by some, although not all, Plaintiffs.

         a. Risk of Future Identity Theft

         Plaintiffs argue that they have all suffered an injury in fact because Plaintiffs all have suffered an increased risk of future identity theft as a result of the Data Breaches. The Court agrees with Plaintiffs. In In re Adobe Systems, Inc. Privacy Litigation, 66 F.Supp.3d 1197, 1214-15 (N.D. Cal. 2014), this Court held that plaintiffs whose PII was exposed during a data breach of Adobe's servers had standing to sue Adobe for the data breach, even though the plaintiffs' personal information had not yet been misused by the hackers. In Adobe, the plaintiffs alleged that Adobe's servers were hacked and that the hackers spent “several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates.” Id. at 1214. The Adobe plaintiffs alleged that their “personal information was among the information taken during the breach, ” and that “[s]ome of the stolen data ha[d] already surfaced on the Internet.” Id. The Court held that the plaintiffs' allegations were sufficient “to establish Article III injury-in-fact at the pleadings stage” because the plaintiffs adequately alleged an “imminent” threat that their personal information would be misused by the hackers. Id. at 1215.

         Several other courts have also found that similar allegations of future harm suffice to establish Article III standing at the motion to dismiss stage. For example, in Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), the Ninth Circuit addressed for the first time “whether an increased risk of identity theft constitutes an injury-in-fact.” The Ninth Circuit held that because the plaintiffs “alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data, ” the plaintiffs “sufficiently alleged an injury-in-fact for purposes of Article III standing.” Id. at 1143.

         Furthermore, in Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015), the Seventh Circuit cited Adobe with approval and held that “[l]ike the Adobe plaintiffs, the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit- card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood' that such an injury will occur.” See also Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (holding that the plaintiffs had established Article III standing based on “the increased risk of fraudulent charges and identity theft they face because their data has already been stolen.”). Similarly, in Galaria v. Nationwide Mut. Ins. Co., 663 F. App'x 384, 388 (6th Cir. 2016), the Sixth Circuit held that allegations of a risk of future harm were sufficient for Article III standing and noted that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims' data for the fraudulent purposes alleged in Plaintiffs' complaints.” Plaintiffs' allegations here are substantially similar to the plaintiffs' allegations in Adobe and other cases finding Article III standing based on the risk of future identity theft. Plaintiffs allege that in the 2013 Breach and the 2014 Breach, “hackers stole the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders.” CCAC ¶ 1. As a result, hackers gained “access to the email contents of all breached Yahoo accounts.” Id. Moreover, in the Forged Cookie Breach, the hackers were able to forge authentication cookies and thus “remain logged into the hacked [email] accounts for weeks or indefinitely.” Id. ¶ 68.

         Plaintiffs allege that, as a result of the Data Breaches, hackers were able to access the contents of Plaintiffs' email accounts, “and thus any private information contained within those emails, such as financial communications and records involving credit cards.” Id. ¶ 1. Indeed, Plaintiffs allege that they used their Yahoo email accounts in connection with numerous personal financial transactions, including receiving Social Security payments, maintaining investment accounts, and filing income tax returns. See, e.g. Id. ¶¶ 1, 10-14. Like the plaintiffs in Adobe, Plaintiffs here allege that their personal information was among the information taken during the Data Breaches. See id.; see also Id. ¶ 1. Further, like the plaintiffs in Adobe, Plaintiffs here allege that the stolen data has appeared on the dark web, and has indeed remained for sale on the dark web “as late as March 17, 2017.” Id. ¶ 84; Remijas, 794 F.3d at 694 (“[O]nce stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”).

         In these circumstances, Plaintiffs have alleged a “credible threat of real and immediate harm” stemming from the data breaches. Krottner, 628 F.3d at 1143. There is no dispute that Plaintiffs' Yahoo accounts were hacked. “Presumably, the purpose of the hack is, sooner or later, to . . . assume those consumers' identities” or to misuse Plaintiffs' PII in other ways. Remijas, 794 F.3d at 693. Indeed, as discussed below, several United States Plaintiffs allege that their stolen PII has already been misused by identity thieves, and they have experienced concrete harms as a result. See infra Part III.B.c.i.

         Accordingly, as the Court found in Adobe, the Court finds that Plaintiffs have sufficiently alleged “a concrete and imminent threat of future harm suffic[ient] to establish Article III injury-in-fact at the pleadings stage.” See Adobe, 66 F.Supp.3d 1197, 1215.

         b. Loss of Value of PII

         In addition, Plaintiffs also argue that all Plaintiffs have suffered an injury in fact because the Data Breaches caused all Plaintiffs to suffer a loss of value of their PII as a result of the Data Breaches. See Opp. at 17. Again, the Court agrees with Plaintiffs. As the Court explained in In re Anthem, Inc. Data Breach Litigation (“Anthem II”), 2016 WL 3029783, at *14 (N.D. Cal. May 17, 2016), “the Ninth Circuit and a number of district courts have approved” allegations of damages arising from the loss of value of PII. For example, in In re Facebook Privacy Litigation, 72 F. App'x 494, 494 (9th Cir. 2014), the Ninth Circuit found that the plaintiffs plausibly alleged that they experienced harm where the plaintiffs' personal information was disclosed in a data breach, and the plaintiffs “los[t] the sales value of th[eir] [personal] information” as a result. Similarly, in Anthem II, this Court found that the plaintiffs plausibly alleged injury from the loss of value of their PII where the plaintiffs alleged that their PII was disclosed in a data breach, and that plaintiffs' PII was subsequently sold on the black market by hackers. Anthem II, 2016 WL 3029783, at *14-15; see also Svenson v. Google, Inc., 2015 WL 1503429, at *5 (N.D. Cal. Apr. 1, 2015) (“Svenson's allegations of diminution in value of her personal information are sufficient to show contract damages for pleading purposes.”).

         Plaintiffs allege here that “hackers stole the names, email addresses, telephone numbers, birth dates, passwords, and security questions of Yahoo account holders.” CCAC ¶ 1. Plaintiffs allege that this PII is highly valuable to Defendants because Defendants use this information for “targeted advertising.” Id. ¶ 36. Moreover, Plaintiffs allege that this PII is “highly valuable to identity thieves, ” and that hackers have sold this PII on the “dark web.” Id. ¶ 41. Plaintiffs' CCAC includes several examples of hackers selling PII from Yahoo accounts on the dark web following the Data Breaches. See, e.g., ¶ 70. For example, “[i]n August 2016, a hacker identifying himself or herself as ‘peaceofmind' posted for sale on the dark web the PII from 200 million Yahoo accounts.” Id. As recently as March 17, 2017, stolen information from the Data Breaches “was still for sale on underground hacker forums.” Id. ¶ 84. Specifically, the CCAC contains screenshots of hackers selling documents labeled as “Yahoo, 100K, email: pass, decrypted, ” and “Yahoo, 5, 737, 977, decrypted, complete.” Id. Plaintiffs allege that this PII is particularly valuable because hackers can use this information, and in many cases have used this information, to “gain[] access to the email contents of all breached Yahoo accounts and thus any private information contained within those emails.” Id. ¶ 1. Plaintiffs allege that, as a result of their valuable PII being for sale on the dark web, Plaintiffs have lost the value of their PII. See, e.g., id. ¶¶ 135, 145.

         Accordingly, as the Court found in Anthem II, Plaintiffs' allegations that their PII is a valuable commodity, that a market exists for Plaintiffs' PII, that Plaintiffs' PII is being sold by hackers on the dark web, and that Plaintiffs have lost the value of their PII as a result, are sufficient to plausibly allege injury arising from the Data Breaches. Anthem II, 2016 WL 3029783, at *15-16 (finding plaintiff plausibly alleged injury where plaintiffs alleged that their PII was a valuable commodity to identity thieves, that an economic market existed for the PII, and that the value of Plaintiffs' PII decreased as a result of the data breach).

         c. Additional Harms

         As set forth above, the Court finds that all Plaintiffs have suffered injury in fact in the form of (1) the risk of future identity theft; and (2) loss of value of their PII. In addition, the Court also finds that individual Plaintiffs, though not all Plaintiffs, have alleged additional injuries in fact as a result of the Data Breaches. Specifically, some individual Plaintiffs have also alleged (1) that their stolen PII has already been misused by identity thieves; (2) that they have paid out of pocket mitigation expenses; and (3) loss of benefit of the bargain. The Court briefly discusses these additional injuries below.

         i. Plaintiffs who Allege their Stolen PII has Already been Misused

         First, several United States Plaintiffs allege that their stolen PII has already been misused by identity thieves and that they have experienced concrete harms as a result. For example, Plaintiffs Essar and Dugas allege that they used their Yahoo email accounts to conduct their personal finances, and that their Social Security numbers were stolen from their Yahoo email accounts as a result of the Data Breaches. See, e.g., CCAC ¶¶ 11-12. Dugas alleges that a fraudulent tax return was filed under his Social Security number and that he was not able to timely file his own taxes as a result. Id. ¶ 12. Because Dugas could not file his own tax return, Dugas was unable to timely file a financial aid application for his daughters. Id. This resulted in Dugas needing to pay an additional $9, 000 in tuition expenses that he would not otherwise have had to pay. Id.

         Similarly, Plaintiffs Matthew and Deana Ridolfo allege that they used their Yahoo email account to manage their personal finances, that their credit card information was stolen from their Yahoo email accounts in the Data Breaches, and that unauthorized credit card accounts were subsequently opened in their names. Id. ΒΆ 13. The ...


Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.