Court dismisses complaint against Robinhood regarding November 2021 data breach
A lawsuit targeting Robinhood hit the curb earlier this week, as Judge James Donato of the California Northern District Court dismissed a complaint against the online broker concerning a November 2021 data breach.
This putative class action arises from a November 2021 data breach that is said to have exposed the full names, email addresses, dates of birth, zip codes, and other personally identifiable information (PII) of over seven million customers of defendant Robinhood Markets, Inc.
In an 84-page consolidated amended complaint (CAC), 25 Robinhood customers in California, Illinois, New York, Utah, South Carolina, Georgia, Virginia, Massachusetts, Oklahoma, New Jersey, Kansas, Kentucky, and Florida allege 24 claims ranging from negligence and breach of contract to violations of multiple state consumer protection and data security laws. The named plaintiffs have sued on behalf of themselves, a putative national class, and 11 putative state subclasses.
Robinhood has asked to dismiss the CAC under Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). The Judge found that dismissal is warranted on grounds other than those proposed by Robinhood.
The CAC as it currently stands is not a workable pleading under Rule 8. To start, the claims for the national class include negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and declaratory judgment. These are common law claims, and the CAC is silent about the law that is intended to govern them.
Plaintiffs have invoked the Class Action Fairness Act (CAFA) as the basis of the Court’s subject matter jurisdiction. CAFA is a species of diversity jurisdiction, which means that the Court will apply state substantive law to resolve the claims. What that state law might be is not identified in the CAC. This is a problem because the parties are literally all over the map. The named plaintiffs are citizens of 13 different states, and Robinhood is alleged to be a Delaware business entity with a principal place of business in California.
The motion to dismiss briefing compounded the lack of clarity by citing a potpourri of cases from multiple state jurisdictions, which the parties appear to have selected mainly for content they liked rather than for good reasons of choice of law. As a result, the parties did not provide useful arguments on key issues such as the possible application of the economic loss rule.
Robinhood posited, with little explanation, that the California economic loss rule applies to the negligence claims. Plaintiffs said that the California rule is inapplicable because “Plaintiffs are from various states beyond California, including some where the economic loss rule does not apply.”
The Judge concludes that this is no way to litigate the sprawling claims on behalf of multiple putative classes in the CAC.
Another problem is that the CAC is thin on facts. To be sure, the occurrence of the data breach is based on public and user communications by Robinhood and some of the named plaintiffs alleged concrete and particularized injuries from the breach. Even so, the Judge said, the CAC is “a bit anaemic with respect to its main theory that Robinhood did not properly protect user data”.
For the most part, plaintiffs say only that “it appears” that Robinhood did not use adequate security measures, and allege “on information and belief” that Robinhood did not follow Federal Trade Commission data security guidelines.
The lengthy summaries of data security safeguards in the CAC are untethered to facts indicating that Robinhood’s conduct fell short in any way. This is not necessarily a flaw that dooms plaintiffs’ case, but the absence of facts about Robinhood’s conduct exacerbates the general lack of clarity in the CAC.
Robinhood bears responsibility for its own shortcomings, the Judge noted. Its Rule 12(b)(6) brief teed up a new theory on almost every page, typically without any meaningful discussion or analysis. In the end, it simply threw out bullet points linked to footnotes stuffed with citations to statutes and cases.
Such half-baked briefing falls well below the standards of professionalism expected of counsel and parties in this District. It also violates the Court’s Standing Order for Civil Cases, which expressly states that arguments raised with inadequate supporting authority and discussion will be disregarded.
Overall, the CAC did not present “a short and plain statement of the claim showing that the pleader is entitled to relief,” as Rule 8(a)(2) requires. The Court dismissed it and plaintiffs may file by March 20, 2023, a second amended complaint.
No new claims or parties may be added without the Court’s prior consent. A failure to meet this deadline will result in a dismissal of the case under Rule 41(b).