Demurrer to Complaint
TENTATIVE RULINGS
Date: June 11, 2026
# Case Name Tentative
1. 30-2025-01454345 1. Case Management Conference 2. Demurrer to Complaint Morris vs. Data Media Associates, LLC Defendant Data Media Associates, LLC (“Defendant”) demurs to the Complaint of plaintiff Theodora Morris (“Plaintiff”) on the ground that the pleading fails to allege sufficient facts to support any viable cause of action.
Damages Defendant first argues that Plaintiff has failed to allege any damages or injury arising from the incident and all of her causes of action fail for this reason. Defendant contends that Plaintiff only vaguely alleges that she sustained economic loss and emotional distress and those allegations are insufficient because damages for emotional distress must be supported by something more than conclusory allegations and for monitoring and lost time to be compensable. Moreover, Plaintiff must allege that her need for future monitoring is a reasonably certain consequence of Defendant’s purported breach of duty, and that such monitoring was reasonable and necessary.
Plaintiff alleges that, as a result of the data breach, she has experienced “substantial and ongoing emotional distress, which has sometimes manifested in physical symptoms[.]” (Compl. ¶ 25.) She further alleges that she “has expended time and effort and incidental costs in an effort to mitigate the harm by researching and taking steps to ascertain whether her personal information has been used to commit identity theft or otherwise misused, by placing security freezes or removing freezes on her credit reports and will need to continue to do so for the foreseeable future.” (Compl. ¶ 26.) Plaintiff alleges that while Defendant has offered some victims credit monitoring services, those services are wholly insufficient to compensate her for her damages. (Compl. ¶ 20.)
General damages of emotional harm and distress are insufficient to support Plaintiff’s claim for damages. (Holly v. Alta Newport Hospital, Inc. (2020) 612 F.Supp.3d 1017, 1026 [holding conclusory allegations of “fear of identity theft, embarrassment, anxiety, emotional pain and upset” and injuries to nervous system to be insufficient].) Here, Plaintiff’s allegation of emotional distress that has “sometimes” manifested in physical symptoms, without more, is vague and conclusory. Thus, Plaintiff has not adequately alleged emotional distress damages.
Looking for case law or statutes not cited here? Search published authorities
Examples: “Why did the court rule this way?” · “What were the procedural grounds?” · “Is appearance required?”
However, Plaintiff’s allegations regarding monitoring and incidental costs are sufficient. “Courts have found that credit monitoring may be ‘compensable where evidence shows that the need for future monitoring is a reasonably certain consequence of the defendant's breach of duty, and that the monitoring is reasonable and necessary.’ ” (Gardiner v. Walmart Inc. (N.D. Cal. 2021) 2021 WL 2520103, at *6.) Here, in viewing the allegations in their totality, Plaintiff has adequately alleged a need for future monitoring and damages in the form of incidental costs, which is supported by the allegation that Defendant’s offer of services are
insufficient and that Plaintiff has been required to place and/or remove security freezes on her credit reports. Thus, Defendant’s argument that Plaintiff’s allegations of damages are insufficient fails.
First Cause of Action for Negligence Defendant argues that the economic loss doctrine forecloses Plaintiff’s negligence claim unless bodily injury or property damage has resulted. Defendant further argues that this cause of action fails because Plaintiff alleges no facts in support of her allegation that Defendant’s data security was deficient or that Defendant otherwise breached any duty of care.
The economic loss rule provides that, “[i]n general, there is no recovery in tort for negligently inflicted ‘purely economic losses,’ meaning financial harm unaccompanied by physical or property damage.” (Sheen v. Wells Fargo Bank, N.A. (2022) 12 Cal.5th 905, 922.) “The economic loss rule has been applied in various contexts. First, it carries force when courts are concerned about imposing ‘ “liability in an indeterminate amount for an indeterminate time to an indeterminate class.” ’ ” (Ibid.) “In another recurring set of circumstances, the rule functions to bar claims in negligence for pure economic losses in deference to a contract between litigating parties.” (Ibid.)
Here, while Plaintiff has only adequately alleged economic loss, rather than physical harm, the economic loss rule does not bar her negligence claim. Defendant does not contend that the parties had a contract. Further, Defendant does not argue that the context of potential liability in an indeterminate amount for an indeterminate time to an indeterminate class is present here. Thus, Defendant has failed to establish that the economic loss rule applies.
Plaintiff alleges that Defendant owed a duty to keep her private information safe from unauthorized disclosure to third parties and breached that duty by failing to implement adequate security systems and practices consistent with industry standards and state and federal law. (Compl. ¶¶ 21-22.) Plaintiff further alleges that Defendant did not inform victims of the data breach, which occurred in June 2023, until August 2023. (Compl. ¶ 15.) The Court finds that these allegations are sufficient to allege breach of a duty of care.
Second Cause of Action for The Customer Records Act (CRA) Plaintiff concedes she has no viable cause of action under the CRA. Thus, the Demurrer to the second cause of action is SUSTAINED without leave to amend.
Third Cause of Action for Conversion Defendant argues that this cause of action fails because Plaintiff does not allege that Defendant acted intentionally to convert her information and instead admits that Defendant is also the victim of a cyberattack. Further, Plaintiff has not been deprived of her information and she may still use or access that information.
“ ‘The elements of a conversion claim are: (1) the plaintiff’s ownership or right to possession of the property; (2) the defendant’s conversion by a wrongful act or disposition of property rights; and (3) damages. . . .’ [Citation.]” (Hodges v. County of Placer (2019) 41 Cal.App.5th 537, 551.) “In order to establish a conversion, the plaintiff ‘must show an intention or purpose to convert the goods and to exercise ownership over them, or to prevent the owner from taking possession of his property.’ ” (Collin v. American Empire Insurance Company (1994) 21 Cal.App.4th 787, 812.)
Plaintiff alleges that she was in possession, had the right to immediate possession, and was the owner with right to possession of personal identifying information and health information and Defendant permitted one or more unknown parties to access that property by failing to train employees and maintain a security system in compliance with industry standards. (Compl. ¶¶ 37-38.) She does not allege, however, any intention by Defendant to convert her personal information, exercise ownership over them, or prevent her from possession. Thus, the Court finds that this cause of action fails.
Fourth Cause of Action for Invasion of Privacy Defendant argues that this cause of action fails because unintentional access to personal information resulting from a breach or attack does not meet the high bar necessary to plead an invasion of privacy claim. Defendant further argues that Plaintiff has failed to allege that her information has been published or otherwise publicly disclosed.
“In order to state a cause of action for invasion of privacy, a party must establish (1) a legally protected privacy interest, (2) a reasonable expectation of privacy in the records, (3) a serious invasion of the privacy interest, and (4) damages caused by the invasion of the privacy interest.” (Rosales v. City of Los Angeles (2000) 82 Cal.App.4th 419, 428.) A common law invasion of privacy claim requires intentional conduct. (Marich v. MGM/UA Telecommunications, Inc. (2003) 113 Cal.App.4th 415, 421.) However, “ ‘[i]ntent is not . . . limited to consequences which are desired. If the actor knows that the consequences are certain, or substantially certain, to result from his act, and still goes ahead, he is treated by the law as if he had in fact desired to produce the result.’ ” (Id. at p. 422.)
Here, Defendant’s argument that this cause of action is insufficient because it is based on an unintentional data breach fails, as allegations that Defendant knew or was substantially certain that a breach could occur as a result of its alleged failure to maintain sufficient security is enough to support the claim. Thus, Plaintiff’s allegations that Defendant failed to adequate secure Plaintiff’s private information from disclosure to third parties, and also failed to timely notify Plaintiff once Defendant possessed knowledge to a substantial certainty that a data breach occurred, are sufficient. Further, Defendant’s argument that Plaintiff has not alleged that her information has been published or publicly disclosed lacks merit, as Plaintiff alleges through her Complaint that her private information has been accessed by one or more unauthorized parties.
In light of all the above, the Court OVERRULES the Demurrer to the first cause of action for negligence and fourth cause of action for invasion of privacy and SUSTAINS the Demurrer to the second cause of action under the CRA and the third cause of action for conversion, with 20 days leave to amend as to the third cause of action only.
Moving party to give notice.
2. 30-2025-01528592 1. Case Management Conference 2. Motion to Compel Arbitration Hold vs. Fortanix, Inc. Defendant Fortanix, Inc. (“Defendant”) moves to compel arbitration and stay the case pending arbitration.
Plaintiff Joseph Hold (“Plaintiff”) opposes the motion.