OpenAI Is Meticulously Destroying All the Allegations Against It

MEMORANDUM OF POINTS AND AUTHORITIES

IV. ARGUMENT

C. Plaintiffs’ Claims Fail for Reasons Specific to Each Claim.

8. Plaintiffs Fail to State a Claim for Negligence.

Plaintiffs’ claim for negligent handling of personal data suffers from the same defects as their CCPA claim and must also be dismissed.

To prevail on a negligence claim, a plaintiff must establish: “(1) defendant’s obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks (duty); (2) failure to conform to the standard (breach of the duty); (3) a reasonably close connection between the defendant’s conduct and resulting injuries (proximate cause); and (4) actual loss (damages).” Aguilar v. Hartford Accident & Indem. Co., No. CV 18-8123-R, 2019 WL 2912861, at *2 (C.D. Cal. Mar. 13, 2019) (citing Corales v. Bennett, 567 F.3d 554, 572 (9th Cir. 2009)).

The negligence pleading standard in the context of a data breach is “particularly demanding.” See, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 971-72 (S.D. Cal. 2014), order corrected, No. 11MD2258 AJB (MDD), 2014 WL 12603117 (S.D. Cal. Feb. 10, 2014) (“[T]he Court will not allow expensive, potentially burdensome class action discovery to ensue in the absence of a viable” negligence claim). Here, Plaintiffs have not pled any of the required elements.

First, the complaint fails to allege any duty of care the OpenAI Entities owed to Plaintiffs. Plaintiffs merely allege that the OpenAI Entities negligently “collect[ed], maintain[ed], and control[ed] their customers’ sensitive personal information.” (Compl. ¶ 237.) But Plaintiffs have not alleged that they are customers of any OpenAI Entity or had any relationship with an OpenAI Entity that would have created a duty.

Nor have they alleged that the OpenAI Entities collected or maintained any of Plaintiffs’ “sensitive personal information” or “personal data.” (Id. ¶¶ 19- 20, 23-28.) In fact, Plaintiffs allege that the data at issue is available in public Github repositories. (Id. ¶¶ 10, 46, 82-83.)

Plaintiffs have failed to plead the existence of a duty owed by any OpenAI Entity. Schmitt v. SN Servicing Corp., No. 21-CV-03355-WHO, 2021 WL 3493754, at *4 (N.D. Cal. Aug. 9, 2021) (finding duty inadequately pled where plaintiffs fail to address the relevant factors, including the “foreseeability of harm to plaintiff, the degree of certainty that plaintiff suffered injury, the closeness of the connection between the defendant’s conduct and the injury suffered, … the extent of the burden to defendant and the consequences to the community of imposing a duty with resulting liability for breach”) (cleaned up).

Second, Plaintiffs also have not shown a breach of any duty. Despite generic allegations that the OpenAI Entities learned of “multiple instances of release of [PII],” Plaintiffs offer no facts regarding these purported disclosures. (Id. ¶ 238.) On these threadbare allegations, Plaintiffs have not sufficiently alleged duty or breach.

See, e.g., Schmitt, 2021 WL 3493754, at *5 (dismissing negligence claim where plaintiffs failed to provide “factual allegations from which [the Court] can draw a reasonable inference that PII. . . was among the information compromised during the data breach); Anderson, 2019 WL 3753308, at *5 (dismissing claim where “plaintiffs fail to allege any facts in support of their conclusory assertion” that defendant “fail[ed] to implement and maintain reasonable security procedures and practices”).

Plaintiffs’ citations to statutory standards—Cal. Civ. Code sections 1798.82, et seq, and 1798.100, et seq.—and to the right to privacy under California Constitution—also fail to support a breach. Even if Plaintiffs can rely on these provisions to define the standard of care, Plaintiffs have not pled any facts demonstrating how OpenAI purportedly violated them. See, e.g., Schmitt, 2021 WL 3493754, at *5; Anderson, 2019 WL 3753308, at *5.

Third, Plaintiffs cannot establish proximate cause as they cannot make “the requisite connection between the alleged breach and damages.” See Schmitt, 2021 WL 3493754, at *6 (dismissing negligence claim because plaintiffs failed to show causation when “plaintiffs have not plausibly pleaded that PII or identifiable information was disclosed (information that [defendant] had a duty to protect)”).

Fourth, Plaintiffs fail to adequately plead any redressable injuries. None of Plaintiff’s alleged injuries satisfy the requisite damages standard for negligence. (See Compl. ¶ 239.)

• Alleged loss of control over identity is insufficient. Aguilar, 2019 WL 2912861 at *2 (“alleged loss of control [over] medical information and personal financial information” does not establish damages).

• Alleged lost time is “too speculative to constitute cognizable injury.” Corona v. Sony Pictures Ent., Inc., No. 14-CV-09600 RGK (Ex), 2015 WL 3916744, at *4 (C.D. Cal. June 15, 2015). Plaintiffs fail to specify what steps they took “to cure [the] harm to their privacy.” (See Compl. ¶ 239.) In any event, “the cost of lost time” is “not recoverable under the economic loss doctrine.” See Gardiner v. Walmart Inc., No. 20-CV-04618-JSW, 2021 WL 2520103, at *8 (N.D. Cal. Mar. 5, 2021) (time spent not recoverable in tort).

• Alleged threat of future harm “is insufficient to constitute actual loss.” Corona, 2015 WL 3916744, at *3; see Huynh v. Quora, Inc., No. 18-CV-07597-BLF, 2020 WL 7408230, at *6 (N.D. Cal. June 1, 2020) (dismissing negligence claim because plaintiffs alleged the “mere danger of future harm,” without “specific factual statements that Plaintiffs’ [PII] has been misused”).

• Alleged privacy injuries are conclusory and inadequately pled. In any event, “an alleged loss of property in the form of personal information is insufficient to support a claim for negligence.” Aguilar, 2019 WL 2912861 at *2.

• Alleged economic loss is unsupported by any facts demonstrating economic loss associated with the alleged disclosure of their PII. To the extent plaintiffs are attempting to allege economic losses, the economic loss rule bars recovery for any economic losses in tort unless there is a “special relationship” between the parties. Corona, 2015 WL 3916744, at *5. Plaintiffs have not alleged that a special relationship exists here.