Some Robinhood statements about security were falsifiable, but Ps didn't properly allege they relied on those statements

Mehta v. Robinhood Financial LLC, 2021 WL 6882392, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021)

Plaintiffs alleged that unauthorized third parties were able to access approximately 2,000 Robinhood customers’ accounts and deplete their funds due to Robinhood’s insufficient security measures. Previously, the court denied Robinhood’s motion to dismiss claims for negligence and violations of the California Consumer Privacy Act (CCPA), the constitutional right to privacy, and the unlawful and unfair prongs of the Unfair Competition Law (UCL). The court dismissed claims for breach of contract and violations of the Customer Records Act (CRA), CLRA, FAL, and fraudulent prong of the UCL with leave to amend; this opinion addressed the amended complaint. Robinhood moved again to dismiss.

Plaintiff sufficiently alleged the existence of promises to reimburse customers for losses from unauthorized account activity.

Were Robinhood’s claims about its security measures mere puffery? Previously, the court held that statements that Robinhood “take[s] privacy and security seriously” and is “[d]edicated to maintaining the highest security standards” were puffery. Robinhood’s Financial Privacy Notice states: “To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include computer safeguards and secured files and buildings.” Those were “specific, non-subjective guarantee[s]” on which a reasonable consumer could rely. Plaintiffs also alleged falsity, pleading that Robinhood’s systems “lack[ ] simple and almost universal security measures used by other broker-dealer online systems” and “Robinhood fails to verify changes in bank account links and failed to store user credentials in an encrypted format.”

Still, UCL claims under the fraudulent prong, CLRA, and FAL claims failed.

Was it plausible that plaintiffs relied on the Financial Privacy Notice? Plaintiffs argued that “it would be unrealistic or otherwise unfair to expect a plaintiff to pinpoint the exact representation she relied on amid a sea of representations.” This was a close call, but the court determined that the plaintiffs didn’t allege enough about the statements they actually saw and actually relied on; motion granted with leave to replead.