`
`
`
`
`
`
`
`
`
`
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`EDWARD BATON, et al.,
`
`Plaintiffs,
`
`v.
`
`LEDGER SAS, et al.,
`
`Case No. 21-cv-02470-EMC
`
`
`ORDER GRANTING DEFENDANTS’
`MOTIONS TO DISMISS
`
`Docket Nos. 55, 56, 58
`
`
`
`
`
`Defendants.
`
`
`
`
`
`I.
`
`INTRODUCTION
`
`Plaintiffs, customers who purchased a hardware wallet to protect cryptocurrency assets,
`
`bring a putative class action seeking redress for harms they allegedly suffered stemming from a
`
`data breach exposing over 270,000 pieces of personally identifiable information, including
`
`customer names, email addresses, postal addresses and telephone numbers. Docket No. 33 (First
`
`Amended Complaint or “FAC”). Now pending before the Court are Defendants Shopify USA,
`
`Shopify, Inc. and Ledger’s respective motions to dismiss the complaint for, among other reasons,
`
`lack of personal jurisdiction. Docket Nos. 55, 56, 58.
`
`For the following reasons, the Court finds that it lacks personal jurisdiction over each
`
`defendant and that jurisdictional discovery is unwarranted. Therefore, the Court GRANTS the
`
`motions to dismiss and dismisses the case with prejudice.
`
`II.
`
`BACKGROUND
`
`A.
`
`Summary of Allegations in the FAC
`
`Plaintiffs are customers of Defendant Ledger SAS (“Ledger”), a French company based in
`
`Paris that sells hardware wallets to allow customers to manage cryptocurrency. Docket No. 33
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 2 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`(“FAC”) ¶ 2, 21. Ledger sells its hardware wallets—the Ledger Nano X and Ledger Nano S—
`
`through its e-commerce website, which operates on Defendant Shopify, Inc.’s platform. FAC ¶¶
`
`2, 16-17. Plaintiffs allege they, and several putative classes, each bought a Ledger hardware
`
`wallet on Ledger’s e-commerce website, through Shopify’s platform, between July 2017 and June
`
`2020. Id. ¶¶ 16-20. When Plaintiffs made their purchases, they provided their name, email
`
`addresses, telephone numbers and postal addresses. Id.
`
`Plaintiffs’ claims arise of two security incidents involving data breaches exposing
`
`Plaintiffs’ contact information. FAC ¶¶ 78, 79, 88. First, Plaintiffs allege that between April and
`
`June 2020, rogue Shopify, Inc. employees exported a trove of data, including Ledger’s customer
`
`transactional records. Id. ¶¶ 78-79. Shopify allegedly publicly announced the theft on September
`
`22, 2020, which involved the data of approximately 272,000 people. Id. ¶¶ 79, 82. Plaintiffs
`
`allege that Ledger did not inform them that their data was involved in the Shopify breach at that
`
`time. Id. ¶ 83. Second, Plaintiffs allege that Ledger publicly announced that an unauthorized
`
`third-party gained access to Ledger’s e-commerce database through an application programming
`
`interface key on June 25, 2020 and acquired the email addresses of one million customers and
`
`physical contact information of 9,500 customers. Id. ¶ 88. Plaintiffs allege that Ledger did not
`
`disclose that the attack on Ledger’s website and the theft of Shopify’s data were connected, that
`
`Ledger downplayed the scale of the actual attack, and, as a result, Plaintiffs and putative class
`
`members were subject to phishing scams, cyber-attacks, and demands for ransom and threats. Id.
`
`¶¶ 95-118. Plaintiffs contend that Ledger knew that its customer list was highly valuable to
`
`hackers, because it was a list of people who have converted substantial wealth into anonymized
`
`crypto-assets that are transferrable without a trace. Id. ¶ 5.
`
`Plaintiffs allege that despite knowing the high value of its customer list and the need for
`
`confidentiality, Ledger did not implement security measures to protect its customers by regularly
`
`deleting and/or archiving the customer data to protect that information from online accessibility.
`
`FAC ¶ 136, and that Ledger failed to exercise reasonable care in obtaining, retaining, securing,
`
`safeguarding, deleting, and protecting its customers personal information that Ledger had in its
`
`possession from being compromised, lost, or stolen, and from being accessed, and misused by
`
`2
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 3 of 22
`
`
`
`unauthorized persons, id. ¶ 117. Similarly, Plaintiffs allege Shopify failed to exercise reasonable
`
`care in obtaining, retaining, securing, safeguarding, deleting, and protecting their personal
`
`information in their possession from being compromised, lost, or stolen, and from being accessed,
`
`and misused by unauthorized persons. FAC ¶¶ 78-83.
`
`Plaintiffs are five Ledger customers who reside, respectively, in California, Georgia, New
`
`York, London, United Kingdom and Tel Aviv, Israel. Id. ¶¶ 26-20. They purport to represent
`
`several classes and subclasses, ranging from customers internationally to customers in particular
`
`states who suffered particular harms. Id. ¶ 145. Plaintiffs bring claims for, among others,
`
`negligence, negligence per se, injunctive relief and remedies under California’s unfair competition
`
`law, Georgia’s Fair Business Practices Act and New York’s General Business Law. Id. ¶¶ 168-
`
`276.
`
`B.
`
`Relevant Factual Background Contained in Jurisdictional Declarations
`
`Defendants include additional factual background relevant to the Court’s jurisdictional
`
`inquiries at the motion to dismiss stage. Shopify USA states that it is incorporated in Delaware,
`
`has its principal place of business in Ontario, Canada, and never had a business relationship with
`
`Ledger. Docket No. 55-1 (“Harris-John Decl.”) ¶¶ 3-6. Shopify Inc., explains it is a Canadian
`
`corporation that it is not registered to do business in California and, does not have any employees
`
`in California. Docket No. 56-1 (“McIntomny Decl.”) ¶¶ 2-5. It explains that the “rogue”
`
`individuals who were responsible for the data breach of Shopify, Inc.’s platform were not
`
`employees of Shopify or any of its affiliated companies, but independent contractors of a company
`
`called TaskUs, who were located in the Philippines. Id. ¶¶ 11-12. Ledger explains that it is a
`
`French company with no California or U.S. employees. Docket No. 59 (“Ricomard Decl.”) ¶¶ 5,
`
`11, 17.
`
`C.
`
`Procedural Background
`
`Defendant Ledger Technologies was voluntarily dismissed from this case. Docket No. 36.
`
`Remaining Defendants Shopify USA, Shopify, Inc. and Ledger move to dismiss Plaintiffs’ First
`
`Amended Complaint on multiple grounds, including for lack of personal jurisdiction and failure to
`
`state a claim. Docket Nos. 55, 56, 58.
`
`3
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 4 of 22
`
`
`
`A.
`
`Federal Rule of Procedure 12(b)(2)
`
`III.
`
`LEGAL STANDARD
`
`A defendant may move to dismiss based on lack of personal jurisdiction pursuant to
`
`Federal Rule of Civil Procedure 12(b)(2).
`
`In opposing a defendant's motion to dismiss for lack of personal
`jurisdiction, the plaintiff bears the burden of establishing that
`jurisdiction is proper. Where, as here, the defendant's motion is
`based on written materials rather than an evidentiary hearing, the
`plaintiff need only make a prima facie showing of jurisdictional
`facts to withstand the motion to dismiss. The plaintiff cannot
`“simply rest on the bare allegations of its complaint,” but
`uncontroverted allegations in the complaint must be taken as true.
`
`
`Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1223 (9th Cir. 2011); see also Data Disc,
`
`Inc. v. Sys. Tech. Assocs., Inc., 557 F.2d 1280, 1285 (9th Cir. 1977) (noting that “[t]he limits
`
`which the district judge imposes on the pre-trial proceedings will affect the burden which the
`
`plaintiff is required to meet”). In addition, all disputed facts are resolved in favor of the plaintiff.
`
`See Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1154 (9th Cir. 2006); see also Freestream
`
`Aircraft (Berm.) Ltd. v. Aero Law Grp., 905 F.3d 597, 602 (9th Cir. 2018) (stating that
`
`“[u]ncontroverted allegations in the complaint must be taken as true, and factual disputes are
`
`construed in the plaintiff's favor”).
`
`A.
`
`Personal Jurisdiction
`
`IV.
`
`DISCUSSION
`
`The test for personal jurisdiction is generally stated as follows:
`
`Where, as here, no federal statute authorizes personal jurisdiction,
`the district court applies the law of the state in which the court sits.
`California's long-arm statute, Cal. Civ. Proc. Code § 410.10, is
`coextensive with federal due process requirements, so the
`jurisdictional analyses under state law and federal due process are
`the same. For a court to exercise personal jurisdiction over a
`nonresident defendant consistent with due process, that defendant
`must have “certain minimum contacts” with the relevant forum
`“such that the maintenance of the suit does not offend ‘traditional
`notions of fair play and substantial justice.’”
`
`
`Mavrix, 647 F.3d at 1223.
`
`There are two categories of personal jurisdiction: (1) general jurisdiction and (2) specific
`
`4
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 5 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`jurisdiction. Freestream, 905 F.3d at 602. Plaintiffs contend that the Court has general
`
`jurisdiction (and, in the alternative, specific jurisdiction) over Shopify USA and specific
`
`jurisdiction over Shopify, Inc. and Ledger.
`
`As explained below, the Court lacks general jurisdiction (and specific jurisdiction) over
`
`Shopify USA, and lacks specific jurisdiction over Shopify, Inc. and Ledger.
`
`1.
`
`The Court Lacks General Jurisdiction Over Shopify USA
`
`Where there is general jurisdiction over a defendant, the plaintiff can bring any claim
`
`against the defendant in the forum state. Thus, in order for general jurisdiction to obtain, the
`
`defendant's contacts with the forum state must be so continuous and systematic as to render the
`
`defendant essentially at home in the forum State. See Daimler AG v. Bauman, 571 U.S. 117, 122,
`
`128 (2014); see also Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 807 (9th Cir.
`
`2004) (asking whether the defendant has continuous and systematic contacts that approximate
`
`physical presence in the forum state). “With respect to a corporation, the place of incorporation
`
`and principal place of business are ‘paradig[m] ... bases for general jurisdiction.’” Daimler, 571
`
`U.S. at 137. General jurisdiction outside of those forums is available “[o]nly in an exceptional
`
`case,” Martinez v. Aero Caribbean, 764 F.3d 1062, 1070 (9th Cir. 2014), where the defendant’s
`
`contacts are so “continuous and systematic” as to “‘approximate physical presence’ in the forum
`
`state,” Pestmaster Franchise Network, Inc. v. Mata, 2017 WL 1956927, at *2 (N.D. Cal. 2017)
`
`(quoting Mavrix, 647 F.3d at 1223-24).
`
`Here, Plaintiffs argue that the Court has general jurisdiction over Shopify USA, but
`
`concede that Shopify USA is neither incorporated in California (it is a Delaware corporation), nor
`
`is California Shopify USA’s principal place of business (Shopify USA’s principal place of
`
`business is Ottawa, Canada). FAC ¶ 24. Instead, to support their contention that the Court has
`
`general jurisdiction over Shopify USA, Plaintiffs observe that Shopify USA previously listed San
`
`Francisco, CA as its principal place of business since 2014, including, allegedly, during the time
`
`period that the data breach took place in 2019. Opposition at 11-13. Plaintiffs point to Shopify
`
`USA’s business registration filings in various states that continued to list San Francisco as its
`
`principal place of business until 2019 or 2020, Docket No. 67-1 (“Economides Decl.”), Exhs. 1, 3,
`
`5
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 6 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`6, and cites litigation from 2017 and 2018 in which Shopify USA represented to courts that its
`
`principal place of business was in San Francisco, Opposition at 11-12.
`
`However, Plaintiffs’ observation that Shopify USA’s place of business at the time of the
`
`data breach was in California does not establish the Court’s general jurisdiction over Shopify
`
`USA. Courts have uniformly held that general jurisdiction is to be determined no earlier than the
`
`time of filing of the complaint. Sabre Int’l Sec. v. Torres Advanced Enter. Sols., LLC, 60 F. Supp.
`
`3d 21, 30 (D.D.C. 2014) (collecting cases); see also Young v. Daimler AG, 228 Cal. App. 4th 855,
`
`864 (2014) (“Unlike specific jurisdiction, general jurisdiction is determined no earlier than at the
`
`time a suit is filed.”). Plaintiffs do not dispute that at the time this case was filed, in April 2021,
`
`Spotify USA’s principal place of business was in Ottawa, Canada–not San Francisco, California.
`
`FAC ¶ 24.
`
`Plaintiffs’ citation to Delphix Corp. v. Embarcadero Technologies, Inc., an unpublished,
`
`non-precedential Ninth Circuit memorandum disposition, for the proposition that “[c]ourts must
`
`examine the defendant’s contacts with the forum at the time of the events underlying the dispute,”
`
`749 Fed. Appx. 502, 506 (9th Cir. 2018), is unavailing. First, the language Plaintiffs cite from
`
`Delphix quotes a precedential Ninth Circuit decision, Steel v. United States, which makes explicit
`
`that its holding is about specific jurisdiction. 813 F.2d 1545, 1549 (9th Cir. 1987) (“When a court
`
`is exercising specific jurisdiction over a defendant, arising out of or related to the defendant’s
`
`contacts with the forum, the fair warning that due process requires arises not at the time of the suit,
`
`but when the events that gave rise to the suit occurred.”) (Emphasis added). There is no
`
`precedential decision holding that the same logic applies to the analysis of general jurisdiction—a
`
`point that Judge Rawlinson emphasizes in her partial dissent in Delphix, 749 Fed. Appx. at 507-
`
`08—which is consistent with the Ninth Circuit’s caution that “[b]ecause the assertion of judicial
`
`authority over a defendant is much broader in the case of general jurisdiction than specific
`
`jurisdiction, a plaintiff invoking general jurisdiction must meet an ‘exacting standard’ for the
`
`minimum contacts required.” Ranza v. Nike, Inc., 793 F.3d 1059, 1069 (9th Cir. 2015) (citation
`
`omitted).
`
`Because Shopify USA’s principal place business must be analyzed at the time the
`
`6
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 7 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`complaint for filed for purposes of general jurisdiction, Plaintiffs’ only remaining theory for the
`
`Court to assert general jurisdiction is that this is “an exceptional case” in which general
`
`jurisdiction is available in California even though it is not one of the paradigm fora. Id. Plaintiffs
`
`are unable to show that this is such an exceptional case where Shopify USA’s contacts are so
`
`“continuous and systematic” as to “‘approximate physical presence’ in [California],” Mata, 2017
`
`WL 1956927 at *2. Shopify USA entered evidence that it permanently closed its San Francisco
`
`office in September 2020, that its corporate officers are located in Ontario, Canada and New York,
`
`approximately three-quarters of its employees are located outside of California, and a vast
`
`majority of its business activities are conducted outside of, and have no relationship to, California.
`
`Docket No. 55-1 (“Harris-John Decl.”) ¶¶ 3, 5, 7, 8. Plaintiffs do not dispute these representations
`
`and make no allegations sufficient to show that Shopify USA is “so heavily engaged in activity in
`
`[California] as to render it essentially at home.” BNSF Ry. Co. v. Tyrell, 137 S. Ct. 1549, 1559
`
`(2017); see also King v. Bumble Trading, Inc., 2020 WL 663741, at *2 (N.D. Cal. 2020) (finding
`
`that defendant corporation’s principal place of business was in Texas, where its “CEO[] lives and
`
`works,” notwithstanding “documents filed with the California Secretary of State” stating that its
`
`“principal executive office is in San Francisco”).
`
`Thus, the Court finds that it lacks general jurisdiction over Shopify USA.
`
`B.
`
`Specific Jurisdiction
`
`Specific jurisdiction exists in tort type cases where: (1) the defendant “purposefully
`
`directed” its activities towards California; (2) the plaintiff’s claims “arise out of” those forum-
`
`related activities; and (3) the exercise of jurisdiction is “reasonable.” See Morrill v. Scott Fin.
`
`Corp., 873 F.3d 1136, 1142 (9th Cir. 2017). The purposeful direction test applies where, as here,
`
`Plaintiffs assert primarily tort or statutory claims. See e.g., id.; Caces-Tiamson v. Equifax, No. 20-
`
`CV-00387-EMC, 2020 WL 1322889, at *3 (N.D. Cal. Mar. 20, 2020) (courts should apply a
`
`purposeful direction analysis to tort claims arising from data breaches); Matus v. Premium
`
`Nutraceuticals, LLC, No. EDCV 15-01851 DDP (DTBx), 2016 WL 3078745, at *3 (C.D. Cal.
`
`2016) (applying purposeful direction test where the plaintiff alleged violations of the UCL, FAL,
`
`and CLRA and a claim for negligent misrepresentation). “The plaintiff bears the burden of
`
`7
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 8 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`satisfying the first two prongs of the test.” Schwarzenegger, 374 F.3d at 802.
`
`A defendant “purposefully direct[s]” [its] activities at the forum if [it]: (1) committed an
`
`intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows
`
`is likely to be suffered in the forum state.” Picot v. Weston, 780 F.3d 1206, 1214 (9th Cir. 2015)
`
`(internal quotations and citation omitted). “Failing to sufficiently plead any one of these three
`
`elements … is fatal to Plaintiff[s’] attempt to show personal jurisdiction.” Alexandria Real Estate
`
`Equities, Inc. v. Runlabs Ltd., No. 18-CV-07517-LHK, 2019 WL 4221590, at *7 (N.D. Cal. 2019)
`
`(internal quotations omitted).
`
`1.
`
`The Court Lacks Specific Jurisdiction Over Shopify, Inc. and Shopify USA
`
`Plaintiffs advance several theories in order to carry their burden to show (1) that the
`
`Shopify Defendants “purposefully directed” their activities towards California, and (2) that their
`
`claims “arise out of” Shopify’s forum-related activities.1 These arguments are addressed in turn.
`
`First, Plaintiffs allege the Court has “jurisdiction over Shopify [Inc.] … because [it]
`
`solicit[s] customers and transact[s] business in California.” FAC ¶ 31. In their Opposition brief,
`
`Plaintiffs further elaborate that “Shopify, Inc. undertook to power and administer the shopping
`
`website used by Ledger to engage in the advertisements and sales in California giving rise to 7%
`
`of Ledger’s worldwide business.” Opposition at 18. Plaintiffs argue these constitute “intentional
`
`acts” that were “expressly aimed at [California].” Picot, 780 F.3d at 1214.
`
`However, a finding purposeful direction cannot “be based on the mere fact that [a
`
`company] provides services to customers nationwide, including but not limited to California.”
`
`Caces-Tiamson, 2020 WL 1322889, at *3. “‘The placement of a product into the stream of
`
`commerce, without more, is not an act the defendant purposefully directed toward the forum
`
`state.’” Id. (quoting Asahi Metal Indus. Co., Ltd. v. Super. Ct. of Cal., 480 U.S. 102, 112 (1987)).
`
`
`1 Plaintiffs argue that that “Shopify USA is subject to specific jurisdiction for the same reasons as
`Shopify Inc.” because “Shopify USA and Shopify Inc. make no distinction between themselves in
`the public eye, using the same logos, trademarks, and websites, making it impossible at this
`juncture to know the extent of involvement in this data breach by each entity.” Opposition at 14
`n.8. The Court does not address whether Plaintiffs have adequately alleged that jurisdictional
`contacts may be imputed between these affiliated companies, see Ranza, 793 F.3d at 1073,
`because Plaintiffs fail to establish this court has specific jurisdiction over Shopify, Inc., and thus
`Plaintiffs’ derivative arguments as to Shopify USA also fail.
`8
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 9 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Yet that is the essence of Plaintiffs’ allegations herein. See FAC ¶ 156 (Plaintiffs allege that
`
`Shopify, Inc. is a “global entit[y], that conduct[s] business nationwide and globally, servicing
`
`consumers in the United States and in many foreign counties. [It] also provide[s] services in
`
`virtually every state and … target[s] world-wide customers.”).
`
`Plaintiffs’ attempt to graft the alleged “purposeful direction” of Ledger’s activity to make
`
`7% of its global sales in California on to Shopify, Inc. does not establish the Court’s specific
`
`jurisdiction over Shopify, Inc. However, “the Supreme Court has explained that the contacts
`
`supporting purposeful direction ‘must be the defendant’s own choice.’” Cisco Sys., Inc. v. Dexon
`
`Computer, Inc., 2021 WL 2207343, at *3 (N.D. Cal. 2021) (quoting Ford Motor Co. v. Mont.
`
`Eighth Jud. Dist. Ct., 141 S. Ct. 1017, 1025 (2021)); Helicopteros Nacionales de Colombia, S.A.
`
`v. Hall, 466 U.S. 408, 417 (1984) (“[The] unilateral activity of another party or a third person is
`
`not an appropriate consideration when determining whether a defendant has sufficient contacts
`
`with a forum State to justify an assertion of jurisdiction”). Plaintiffs make no allegations that the
`
`fact that Shopify, Inc. provided “a software product” to Ledger that “allow[ed] [Ledger] to easily
`
`operate [an] online store[],” FAC ¶ 75, to sell to “consumers worldwide,” FAC ¶ 155, shows that
`
`Shopify, Inc. made a choice to direct acts towards California. Similarly, Plaintiffs’ allegation that
`
`Shopify’s “terms of service obligate it to ‘take all reasonable steps’ to protect the disclosure of
`
`confidential information, including “names, addresses and other information regarding customers
`
`and prospective customers,” FAC ¶ 77, is based on Plaintiff’s concession that the only reason
`
`Shopify had any interaction with Plaintiffs is because “Ledger used Shopify’s services,” id. ¶ 76
`
`(emphasis added). Cf. SKAPA Holdings LLC v. Seitz, 2021 WL 672091, at *5 (D. Ariz. 2021)
`
`(When assessing specific jurisdiction, “the analysis must be [restricted to] the defendant’s ‘own
`
`contacts’ with the forum.”) (quoting Walden v. Fiore, 571 U.S. 277, 289 (2014)). Ledger’s acts
`
`cannot be imported to Shopify for jurisdictional purposes.
`
`Second, Plaintiffs contend that personal jurisdiction lies over Shopify Inc. because
`
`“substantial events leading up to the breach at issue have occurred in California.” FAC ¶ 26.
`
`Plaintiffs refer to additional facts contained in declarations asserting jurisdictional facts to
`
`elaborate that “Shopify, Inc. provided access to Plaintiffs’ information to TaskUs, Inc., located in
`
`9
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 10 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`California, and that conduct led directly to the breaches harming Plaintiff Seirafi and other class
`
`members in California.” Opposition at 18 (citing Docket No. 56-1 (“McIntomny Decl.”) ¶ 11).
`
`Plaintiffs further contend that “Shopify, Inc. permitted the customer data—the disclosure/loss of
`
`which gives rise to the liability—to be accessible to and accessed by at least one culpable
`
`individual who was indicted in federal court in California. Id. (citing Docket No. 67-1
`
`(“Economides Decl.”), Exh. 10); FAC ¶ 81.
`
`Plaintiffs, however, misrepresent the content of the declarations and complaint, and fail to
`
`support their assertion that Shopify, Inc. engaged in activity in California leading up to and during
`
`the breach. The McIntomny Declaration, prepared by a Senior Clerk at Shopify, Inc., explains that
`
`Shopify, Inc. did not contract with TaskUs to process user data, but rather, Shopify International
`
`Limited, a separate entity based in Dublin, Ireland, did so. McIntomny Decl. ¶ 11. Furthermore,
`
`there is no evidence in the declaration or elsewhere that Shopify Inc. (or any other entity)
`
`“reposited [Plaintiffs’] data in California,” Opposition at 19, or “provided access to” that data in
`
`California, id. at 18. Cf. McIntomny Decl. ¶ 11. Rather, Jennifer Routledge, Senior Lead for
`
`Vendor Partnerships for Shopify, Inc. declares, “TaskUs, Inc. contracted with Shopify
`
`International Limited to provide all of its services, including services involving any Shopify Inc.
`
`data, and to remotely access any data necessary for provision of those services, only from sites
`
`outside of the United States.” Docket No. 70-1 (“Routledge Decl.”) ¶ 2 (emphasis added).
`
`Shopify, Inc.’s supplemental declarations reject Plaintiffs’ assertion that it was “a California
`
`company that then implemented the breach,” Opposition 19, and state that the breach was
`
`accomplished by independent contractors of TaskUs located in the Philippines. See McIntomny
`
`Decl. ¶¶ 11-12. And although TaskUs has a California address, Shopify Inc. included a copy of
`
`the agreement through which Shopify International Limited (headquartered in Dublin, Ireland)
`
`contracted for services to be performed by TaskUs, which states that "The Services will be
`
`provided in the Territory of the Philippines and at the following Site: 17th Floor, 24-7 McKinley
`
`Building, 24th St. 7th Ave, BGC, Taguig City, Philippines." Docket No. 54-6 at 29. Properly
`
`characterized and contextualized by the undisputed facts contained in these declarations, none of
`
`Plaintiffs’ contentions are sufficient for Plaintiffs to meet their burden to show that Shopify, Inc.
`
`10
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 11 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`“purposefully directed” any acts towards California.
`
`Moreover, Plaintiffs’ allegation at FAC ¶ 81 does not in fact allege that “Shopify Inc.
`
`permitted the customer data … to be accessible to and accessed” by anyone in California, but
`
`rather that a California man “paid an employee of a Shopify vendor to provide him with Shopify’s
`
`merchant data.” FAC ¶ 81; see also Economides Decl., Exh 10 (Indictment in United States v.
`
`Heinrich, 8:21-cr-22-JLS (C.D. Cal. 2021), Docket No. 16). Indeed, as Plaintiffs’ allegation
`
`concedes and the criminal indictment confirms (consistent with Shopify’s declaration), the
`
`California-based defendant was not an employee of Shopify’s or even TaskUs; his connection to
`
`the data breach is that he corresponded over the internet and solicited “a Philippines-based
`
`employee of a third-party contractor who provided customer support services for the Victim
`
`Company” to steal data. United States v. Heinrich, 8:21-cr-22-JLS (C.D. Cal. 2021), Docket No.
`
`16 at 2; see also id. at 3-13. The fact that a resident of California was indicted on allegations that
`
`he paid other individuals to steal data from Shopify Inc. in the Philippines does not show that
`
`Shopify Inc. purposefully directed acts at California.
`
`Finally, Plaintiffs argue that Shopify, Inc. purposefully directed activity towards California
`
`by omission: “Shopify, Inc. failed to warn Plaintiff Seirafi and Class Members in California about
`
`the breach, and those acts of concealment caused additional harm as those individuals were left
`
`vulnerable to hackers who had obtained the data that Ledger was supposed to protect.” Opposition
`
`at 18. This theory, too, fails to provide a basis to conclude that Shopify, Inc. purposefully directed
`
`its activity towards California. Any alleged decision to communicate—or not to communicate—
`
`with individuals affected by the data breach would presumably have been made by Shopify, Inc. at
`
`its principal place of business in Ottawa, Canada. There are no facts alleged that Shopify, Inc.
`
`made its decision regarding notification in California or that it specifically targeted California in
`
`its decision not to provide communications about the breach, nor do any facts presented by
`
`Plaintiffs suggest that California-residents were uniquely harmed or entitled to a warning about the
`
`breach more than anyone else affected by the breach residing in any other jurisdiction. See Caces-
`
`Tiamson, 2020 WL 1322889, at *3 (“Ms. Caces-Tiamson cannot establish even a prima facie case
`
`of specific jurisdiction because, as Equifax argues, ‘any and all actions which Equifax did or
`
`11
`
`Northern District of California
`
`United States District Court
`
`
`
`Case 3:21-cv-02470-EMC Document 77 Filed 11/08/21 Page 12 of 22
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`allegedly did not take with respect to its data security systems’ would presumably have occurred
`
`in Georgia, where Equifax has its principal place of business. The fact that Ms. Caces-Tiamson
`
`suffered injury in California (i.e., where she resides) as a result of Equifax's actions or omissions is
`
`not enough to support specific jurisdiction.”) (internal citations omitted).
`
`Thus, because Plaintiffs fail to show (1) that the Shopify, Inc. “purposefully directed” their
`
`activities towards California, and (2) that their claims “arise out of” Shopify’s forum-related
`
`activities demonstrate, the Court concludes that it lacks specific jurisdiction over Shopify Inc (and,
`
`correspondingly, over Shopify USA, see supra n.2). Accordingly, the Shopify Defendants are
`
`dismissed from this action.
`
`2.
`
`The Court Lacks Specific Jurisdiction Over Ledger
`
`a.
`
`Ledger Did Not Purposefully Direct Its Activities Towards California
`
`As noted above, a defendant “purposefully direct[s]” [its] activities at the forum if [it]: (1)
`
`committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the
`
`defendant knows is likely to be suffered in the forum state.” Picot, 780 F.3d at 1214 (internal
`
`quotations and citation omitted). Ledger concedes it committed an “intentional act” by offering
`
`hardware wallets for sale on its internationally accessible website, including to customers in
`
`California. Docket No. 58 (“Ledger MTD”) at 8; see Loomis v. Slendertone Distribution, Inc.,
`
`420 F. Supp. 3d 1046, 1068 (S.D. Cal. 2019). However, Plaintiffs fail to demonstrate the second
`
`two prongs of the purposeful direction test: they neither show that Ledger “expressly aimed” it
`
`activities at California, nor that Ledger caused harm it knew was likely to be suffered in
`
`California.
`
`b.
`
`Ledger Did Not Expressly Aim Activity At California
`
`First, Plaintiffs do not adequately allege that Ledger “expressly aimed” any acts at
`
`California. Plaintiffs allege that “[t]his Court” has personal jurisdiction over Ledger “because it
`
`solicits customers, including Plaintiffs and Class members, in the Un