Full opinion text
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT ADOBE SYSTEMS INC.’S MOTION TO DISMISS LUCY H. KOH, United States District Judge In this consolidated litigation, Plaintiffs Christian Duke (“Duke”), Joseph Kar (“Kar”), Christina Halpain (“Halpain”), Jacob McHenry (“McHenry”), Anne McGlynn (“McGlynn”), and Marcel Page (“Page”), individually and on behalf of those similarly situated (collectively, “Plaintiffs”) bring claims against Defendant Adobe Systems, Inc. (“Adobe”) arising out of an intrusion into Adobe’s computer network in 2018 and the resulting data breach. Consol. Compl. (“Compl.”) ECF No. 39. Pending before the Court is Adobe’s Motion to Dismiss, in which Adobe seeks dismissal of all of Plaintiffs’ claims. (“Mot.”) ECF No. 45. Plaintiffs have filed an Opposition, (“Opp’n”) ECF No. 47, and Adobe has filed a Reply, (“Reply”) ECF No. 50. Having considered the submissions of the parties and the relevant law, the Court hereby GRANTS IN PART and DENIES IN PART Adobe’s Motion to Dismiss. I. BACKGROUND A. Factual Allegations Except where indicated, the facts in this section are taken from Plaintiffs’ Complaint and accepted as true for the purposes of this Motion. 1. Adobe’s Products and Services Adobe is a multinational software company that sells and licenses printing, publishing, multimedia, and graphics software. Compl. ¶ 17. Adobe sells a wide range of products, including Photoshop (a widely-used digital, imaging program) and Cold-Fusion (used by web developers to build websites and Internet applications). Id. ¶ 19. Adobe’s products and services are available in two forms. Some Adobe software, such as ColdFusion, is sold through licenses, where customers pay a single licensing fee to use the software. Id. Other Adobe products are available through Adobe’s subscription-based “Creative Cloud,” where customers pay a monthly fee to use Adobe’s products and services. Id. Adobe collects a variety of customer information. Customers of licensed-based products must register their products, which requires customers to provide Adobe with their e-mail addresses and create a username and password for Adobe’s website. Id. Some of these customers purchased their licenses online from Adobe directly, and thus also provided Adobe with their credit card numbers and expiration dates, as well as other billing information. E.g. id. ¶¶ 19, 78, 96. Creative Cloud customers are required to keep an active credit card on file with Adobe, which is charged automatically according to the customer’s subscription plan. Id. ¶ 19. In addition, some Creative Cloud customers store their files and work products in Adobe’s “cloud.” E.g., id. ¶ 84. As a result of the popularity of Adobe’s products, Adobe has collected personal information in the form of names, e-mail and mailing addresses, telephone numbers, passwords, credit card numbers and expiration dates from millions of customers. Id. ¶¶ 22, 50-55. All customers of Adobe products, including Creative Cloud subscribers, are required to accept Adobe’s End-User License Agreements (“EULA”) or General Terms of Use. Id. ¶ 29. Both incorporate Adobe’s Privacy Policy, which provides in relevant part: “[Adobe] provide[s] reasonable administrative, technical, and physical security controls to protect your information. However, despite our efforts, no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information.” (“Agreement”) ECF No. 46-2 at 4. Adobe’s Safe Harbor Privacy Policy, which supplements Adobe’s Privacy Policy, similarly provides that “Adobe ... uses reasonable physical, electronic, and administrative safeguards to protect your personal information from loss; misuse; or unauthorized access, disclosure, alteration, or destruction.” Compl. ¶ 32. Adobe makes similar representations regarding its security practices on its websites. Id. ¶¶ 33-39. 2. The 2013 Data Breach In July 2013, hackers gained unauthorized access to Adobe’s servers. Id. ¶ 48. The hackers spent several weeks inside Adobe’s network without being detected. Id. By August 2013, the hackers reached the databases containing customers’ personal information, as well as the source code repositories for Adobe products. Id. The hackers then spent up to several weeks removing customer data and Adobe source code from Adobe’s network, all while remaining undetected. Id. The data breach did not come to light until September, when independent security researchers discovered stolen Adobe source code on the Internet. Id. ¶ 49. Adobe announced the data breach on October 3, 2013. Id. ¶ 50. Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mail addresses. Id. ¶¶ 50-52. Adobe confirmed that the hackers copied the source code for a number of its products, including ColdFusion. Id. ¶53. Adobe subsequently disclosed that the hackers were able to use Adobe’s systems to decrypt customers’ credit card numbers, which had been stored in an encrypted form. Id. ¶ 57. The Court will refer to this sequence of events as the “2013 data breach.” Following the 2013 data breach, researchers concluded that Adobe’s security practices were deeply flawed and did not conform to industry standards. Id. ¶ 59. For example, though customers’ passwords had been stored in encrypted form, independent security researchers analyzing the stolen passwords discovered that Adobe’s encryption scheme was poorly implemented, such that the researchers were able to decrypt a substantial portion of the stolen passwords in short order. Id. ¶ 63. Adobe similarly failed to employ intrusion detection systems, properly segment its network, or implement user or network level system controls. Id. ¶ 62. As a result of the 2013 data breach, Adobe offered its customers one year of free credit monitoring services and advised customers to monitor their accounts and credit reports for fraud and theft. Id. ¶¶ 54, 56. 3. The Plaintiffs Plaintiffs are customers of Adobe licensed products or Creative Cloud subscribers who provided Adobe with their personal information. Plaintiffs Kar and Page purchased licensed products directly from Adobe and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 77-78, 95-96. Plaintiff McHenry purchased an Adobe licensed product, and provided Adobe with a username and password. Id. ¶¶ 98-99. Plaintiffs Duke, Halpain, and McGlynn subscribed to Adobe’s products, and provided Adobe with their names, email addresses, credit card numbers, other billing information, and other personal information. Id. ¶¶ 74-75, 83-84, 90. Plaintiffs Duke, Kar, Halpain, and McGlynn are California citizens and residents. Id. ¶¶ 10-12, 14. Adobe informed all Plaintiffs that their personal information had been- compromised as a result of the 2013 data breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. Following the 2013 data breach, Plaintiffs Kar and Halpain purchased additional credit monitoring services. Id. ¶¶ 81, 86. B. Procedural History The seven cases underlying this consolidated action were filed in this Court between November 2013 and January 2014. See ECF No. 1; Case No. 13-CV-5611, ECF No. 1; Case No. 13-CV-5596, ECF No. 1; Case No. 13-CV-5930, ECF No. 1; Case No. 14-CV-14, ECF No. 1; Case No. 14-CV-30, ECF No. 1; Case No. 14-CV-157, ECF No. 1. The Court related the individual eases in December 2013 and January 2014, ECF Nos. 19, 22, 26, and consolidated them on March 13, 2014, ECF No. 34. Plaintiffs filed their Consolidated Complaint on April 4, 2014. ECF No. 39. Adobe filed its Motion to Dismiss on May 21, 2014, ECF No. 45, with an accompanying Request for Judicial Notice, (“Def. May 21 RJN”) ECF No. 46. Plaintiffs filed their Opposition on June 11, 2014, ECF No. 47, with an accompanying Request for Judicial Notice, (“PI. RJN”) ECF No. 48. Adobe filed its Reply on July 2, 2014, ECF No. 50, along with a second Request for Judicial Notice, (“Def. July 2 RJN”) ECF No. 51. II. LEGAL STANDARDS A. Rule 12(b)(1) A defendant may move to dismiss an action for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1). A motion to dismiss for lack of subject matter jurisdiction will be granted if the complaint on its face fails to allege facts sufficient to establish subject matter jurisdiction. See Savage v. Glendale Union High Sch., 343 F.3d 1036, 1039 n. 2 (9th Cir.2003). If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83, 101-02, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998). In considering a Rule 12(b)(1) motion, the Court “is not restricted to the face of the pleadings, but may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction.” McCarthy v. United States, 850 F.2d 558, 560 (9th Cir.1988). Once a party has moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party bears the burden of establishing the court’s jurisdiction, see Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1122 (9th Cir.2010), by putting forth “the manner and degree of evidence required” by whatever stage of the litigation the case has reached, Lujan v. Defenders of Wildlife, 504 U.S. 555, 561, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992); see also Barnum Timber Co. v. Envtl. Prot. Agency, 633 F.3d 894, 899 (9th Cir.2011) (at the motion to dismiss stage, Article III standing is adequately demonstrated through allegations of “specific facts plausibly explaining” why the standing requirements are met). B. Rule 8(a) Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6). The Supreme Court has held that Rule 8(a) requires a plaintiff to plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). “The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (internal quotation marks omitted). For purposes of ruling on a Rule 12(b)(6) motion, a court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir.2008). However, the Court need not accept as true allegations contradicted by judicially noticeable facts, Shwarz v. United States, 234 F.3d 428, 435 (9th Cir.2000), and the “[C]ourt may look beyond the plaintiffs complaint to matters of public record” without converting the Rule 12(b)(6) motion into one for summary judgment, Shaw v. Hahn, 56 F.3d 1128, 1129 n. 1 (9th Cir.1995). Nor is the Court required to “‘assume the truth of legal conclusions merely because they are cast in the form of factual allegations.’ ” Fayer v. Vaughn, 649 F.3d 1061, 1064 (9th Cir.2011) (per curiam) (quoting W. Mining Council v. Watt, 643 F.2d 618, 624 (9th Cir.1981)). Mere “conclusory allegations of law and unwarranted inferences are insufficient to defeat a motion to dismiss.” Adams v. Johnson, 355 F.3d 1179, 1183 (9th Cir.2004); accord Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. Furthermore, plaintiffs may plead themselves out of court if they “plead facts which establish that [they] cannot prevail on [their] ... claim.” Weisbuch v. Cnty. of L.A., 119 F.3d 778, 783 n. 1 (9th Cir.1997) (internal quotation marks and citation omitted). C. Rule 9(b) Claims sounding in fraud or mistake are subject to the heightened pleading requirements of Federal Rule of Civil Procedure 9(b), which requires that a plaintiff alleging fraud “must state with particularity the circumstances constituting fraud.” Fed. R. Civ. P. 9(b); see Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir.2009). To satisfy Rule 9(b)’s heightened standard, the allegations must be “specific enough to give defendants notice of the particular misconduct which is alleged to constitute the fraud charged so that they can defend against the charge and not just deny that they have done anything wrong.” Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir.1985). Thus, claims sounding in fraud must allege “an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations.” Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir.2007) (per curiam) (internal quotation marks omitted). “The plaintiff must set forth what is false or misleading about a statement, and why it is false.” In re Glenfed, Inc. Sec. Litig., 42 F.3d 1541, 1548 (9th Cir.1994) (en banc), superseded by statute on other grounds as stated in Ronconi v. Larkin, 253 F.3d 423, 429 n. 6 (9th Cir.2001). D. Leave to Amend If the Court determines that the complaint should be dismissed, it must then decide whether to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “should be freely granted when justice so requires,” bearing in mind that “the underlying purpose of Rule 15 ... [is] to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir.2000) (en banc) (internal quotation marks omitted). Nonetheless, a court “may exercise its discretion to deny leave to amend due to 'undue delay, bad faith or dilatory motive on part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party ..., [and] futility of amendment.’ ” Carvalho v. Equifax Info. Servs., LLC, 629 F.3d 876, 892-93 (9th Cir.2010) (alterations in original) (quoting Foman v. Davis, 371 U.S. 178, 182, 83 S.Ct. 227, 9 L.Ed.2d 222 (1962)). III. DISCUSSION Plaintiffs assert four causes of action in their Complaint. Adobe seeks dismissal of all four claims. The.Court will address each claim and Adobe’s corresponding objections in turn. ■ A. Customer Records Act Claim Plaintiffs’ first cause of action is for injunctive relief on behalf of the California Plaintiffs for violations of Sections 1798.81.5 and 1798.82 of the California Civil Code (“CRA”). The CRA provides in relevant part that: A business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5(b). Section 1798.82, for its part, requires businesses to “disclose any breach of the security of the system following discovery or notification of the breach ... in the most expedient time possible and without unreasonable delay.” Cal. Civ. Code § 1798.82(a). Plaintiffs allege that Adobe did not and does not maintain “reasonable security practices” to protect customer data, in violation of Section 1798.81.5 of the CRA, and did not promptly notify customers following the 2013 data breach, in violation of Section 1798.82 of the CRA. Compl. ¶¶ 112-113. Plaintiffs request injunctive relief pursuant to Section 1798.84(e) of the CRA, which provides that “[a]ny business that violates, proposes to violate, of has violated this title may be enjoined.” Plaintiffs also base their request for relief on the “unlawful” prong of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq., which allows plaintiffs to “borrow” violations of other laws and treat them as unlawful competition that is independently actionable. Cel-Tech Common’s, Inc. v. L.A. Cellular Tel. Co., 20 Cal.4th 163, 180, 83 Cal.Rptr.2d 548, 973 P.2d 527 (1999). Adobe argues that Plaintiffs do not allege injury-in-fact resulting from Adobe’s alleged violation of the CRA and thus do not have Article III standing to bring their CRA claim. Mot. at 6-7. For the same reasons, Adobe contends that Plaintiffs .do not have statutory standing under Section 1798.84(e), which also requires a showing of injury. Id. As a result, Adobe contends that Plaintiffs’ CRA claim must be dismissed for lack of jurisdiction. The Court addresses both contentions in turn, beginning, as it must, with Article III standing. 1. Article III Standing To have Article III standing, a plaintiff must plead and prove that she has suffered sufficient injury to satisfy the “ease or controversy” requirement of Article III of the United States Constitution. See Clapper v. Amnesty Int’l USA, — U.S. -, 133 S.Ct. 1138, 1146, 185 L.Ed.2d 264 (2013) (“ ‘One element of the case-or-controversy requirement’ is that plaintiffs ‘must establish that they have standing to sue.’ ” (quoting Raines v. Byrd, 521 U.S. 811, 818, 117 S.Ct. 2312, 138 L.Ed.2d 849 (1997))). To satisfy Article III standing, a plaintiff must therefore allege: (1) injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury is re-dressable by a favorable ruling. Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149, 130 S.Ct. 2743, 177 L.Ed.2d 461 (2010); Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). “The party invoking federal jurisdiction bears the burden of establishing these elements ... with the manner and degree of evidence required at the successive stages of the litigation.” Lujan, 504 U.S. at 561, 112 S.Ct. 2130. In a class action, named plaintiffs representing a class “must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong and which they purport to represent.” Worth v. Seldin, 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975). “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.” O’Shea v. Littleton, 414 U.S. 488, 494, 94 S.Ct. 669, 38 L.Ed.2d 674 (1974). In the instant case, Plaintiffs allege that they have all suffered at least one of three types of cognizable injuries-in-fact: (1) increased risk of future harm; (2) cost to mitigate the risk of future harm; and/or (3) loss of the value of their Adobe products. Opp’n at 7-11. The Court begins by assessing the adequacy Plaintiffs’ alleged injuries. The Court will then address Adobe’s argument that even if Plaintiffs have Article III standing to bring a claim based on Adobe’s alleged violation of Section 1798.81.5 (the “reasonable” security measures provision), Plaintiffs do not have standing to bring a claim based on Adobe’s alleged violation of Section 1798.82 (the notification provision), because Plaintiffs do not allege that they suffered any particular injury stemming from Adobe’s failure to reasonably notify Plaintiffs of the 2013 data breach. Mot. at 7. a. Increased Risk of Harm Plaintiffs claim that they are all at increased risk of future harm as a result of the 2013 data breach. Opp’n at 7. Adobe counters that such “increased risk” is not a cognizable injury for Article III standing purposes. Mot. at 10. The Ninth Circuit addressed Article III standing in the context of stolen personal information in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.2010). In Krottner, a thief stole a laptop from Starbucks containing the unencrypted names, addresses, and social security numbers of roughly 97,000 Starbucks employees. Id. at 1140. Some of the affected employees subsequently sued Starbucks for negligence and breach of implied contract. Id. Starbucks argued that the employees did not have standing because there was no indication that any of the employees’ personal information had been misused or that the employees had suffered any economic loss as a result of the theft. Id. at 1141-42. The Ninth Circuit disagreed, holding instead that “the possibility of future injury may be sufficient to confer standing” where the plaintiff is “immediately in danger of sustaining some direct injury as the result of the challenged conduct.” Id. at 1142 (alteration omitted) (internal quotation marks omitted). As to the specific facts before it, the Ninth Circuit held that the Starbucks employees alleged “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” Id. at 1143. Based on this “credible threat of real and immediate harm,” the Ninth Circuit found that the employees “sufficiently alleged an injury-in-fact for purposes of Article III standing.” Id. Adobe does not dispute that Krottner is directly on point. See Mot. at 11; Reply at 3. However, Adobe contends that subsequent Supreme Court authority forecloses the approach the Ninth Circuit took to standing in Krottner. Reply at 3. Specifically, Adobe claims that the Supreme Court’s decision in Clapper v. Amnesty International USA expressly rejected “[a]negations of possible future injury” as a basis for Article III standing, requiring instead that a “threatened injury [] be certainly impending to constitute injury in fact.” Mot. at 10 (citing Clapper, 133 S.Ct. at 1147). Adobe argues that following Clapper district courts in data breach cases regularly conclude that increased risk of future harm is insufficient to confer Article III standing under the “certainly impending” standard. Id. (citing In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig. (“SAIC ”), 45 F.Supp.3d 14, 2014 WL 1858458 (D.D.C. May 9, 2014); Strautins v. Trustwave Holdings, Inc., 27 F.Supp.3d 871, 2014 WL 960816 (N.D.Ill. Mar. 12, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646 (S.D.Ohio 2014); Polanco v. Omnicell, Inc., 988 F.Supp.2d 451 (D.N.J.2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D.Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D.Cal. Mar. 26, 2013)). Adobe claims that the only ease to hold otherwise, In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D.Cal.2014), has been “relegated to a ‘but see ’ reference.” Mot. at 11 (citing SAIC, 45 F.Supp.3d at 28, 2014 WL 1858458, at *8). Adobe encourages this Court to conclude that Clapper implicitly overruled Krottner and to join the district courts that have rejected the “increased risk of harm” theory of standing in Clapper's wake. Id. at 10-11. For the following reasons, the Court declines to do so. Clapper addressed a challenge to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. § 1881a. 133 S.Ct. at 1142. Respondents were U.S.-based attorneys, human rights, labor, legal, and media organizations who alleged that their work required them to communicate with • individuals outside the United States who were likely to be targets of surveillance under Section 702. Id. at 1145. The respondents asserted injury based on “an objectively reasonable likelihood that their communications [would] be acquired [under FISA] at some point in the future.” Id. at 1146. As an initial matter, thé Supreme Court held that the “objectively reasonable likelihood” standard was inconsistent with precedent requiring that “threatened injury must be certainly impending to constitute injury in fact.” Id. at 1147 (emphasis added) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158, 110 S.Ct. 1717, 109 L.Ed.2d 135 (1990)). The Supreme Court emphasized that “allegations of possible future injury are not sufficient.” Id. (internal quotation marks omitted). Turning to the respondents’ theory of injury, the Supreme Court found that it was both too speculative to constitute “certainly impending” injury and too attenuated to be “fairly traceable” to Section 702. Id. at 1147-48. As the Supreme Court noted, the respondents did not allege that any of their communications had actually been intercepted, or even that the Government sought to target them directly. Id. at 1148. Rather, the respondents’ argument rested on the “highly speculative fear” that: (1) the Government will decide to target the communications of non-U.S. persons with whom they communicate; (2) in doing so, the Government will choose to invoke its authority under [Section 702] rather than utilizing another method of surveillance; (3) the Article III judges who serve on the Foreign Intelligence Surveillance Court will conclude that the Government’s proposed surveillance procedures satisfy [Section 702]’s many safeguards and are consistent with the Fourth Amendment; (4) the Government will succeed in intercepting the communications of respondents’ contacts; and (5) respondents will be parties to the particular communications that the Government intercepts Id. The Supreme Court held that this “highly attenuated” chain of possibilities did not result in a “certainly impending” injury. Id. The Court observed that the first three steps of the chain depended on the independent choices of the Government and the Foreign Intelligence Surveillance Court, yet the respondents could only speculate as to what decision those third parties would take at each step. Id. at 1149-50 (“[W]e have been reluctant to endorse standing theories that require guesswork as to how independent decision-makers will exercise their judgment....”). Moreover, respondents could not show with any certainty that their communications with the foreign persons allegedly under surveillance would be intercepted. Id. As a result, the overall chain of inferences was “too speculative” to constitute a cognizable injury. Id. at 1143. The Supreme Court acknowledged that its precedents “do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about” in order to have standing. Id. at 1150 n. 5 (emphasis added). Rather, in some cases, the Supreme Court has found standing “based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Id. (citing Monsanto, 561- U.S. at 153-54, 130 S.Ct. 2743; Pennell v. City of San Jose, 485 U.S. 1, 8, 108 S.Ct. 849, 99 L.Ed.2d 1 (1988); Blum v. Yaretsky, 457 U.S. 991, 1000-01, 102 S.Ct. 2777, 73 L.Ed.2d 534 (1982); Babbitt v. Farm Workers, 442 U.S. 289, 298, 99 S.Ct. 2301, 60 L.Ed.2d 895 (1979)). The Supreme Court declined to overrule that line of cases. However, the Court concluded in Clapper that “to the extent that the ‘substantial risk’ standard is relevant and is distinct from the ‘clearly impending’ requirement, respondents fall short of even that standard, in light of the attenuated chain of inferences necessary to find harm here.” Id. Clapper did not change the law governing Article III standing. The Supreme Court did not overrule any precedent, nor did it reformulate the familiar standing requirements of injury-in-fact, causation, and redressability. Accord Sony, 996 F.Supp.2d at 961 (“[T]he Supreme Court’s decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court’s decision overrule previous precedent_”). Clapper merely held that the Second Circuit had strayed from these well-established standing principles by accepting a too-speculative theory of future injury. See 133 S.Ct. at 1146 (characterizing the Second Circuit’s view of standing as “novel”). In the absence of any indication in Clapper that the Supreme Court intended a wide-reaching revision to existing standing doctrine, the Court is reluctant to conclude that Clapper represents the sea change that Adobe suggests. Moreover, Clapper’s discussion of standing arose in the sensitive context of a claim that other branches of government were violating the Constitution, and the U.S. Supreme Court itself noted that its standing analysis was unusually rigorous as a result. Id. at 1147 (“Our standing inquiry has been especially rigorous when reaching the merits of the dispute would force us to decide whether an action taken by one of the other two branches of the Federal Government was unconstitutional.” (alteration omitted) (internal quotation marks omitted)). “[District courts should consider themselves bound by [ ] intervening higher authority and reject the prior opinion of [the Ninth Circuit] as having been effectively overruled” only when the intervening higher authority is “clearly irreconcilable with [the] prior circuit authority.” Miller v. Gammie, 335 F.3d 889, 900 (9th Cir.2003) (en banc). The Court does not find that Krottner and Clapper are clearly irreconcilable. Krottner did use somewhat different phrases to describe the degree of imminence a plaintiff must allege in order to have standing based on a threat of injury, ie., “immediate[ ][ ] danger of sustaining some direct injury,” and a “credible threat of real and immediate harm.” 628 F.3d at 1142-43. On the other hand, Clapper described the harm as “certainly impending.” 133 S.Ct. at 1147. However, this difference in wording is not substantial. At the least, the Court finds that Krottner’s phrasing is closer to Clapper’s “certainly impending” language than it is to the Second Circuit’s “objective reasonable likelihood” standard that the Supreme Court reversed in Clapper. Given that Krottner described the imminence standard in terms similar to those used in Clapper, and in light of the fact that nothing in Clapper reveals an intent to alter established standing principles, the Court cannot conclude that Krottner has been effectively overruled. In any event, even if Krottner is no longer good law, the threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper. Unlike in Clapper, where respondents’ claim that they would suffer future harm rested on a chain of events that was both “highly attenuated” and “highly speculative,” 133 S.Ct. at 1148, the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real. Plaintiffs allege that the hackers deliberately targeted Adobe’s servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates. Compl. ¶¶ 48, 50. Plaintiffs’ personal information was among the information taken during the breach. Id. ¶¶ 76, 80, 85, 92, 97, 100. , Thus, in contrast to Clapper, where there was no evidence that any of respondents’ communications either had been or would be monitored under Section 702, see 133 S.Ct. at 1148, here there is no need to speculate as to whether Plaintiffs’ information has been stolen and what information was taken. Neither is there any need to speculate as to whether the hackers intend to misuse the personal information stolen in the 2013 data breach or whether they will be able to do so. Not only did the hackers deliberately target Adobe’s servers, but Plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. Compl. ¶ 57. Some of the stolen data has already surfaced on the Internet, and other hackers have allegedly misused it to discover vulnerabilities in Adobe’s products. Id. ¶¶ 49, 70. Given this, the danger that Plaintiffs’ stolen data will be subject to misuse can plausibly be described as “certainly impending.” Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be “literally certain” in order to constitute injury-in-fact. Clapper, 133 S.Ct. at 1150 n.- 5; see also, e.g., Monsanto, 561 U.S. at 153-54, 130 S.Ct. 2743 (finding that a “substantial risk of gene flow” from genetically engineered alfalfa crops to non-genetically engineered alfalfa crops was sufficient to confer Article III standing). The cases Adobe cites in which district courts have relied on Clapper to dismiss data breach cases on standing grounds are factually distinct from the present case. In SAIC, the case on which Adobe most heavily relies,, a thief broke into a car in San Antonio, Texas and stole the car’s GPS and stereo, as well as encrypted backup data tapes containing personal medical information for over four million U.S. military members and their families. 45 F.Supp.3d at 20-21, 2014 WL 1858458, at *2. As the SAIC court found, the thief would need to have recognized the data tapes for what they were, obtained specialized equipment to read the tapes, broken the encryption protecting the data on the tapes, and then obtained specialized software to read the data, all before being in any position to misuse the data. Id. at 24-25, at *6. Such a chain of possibilities, the SAIC court held, was as attenuated as the chain the Supreme Court rejected in Clapper, especially given the more likely possibility that the thief had simply sold the GPS and stereo and discarded the data tapes “in a landfill somewhere in Texas.” Id. The facts of SAIC stand in sharp contrast to those alleged here, where hackers targeted Adobe’s servers in order to steal customer data, at least some of that data has been successfully decrypted, and some of the information stolen in the 2013 data breach has already surfaced on websites used by hackers. Adobe’s other authorities are similarly distinct. The thief in Polanco also stole a laptop out of a car. 988 F.Supp.2d at 456. Again, there was no allegation that the thief targeted the laptop for the data contained therein, and the plaintiff “essentially concede[d]” that she had not alleged “any misuse of her [personal information] or [] that she [wa]s now at an increased risk for the misuse of her information in the future based on the theft of the laptop.” Id. at 467. In both Strautins and Barnes & Noble, it was unclear if the plaintiffs’ information had been taken at all. 27 F.Supp.3d at 879-81, 2014 WL 960816, at *6-7; 2013 WL 4759588, at *4. Finally, in Yunker, the plaintiff did not allege that he had provided any sensitive information (such as a credit card number or a social security number) or that anyone had breached the defendant’s servers. 2013 WL 1282980, at *5. The case with facts closest to those at issue here is Galaria. In that case, hackers obtained a variety of personal information, though not credit card information, from the servers of an insurance company. Galaria, 998 F.Supp.2d at 649-50, 2014 WL 689703, at *1. The court declined to find standing based on increased risk of future harm, reasoning that whether plaintiffs would be harmed depended on the decision of the unknown hackers, who may or may not attempt to misuse the stolen information. Id. at *6. The Court finds this reasoning unpersuasive — after all, why would hackers target and steal personal customer data if not to misuse it?— and declines to follow it. Regardless, Ga-lana’s reasoning lacks force here, where Plaintiffs allege that some of the stolen data has already been misused. See Compl. ¶¶49, 70. In sum, the Court finds that Plaintiffs’ allegations of a concrete and imminent threat of future harm suffice to establish Article III injury-in-fact at the pleadings stage under both Krottner and Clapper. b. Cost to Mitigate In addition, Plaintiffs allege that Plaintiffs Halpain and Kar have standing based on the reasonable costs they incurred to mitigate the increased risk of harm resulting from the 2013 data breach. Opp’n at 10; see Compl. ¶¶ 80-81, 86-87 (alleging that Halpain and Kar paid for data monitoring services). The Supreme Court held in Clapper that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” 133 S.Ct. at 1151. In so holding, the Supreme Court rejected the Clapper respondents’ argument that they had standing because they had taken on costly and burdensome measures to protect the confidentiality of their communications. Id. Even where the fear of harm was not “fanciful, paranoid, or otherwise unreasonable,” the Supreme Court noted, plaintiffs cannot secure a lower standard for standing “simply by making an expenditure based on [that] fear.” Id. As this last quote indicates, the Supreme Court’s primary concern was that the Article III standing standard would be “water[ed] down” if a plaintiff who otherwise lacked standing could manufacture an injury-in-fact “for the price of a plane ticket.” Id. (internal quotation marks omitted); accord SAIC, 45 F.Supp.3d at 26, 2014 WL 1858458, at *7 (“Put another way, the [Supreme] Court has held that plaintiffs cannot create standing by ‘inflicting harm on themselves’ to ward off an otherwise speculative injury.” (quoting Clapper, 133 S.Ct. at 1151)). Therefore, in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent. As the Court has found that all Plaintiffs adequately alleged that they face a certainly impending future harm from the theft of their personal data, see supra Part III.A.l.a, the Court finds that the costs Plaintiffs Halpain and Kar incurred to mitigate this future harm constitute an additional injury-in-fact. For the foregoing reasons, the Court finds that Plaintiffs have plausibly alleged that the substantial risk of harm Plaintiffs face following the 2013 data breach constitutes a cognizable injury-in-fact. The costs Plaintiffs Halpain and Kar incurred to mitigate this risk of harm constitute an additional cognizable injury. The Court further finds that Plaintiffs plausibly allege both that these injuries are “fairly traceable” to Adobe’s alleged failure to maintain “reasonable” security measures in violation of Section 1798.81.5 and that the relief sought would redress these injuries. The Court therefore concludes that Plaintiffs have adequately pleaded that they have Article III standing to, bring a CRA claim for violations of Section 1798.81.5. c. Section 1798.82 Adobe argues that even if Plaintiffs have adequately alleged injury-in-fact stemming from Adobe’s alleged failure to implement reasonable security measures, Plaintiffs have not alleged any injury traceable to Adobe’s alleged failure to reasonably notify customers of, the 2013 data breach in violation of Section 1798.82, because Plaintiffs do not allege that they suffered any incremental harm as a result of the delay. Mot. at 7. The Court agrees that Plaintiffs do not allege any harm resulting from the delay in their Complaint, and Plaintiffs do not address this argument in their Opposition except to argue that they have statutory (as opposed to Article III) standing to bring a Section 1798.82 claim. See Opp’n at 11. Article Ill’s standing requirements are mandatory and separate from any statutory standing requirements. Article III standing is also claim- and relief-specific, such that a plaintiff must establish Article III standing for each of her claims and for each form of relief sought. See Daimler Chrysler Corp. v. Cuno, 547 U.S. 332, 352 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006) (“[O]ur standing cases confirm that a plaintiff must demonstrate standing for each claim he seeks to press.”); id. (“We have insisted ... that a plaintiff must demonstrate standing separately for each form of relief sought.” (internal quotation marks omitted)). Plaintiffs’ claim that Adobe failed to reasonably notify its customers of the 2013 data breach is distinct from Plaintiffs’ claim that Adobe failed to maintain reasonable data security measures — in that the claims arise under different statutory provisions and challenge different Adobe conduct — and Plaintiffs seek different injunctive relief to remedy each violation. Compare Compl. ¶ 116 (seeking injunction ordering Adobe to implement various security measures), with id. ¶ 117 (seeking injunction ordering Adobe to notify customers affected by the 2013 data breach who have not yet received notice that their data was stolen). Thus, the Court concludes that Plaintiffs must separately establish Article III standing under Section 1798.82. However, by failing to allege any injury resulting from a failure to provide reasonable notification of the 2013 data breach, Plaintiffs have not plausibly alleged that they have standing to pursue a Section 1798.82 claim. Accordingly, the Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ Section 1798.82 claim for lacking of Article III standing. Because Plaintiffs may be able to cure this deficiency in an amended complaint, this dismissal is without prejudice. 2. Statutory Standing The CRA also contains a statutory standing requirement. Section 1798.84, the remedies provision of the CRA, provides that “[a]ny customer injured by a violation of this title may institute a civil action to recover damages,” Cal. Civ. Code § 1798.84(b), and the California Court of Appeal has held that this injury requirement applies “regardless of the remedies [a plaintiff] seek[s],” Boorstein v. CBS Interactive, Inc., 222 Cal.App.4th 456, 466-67, 165 Cal.Rptr.3d 669 (2013); accord Murray v. Time Inc., 554 FedAppx. 654, 655 (9th Cir.2014). Therefore, where a plaintiff fails to allege a cognizable injury, the plaintiff “lacks statutory standing” to bring a claim under Section 1798.84, “regardless of whether [the] allegations are sufficient to state a violation of the [statute].” Boorstein, 222 Cal.App.4th at 467, 165 Cal.Rptr.3d 669 (internal quotation marks omitted). Although Section 1798.84 does not define what qualifies as an injury under the statute, other courts in the Ninth Circuit have found that an injury that satisfies Article Ill’s injury-in-fact standard suffices to establish statutory injury under the CRA. See, e.g., Miller v. Hearst Commc’ns, Inc., No. 12-733, 2012 WL 3205241, at *6 (C.D.Cal. Aug. 3, 2012); Boorstein v. Men’s Journal LLC, No 12-771, 2012 WL 2152815, at *3-4 (C.D. Cal. June 14, 2012). As Adobe does not contend, and as the Court has no reason to believe, that the CRA’s statutory standing requirements are more stringent than Article' Ill’s, the Court finds that Plaintiffs’ allegátions of injury-in-fact satisfy the CRA’s statutory standing requirement for the same reasons these allegations satisfy Article III. See supra Part III.A.1. In summary, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.81.5. The Court GRANTS Adobe’s Motion to Dismiss Plaintiffs’ CRA claim for violations of Section 1798.82 without prejudice. B. Declaratory Relief Plaintiffs’ second cause of action is for declaratory relief on behalf of all Plaintiffs. Compl. ¶¶ 118-124. As a preliminary matter, the parties disagree over whether the federal Declaratory Judgment Act, 28 U.S.C. § 2201, applies, as Adobe contends, or if the California Declaratory Relief Act, Cal. Civ. Proc. Code § 1060, applies, as Plaintiffs contend. Compare Reply at 5 n.4, with Opp’n at 14. The Court finds that the federal Declaratory Judgment Act governs in this case. Although district courts in the Ninth Circuit have at times applied the California Declaratory Relief Act when sitting in diversity, see Valley Forge Ins. Co. v. APL Co. Pte. Ltd., No. 09-9328, 2010 WL 960341, at *4 n. 5 (C.D.Cal. Mar. 16, 2010) (citing cases), other district courts apply the federal Act, see, e.g., DeFeo v. Procter & Gamble Co., 831 F.Supp. 776, 779 (N.D.Cal.1993) (“The propriety of granting declaratory relief in federal court is a procedural matter.... Therefore, the Declaratory Judgment Act is implicated even in diversity cases ..,” (citations omitted)). For its part, the Ninth Circuit has indicated, although not explicitly held, that the federal Declaratory Judgment Act should apply. In Golden Eagle Insurance Co. v. Travelers Cos., 103 F.3d 750, 753 (9th Cir.1996), overruled on other grounds by Gov’t Emps. Ins. Co. v. Dizol, 133 F.3d 1220 (1998) (en banc), the Ninth Circuit stated that although “[t]he complaint [plaintiff] filed in state court was for declaratory relief under California’s declaratory relief statute,” “[w]hen [defendant] removed the case to federal court, based on diversity of citizenship, the claim remained one for declaratory relief, but the question whether to exercise federal jurisdiction to resolve the controversy became a procedural question of federal law.” Finally, the U.S. Supreme Court has emphasized the procedural nature of the Declaratory Judgment Act, which further supports the conclusion that the federal Act applies. See Skelly Oil Co. v. Phillips Petroleum Co., 339 U.S. 667, 671, 70 S.Ct. 876, 94 L.Ed. 1194 (1950) (“ ‘[T]he operation of the Declaratory Judgment Act is procedural only.’” (quoting Aetna Life Ins. Co. v. Haworth, 300 U.S. 227, 240, 57 S.Ct. 461, 81 L.Ed. 617 (1937))). The Court will therefore consider Plaintiffs’ declaratory relief claim under the federal Declaratory Judgment Act. In any event, as Plaintiffs acknowledge, whether the state or federal statute applies makes little difference as a practical matter, as the two statutes are broadly equivalent. See Opp’n at 14. The federal Declaratory Judgment Act provides that “[i]n a case of actual controversy within its jurisdiction ... any court of the United States ... may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought.” 28 U.S.C. § 2201(a). To fall within the Act’s ambit, the “case of actual controversy” must be “ ‘definite and concrete, touching the legal relations of parties having adverse legal interests,’ ... ‘real and substantial’ and ‘admi[t] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.’ ” MedImmune, Inc. v. Genentech, Inc., 549 U.S. 118, 127, 127 S.Ct. 764, 166 L.Ed.2d 604 (2007) (alteration in original) (quoting Aetna Life, 300 U.S. at 240-241, 57 S.Ct. 461). Plaintiffs seek a declaration that: (a) Adobe fails to fulfill its existing contractual obligation to provide reasonable security measures; and (b) to comply with its contractual obligations, Adobe must implement specified additional security measures. Compl. ¶ 124. Adobe moves to dismiss Plaintiffs declaratory relief claim on three grounds. First, Adobe asserts that Plaintiffs have not suffered an injury-in-fact and therefore lack standing. Mot. at 13. Second, Adobe contends that what Plaintiffs actually seek is an impermissible advisory opinion that lays the foundation for future litigation, rather than adjudication of an actual controversy between the parties. Id. at 13-14. Third, Adobe argues that Plaintiffs’ declaratory relief claim is actually a breach of contract claim in disguise, and that the claim fails because Plaintiffs have failed to plead all the elements of a breach of contract claim. Id. at 15. The Court addresses each contention in turn. 1. Article III Standing Adobe first claims that, just as the California Plaintiffs fail to allege injury-in-fact for purposes of their CRA claim, the California Plaintiffs fail to allege a cognizable injury-in-fact for purposes of declaratory relief. Mot. at 13; see also Dizol, 133 F.3d at 1222-23 (“A lawsuit seeking federal declaratory relief must first present an actual case or controversy within the meaning of Article III, section 2 of the United States Constitution.... It must also fulfill statutory jurisdictional prerequisites.” (citation omitted)). In addition, Adobe claims that the non-California Plaintiffs do not allege any injury whatsoever. Mot. at 13. Adobe argues that therefore none of the Plaintiffs alleges injury-in-fact that is fairly traceable to Adobe’s failure to abide by its contractual obligations. Id. The Court finds that Plaintiffs have adequately pleaded that they have Article III standing to bring a claim for declaratory relief. First, as discussed above, the Court finds that all Plaintiffs have plausibly alleged that they face a substantial, “certainly impending” risk of harm from the 2013 data breach. See supra Part III.A. l.a. This alleged injury is fairly traceable to Adobe’s failure to abide by its contractual obligation to provide “reasonable ... security controls,” Agreement at 4, and will plausibly be redressed by the declaratory relief Plaintiffs seek. Accordingly, the Court declines to dismiss Plaintiffs’ declaratory relief claim for lack of Article III standing. 2. Presence of an Actionable Dispute Adobe next seeks dismissal of Plaintiffs’ declaratory relief claim on the ground that Plaintiffs do not fulfill the Declaratory Judgment Act’s statutory jurisdictional requirements. Adobe contends that there is no actionable dispute over whether Adobe is in breach of its contractual obligation to provide “reasonable _ security controls,” given that the Agreement expressly provides that no security measure is “100%” effective and that “Adobe cannot ensure or warrant the security of your personal information.” Mot. at 14. Adobe further contends that Plaintiffs do not allege that a declaration of rights is necessary at this time. Id. Adobe asserts that Plaintiffs’ claim is consequently unripe, and is instead a request for an impermissible advisory opinion. Id. Adobe contends that what Plaintiffs actually seek is an advantage for future litigation by obtaining an “advance ruling.” Id. A claim for relief under the Declaratory Judgment Act requires a dispute that is: (1) “definite and concrete, touching the legal relations of parties having adverse legal interests”; (2) “real and substantial”; and (3) “admit[ting] of specific relief through a decree of a conclusive character, as distinguished from an opinion advising what the law would be upon a hypothetical state of facts.” MedImmune, 549 U.S. at 127, 127 S.Ct. 764 (internal quotation marks omitted). The Supreme Court has admitted that “not ... the brightest of lines” separates cases that satisfy the statutory jurisdictional requirements and those that do not. Id. The central question, however, is whether “ ‘the facts alleged, under all the circumstances, show that there is a substantial controversy, between parties having adverse legal interests, of sufficient immediacy and reality to warrant the issuance of a declaratory judgment.’ ” Id. (quoting Md. Cas. Co. v. Pac. Coal & Oil Co., 312 U.S. 270, 273, 61 S.Ct. 510, 85 L.Ed. 826 (1941)). The Court finds that Plaintiffs have adequately alleged the existence of an actionable dispute for purposes of the Declaratory Judgment Act. Plaintiffs have plausibly alleged the existence of a “definite and concrete” dispute over the meaning and the scope of Adobe’s contractual obligation to provide “reasonable” security measures. See Compl. ¶¶ 120-123. According to the Complaint, although “Adobe maintains that its security measures were adequate and remain adequate,” there were in fact a number of standard industry practices that Adobe failed to follow. Id. ¶¶ 62, 123-124. Although Adobe contends that there can be no actionable dispute concerning the adequacy of Adobe’s security controls because the Agreement expressly provides that no security measure is “100%” effective, Mot. at 14, this disclaimer does not reheve Adobe of the responsibility (also contained in the Agreement) to provide “reasonable” security, see Agreement at 4; Compl. ¶ 120. The remaining jurisdictional prerequisites for a declaratory relief claim are met here as well. The dispute over the reasonableness of Adobe’s security controls touches on the parties’ legal relations, and the parties’ legal interests are adverse. See MedImmune, 549 U.S. at 127, 127 S.Ct. 764. Plaintiffs plausibly allege that they face a substantial risk of future harm if Adobe’s security shortcomings are not redressed, making this dispute sufficiently real and immediate, and the dispute underlying Plaintiffs’ declaratory relief claim concerns Adobe’s current security practices, rather than a hypothetical set of acts or omissions. See id. Adobe contends that Plaintiffs seek an impermissible advisory opinion, claiming that Plaintiffs admit that declaratory relief is necessary “only so that users ... who suffer identity theft ... will not have to individually re-litigate the technical issue of Adobe’s security obligations.” Mot. at 14 (emphasis removed) (citing Compl. ¶ 5). Adobe is correct that declaratory relief claims brought solely for the purpose of gaining an advantage for future litigation are impermissible. See Calderon v. Ashmus, 523 U.S. 740, 747, 118 S.Ct. 1694, 140 L.Ed.2d 970 (1998). However, Plaintiffs are not seeking an advance ruling on whether Adobe’s security practices in 2013 were reasonable at that time. Rather, the dispute is over Adobe’s current practices. Compl. ¶ 124 (“Plaintiffs ... seek a declaration [ ] that Adobe’s existing security measures do not comply with its contractual obligations-” (emphasis added)). Thus, the Court finds that Plaintiffs’ declaratory relief claim does not merely seek an advisory opinion for use in future breach of contract actions. The Court concludes that Plaintiffs have plausibly alleged that they satisfy the statutory jurisdictional requirements for obtaining declaratory relief. Adobe is not entitled to dismissal of Plaintiffs’ claim on •this basis. 3. Breach of Contract Claim in “Disguise” Adobe’s third and final challenge to Plaintiffs’ declaratory relief claim is that Plaintiffs are “seeking a declaration that Adobe has breached its contractual obligations” without having alleged all the elements of a breach of contract claim. Mot. at 15. Relying on Gamble v. GMAC Mortgage Corp., No. 08-5532, 2009 WL 400359 (N.D.Cal. Feb. 18, 2009), and Household Financial Services, Inc. v. Northern Trade Mortgage Corp., No. 99-2840, 1999 WL 782072 (N.D.Ill. Sept. 27, 1999), Adobe contends that Plaintiffs’ claim therefore falls outside the scope of the Declaratory Judgment Act. Id. Adobe miseharacterizes Plaintiffs’ declaratory relief claim. In both Gamble and Household Financial, the plaintiffs sought a judicial decree stating that the defendants had breached their contractual obligations. Gamble, 2009 WL 400359, at *2 (“[P]laintiffs want the court to issue a declaratory judgment declaring that defendants breached the forbearance agreements”); Household Fin., 1999 WL 782072, at *3 (“Plaintiff does not request the court to clarify the parties’ rights under the loan purchase agreement. Rather, plaintiff requests a judicial declaration that defendant breached the agreement.”). That is not what Plaintiffs seek here. As discussed above, Plaintiffs seek a declaration clarifying Adobe’s ongoing contractual obligation to provide reasonable security. Opp’n at 15; Compl. ¶ 124 (“Plaintiffs ... seek a declaration [ ] that Adobe’s existing security measures do not comply with its contractual obligations .... ” (emphasis added)). Plaintiffs’ claim thus requests precisely the type of relief that the Declaratory Judgment Act is supposed to provide: a declaration that will prevent future harm from ongoing and future violations before the harm occurs. See, e.g. Minn. Min. & Mfg. Co. v. Norton Co., 929 F.2d 670, 673 (Fed.Cir.1991) (“In promulgating the Declaratory Judgment Act, Congress intended to prevent avoidable damages from being incurred by a person uncertain of his rights and threatened with damage by delayed adjudication.”). As the Court finds that Plaintiffs are not seeking a declaration that Adobe was in breach of a contract at the time of the 2013 data breach, the Court concludes that Plaintiffs are not required to plead the elements of a breach of contract claim. The Court therefore declines to dismiss Plaintiffs’ declaratory relief claim on this basis. For the foregoing reasons, the Court finds that Plaintiffs have plausibly pleaded that they fulfill both Article Ill’s standing requirements and the statutory jurisdictional requirements of the Declaratory Judgment Act. The Court also finds that Plaintiffs have plausibly stated a claim for declaratory relief. Accordingly, the Court DENIES Adobe’s Motion to Dismiss Plaintiffs’ declaratory relief claim. C. UCL Injunction Claim Plaintiffs’ third cause of action is for injunctive relief under the UCL on behalf of all Plaintiffs (“UCL injunction claim”). See Compl. ¶¶ 125-132. The UCL creates a cause of action for business practices that are: (1) unlawful, (2) unfair^ or (3) fraudulent. Cal. Bus. & Prof. Code § 17200 et seq. The UCL’s coverage is “sweeping,” and its standard for wrongful business conduct is “intentionally broad.” In re First Alliance Mortg. Co., 471 F.3d 977, 995 (9th Cir.2006) (internal quotation marks omitted). Each prong of the UCL provides a separate and distinct theory of liability. Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir.2007). To assert a UCL claim, a private plaintiff must have “suffered injury in fact and ... lost money or property as a result of the unfair competition.” Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir.2010) (quoting Cal. Bus. & Prof. Code § 17204). Plaintiffs assert claims under both the “unfair” and “unlawful” prongs of the UCL. Compl. ¶ 126. Adobe seeks dismissal of Plaintiffs’ UCL injunction claim on three grounds. First, Adobe contends that Plaintiffs lack standing to bring this claim. Mot at 16. Second, Adobe contends that Plaintiffs imper-missibly seek a contract remedy without bringing a breach of contract claim. Id. Finally, Adobe contends that Plaintiffs have failed to allege any conduct that is unfair or unlawful within the meaning of the UCL. Id. The Court addresses each of Adobe’s contentions below. 1. Standing Adobe argues that, just as with Plaintiffs’ CRA and declaratory relief claims, Plaintiffs lack Article III standing to bring their UCL injunction claim because no Plaintiff has suffered an injury-in-fact. Id. For the same reason, Adobe contends that Plaintiffs lack statutory standing to bring a claim under the UCL. Id. The Court finds that Plaintiffs have Article III standing to bring their UCL injunction claim for the same reasons that Plaintiffs have Article III standing to bring their CRA and declaratory relief claims. See supra Part III.A.l; Part III.B.l. Adobe further argues that Plaintiffs lack statutory standing under the UCL. Mot. at 16. In order to establish standing for a UCL claim, plaintiffs must show they personally lost money or property “as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204; Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 330, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011). “There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter i