[BreachExchange] Defending Novel Theories In Data-Breach Litigation

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 18 19:26:57 EDT 2017


http://www.jdsupra.com/legalnews/defending-novel-theories-in-data-breach-64028/

The success of a data-breach lawsuit often turns on whether the plaintiff
has standing to sue. Showing actual injury can be especially hard when the
only alleged damage consists of a risk of future identity theft.

Data-breach plaintiffs are therefore looking for new avenues into the
courtroom. One of these avenues is an “overpayment” theory.

This theory rests on the premise that the price of a product or service
includes a payment for measures to protect the buyer’s personal
information. When a data breach compromises that information, the buyer
alleges that he or she has overpaid for the product or service because the
seller failed to provide the agreed-upon measures.

This theory has seen mixed success.

Courts have rejected the theory in cases that involve the purchase of
physical products, where privacy and data security factor only into the
processing of the buyer’s payment, rather than the product itself. Examples
include data-breach lawsuits against Chinese food restaurants, grocery
stores, and brick-and-mortar bookstores for failing to protect credit- and
debit-card information.

Courts have accepted the theory, however, in cases involving the purchase
of online services, such as paid subscriptions to social networks and
digital magazines. The purchases of these online offerings—unlike the
purchase of physical products—were governed by terms of service that
included explicit privacy and data security commitments.

A federal court in Chicago recently issued a decision that straddles these
two lines of cases. The case, In re VTech Data Breach Litigation, involved
physical products whose features included connectivity to an online service.

A Toy Story

VTech Electronics North America sold learning toys for young children.
These toys, which included tablet computers and other handheld electronics,
connected to VTech’s online application store, from which customers could
purchase and download games, books, music, and videos. Some toys could also
connect to an online service that enabled children to exchange text,
picture, and voice messages with their parents’ cellphones.

To access these services, customers had to register for online accounts
with VTech. Parents who registered provided personal information about
themselves and their children to VTech. Parents also had to agree to terms
and conditions that incorporated VTech’s privacy policy. In that policy,
VTech promised to protect personal information through certain
data-security measures.

In 2015, a hacker infiltrated VTech’s servers and downloaded the personal
information of over ten million adults and children. The
plaintiffs—purchasers of VTech’s toys who had also registered for the
online services—sued VTech and alleged that the hack resulted from VTech’s
failure to live up to its data security promises. Their complaint asserted
various claims, including one for breach of contract.

The plaintiffs alleged that their injuries consisted of an economic harm:
receiving a product worth less than the one for which they paid. According
to the plaintiffs, the “product” they paid for included the toys, the
online service, and the promised data-security measures.

You Only Get What You Pay For

VTech rejected that characterization of the transaction and moved to
dismiss for lack of standing and for failure to state a claim.

According to VTech, buyers participated in two transactions:

- a purchase transaction involving the plaintiffs’ payment for a standalone
  physical toy, and
- the plaintiffs’ registration for the online services, an optional but
  separate—and free—offering.

Because VTech had only made data-security promises in the second
transaction, VTech argued that the plaintiffs could not establish any
“overpayment” for the physical toys that would constitute an injury-in-fact
for Article III purposes.

For the same reason, VTech argued, the plaintiffs could not establish a key
element of their breach of contract claim, namely, that both parties
understood and intended that a portion of the purchase price for the toys
would be allocated to protecting personal information collected through the
online service.

Overpayment for Data Security can be an Injury-in-Fact

The court denied VTech’s arguments as to standing.

The court observed that economic injury can result “from being given a
different, less valuable product than the one that was promised and paid
for,” and that such an injury meets Article III’s injury-in-fact
requirement. By alleging such an injury—one consisting of overpayment for
VTech’s toys and the associated online services—the plaintiffs had
satisfied Article III’s injury-in-fact requirement.

The court also noted, however, that whether an injury-in-fact had been
sufficiently alleged was separate and distinct from whether the complaint
plausibly stated a claim that would entitle the plaintiffs to recover
damages.

But the Plaintiffs Didn’t Pay for Data Security

Turning to that question, the court acknowledged the parties’ disagreement
as to what the purchase contract included, but held that VTech had the
better of that argument. To that end, it agreed with VTech that “there is a
difference between selling a product that combines both a physical toy and
a service, and selling a physical toy whose features may be supplemented by
a separate service that VTech provided for free.”

The court then concluded that VTech had done the latter. To support that
conclusion, the court observed that the toys functioned without the online
services. In addition, the online-services terms did not suggest that the
plaintiffs “purchased” the online services, or that the parties intended to
incorporate those terms into the purchase contract for the toys.

The court thus held that the plaintiffs had failed to show that both
parties understood a portion of the purchase price for the toys would be
allocated to the protection of personal information submitted through the
online services.

The court concluded this failure was fatal to the plaintiffs’ breach of
contract claim, and granted VTech’s motion to dismiss.

Implications for the Data Breach Litigants

VTech contains some important lessons for data breach litigants.

First, it suggests that overpayment theories can succeed where other injury
theories have failed, provided that a plaintiff plausibly alleges some
connection between a purchased product or service itself and a defendant’s
data-security duties.

It also confirms, however, that claims premised on an overpayment theory of
damages remain vulnerable to challenge under Rule 12(b)(6). That’s
especially true if a defendant can show that terms of service that include
data-security promises are not part of a purchase transaction, but rather a
separate and distinct event for which it does not collect any payment at
all.