[BreachExchange] Framing Unfair And Deceptive Trade Practices Claims In Data-Breach Lawsuits

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 15 21:50:35 EDT 2018


We wrote last year about an interesting data-breach lawsuit in federal
court in Chicago involving internet-connected toys. The case, called In re
VTech Data Breach Litigation, arose after hackers stole personal
information that parents supplied when they registered for online accounts
with the toy manufacturer, called VTech Electronics.

The plaintiffs, we noted, overcame a standing challenge by VTech by
alleging a novel theory of injury. Rather than focusing, as many
data-breach plaintiffs do, on the risk of future identity theft caused by
the data breach, they alleged they “overpaid” for the toys and the
accompanying online services because VTech failed to use reasonable
data-security measures.

That argument was good enough to establish an “injury in fact” and get the
plaintiffs over Article III’s standing hurdle. But the court still
dismissed their complaint under Rule 12(b)(6). It found that the plaintiffs
could not make out a breach of contract claim because they could not show
that the price they paid for the toys included a payment for data security.

The plaintiffs then filed a new, amended complaint. That amended complaint
included a claim under Illinois’s Consumer Fraud and Deceptive Business
Practices Act (the “ICFA”).

VTech again moved to dismiss under Rule 12(b)(6).

This post examines how the court handled that motion; we’ll call the new
decision VTech II. As we’ll see, the decision teaches an important lesson
on the framing of unfair and deceptive trade practices claims when the
claim concerns a data breach.

The ICFA: Unfairness vs. Deception

The ICFA extends to two broad categories of conduct: deception and
unfairness.  The pleading standards for each category, however, are

When an ICFA claim relies on deceptive conduct, the plaintiff must allege
the deceptive conduct with particularity. In federal court, a
deception-based ICFA claim must satisfy the heightened pleading standard of
Federal Rule of Civil Procedure 9(b).

ICFA claims that allege “unfair” conduct, by contrast, need only satisfy
the relaxed pleading standards of Rule 8.

Here the plaintiffs’ ICFA claim alleged that VTech’s failure to protect
their personal information from the hackers was both unfair and deceptive.

So which pleading standard applied to those allegations?

Show me the details

VTech argued that Rule 9(b)’s heightened pleading standard applied to all
of the plaintiffs’ ICFA allegations.

Those allegations, VTech observed, all asserted that VTech engaged in
misrepresentations, omissions, and fraudulent conduct when it sold products
and services without providing reasonable data security. Although the
plaintiffs also characterized that conduct as “unfair,” they alleged no
separate conduct to support their unfairness claim.

And as for their deception claim, the plaintiffs, said VTech, failed to
plead that claim with the requisite particularity. Although the plaintiffs
had generally alleged that VTech promised reasonable data security, they
failed to identify specific misrepresentations that they read and relied on
when they purchased VTech’s products.

Lies, damned lies, and unfairness

The plaintiffs had two arguments in response.

First, they countered that their deception allegations satisfied Rule 9(b)
because they identified specific misrepresentations and omissions on the
products’ packaging.

Second, the plaintiffs argued that they had properly pleaded a separate
unfairness claim under the ICFA. To that end, they argued that VTech’s
failure to provide reasonable data security violated two independent duties:

- an ethical duty to safeguard its customers’ personal information; and
- a statutory duty under a federal law called the Children’s Online Privacy
Protection Act.

Two ICFA theories cannot occupy the same space at the same time

The court sided with VTech.

The court first concluded that Rule 9(b) applied to all of the plaintiffs’
ICFA allegations. The ICFA claims, explained the court, were primarily
based on VTech’s alleged misrepresentations that its toys were safe and
secure—and a corresponding failure to disclose that they were not in fact
safe. The conduct alleged to be “unfair”—disregarding ethical and statutory
duties to protect customers’ information—completely overlapped with the
allegedly deceptive conduct.

Thus, reasoned the court, the plaintiffs could not make out a separate
unfairness claim to avoid Rule 9(b)’s heightened pleading standard:
“plaintiffs cannot rely on the same conduct to establish separate unfair
and deceptive theories under the ICFA.”

Having concluded that Rule 9(b) applied to the ICFA claim, the court went
on to find that the plaintiffs had failed to meet that rule’s demanding
standards. The amended complaint, explained the court, failed to identify
any specific misrepresentation that the plaintiffs relied on or any omitted
facts that VTech should have included to avoid a misrepresentation.

The court therefore dismissed the ICFA claim.

Lessons for Litigants

VTech II reinforces a key point we’ve discussed before: properly framing an
unfair and deceptive trade practices claim can make the difference between
survival and dismissal.

In particular, when the law requires plaintiffs to allege a
misrepresentation-based claim with particularity (as with the ICFA and its
North Carolina counterpart section 75-1.1), data-breach plaintiffs must
carefully consider whether they’ve got the goods to meet that standard
before alleging deceptive conduct.

When they don’t, data-breach defendants like VTech can use a failed
deception claim to sink any related unfairness claim.