[BreachExchange] MyFitnessPal Data Breach Lawsuit Sent to Arbitration

Destry Winant destry at riskbasedsecurity.com
Fri Mar 1 03:41:21 EST 2019


Many consumers have become painfully aware of the risks that data
breaches pose in a digital world. And now, their legal claims may not
be ultimately decided by a judge or jury but sent off to arbitration.

Earlier this month, a federal judge in California did just that and
sent a proposed class action data breach case to arbitration. U.S.
District Judge Fernando M. Olguin held that the plaintiff had “clearly
and unmistakably delegated the arbitrability issue to the arbitrator,”
and granted a motion to compel arbitration filed by defendant Under
Armour Inc. The lawsuit alleges that Under Armour failed to secure its
MyFitnessPal nutrition application against a data security breach.

In April 2018, the putative class action complaint was filed by a
MyFitnessPal user in California state court after Under Armour
disclosed – a month earlier – that “an unauthorized party acquired
data associated with MyFitnessPal user accounts” and that
“approximately 150 million user accounts were affected.”  According to
Under Armour, the compromised information included usernames, email
addresses, and hashed passwords.

At the time, commenters noted that the incident was then considered
one of the largest reported data security breaches in history.

MyFitnessPal is a smartphone application that allows users to track
their physical activity and diets. Under Armour, the American
sportswear company, acquired MyFitnessPal for approximately $475
million in 2015.

After removing the case to federal court, Under Armour sought to
compel arbitration, arguing that MyFitnessPal’s terms and conditions
not only required that plaintiff’s claims be arbitrated but that
plaintiff could only bring her claims on an individual basis. Under
Armour argued that the MyFitnessPal app required all users to accept
its terms and conditions before using it.

Judge Olguin observed that so-called “clickwrap” agreements, in which
online users click “OK,” “Accept,” or “Agree” to accept the terms of
an agreement, are generally sufficient to provide a user with notice
of the terms of an agreement. The court also held that the
incorporation of the American Arbitration Association Rules in the
MyFitnessPal app’s terms and conditions was sufficient to delegate the
question of whether plaintiff’s claims are arbitrable to an

This isn’t the first time a data breach case has been sent to
arbitration. In another case filed in California, a federal judge held
that a class action arising from the 2016 data breach involving Uber
Technologies Inc. must also go to arbitration. The court granted
Uber’s motion to compel arbitration in the class action suit brought
after the 2016 data breach, which affected 57 million Uber riders and
600,000 Uber drivers.

The case caption is Rebecca Elizabeth Murray v. Under Armour, et al.,
18-cv-4032 (FMO) (C.D. Cal.).

We will continue to monitor cases in this developing area.

More information about the BreachExchange mailing list