Negligence – Data breach – Standing – Curis Solution

U.S. District Court

Where a putative class action has been brought over a data breach, the complaint should not be dismissed for lack of standing, as the plaintiffs have plausibly shown injury in fact and they meet the requirements of Article III causation.

“LastPass sells encrypted digital ‘vaults’ in which customers can store personal information. LastPass claims no one other than the customer — not even LastPass — has access to a vault’s decrypted contents. In August 2022, a third party hacked into a LastPass employee’s home computer, accessed LastPass’s development environment, and acquired a copy of customers’ encrypted vault files. The hacker also exfiltrated customers’ account information and metadata, which were not encrypted. Plaintiffs are LastPass customers whose data was compromised during the data breach. They bring this putative class action against LastPass and its former parent company, GoTo Technologies USA, Inc., alleging twenty-two causes of action. Defendants move to dismiss all counts under Rule 12(b)(1) for lack of standing, and under Rule 12(b)(6) for failure to state a claim. …

“Defendants contend Plaintiffs have not alleged a sufficient ‘injury in fact’ to support standing. Alternatively, they argue that they did not cause any cognizable ‘injury in fact’ the Plaintiffs suffered. …

“… First, parties agree the data breach resulted from a deliberate attack on LastPass’s development environment. Second, Plaintiffs plausibly allege actual and attempted misuse of their compromised data, including theft from online wallets, fraudulent credit card charges, unauthorized applications for loans and credit cards, sale of information on the ‘dark web,’ and increased phishing attempts and spam messages. Finally, at least some stolen data was highly sensitive. Vaults contained Plaintiffs’ Social Security numbers, driver’s license numbers, and login credentials to banking and financial accounts. The vaults also housed unencrypted copies of Plaintiffs’ names, billing addresses, email addresses, and other metadata. Plaintiffs have plausibly shown they face a real and imminent threat of misuse of their data, so their lost time constitutes injury in fact. …

“… Plaintiffs claim Defendants’ lack of internal cybersecurity protocols enabled a hacker to obtain an employee’s credentials, access LastPass’s internal development environment, and exfiltrate both encrypted vault files and unencrypted account information and metadata. They also allege Defendants’ substandard password-encryption algorithms allowed bad actors then to easily use ‘brute force’ to decrypt Plaintiffs’ vaults. Finally, Plaintiffs assert Defendants delayed notifying them of the breach’s full scope, stymying Plaintiffs’ ability to mitigate the data breach’s harm effectively and increasing their exposure. Plaintiffs have shown an ‘obvious temporal connection’ between the data breach and actual misuse of some of their data. … Moreover, they have plausibly alleged third parties obtained their sensitive information from the data breach and not from elsewhere. … As a result, the Court denies the motion to dismiss for lack of standing. …

“… Neither the consolidated complaint nor Plaintiffs’ brief argues GoTo should be vicariously liable for LastPass’s conduct. As a result, the motion to dismiss is allowed as to all claims against GoTo. …

“… LastPass argues Plaintiffs have not demonstrated proximate cause, and alternatively, that the economic loss doctrine precludes Plaintiffs’ recovery in tort. The Court addresses the economic loss doctrine first.

“… Plaintiffs allege economic injuries. Thus, unless an exception applies, the economic loss doctrine bars their negligence claim.

“Plaintiffs counter that the duties at issue are independently ‘imposed by several state and federal laws’ such as the FTC Act and the Massachusetts Data Security statute (‘Chapter 93H’). … But these statutes do not establish a duty cognizable in negligence. … Plaintiffs also have not shown a special or fiduciary relationship exists that would give rise to negligence claims not barred by the economic loss doctrine. Thus, LastPass’s motion to dismiss is allowed as to Plaintiffs’ negligence and negligence per se claims (Count I). …

“Plaintiffs claim LastPass negligently misrepresented the quality of its data security. … LastPass responds that Federal Rule of Civil Procedure 9(b)’s heightened pleading standard applies, and Plaintiffs fail to meet it. Alternatively, LastPass argues the merger clause in its ‘terms of service’ precludes recovery for negligent misrepresentation. …

“… Regardless of whether Rule 9(b) applies, Plaintiffs have alleged enough to state a plausible claim. …

“As a result, the motion to dismiss is denied as to Debt Cleanse’s negligent misrepresentation claim against LastPass but is otherwise allowed (Count II). …

“Plaintiffs allege LastPass violated implied contractual duties to safeguard their data. All Plaintiffs (paying and nonpaying) agreed to the ‘terms of service,’ which require LastPass to provide ‘appropriate’ safeguards for Plaintiffs’ sensitive information. LastPass does not dispute that it is bound by those terms. … The motion to dismiss is allowed as to Plaintiffs’ breach of implied contract claim (Count IV). …

“Plaintiffs allege LastPass breached a fiduciary duty to maintain their personal information securely by failing to prevent the data breach. …

“Plaintiffs have not plausibly alleged a fiduciary relationship with LastPass. …

“… Thus, the motion to dismiss is allowed as to the fiduciary duty claim (Count V). …

“Next, Plaintiffs allege LastPass breached the implied covenant of good faith and fair dealing by providing inadequate cybersecurity, failing to timely and adequately notify Plaintiffs, and continuing to collect subscription fees after it discovered the breach. …

“Plaintiffs have alleged LastPass acted with a ‘lack of good faith’ by waiting four months to provide fulsome notice of the data breach. … Thus, the motion to dismiss is denied as to Plaintiffs’ good-faith-and-fair-dealing claim (Count VI). …

“For the reasons stated above, Defendants’ motion to dismiss (Dkt. 92) is allowed as to all claims against GoTo. The motion to dismiss is allowed as to Plaintiffs’ claims against LastPass for negligence (Count I), breach of implied contract (Count IV), breach of fiduciary duty (Count V), unjust enrichment (Count VII), declaratory relief (Count VIII), and violations of the Arizona Consumer Fraud Act (Count XI), Illinois Deceptive Trade Practices Act (Count XIX), New York General Business Law (Count XX), Oklahoma Consumer Protection Act (Count XXI), and Pennsylvania Unfair Trade Practices and Consumer Protection Law (Count XXII). The motion to dismiss is denied as to Plaintiffs’ claims against LastPass, for breach of contract (Count III), breach of the covenant of good faith and fair dealing (Count VI), and violations of Chapter 93A (Counts IX & X), California Customer Records Act (Count XIV), California Consumer Privacy Act (Count XV), Illinois Personal Information Protection Act (Count XVII), and Illinois Consumer Fraud and Deceptive Business Practices Act (Count XVIII). With respect to Plaintiffs’ claim against LastPass for negligent misrepresentation (Count II), the motion to dismiss is denied as to Debt Cleanse but allowed as to other Plaintiffs. With respect to Plaintiffs’ claims against LastPass under the California Unfair Competition Law (Count XII), California Consumer Legal Remedies Act (Count XIII), and Florida Deceptive and Unfair Trade Practices Act (Count XVI), the motion to dismiss is allowed as to allegations of fraudulent misrepresentations, but otherwise is denied.”

In Re LastPass Data Security Incident Litigation (Lawyers Weekly No. 02-358-24) (41 pages) (Saris, J.) (Civil Action No. 22-12047) (July 30, 2024).
