“Data Security” by Blogtreprenuer is licensed under CC BY 2.0.
Blythe McGregor, Associate Member, University of Cincinnati Law Review
Consumers purchase and use phone cases to protect their devices from wear, tear, and damage. When purchasing cases online, customers often provide personal information such as home addresses, phone numbers, email addresses, and financial information to a seller. Customers may not realize that, along with their cell phones, their personal information may also need protection.
In February 2020, customers of Slickwraps, Inc., a company specializing in skin-tight cases for tech accessories, became especially vulnerable to data theft.[1] When a hacker who had breached slickwraps.com emailed around 400,000 consumers “We have your data” from a corporate email address, these consumers were put on notice of the breach.[2] The email made it clear that the hacker did not intend to use the information for harm, but wanted to inform recipients that anyone could access the information and use it for any purpose.[3] Although these consumers were notified in an unusual way, corporate data breaches are not at all uncommon. As of January 2020, an estimated 7.9 billion records had been exposed since the beginning of 2019.[4] In a complaint filed on March 12, 2020, a handful of slickwraps.com users affected by the hack initiated a class action lawsuit against Slickwraps alleging that this breach, unlike many other corporate breaches, was wholly avoidable.[5]
Almeida et al. v. Slickwraps, Inc.
Three named plaintiffs filed a class action complaint in the Eastern District of California alleging a data breach that went beyond the typical case.[6] The breach affected about 858,000 customers, more than double the number notified of the breach by email by the aforementioned hacker. The information breached included the customers’ “names, physical addresses, phone numbers, purchase histories, and unique email addresses.”[7] The complaint also alleged that photos customers had uploaded to make a personalized phone case were released.[8] Slickwraps, the defendant, claimed that no passwords or payment information were compromised.[9] Plaintiffs allege that Slickwraps’ security policy was “woefully lax” and that the company was well aware of its insufficiency.[10] Not long before the breach, a cybersecurity analyst publicly announced that the analyst had been able to access customers’ personal information through the Slickwraps website.[11] The analyst described how, through the site’s phone case customization page, anyone was able to reach the company’s entire network and access all of its information.[12] The analyst also tried to alert Slickwraps directly by sending the company a direct message on Twitter and emailing the CEO, but the company allegedly ignored the warnings and took no action.[13]
Class members were Slickwraps customers whose data was exposed as a result of the breach.[14] The complaint proposed certification of either a class of all persons whose data was compromised, or a class of all people residing in California whose data was compromised.[15] The class action lawsuit seeks to hold Slickwraps liable for “inadequate safeguarding” of information and for failing to provide notice to customers that their information had been made vulnerable.[16] Specifically, plaintiffs assert claims of negligence, intrusion into private affairs, negligence per se, breach of express contract, breach of implied contract, and deprivation of rights under the California Unfair Competition Law and California Consumer Privacy Act.[17] The complaint alleges that Slickwraps knew or should have known of the importance of the personal data stored, and that in storing this information the company assumed a legal duty to keep the information secure.[18] Plaintiffs assert that even though Slickwraps knew of the breach for several days, it decided to inform the public only when it became afraid of liability for inaction.[19] Also, although the CEO eventually emailed a notification about the breach and an apology, there is no information on the website or elsewhere about the breach, leaving many affected customers unaware of the situation.[20] As to the negligence claim, plaintiffs claim that a duty to protect against a security breach was imposed by Federal Trade Commission cybersecurity guidelines, e-commerce industry standards, and California law.[21] This duty was allegedly breached by Slickwraps’ failure to implement reasonable security measures.[22]
Plaintiffs seek compensatory damages, reimbursement of out-of-pocket mitigation measures, such as credit monitoring fees, and injunctive relief in the form of Slickwraps’ implementation of security monitoring systems.[23] The complaint states that, in addition to the immediate loss of privacy suffered by plaintiffs, class members will suffer a heightened risk of fraud and identity theft for years to come.[24]
Recent Related Caselaw
Recent data breach cases raise issues of standing and of the ability to state a claim that bear on data privacy cases like Almeida. Specifically, data breach defendants often assert that plaintiffs have not suffered an injury in fact, as required to establish standing, and that defendants owe no duty of care, as required to successfully assert a claim for negligence. These recent cases may be instructive regarding the Almeida plaintiffs’ prospects of success on their claims. For example, the Ninth Circuit considered a similar case in 2018: In re Zappos.com, Inc.[25] Much like in Almeida, customers’ personal account data was compromised when a hacker infiltrated an online retailer’s website.[26] The district court dismissed certain plaintiffs’ claims for lack of standing, holding that plaintiffs whose information had yet to be used fraudulently had not suffered an injury in fact, as required for Article III standing.[27] Those plaintiffs appealed.[28] The Ninth Circuit concluded that the district court erred because a plaintiff has standing to sue if “there is a substantial risk that the harm will occur.”[29] Zappos was factually distinct from Almeida because the Zappos plaintiffs’ credit and debit card information was compromised.[30] The Ninth Circuit considered the sensitive nature of customers’ bank account data during its standing analysis.[31] The Ninth Circuit also expressed that when plaintiffs allege that the full extent of an injury resulting from a data breach may not be experienced until some time after the breach occurs, plaintiffs allege an injury in fact based on substantial risk even if such harm has yet to occur.[32]
More recently, the Northern District of California in Bass v. Facebook faced a similar set of facts when Facebook users sued the social networking website alleging their personal information was taken by hackers due to the company’s failure to implement adequate security procedures.[33] Specifically, hackers accessed and stole users’ “access tokens,” which allow a user to log into the website multiple times without reentering a username and password, giving the hackers access to a multitude of personal information stored within each user’s account.[34] The court concluded that the plaintiffs’ increased risk of identity theft satisfied Article III standing’s injury in fact requirement.[35] One roadblock to establishing standing in this case was one plaintiff’s failure to show that his injury in fact was fairly traceable to the data breach.[36] Facebook had not notified the plaintiff that he had been a victim of the breach, although the company had notified other victims, and the plaintiff was unable to show any plausible link to the breach.[37] The court made it clear that notification by the company, even where the company did notify other victims, is not essential to a plausible allegation.[38]
Importantly, the Bass court discussed the factors that must be present for California courts to find a duty of care exists to support a negligence action.[39] These factors include:
the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant’s conduct and the injury suffered, the moral blame attached to the defendant’s conduct, the policy of preventing future harm, the extent of the burden to the defendant and the consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.[40]
Analysis
It is likely that the Almeida complaint successfully states a claim and establishes standing. No clear injury has yet occurred, especially since the hacker made clear in his or her email that he or she would not use the information obtained for harm. However, the Bass court required only an increased risk of identity theft to establish injury in fact, whereas the Zappos court required a substantial risk that the injury will occur. The Almeida plaintiffs likely established that there is an increased risk of substantial harm. The hacker had access to personal information such as name, address, and phone number, thus increasing the likelihood that an identity theft crime will injure all members of the proposed class. Thus, under the Bass standard, plaintiffs likely established an injury in fact. If the higher Zappos standard is applied, it may be more difficult to prove injury in fact, although the standard likely would still be met. The Slickwraps hacker accessed a large amount of personal information, even if this personal information was not financially sensitive. Although some of this information may be publicly available, there is likely no evidence that all of this information was publicly available for the hundreds of thousands of customers affected. Also, personal photographs that customers had uploaded to the customization tool were compromised, many of which likely were not otherwise available to the public. Because of the sheer mass of customer information compromised, and the private nature of the information viewed as a whole, plaintiffs likely successfully established that a substantial harm will result from the breach.
It is also likely that plaintiffs will establish that Slickwraps had a duty to protect customers’ secure information. This is a unique case: a seemingly friendly “cybersecurity analyst” hacked the website and warned Slickwraps of vulnerabilities. This situation provides a very strong basis for finding that the data breach was wholly foreseeable to Slickwraps. Even if the analyst had not warned Slickwraps, any time that a company is storing personal information, a duty to protect sensitive information exists. This is evident in the Bass case, where Facebook’s use and storage of private information was evidence that plaintiff placed trust in the social network, thus giving rise to a duty to protect that information.[41] The complaint also alleges that a duty is established under the Federal Trade Commission Act, California Civil Code, and industry standards.[42]
Additionally, because of the clear notice given by the cybersecurity analyst and Slickwraps’ choice to continue business as usual, courts should impose additional liability and punitive damages. Data breaches are common, and hackers are becoming more advanced, making security procedures tougher to successfully implement.[43] When alerted to a weakness in security, ecommerce vendors should have an additional duty to make efforts to strengthen the current cybersecurity system immediately, and to notify consumers of the threat of breach so all involved can take protective action.
Conclusion
The Almeida facts provide a twist on a classic corporate data breach case by alleging strong evidence that Slickwraps knew or should have known about the vulnerability on its website. Situations like this may become more common as hacking ability and knowledge are used to detect cybercrime rather than commit it.[44] When the private, personal information of hundreds of thousands of consumers is compromised, each consumer is at higher risk of identity theft and an injury in fact is established. Additionally, when outside analysts or hackers identify vulnerabilities and bring them to a company’s attention, victims of a data breach can provide very convincing evidence of a neglected duty of care should the company fail to act. This should expose a company to increased liability for resulting harm.
[1] Ben Kochman, Phone Case Co. Sued After Hackers Say ‘We Have Your Data’, Law360 (March 13, 2020), https://www.law360.com/classaction/articles/1253070/phone-case-co-sued-after-hackers-say-we-have-your-data-.
[2] Id.
[3] Complaint, Almeida v. Slickwraps Inc., 2:20-at-00256 (E.D. Cal. March 12, 2020).
[4] All Data Breaches in 2019 & 2020 – An Alarming Timeline, Selfkey (March 5, 2020), https://selfkey.org/data-breaches-in-2019/.
[5] Complaint, supra note 3, at 1.
[6] Id. at 2.
[7] Id. at 3.
[8] Id. at 4.
[9] Igor Bonifacic, Vinyl Cover Maker Slickwraps Coughs Up Customer Info in Data Breach, Engadget (Feb. 21, 2020), https://www.engadget.com/2020/02/21/slickwraps-data-breach/.
[10] Complaint, supra note 3, at 3.
[11] Id.
[12] Id. at 4.
[13] Id.
[14] Id. at 35.
[15] Id.
[16] Id. at 8.
[17] Id.
[18] Id. at 21.
[19] Id. at 17.
[20] Id. at 18.
[21] Id. at 40.
[22] Id.
[23] Id. at 8.
[24] Id. at 9.
[25] In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018).
[26] Id. at 1023.
[27] Id. at 1024.
[28] Id.
[29] Id. at 1029.
[30] Id. at 1023.
[31] Id. at 1027.
[32] Id. at 1028-29.
[33] Bass v. Facebook, Inc., 394 F. Supp. 3d 1024 (N.D. Cal. 2019); see also Adkins v. Facebook, Inc., No. C 18-05982-WHA, 2019 WL 7212315 (N.D. Cal. Nov. 26, 2019).
[34] Bass, 394 F. Supp. 3d at 1029-30.
[35] Id. at 1035.
[36] Id.
[37] Id. at 1035-36.
[38] Id. at 1036.
[39] Id. at 1039.
[40] Id.
[41] Id.
[42] Complaint, supra note 3, at 40.
[43] Paul Rubens, Cybersecurity: Defending ‘Unpreventable’ Cyber Attacks, BBC (Feb. 3, 2015), https://www.bbc.com/news/business-31048811.
[44] Taylor Armerding, Hackers Needed to Defeat Hackers, Forbes (Sept. 5, 2019), https://www.forbes.com/sites/taylorarmerding/2019/09/05/hackers-needed-to-defeat-hackers/#7811b5177823.