The success of a data-breach lawsuit often turns on whether the plaintiff has standing to sue. Showing actual injury can be especially hard when the only alleged damage consists of a risk of future identity theft.
Data-breach plaintiffs are therefore looking for new avenues into the courtroom. One of these avenues is an “overpayment” theory.
This theory rests on the premise that the price of a product or service includes a payment for measures to protect the buyer’s personal information. When a data breach compromises that information, the buyer alleges that he or she has overpaid for the product or service because the seller failed to provide the agreed-upon measures.
This theory has seen mixed success.
Courts have rejected the theory in cases that involve the purchase of physical products, where privacy and data security factor only into the processing of the buyer’s payment, rather than the product itself. Examples include data-breach lawsuits against Chinese food restaurants, grocery stores, and brick-and-mortar bookstores for failing to protect credit- and debit-card information.
Courts have accepted the theory, however, in cases involving the purchase of online services, such as paid subscriptions to social networks and digital magazines. The purchases of these online offerings—unlike the purchase of physical products—were governed by terms of service that included explicit privacy and data security commitments.
A federal court in Chicago recently issued a decision that straddles these two lines of cases. The case, In re VTech Data Breach Litigation, involved physical products whose features included connectivity to an online service.
A Toy Story
VTech Electronics North America sold learning toys for young children. These toys, which included tablet computers and other handheld electronics, connected to VTech’s online application store, from which customers could purchase and download games, books, music, and videos. Some toys could also connect to an online service that enabled children to exchange text, picture, and voice messages with their parents’ cellphones.
In 2015, a hacker infiltrated VTech’s servers and downloaded the personal information of over ten million adults and children. The plaintiffs—purchasers of VTech’s toys who had also registered for the online services—sued VTech and alleged that the hack resulted from VTech’s failure to live up to its data security promises. Their complaint asserted various claims, including one for breach of contract.
The plaintiffs alleged that their injuries consisted of an economic harm: receiving a product worth less than the one for which they paid. According to the plaintiffs, the “product” they paid for included the toys, the online service, and the promised data-security measures.
You Only Get What You Pay For
VTech rejected that characterization of the transaction and moved to dismiss for lack of standing and for failure to state a claim.
According to VTech, buyers participated in two transactions:
- a purchase transaction involving the plaintiffs’ payment for a standalone physical toy, and
- the plaintiffs’ registration for the online services, an optional but separate—and free—offering.
Because VTech had only made data-security promises in the second transaction, VTech argued that the plaintiffs could not establish any “overpayment” for the physical toys that would constitute an injury-in-fact for Article III purposes.
For the same reason, VTech argued, the plaintiffs could not establish a key element of their breach of contract claim, namely, that both parties understood and intended that a portion of the purchase price for the toys would be allocated to protecting personal information collected through the online service.
Overpayment for Data Security Can Be an Injury-in-Fact
The court rejected VTech’s arguments as to standing.
The court observed that economic injury can result “from being given a different, less valuable product than the one that was promised and paid for,” and that such an injury meets Article III’s injury-in-fact requirement. By alleging such an injury—one consisting of overpayment for VTech’s toys and the associated online services—the plaintiffs had satisfied Article III’s injury-in-fact requirement.
The court also noted, however, that whether an injury-in-fact had been sufficiently alleged was separate and distinct from whether the complaint plausibly stated a claim that would entitle the plaintiffs to recover damages.
But the Plaintiffs Didn’t Pay for Data Security
Turning to that question, the court acknowledged the parties’ disagreement as to what the purchase contract included, but held that VTech had the better of that argument. To that end, it agreed with VTech that “there is a difference between selling a product that combines both a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.”
The court then concluded that VTech had done the latter. To support that conclusion, the court observed that the toys functioned without the online services. In addition, the online-services terms did not suggest that the plaintiffs “purchased” the online services, or that the parties intended to incorporate those terms into the purchase contract for the toys.
The court thus held that the plaintiffs had failed to show that both parties understood a portion of the purchase price for the toys would be allocated to the protection of personal information submitted through the online services.
The court concluded this failure was fatal to the plaintiffs’ breach of contract claim, and granted VTech’s motion to dismiss.
Implications for Data Breach Litigants
VTech contains some important lessons for data breach litigants.
First, it suggests that overpayment theories can succeed where other injury theories have failed, provided that a plaintiff plausibly alleges some connection between a purchased product or service itself and a defendant’s data-security duties.
It also confirms, however, that claims premised on an overpayment theory of damages remain vulnerable to challenge under Rule 12(b)(6). That’s especially true if a defendant can show that terms of service that include data-security promises are not part of a purchase transaction, but rather a separate and distinct event for which it does not collect any payment at all.
Author: Alex Pearce