Courts across the country continue to grapple with thorny questions surrounding the legal implications of cyber-attacks. Recently, a federal court in California considered whether a plaintiff could assert a claim against a company when a cyber-criminal acquired his personal information from the company and then used that information to steal his cryptocurrency. The district court engaged in a highly fact-specific assessment of the allegations, allowing some claims to proceed but dismissing others.
In Fraser v. Mint Mobile, LLC, the plaintiff’s personal information was exposed in a data breach affecting customers of Mint’s wireless cellular services. 2022 WL 1240864, at *1 (N.D. Cal. Apr. 27, 2022). Around one to three days later, a cyber-criminal used the plaintiff’s stolen information to assume control over his cellular service by porting it to a new carrier. Significantly, the plaintiff alleged that he had set up PIN verification on his Mint account just three days prior, and that Mint “bypassed this enhanced security when it allowed the porting out of his account.” Shortly thereafter, the cyber-criminal allegedly used the plaintiff’s hijacked cellular service to steal the equivalent of $466,000 in cryptocurrency from him. The plaintiff sued Mint for the loss, asserting a dozen claims under various federal and state laws.
Mint moved to dismiss the complaint, challenging proximate causation as to all claims given the intervening acts of cyber-criminals. The district court found that proximate causation had been adequately pled because the data breach exposed the plaintiff’s personal information, the criminal activities happened in the span of a few days and followed a “logical progression,” and Mint supposedly bypassed the plaintiff’s PIN verification setup. The district court held that it was plausible that Mint’s conduct directly and foreseeably created or increased the risk of the harm that befell the plaintiff.
Turning to specific claims, the district court allowed the plaintiff to proceed with contract claims based on either Mint’s user policies or, in the alternative, implied-in-fact contracts promising confidentiality and security. The district court also allowed the plaintiff to proceed with negligence claims, concluding the parties plausibly had a “special relationship” based on the factors set forth in J’Aire Corporation v. Gregory, 24 Cal. 3d 799 (1979). However, the district court dismissed the plaintiff’s claims for restitution under California’s Unfair Competition Law because it was a third party, not Mint, that had wrongfully acquired the plaintiff’s cryptocurrency. The district court also dismissed the plaintiff’s claim under the Computer Fraud and Abuse Act because the stolen cryptocurrency did not “constitute loss related to a computer or system,” and further dismissed the plaintiff’s requests for punitive damages.