A recent class action refiled in federal court against Shopify highlights a growing trend  of lawsuits against companies related to the theft of cryptocurrency, particularly as a result of internal company threats.  See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.).  Despite not itself being a repository for or facilitating the sale of any cryptocurrency, the plaintiffs in the Shopify case allege that Shopify is liable for a theft of cryptocurrency after Shopify experienced a data breach caused by its own employees, which exposed a customer list for a cryptocurrency hardware wallet vendor, Ledger SAS.  As cryptocurrency storage and related transactions increasingly feature in companies’ online presence, there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space.

According to the complaint, the Shopify case arose from a 2020 data breach.  In the cryptocurrency space, actual units of currency (e.g., bitcoin) are stored in digital “wallets” that are protected by “private keys.”  Private keys are access codes known only to the owner of the wallet.  Owners of cryptocurrency can store these private keys in internet-accessible databases and/or in physical devices or storage spaces that are not connected to the internet. 

Plaintiffs allege that Ledger SAS is a vendor of these physical devices and that it used Shopify as its e-commerce platform.  Because of this, they contend that Shopify possessed a list of customers who had purchased Ledger devices, including full names, emails, and physical addresses, and that this information allegedly was leaked by “two rogue members of [Shopify’s] support team” at the behest of a hacker.  Plaintiffs aver that Shopify’s alleged negligence in failing to prevent the data breach, coupled with allegedly delayed notice, allowed hackers to use the information to launch phishing attacks against plaintiffs and putative class members resulting in the loss of cryptocurrency and other injuries.  While Shopify and Ledger initially succeeded in securing dismissal of the lawsuit on personal jurisdiction grounds when it was filed in federal district court in California, a different set of named plaintiffs have since refiled these claims in the district of Delaware, where Shopify USA is incorporated.

Due to the nature of cryptocurrency valuations, the individual damages claims in these cases have the potential to exceed the more nominal individual amounts in a typical data breach case where the primary payout is identity theft protection services.  Furthermore, cryptocurrency transactions often are non-reversible, so unlike thefts from traditional online banking services, it may be difficult or impossible to claw back stolen crypto funds.  Other cases have been filed recently involving similar theories relating to data breaches that allegedly resulted in the theft of cryptocurrency, including in the Northern and Central Districts of California, suggesting that this area will continue to face increasing litigation activity.

 This post has been updated.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashley Simonsen Ashley Simonsen

Ashley Simonsen is a litigator whose practice focuses on defending complex class actions and mass torts in state and federal courts across the country.

Ashley represents clients in the technology, consumer brands, financial services, and sports industries through all stages of litigation, including trial…

Ashley Simonsen is a litigator whose practice focuses on defending complex class actions and mass torts in state and federal courts across the country.

Ashley represents clients in the technology, consumer brands, financial services, and sports industries through all stages of litigation, including trial, with a strong track record of success on early dispositive motions. Her practice encompasses advertising, antitrust, product defect, and consumer protection matters. Ashley regularly advises companies on arbitration clauses in consumer agreements and related issues, including mass arbitration risks and issues arising under McGill v. Citibank, N.A. And she is one of the nation’s leading experts on “true lender” issues and the related “valid when made” doctrine.

Ashley has been recognized three times by Law360 as an “MVP” (in Class ActionsTechnology, and Banking) and as a “Rising Star” (in Banking). Her successful representation of Meta earned her a 2021 “Top Verdict” recognition from the Daily Journal. She has also been included in the Daily Journal’s list of the “Top 100 Lawyers” and “Top Women Lawyers” in California, named a “Lawyer on the Fast Track” and “Women Leader in Tech Law” by The Recorder, and recognized twice as a Leader of Influence: Litigators & Trial Lawyers by the Los Angeles Business Journal. Before practicing law, Ashley was an associate at Lehman Brothers in New York where she advised banks on balance sheet management and interest rate hedging strategies.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Photo of Mike Nonaka Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and…

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Photo of Sam Greeley Sam Greeley

Samuel Greeley is an associate in the firm’s Washington, DC office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation…

Samuel Greeley is an associate in the firm’s Washington, DC office representing clients in complex civil litigation and government investigations. Sam’s practice focuses on a broad range of high-stakes issues facing companies in the tech sector, including class actions, antitrust investigations and litigation, and federal agency enforcement matters. This includes advising clients on issues relating to cryptocurrency and digital assets, and how they can stay ahead of the quickly evolving enforcement and litigation landscape. He has also defended clients from class actions and white collar investigations in other industries, including life sciences and healthcare.