Courts across the country continue to grapple with thorny questions surrounding the legal implications of cyber-attacks.  Recently, a federal court in California considered whether a plaintiff could assert a claim against a company when a cyber-criminal acquired his personal information from the company and then used that information to steal his cryptocurrency.  The district court engaged in a highly fact-specific assessment of the allegations, allowing some claims to proceed but dismissing others. 

In Fraser v. Mint Mobile, LLC, the plaintiff’s personal information was exposed in a data breach affecting customers of Mint’s wireless cellular services.  2022 WL 1240864, at *1 (N.D. Cal. Apr. 27, 2022).  Around one to three days later, a cyber-criminal used the plaintiff’s stolen information to assume control over his cellular service by porting it to a new carrier.  Significantly, the plaintiff alleged that he had set up PIN verification on his Mint account just three days prior, and that Mint “bypassed this enhanced security when it allowed the porting out of his account.”  Shortly thereafter, the cyber-criminal allegedly used the plaintiff’s hijacked cellular service to steal the equivalent of $466,000 in cryptocurrency from him.  The plaintiff sued Mint for the loss, asserting a dozen claims under various federal and state laws.

Mint moved to dismiss the complaint, challenging proximate causation as to all claims given the intervening acts of cyber-criminals.  The district court found that proximate causation had been adequately pled because the data breach exposed the plaintiff’s personal information, the criminal activities happened in the span of a few days and followed a “logical progression,” and Mint supposedly bypassed the plaintiff’s PIN verification setup.  The district court held that it was plausible that Mint’s conduct directly and foreseeably created or increased the risk of the harm that befell the plaintiff.

Turning to specific claims, the district court allowed the plaintiff to proceed with contract claims based on either Mint’s user policies or, in the alternative, implied-in-fact contracts promising confidentiality and security.  The district court also allowed the plaintiff to proceed with negligence claims, concluding the parties plausibly had a “special relationship” based on the factors set forth in J’Aire Corporation v. Gregory, 24 Cal. 3d 799 (1979).  However, the district court dismissed the plaintiff’s claims for restitution under California’s Unfair Competition Law because it was a third party, not Mint, that had wrongfully acquired the plaintiff’s cryptocurrency.  The district court also dismissed the plaintiff’s claim under the Computer Fraud and Abuse Act because the stolen cryptocurrency did not “constitute loss related to a computer or system,” and further dismissed the plaintiff’s requests for punitive damages.

Megan Rodgers

Megan Rodgers is a litigator who focuses her practice on high-stakes commercial disputes, with a particular focus on mass torts, class actions, advertising, privacy, product defect, and consumer protection matters.

Megan is called upon for her ability to navigate especially complex cases and to successfully take cases from pre-trial through jury verdicts, and she was recently recognized by the Daily Journal in its “Top 40 Under 40” feature.

Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Kanu Song

Kanu Song is a litigator specializing in complex commercial disputes, including intellectual property litigation, class actions, and claims brought under consumer protection and competition laws, such as California’s Unfair Competition Law (B. & P.C. § 17200).

She works with clients in the technology, entertainment, consumer brands, food, drug, and cosmetic industries through all stages of litigation, with a strong track record of success on early resolution and dispositive motions.