This past week, co-defendants in a class action related to the theft of cryptocurrency engaged in their own lawsuit over alleged security failures.  IRA Financial Trust, a retirement account provider offering crypto-assets, sued class action co-defendant Gemini Trust Company, LLC, a crypto-asset exchange owned by the Winklevoss twins, following a breach of IRA customer accounts.  IRA claims that Gemini failed to secure a “master key” to IRA’s accounts, and that hackers were able to exploit this alleged security flaw to steal tens of millions of dollars of cryptocurrency.  This lawsuit demonstrates the growing trend of cryptocurrency thefts resulting from cyber breaches, and ensuing litigation activity.

Continue Reading Litigation Between FinTech Companies Follows Class Action Over Cryptocurrency Theft

A recent class action filed in federal court against YouTube is the latest in a growing list of class actions against companies regarding their automatic renewal practices.

The suit alleges that YouTube and its parent company Google (together, “YouTube”) failed to provide the requisite disclosures and authorizations in connection with their subscription services, including YouTube TV, YouTube Music, and YouTube Premium, as required by Oregon’s Automatic Renewal Law (“ARL”) and in violation of Oregon’s Unlawful Trade Practices Act (“UTPA”).  See Walkingeagle, et al. v. Google LLC, et al., No. 3:22-cv-763 (D. Or.).  According to the complaint, YouTube enjoyed rapid growth in its user base by employing “dark patterns” in its user interfaces to “trick” users into doing things they might not otherwise do, including signing up for recurring services (and bills).

Continue Reading YouTube Hit with Auto-Renewal Suit Over Its Online Subscriptions Services

A California federal district court recently granted in part the dismissal of certain federal and state privacy claims, including a California Consumer Privacy Act (“CCPA”) claim, in Hayden v. The Retail Equation, Inc., No. 8:20-cv-01203 (C.D. Cal.).  Plaintiffs in Hayden alleged that twelve retailers unlawfully shared customer data with a computer software firm, The Retail Equation (“TRE”), which in turn created “customer risk scores” to identify potentially fraudulent customer returns.  This customer risk score was alleged to include information about the customers’ purchase histories, information gleaned from social media, as well as personal information, including name, government identification card or passport information, address, sex, race, and date of birth.  TRE and the retailers sought dismissal of: (1) the Fair Credit Reporting Act (“FCRA”) claim; (2) the CCPA claim; (3) the California invasion of privacy claim; (4) the Unfair Competition Law (“UCL”) claim; and (5) the unjust enrichment claim.  The Court dismissed all but the invasion of privacy claim.

Continue Reading Court Grants in Part Dismissal of Certain Privacy Claims, Including CCPA Claim, Against The Retail Equation and Retailers

A recent class action refiled in federal court against Shopify highlights a growing trend of lawsuits against companies related to the theft of cryptocurrency, particularly as a result of internal company threats.  See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.).  Although Shopify is not itself a repository for any cryptocurrency and does not facilitate its sale, the plaintiffs in the Shopify case allege that Shopify is liable for a theft of cryptocurrency after Shopify experienced a data breach caused by its own employees, which exposed a customer list for a cryptocurrency hardware wallet vendor, Ledger SAS.  As cryptocurrency storage and related transactions increasingly feature in companies’ online presence, there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space.

Continue Reading Companies Increasingly Facing Class Actions Connected to Cryptocurrency Theft

Courts across the country continue to grapple with thorny questions surrounding the legal implications of cyber-attacks.  Recently, a federal court in California considered whether a plaintiff could assert a claim against a company when a cyber-criminal acquired his personal information from the company and then used that information to steal his cryptocurrency.  The district court

Last week, a federal court in Illinois dismissed a putative class action complaint alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”) for engaging in “impermissible group pleading.”  The ruling serves as a reminder that a complaint that fails to plead specific facts as to each defendant does not meet the Rule 8 pleading

The Fourth Circuit’s opinion last week in In re Marriott International, Inc., --- F.4th ----, No. 21-1802 (4th Cir. Apr. 21, 2022), could prove useful to companies facing data breach class actions.  Following a data breach of the Starwood guest reservation system, Marriott investors brought securities claims alleging that the purported failure to disclose vulnerabilities in Starwood’s IT systems rendered certain public statements false or misleading.

Continue Reading Fourth Circuit Holds Statements About Importance of Data Security Not Actionable

In the wake of rulings upholding federal regulators’ “valid when made” rules, a new lawsuit serves as a reminder that state regulators and class-action plaintiffs’ lawyers may continue to challenge the bank partnership lending model under the “true lender” doctrine.

Continue Reading Fintech Lawsuit Highlights True Lender Risk for Bank Partnership Lending Model

An Illinois federal district court recently rejected dismissal of Illinois Biometric Information Privacy Act (“BIPA”) claims in In re Clearview AI, Inc., Consumer Privacy Litigation, No. 21-cv-135 (N.D. Ill.).  The Clearview plaintiffs alleged that Clearview violated their privacy rights without their knowledge and consent by scraping more than three billion photographs of facial images from the internet and using artificial intelligence algorithms on the images to harvest individuals’ unique facial biometric identifiers and corresponding biometric information.  Clearview sought dismissal of the BIPA claims under the First Amendment, extraterritoriality doctrine, dormant commerce clause, and BIPA’s express exemption for photographs.  The court rejected these grounds, and declined to dismiss the BIPA claims.

Continue Reading Court Rejects Dismissal of Illinois Biometric Information Privacy Act Against Clearview in Pending Multidistrict Litigation

Last week, in Doe #1 et al. v. MG Freesites Ltd. et al., No. 7:21-cv-00220-LSC, 2022 WL 407147 (N.D. Ala. Feb. 9, 2022), the Northern District of Alabama permitted plaintiffs to proceed with a proposed class action against Pornhub for allegedly profiting from child sex trafficking and exploitation videos uploaded to its platform.  The claims were brought under the Trafficking Victims Protection Reauthorization Act (“TVPRA”) and federal child sexual abuse material statutes.  U.S. District Judge L. Scott Coogler rejected Pornhub’s defense that section 230 of the federal Communications Decency Act shields it from liability for plaintiffs’ claims.  Section 230 generally immunizes “interactive computer service[s]” from liability for content provided by third parties.  47 U.S.C. § 230(c).

Continue Reading Rejecting CDA 230 Defense, District Court Allows TVPRA Claims to Proceed Against Pornhub