Blizzard Entertainment (Blizzard) scored a victory recently when a California federal court dismissed claims by video game users who alleged that they were harmed when hackers accessed their email addresses, security questions, and scrambled passwords in a data breach of Blizzard Entertainment’s website “Battle.net.” The court agreed with Blizzard’s arguments that the users’ alleged harm — increased risk of future identity theft and diminution of the value of their video games — was insufficient to maintain their claims.
The case, Bell v. Blizzard Entertainment, Inc., was initiated in November 2012 in the Central District of California by a putative class of 10 million customers of Blizzard, a publisher and marketer of several popular video game titles, including World of Warcraft, StarCraft, and Diablo. Customers must create a Battle.net account before playing the games. The customers alleged that they had been harmed by a data breach occurring in August 2012 when Battle.net was hacked. This breach provided hackers access to customers’ email addresses, security question answers, cryptographically scrambled passwords, and information that could potentially compromise Mobile Authenticators, an optional, downloadable application that provided customers with an extra layer of security at no cost. Specifically, the customers alleged that Blizzard failed to adequately secure customers’ data, and that they had experienced previous data breaches.
On July 11, the Court ruled on Blizzard’s motion for judgment on the pleadings, siding primarily with Blizzard and dismissing all but one of the plaintiffs’ claims. Specifically, the Court held that (i) plaintiffs’ claims were contract-based, precluding a claim for unjust enrichment; (ii) the information obtained by hackers was not “personal information” as defined under Delaware’s data breach law, precluding a negligence per se claim; and (iii) there was no legal basis for plaintiffs’ claim that “personal information” can be bailed, precluding a bailment claim.
With respect to their negligence and breach of contact claims, the Court again agreed with Blizzard by finding that plaintiffs failed to demonstrate that they were harmed by Blizzard’s conduct. In support, the Court held (i) that increased risk of future harm of identity theft is insufficient to support a negligence claim; and (ii) that purported diminution in the value of plaintiffs’ video games was too speculative to support a claim for breach of contract. The Court dismissed each of those counts.