Finding that the plaintiffs failed to prove any harm from a data breach suffered by toymaker VTech, a federal court judge granted the company’s motion to dismiss consolidated litigation brought by eight parents and 14 children.
The Hong Kong-based toy company offers a “Kid Connect” service that allows parents to use smartphones to talk to kids who use VTech toy tablets and other devices. But in 2015, a hacker gained access to the company’s servers and captured the names, email addresses, home addresses and passwords of more than 4.8 million parents and the names, genders and birthdays of approximately 6.4 million children. The hacker also gained access to chat logs between kids and their parents, kid selfies, and voice recordings.
In addition to legislative inquiries, the data breach triggered consolidated litigation in Illinois federal court alleging that the company failed to employ reasonable data security to protect its customers, resulting in an increased risk of identity theft to adults as well as harm to children if predators accessed their information.
VTech moved to dismiss the action for failure to state a claim. U.S. District Court Judge Manish S. Shah granted the motion, finding that the plaintiffs were unable to establish that they suffered actual harm as a result of the breach and that their alleged injuries were too “speculative” for the lawsuit to move forward.
“Plaintiffs fail to make the connection between the data breach they allege and the identity theft they fear,” the court said. “Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft.”
In some situations, a data breach can result in an increased risk of identity theft sufficient to confer standing, Judge Shah wrote, referencing cases against P.F. Chang’s and Neiman Marcus in which the plaintiffs alleged that they incurred fraudulent charges on their financial statements and spent time and money protecting themselves against future charges.
But unlike those data breaches, “the data stolen here did not include credit-card or debit-card information, or any other information that could easily be used in fraudulent transactions,” the court said. “It is unclear how the disclosure of plaintiffs’ names, addresses, birthdates, and VTech account information would increase the risk of fraudulent transactions on plaintiffs’ credit cards or fraudulent accounts being opened in their names.”
The plaintiffs also did not allege that any fraudulent transactions have occurred, that they actually engaged in mitigation efforts (such as purchasing credit monitoring services) or that the personal information was stolen by individuals who intended to misuse it. In fact, the complaint included a news article that quoted the hacker as saying he did not intend to sell or publish the data, the court noted.
“With respect to this data breach, plaintiffs have not plausibly alleged a substantial risk of harm sufficient to confer standing,” the court said. As for future harm to their children from predators, the plaintiffs failed to allege that the hacker was a predator or that the hacker disseminated the information broadly to predators or anyone else who would harm children.
“Harm need not be literally certain to confer standing, but allegations of future harm based on poor data security, without allegations to support an inference that someone with potentially malicious intent will access the data, is too speculative to confer standing,” Judge Shah wrote.
The decision is the memorandum opinion and order in In re VTech Data Breach Litigation.
Why it matters: The court took a firm stance on Article III’s injury-in-fact requirement, finding that the plaintiffs’ allegations failed to connect the data breach with their fears of identity theft or harm to the children involved and were too speculative to move the suit forward.