Delta Air Lines was hit with a class action lawsuit last week shortly after it announced that customers’ credit card details could have been stolen in a 2017 malware attack.

In a complaint filed in the California Central District Court on 6 April, passengers accused Delta of falling short of various state and federal regulations, industry standards and common law requirements to protect their data after a third-party company that provides the carrier’s online chat bots was hacked.

On 4 April, Silicon Valley software vendor [24], which provides online customer communications services for Delta and US department store Sears, announced that it had become aware of “an incident potentially affecting the online customer payment information” between 26 September and 12 October 2017. Sears announced that it had been aware of the breach since mid-March.

The complaint, brought by Delta passenger Arthi Naini on behalf of customers who made reservations for flights during the period of the hack, says the airline was in breach of its duty to disclose details of the incident to affected parties “within reasonable time”.

The complaint asked Judge Christina Snyder to certify both a Californian and US-wide class of plaintiffs, both to be represented by Naini and her counsel Bobby Saadian of Wilshire Law Firm in Los Angeles.

The proposed California class brought three claims under the state’s Unfair Competition Law, alleging that Delta was aware that its data protection measures were not up to scratch and that by continuing to gather customer information it had deliberately engaged in fraudulent business practices and false advertising that amounted to “unfair competition.”

On behalf of the so-called Nationwide class, Naini gave a state-by-state itemisation of trade practices statutes, claiming Delta was in violation of all 50 by “failing to properly implement adequate, commercially reasonable security measures”. 

The suit also claims – on behalf of both proposed classes – that when the customers made their reservations with Delta they entered into “implied contracts” under which the airline had a duty to protect their personal and financial information. Following Delta’s alleged failure to hold up its side of the bargain, the plaintiffs say they suffered damages from “imminent, immediate, and continuing risk of harm from identity theft and identity fraud”.

The suit asks the court to enjoin Delta from engaging in further alleged wrongful conduct and to restore any of the customers’ lost revenues as a result of the breach. It also asks for “an award of actual damages and compensatory damages, in an amount to be determined.”

Speaking at the IATA Legal Symposium in Bangkok earlier this year, co-chair of Crowell & Moring’s cybersecurity practice Jeffrey Poston noted that US Supreme Court precedent provided a strong defence against data breach suits because it holds that stolen data isn’t enough to prove actual damages.

Poston claimed that data breaches have less potential to do long-term damage to companies’ reputations now that the public has become desensitised to them but said that what people found harder to forgive was a poor response by the company when a breach occurred. “You take a bigger reputational hit if you’re not prepared to respond and if you fail to respond efficiently and comprehensively,” he said.

In the United States District Court for the Central District of California

Naini v Delta Air Lines

  • Judge Christina Snyder

Counsel to Arthi Naini

  • Wilshire Law Firm

Bobby Saadian