No Harm, No Lawsuit: Court Dismisses VTech Litigation

In November, 2015, this site noted a breach involving VTech. At the time, Motherboard reported:

The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids.

What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard.

On November 30, VTech confirmed the breach but reassured consumers that the data involved would not be sufficient to engage in fraud or identity theft. The following day, the unknown hacker contacted Motherboard to tell them that VTech had also left children’s photos and chat logs between parents and children unsecured.

Two weeks later, the hacker was arrested.

In response to the breach, VTech subsequently changed their EULA to include a statement, ““You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”

And also in response to the breach, some customers sued.

Richard P. Lawson of Manatt Phelps and Phillips LLP has an update on the litigation, writing, in part:

In addition to legislative inquiries, the data breach triggered consolidated litigation in Illinois federal court alleging that the company failed to employ reasonable data security to protect its customers, resulting in an increased risk of identity theft to adults as well as harm to children if predators accessed their information.

VTech moved to dismiss the action for failure to state a claim. U.S. District Court Judge Manish S. Shah granted the motion, finding that the plaintiffs were unable to establish that they suffered actual harm as a result of the breach and that their alleged injuries were too “speculative” for the lawsuit to move forward.

“Plaintiffs fail to make the connection between the data breach they allege and the identity theft they fear,” the court said. “Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft.”

Read more on Lexology.

About the author: Dissent