eBay Files Motion in Data Breach Case

Online auction company eBay has filed a motion to dismiss a class action lawsuit against it for an alleged data breach, claiming the plaintiff failed to state a claim.

“Plaintiff brings this putative class action seeking to capitalize on a cyberattack on eBay’s computer network in which criminal hackers accessed a database containing non-financial eBay user information and encrypted passwords,” the Sept. 30 motion to dismiss states.

The company states that plaintiff Collin Green’s claims fail because he has not alleged any cognizable injury whatsoever, and he thus lacks Article III standing.

“Plaintiff does not allege that he has been injured by misuse of the stolen information,” the motion states. “He does not allege that anyone has used his password, or that anyone has even tried to commit identity fraud with his information—let alone that anyone has actually succeeded in doing so — and that he has thereby suffered harm.”

U.S. District Court in New Orleans

Instead, Green relies on vague, speculative assertions of possible future injury—that maybe at some point in the future, he might be harmed, according to the motion.

“In fact, he concedes that an injury may never materialize, alleging explicitly that he may ‘never [be] subject to active identity fraud,’” the motion states. “But the speculative possibility of future injury does not constitute injury-in-fact.”

Because the plaintiff has not alleged specific facts constituting an injury that is present or “certainly impending,” the plaintiff lacks standing and the complaint must be dismissed, according to the motion.

Separately, the plaintiff’s complaint fails to state a claim upon which relief can be granted, according to the motion.

The company claims that the plaintiff takes a “shotgun” approach to pleading his claims, asserting no fewer than 10 causes of action, including one under a statute that does not provide a private right of action and another under a statute that was repealed before the complaint was filed.

“In sum, plaintiff has not alleged facts showing that he has standing to bring this case or that he has any legally sufficient claim even if he did have standing,” the motion states. “Because any further amendment would be futile given the fundamental problems with plaintiff’s allegations, the complaint should be dismissed with prejudice.”

In February or March, eBay’s files were accessed by identity thieves, without eBay’s permission. The thieves, at a minimum, had access to and reportedly copied customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

Green claims eBay did not notify its customers of the security breach until May 21, only after the security breach had been reported by independent Internet sources.

Green claims the security breach was the result of eBay’s inadequate security in regard to protecting identity information of its millions of customers.

The company’s failure to properly secure this information has caused, and is continuing to cause, damage to its customers, according to the suit.

Green claims eBay claims it encrypted passwords, but only in the least safe method.

“According to industry reports, eBay chose to use the cheaper security method of encryption as opposed to hashing, with full knowledge that hashing was much more secure and preferred by security experts,” the complaint states. “Once a hacker steals the encryption key, the complex nature of a ‘strong’ encrypted password is irrelevant as the hacker can simply reveal the password with the encryption key.”

With hashing, the hacker still cannot access the password, according to the suit.

Green claims eBay breached its implied contract, breached its fiduciary duty, violated the Gramm-Leach-Bliley Act, violated multi-state privacy laws and violated the federal Fair Credit Reporting Act.

Green is seeking class certification and compensatory and consequential damages with pre- and post-judgment interest. He is represented by Charles F. Zimmer II, Eric H. O’Bell and Bradley T. Oster of O’Bell Law Firm LLC.

The defendant is represented by Kerry J. Miller, Joseph N. Mole and Heather McArthur of Frilot LLC; and Matthew D. Brown, Michael G. Rhodes and Benjamin Kleine of Cooley LLP.

The case has been assigned to District Judge Susie Morgan.

Hi Tech Crime Solutions