Cryptocurrency cybersecurity lawsuit against French digital wallet company

The customer lists held by vendors, and the personal information that users enter to obtain digital wallets or create cryptocurrency exchange accounts, are attractive targets for hackers. Such data can be used to launch targeted phishing schemes and related scams that trick holders into divulging their private keys or unknowingly transferring anonymous crypto assets to hackers. One recent case involves a lawsuit filed by customers who bought a hardware wallet to protect cryptocurrency assets and are seeking compensation for damages they allegedly suffered as a result of data breaches that exposed their personal information.

A recent Ninth Circuit decision examined whether a federal court had personal jurisdiction over a foreign cryptocurrency wallet provider, an issue that can be important when litigating in this area given the borderless nature of cryptocurrencies and related services. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. Dec. 1, 2022) (unpublished)).

In the case, the plaintiffs purchased hardware wallets to store crypto assets. Following data breaches that allegedly exposed personal information provided in connection with wallet purchases (such as names, email addresses, mailing addresses, and telephone numbers), the plaintiffs filed a lawsuit against Ledger SAS (“Ledger”), the French company that manufactured and sold the wallet, and Shopify Inc. (“Shopify”), the Canadian company that provided e-commerce services for Ledger’s store, and its US subsidiary (collectively, “Defendants”). The plaintiffs filed various claims in California District Court, including malpractice and California and other state consumer claims based on their allegation that Ledger failed to take reasonable care to protect their personal information.

In moving to dismiss, the defendants argued that the court lacked personal jurisdiction over them: Shopify Inc. argued that it is a Canadian company that is not registered to do business in California and has no employees in California, and that the “rogue” individuals who were responsible for a data breach of Shopify, Inc.’s platform (including, presumably, some of Ledger’s customer transactional records) were not Shopify employees, but foreign contractors; Ledger said it is a French company with no California or US employees. The district court granted the motions and dismissed the case for lack of personal jurisdiction over the defendants. First, the lower court found no specific jurisdiction over Shopify simply because it provided a software product that enabled Ledger to operate an online store for consumers around the world, as it was Ledger, not Shopify, that made the conscious choice to intentionally direct its product to the California forum. Second, the court denied, as “speculative” and “unjustified,” the plaintiffs’ request for judicial review asking for information, inter alia, on the existence of employees who might have worked with the “rogue” contractors involved in a breach and the alleged activities of a particular California-based data protection officer at Shopify. As for Defendant Ledger, the lower court similarly held that merely operating a universally accessible website is, on its own, generally insufficient to satisfy the requirement that Ledger “expressly directed” its conduct to California.

The Ninth Circuit reversed the dismissal, affirming in part and overturning in part the lower court’s findings on jurisdiction. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. Dec. 1, 2022) (unpublished)). The appeals court found that the court had personal jurisdiction over Ledger due to its sales in the state, totaling approximately 70,000 wallets sold to Californians and generating millions of dollars in revenue. The court also said that Ledger’s website is designed to collect applicable California sales tax from buyers whose IP addresses are located in California. Taken together, these facts establish a “profitable value” because Ledger’s contacts with the forum cannot be described as “chance, isolated or incidental”. The court also said that the plaintiffs’ claims “arise from” those wallet sales, as the personal information was collected for e-commerce and marketing purposes. However, the court limited the potential universe of claims that the putative class of plaintiffs could bring, based on the existence of a broad forum selection clause in Ledger’s terms which mandates that “[a]ny dispute, controversy, difference or claim arising out of or relating to” the terms will be brought exclusively before the French courts. The court held that the forum selection clause applied, except for claims under California consumer laws filed by California residents, holding that such claims could not be dismissed on public policy grounds.

With respect to Shopify, the Ninth Circuit agreed that this record does not support personal jurisdiction, but found that the lower court wrongly denied the plaintiffs’ requests for jurisdictional discovery and an opportunity to amend the claim following this discovery. The court noted that Shopify USA employs a number of people who work remotely from California and that apparently one of those employees, at the material time, held the title of “Vice President, Legal; Data Protection Officer.” According to the appellate court, it is reasonable to infer that Shopify’s California data protection officer “may have played a role related to the data breach because he appears to have overseen relevant privacy policies and Shopify’s response,” but that additional facts were needed to determine whether such activities were conducive to the exercise of jurisdiction.

2022 saw a record increase in the number of cryptocurrency-related hacking incidents (one report found over $3 billion worth of cryptocurrencies stolen from January to October). Security incidents have particularly affected decentralized protocols, including cross-chain bridges and the smart contracts underpinning DeFi, some of which may have been built on flawed code. These hacking incidents are occurring during the prolonged crypto winter, which has been exacerbated by recent high-profile crashes and bankruptcies in the industry. One would expect more lawsuits to be filed by users against vendors over crypto assets stolen by hackers.

Furthermore, this case signals that cryptocurrency-related activities outside the United States may be subject to jurisdiction within the country, despite limited contacts within its borders. Given the size of the US market, this may be a risk worth taking. To minimize the risk, depending on the particular activity, steps may be taken to reduce the likelihood of such a finding.

Jonathan Mollod also contributed to this article.

© 2023 Proskauer Rose LLP. National Law Review, Volume XIII, Number 18
