Crypto cybersecurity lawsuit against French digital wallet company

Customer lists maintained by service providers, and the personal information users enter to obtain digital wallets or set up crypto exchange accounts, are enviable targets for hackers. Such data can be used to launch targeted phishing schemes and related scams that trick holders into revealing their private keys or unwittingly handing over anonymized crypto assets to hackers. One recent case involves a lawsuit brought by users who purchased a hardware wallet to secure cryptocurrency assets and are seeking compensation for damages they allegedly suffered after a data breach exposed their personal information.

A recent Ninth Circuit decision analyzed whether a federal court has personal jurisdiction over a foreign crypto-asset wallet provider, an issue that can be important when litigating in this area, given the borderless nature of the world of crypto-assets and related services. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. Dec. 1, 2022) (unpublished)).

In the case, plaintiffs purchased hardware wallets to store crypto assets. Following a data breach that allegedly exposed personal information provided in connection with wallet purchases (e.g., names, email addresses, mailing addresses, and phone numbers), plaintiffs filed suit against Ledger SAS (“Ledger”), a French company that manufactured and sold the wallets, and Shopify Inc. (“Shopify”), a Canadian company that provided e-commerce services for Ledger’s store, together with its US subsidiary (collectively, the “Defendants”). The plaintiffs filed various claims in a California district court, including negligence and consumer claims under California and other states’ laws, based on allegations that Ledger failed to exercise reasonable care in securing their personal information.

In moving to dismiss the suit, the defendants argued that the court lacked personal jurisdiction over them. Shopify Inc. claimed that it was a Canadian corporation not registered to do business in California and with no employees in California, and that the “rogue” individuals responsible for a Shopify data breach (which allegedly included some Ledger customer transaction records) were not Shopify employees but foreign contractors; Ledger claimed it was a French company with no employees in California or elsewhere in the US. The district court granted the motions and dismissed the action for lack of personal jurisdiction over the defendants. The lower court did not find specific jurisdiction over Shopify simply because it provided the software product that enabled Ledger to operate an online store for consumers worldwide, since Ledger, not Shopify, made the conscious choice to purposefully direct its product toward the California forum. Second, the court rejected as “speculative” and “unwarranted” the plaintiffs’ motion for jurisdictional discovery seeking information about, among other things, the existence of employees who may have worked with the “rogue” contractors involved in the breach, and the alleged activities of a certain California-based Data Protection Officer at Shopify. As to defendant Ledger, the lower court similarly found that merely operating a universally accessible website is generally insufficient to satisfy the requirement that Ledger “expressly direct” its conduct at California.

On appeal, the Ninth Circuit affirmed in part and reversed in part the lower court’s jurisdictional findings. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. Dec. 1, 2022) (unpublished)). The appeals court found that the court had personal jurisdiction over Ledger because of its sales in the state, totaling about 70,000 wallets sold to Californians and generating millions of dollars in revenue. The court also noted that Ledger’s website was designed to collect the applicable California sales tax for customers whose IP addresses are in California. Taken together, such facts establish “intentional benefit” because Ledger’s contacts with the forum cannot be characterized as merely incidental or isolated. The court also stated that the plaintiffs’ claims “arise out of” those wallet sales, since the personal information was collected for e-commerce and marketing purposes. Nevertheless, the court limited the potential universe of claims that a putative class of plaintiffs could bring, based on the existence of a broad forum selection clause in Ledger’s terms mandating that “[a]ny dispute, controversy, difference or claim arising out of or relating to the terms may be submitted exclusively to the French courts.” The court held that the forum selection clause was enforceable except with respect to claims under California’s consumer protection laws brought by California residents, concluding that such claims could not be waived on public policy grounds.

As to Shopify, the Ninth Circuit agreed that the current record does not support personal jurisdiction, but held that the lower court erred in denying the plaintiffs’ requests for jurisdictional discovery and the ability to amend the complaint after such discovery. The court noted that Shopify USA employs a number of people who work remotely from California, and that apparently one of those employees, at the relevant time, held the title of “Vice President, Legal; Data Protection Officer.” According to the appeals court, it is reasonable to conclude that Shopify’s California data protection officer “may have played a role in the data breach because he appears to have overseen the relevant privacy policies and Shopify’s response,” but more facts are needed to determine whether such activities support the exercise of jurisdiction.

2022 saw a record rise in cryptocurrency-related hacking incidents (one report found over $3 billion in cryptocurrency stolen from January to October). Security incidents have particularly affected decentralized protocols, including cross-chain bridges and the smart contracts that underpin DeFi, some of which may be built on imperfect code. These hacking incidents have occurred during a protracted crypto winter, exacerbated by recent collapses and high-profile bankruptcies in the industry. One would expect more lawsuits to be filed by users against service providers over crypto assets stolen by hackers.

Moreover, this case signals that crypto-related companies outside the United States may be subject to US jurisdiction even with limited contacts within its borders. Given the size of the US market, this may be a risk worth taking. Depending on the particular business, there may be steps that can be taken to reduce the likelihood of such a finding.

Jonathan Mollod also contributed to this article.

© 2023 Proskauer Rose LLP. National Law Review, Volume XIII, Number 18
