Crypto Cybersecurity Lawsuit Against French Digital Wallet Firm

The customer lists maintained by providers and the personal information users enter to obtain digital wallets or set up accounts on cryptocurrency exchanges are coveted targets for hackers. Such data is used to initiate targeted phishing schemes and related scams, tricking owners into divulging their private keys or unknowingly transferring anonymized crypto assets to hackers. There is a possibility that In a recent case, a lawsuit was filed by a customer seeking relief for damages allegedly suffered after a data breach that purchased hardware his wallet to protect crypto assets and exposed personal information. It contains.

A recent Ninth Circuit decision analyzed whether federal courts have personal jurisdiction over foreign cryptocurrency wallet providers. This is an issue that could be significant when litigating in this space given the borderless nature of the world of crypto assets and related services. (Baton v. Ledger SASNo. 21-17036 (9th Cir. 1 December 2022) (unpublished)).

In this case, the plaintiff purchased a hardware wallet to store crypto assets. Following a data breach that allegedly leaked personal information (name, email address, address, phone number, etc.) provided in connection with the purchase of a wallet, the plaintiff filed a complaint with a French company that manufactured and sold the wallet. We have filed a lawsuit against a Ledger SAS (“Ledger”). wallets and Shopify Inc. (“Shopify”), the Canadian company that provided e-commerce services to Ledger’s store, and its US subsidiaries (collectively, the “Defendants”). Plaintiffs have brought various claims in the California District Court, including negligence and consumer claims in California and elsewhere, based on allegations that Ledger failed to take reasonable care to protect personal information. I did.

Defendants argued that the court lacked personal jurisdiction over them in their motions to dismiss. Shopify Inc., a Canadian company that is not registered to do business in California and has no employees in California, is responsible for one data breach on Shopify, Inc.’s platform (a Ledger customer allegedly including some of the transaction records) were foreign contractors, not Shopify employees. Ledger claimed to be a French company with no California or US employees. The district court granted the petition and dismissed the action for lack of personal jurisdiction over the defendants. The lower court denied specific jurisdiction over Shopify simply because Ledger provided a software product that enabled consumers around the world to operate online stores. , among other things, makes plaintiffs’ requests for jurisdictional discovery for information about the existence of employees who may have worked with “rogue” contractors involved in certain violations and the alleged activities “speculative.” was dismissed as “inappropriate” and “unjustified”. Shopify’s certain California-based data protection officer. We have determined that simply operating a website that is accessible to is generally not sufficient.

The Ninth Circuit reversed the dismissal of the action, partially affirming and partially overruling the lower court’s finding of jurisdiction. (Baton v. Ledger SAS, No. 21-17036 (9th Cir. 1 December 2022) (unpublished)). The Court of Appeals ruled that he had personal jurisdiction over Ledger because a total of about 70,000 purses sold in California generated millions of dollars in revenue from being sold to Californians. . The court also said that Ledger’s website is designed to collect California sales tax applicable to buyers whose IP addresses are in California. Taken together, such facts establish “intentional use”. This is because Leisure’s contact with forums cannot be characterized as “random, isolated, or accidental.” The court also said that the plaintiffs’ claims “attributed” to the sale of these wallets, as the personal information was collected for e-commerce and marketing purposes. Nevertheless, the court found that the putative class of plaintiffs was “[a]Any dispute, controversy, difference or claim “arising from or relating to the Terms” shall be brought exclusively in the French courts. The court held that the choice-forum clause was enforceable, except for claims under the California Consumer Law brought by California residents, and waived such claims on grounds of public policy. I decided it was not possible.

With respect to Shopify, the Ninth Circuit agreed that the current record does not uphold personal jurisdiction, but the lower court has amended the plaintiffs’ finding of jurisdiction and the complaints following such finding. determined that you had mistakenly declined a request for an opportunity to The court found that Shopify USA employs a number of employees who work remotely from California, and one of those employees was, at the time, the “Vice President of Legal Affairs; Data Protection Officer.” While it’s reasonable to speculate that state Shopify’s data protection officer “may have played a role in the data breach as it appears to have overseen relevant privacy policies and Shopify’s response,” it is more likely that A number of facts were needed to determine whether such activity supported the exercise of jurisdiction.

2022 saw a record increase in the number of crypto-related hacking incidents (one report found over $3 billion in cryptocurrency stolen from January to October) . Security incidents have particularly affected decentralized protocols such as cross-chain bridges and the smart contracts underlying his DeFi, some of which may be built with incomplete code. These hacking incidents come during a persistent crypto winter recession, exacerbated by recent high-profile industry collapses and bankruptcies. We expect to see more lawsuits filed by users against providers over crypto assets stolen by hackers.

Additionally, the case demonstrates that crypto-related businesses outside the United States may fall under domestic jurisdiction despite limited contact within borders. , this might be worth the risk. To minimize risk, there may be steps that your particular business can take to reduce the likelihood of such discovery.

Jonathan Mollod also contributed to this article.