Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In re VTech Data Breach Litigation

United States District Court, N.D. Illinois, Eastern Division

July 5, 2017

In Re VTech Data Breach Litigation


          Manish S. Shah United States District Judge.

         Plaintiffs bought children's toys made by an affiliate of defendant VTech Electronics North America, LLC. Those toys featured access to an online library of educational software, games, and other content, and some provided a communication platform through which parents and their children could send each other messages. Using those online features required the submission of plaintiffs' personally identifiable information, which was stored on servers operated by VTech. Due to VTech's inadequate security, a hacker was able to access those servers and copied plaintiffs' data. Plaintiffs seek to represent a class of consumers and filed this suit alleging both present and future harm resulting from the data breach and VTech's response to that breach. VTech moves to dismiss for lack of subject-matter jurisdiction and for failure to state a claim. For the following reasons, the motion is granted.

         I. Legal Standards

         A court must dismiss an action if it determines, at any time, it lacks subject-matter jurisdiction, Fed.R.Civ.P. 12(h)(3), and a defendant may move to dismiss an action for lack of subject-matter jurisdiction. Fed.R.Civ.P. 12(b)(1). The plaintiff bears the burden of proving that jurisdiction is proper. Transit Express, Inc. v. Ettinger, 246 F.3d 1018, 1022 (7th Cir. 2001) (citation omitted). One component of subject-matter jurisdiction is Article III standing-the requirement that plaintiffs present an actual case or controversy. See Silha v. ACT, Inc., 807 F.3d 169, 172-73 (7th Cir. 2015). “[A] plaintiff need only show the existence of facts that could, consistent with the complaint's allegations, establish standing.” Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009) (citations omitted).

         To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain factual allegations that plausibly suggest a right to relief. Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 558 (2009)). “The purpose of a motion to dismiss is to test the sufficiency of the complaint, not to decide the merits.” Triad Assocs., Inc. v. Chicago Hous. Auth., 892 F.2d 583, 586 (7th Cir. 1989). With a 12(b)(6) motion, a court may only consider allegations in the complaint, documents attached to the complaint, and documents that are both referred to in the complaint and central to its claims. Levenstein v. Salafsky, 164 F.3d 345, 347 (7th Cir. 1998). The court must construe all factual allegations as true and draw all reasonable inferences in the plaintiff's favor, but the court need not accept legal conclusions or conclusory allegations. Virnich, 664 F.3d at 212 (citing Ashcroft v. Iqbal, 556 U.S. 662, 680-82 (2009)).

         II. Facts[1]

         Defendant VTech Electronics North America, LLC marketed and distributed digital learning toys for preschool and grade school children.[2] [44] ¶ 2. VTech designed these toys, including tablets, smartphones, and other handheld touch-sensitive products, to connect to its online application store, the Learning Lodge, and touted that connectivity as an important feature of the products in their marketing. [44] ¶¶ 2, 3, 8, 10. The Learning Lodge allowed customers to purchase and download content like educational games, books, music, and videos. [44] ¶¶ 2, 3, 7, 10. Customers could buy applications stored on physical cartridges, as well, but those cartridges often required software updates from the Learning Lodge to work. [44] ¶ 11. VTech priced its products at a premium in part due to their ability to access the Learning Lodge. [44] ¶ 8. Some of VTech's higher-priced toys also supported its Kid Connect service, which allowed parents and their children to communicate by text message using the Kid Connect-enabled device and a cell phone. [44] ¶¶ 3, 14-15. And for an additional fee, customers could purchase Premium Kid Connect service, which enabled communication in the form of picture and voice messages (in addition to text messages) and provided access to group bulletin boards. [44] ¶ 15.

         To access those online services, or to receive software updates for the toys, customers had to affirmatively agree to certain terms and conditions and register for online accounts with VTech.[3] [44] ¶¶ 9, 16, 22. Registration required the submission of personally identifying information, including parents' names, home addresses, email addresses, passwords, and credit or debit card information. [44] ¶ 16. Once a parent activated an account, VTech allowed the parent to create a user profile for the child by providing VTech with the child's name, password, birthdates, gender, and photographs. [44] ¶ 17. VTech stored that information, as well as the content of any messages exchanged over the Kid Connect platform, on its servers. [44] ¶¶ 15, 71.

         Plaintiffs are eight adults who purchased VTech's Learning Lodge-enabled products, and fourteen children who used those products. [44] ¶¶ 56, 63, 71, 80, 88, 95, 103-04, 113, 121-22, 125-26. Most of plaintiffs' products also supported the Kid Connect service, and one plaintiff paid for the Premium Kid Connect service. Id. All plaintiffs created online accounts and user profiles and submitted personally identifiable information to VTech. Id.

         Plaintiffs allege that VTech's handling of their data was governed by the terms and conditions to which they agreed prior to registration-i.e., before they submitted their personal information and before they formally accepted the terms of online service. [44] ¶ 22. Plaintiffs do not specify which set of terms and conditions they are referring to-the Terms and Conditions of Learning Lodge, the Terms and Conditions of VTech Kid Connect, or both. But it makes little difference, since both documents incorporate by reference VTech's Privacy Policy, which lies at the heart of plaintiffs' claims. [44] ¶ 22; [62-1]; [62-2]. The Privacy Policy informed them that:

The security of your personal information is important to VTech, and VTech is committed to handling your information carefully. In most cases, if you submit your PII to VTech directly through the Web Services it will be transmitted encrypted to protect your privacy using HTTPS encryption technology. Any Registration Data submitted in conjunction with encrypted PII will also be transmitted encrypted. Further, VTech stores your PII and Registration Data in a database that is not accessible over the Internet.

         [44] ¶ 22. The Privacy Policy also said that any submitted information about children “is treated and handled in the same manner as the information we collect about you.” Id. Despite these promises, VTech neither used encryption when transmitting customers' data nor stored that data in a place inaccessible from the internet, putting it at risk of theft. [44] ¶¶ 5, 32, 33.

         In November 2015, a hacker infiltrated VTech's servers and downloaded personally identifiable information relating to 4.8 million adult accounts and 6.3 million child profiles. [44] ¶¶ 4, 25. The hacker reached out to a journalist, who shared the data with a data security consultant and notified VTech. [44] ¶¶ 37, 51. Once it was alerted, VTech confirmed to the public that customer data had been exposed, and clarified a few days later that the data included parents' names, email and mailing addresses, IP addresses, download and purchase histories, passwords, and the secret questions and answers used for password retrieval. [44] ¶¶ 26-27. The data also included children's names, genders, birthdates, photos, and Kid Connect communications, including text, image, and audio recordings, between the children and their parents. [44] ¶¶ 26-27. The children's home addresses can be easily determined by anyone with access to the data. [44] ¶¶ 18, 26. As a result of the data breach, plaintiffs fear that they are exposed to an increased risk of identity theft and will be for years to come. [44] ¶¶ 52, 53. They also fear that harm may befall the children if predators gain access to their information. [44] ¶ 49.

         In response to the Data Breach, VTech suspended all access to its online services for nearly two months while it investigated the breach and changed its data security protocols. [44] ¶¶ 6, 41. Access to the Learning Lodge has since been restored for certain products, but the Kid Connect service remains disabled. [44] ¶ 6. And although VTech insists that its system is now secure, plaintiffs believe that it is still plagued by fundamental security flaws. [44] ¶¶ 42, 44.

         Plaintiffs allege that, had they known of VTech's inadequate data security measures, or that VTech would suspend access to the online services for an extended period of time, they would have paid less for the products or would not have purchased them at all. [44] ¶ 24. They also allege that inadequate security makes the products worth less than the products that plaintiffs were promised. [44] ¶ 44. Plaintiffs bring claims for breach of contract, breach of the implied covenant of good faith and fair dealing, breach of the implied warranty of merchantability, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.[4]And they bring a separate cause of action for declaratory relief.

         III. Analysis

         A. Article III Standing

         VTech seeks dismissal of the complaint for lack of Article III standing. To establish standing under Article III, a plaintiff must show that they have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). The parties focus on the injury-in-fact requirement. A plaintiff must have “suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Spokeo, 136 S.Ct. at 1548 (quoting Lujan, 504 U.S. at 560). Plaintiffs argue that they suffered injuries in the form of (1) future harm and the time and expense of protecting themselves from that harm, (2) economic loss due to purchasing a product that turned out to be less valuable than it was held out to be, and (3) the emotional distress resulting from the public exposure of sensitive data concerning their children.

         1. Future Harm and Mitigation Expenses

         Allegations showing a “substantial risk” of future harm can establish Article III standing. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (citing Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S.Ct. 1138, 1150 n.5 (2013)). When that harm is imminent, mitigation expenses qualify as actual injuries that support Article III standing. Remijas, 794 F.3d at 694. Plaintiffs argue that, because a hacker breached VTech's network and stole their personally identifiable information, they faced a threat of future harm sufficient to confer standing. And while they suggest that that threat relates to multiple types of harm, they do not specifically address anything other than identity theft. They also argue that they would have acted reasonably in protecting themselves from identity theft by expending time and money to monitor their financial statements and credit reports. Plaintiffs rely on Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010), in which a substantial risk of harm (that ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.