PayPal faces class action over data breach affecting 35,000 customers

Payments giant accused of negligence and violation of FTC guidelines.

A class action alleging PayPal breached FTC guidelines on data protection has been filed after the information of 35,000 users was compromised in a cyberattack.

The lawsuit was filed last week in the Northern District of California by two plaintiffs, one from Texas and one from Nebraska. They accuse the payments giant of negligence in its protection of consumer data.

Nine separate charges make up the complaint, with PayPal accused of breaking multiple state consumer protection laws, breaching contracts, unjust enrichment, negligence, and negligence per se. The complaint also cites failure to meet a number of guidelines laid down by the National Institute of Standards and Technology’s Cybersecurity Frameworks.

The negligence per se charge essentially means that PayPal is accused of breaching a duty of care imposed by a specific law, rather than one set down by a more general legal duty of care.

Harms suffered

The plaintiffs cite a number of harms they have suffered due to the data breach. These include having to spend time dealing with the effects of the breach, being exposed to a sharply increased risk of fraud and identity theft, and incurring substantial costs for credit monitoring and related services.

PayPal discovered it had been subject to a cyberattack just before the Christmas holidays in 2022. Further investigation revealed the attack had taken place between December 6 and December 8, and notice of it was sent out on January 19.

The lawsuit asks for an as yet unspecified amount of money in damages, as equitable relief, and as funding for lifetime credit monitoring and identity theft insurance. Due to the difficulties in naming the large number of victims, the judge has also been asked to designate the lawsuit as a class action.

Millions of dollars

Data breach class actions have yielded some big figures, as settlements can reach many millions of dollars. The stakes became clear when Equifax was ordered to pay over $380m in an initial settlement after 147 million Americans had their personal and financial information accessed following a data breach.

The settlement also included an additional $125m to cover any required payment of out-of-pocket losses, and will see Equifax potentially pay out a further eye-watering $2 billion if all 147 million members of the class action sign up for credit monitoring.

Other notable settlements include:

  • Home Depot ($200m);
  • Capital One ($190m);
  • Uber ($148m);
  • Morgan Stanley ($120m);
  • Yahoo ($85m).

In 2021, the Supreme Court attempted to set a standard for data privacy class actions brought under the Fair Credit Reporting Act (FCRA). The TransUnion LLC v Ramirez case saw 8,000 customers of TransUnion file a class action for violation of the FCRA. A total of 1,853 had their credit reports distributed to third parties, and the Court found that only that group had standing to bring a lawsuit.

The California Privacy Protection Act (CCPA) provides for statutory damages of between $100 and $750 per consumer per incident or actual damages – whichever is the greater.

Congress is also currently considering a federal bill, the American Data Privacy and Protection Act, which would pre-empt state privacy laws and limit any private right of action.