Framing Unfair and Deceptive Trade Practices Claims in Data-Breach Lawsuits
Ellis & Winters
We wrote last year about an interesting data-breach lawsuit in federal court in Chicago involving internet-connected toys. The case, called In re VTech Data Breach Litigation, arose after hackers stole personal information that parents supplied when they registered for online accounts with the toy manufacturer, called VTech Electronics.
The plaintiffs, we noted, overcame a standing challenge by VTech by alleging a novel theory of injury. Instead of focusing, like many data-breach plaintiffs do, on the risk of future identity theft caused by the data breach, they instead alleged they “overpaid” for the toys and the accompanying online services because VTech failed to use reasonable data-security measures.
That argument was good enough to establish an “injury in fact” and get the plaintiffs over Article III’s standing hurdle. But the court still dismissed their complaint under Rule 12(b)(6). It found that the plaintiffs could not make out a breach of contract claim because they could not show that the price they paid for the toys included a payment for data security measures.
The plaintiffs then filed a new, amended complaint. That amended complaint included a claim under Illinois’s Consumer Fraud and Deceptive Business Practices Act (the “ICFA”).
VTech again moved to dismiss under Rule 12(b)(6).
This post examines how the court handled that motion; we’ll call the new decision VTech II. As we’ll see, the decision teaches an important lesson on the framing of unfair and deceptive trade practices claims when the claim concerns a data breach.
The ICFA: Unfairness vs. Deception
The ICFA extends to two broad categories of conduct: deception and unfairness. The pleading standards for each category, however, are different.
When an ICFA claim relies on deceptive conduct, the plaintiff must allege the deceptive conduct with particularity. In federal court, a deception-based ICFA claim must satisfy Federal Rule of Civil Procedure Rule 9(b)’s heightened pleading standard.
ICFA claims that allege “unfair” conduct, by contrast, need only satisfy the relaxed pleading standards of Rule 8.
Here the plaintiffs’ ICFA claim alleged that VTech’s failure to protect their personal information from the hackers was both unfair and deceptive.
So which pleading standard applied to those allegations?
Show me the details
VTech argued that Rule 9(b)’s heightened pleading standard applied to all of the plaintiffs’ ICFA allegations.
Those allegations, VTech observed, all asserted that VTech engaged in misrepresentations, omissions, and fraudulent conduct when it sold products and services without providing reasonable data security. Although the plaintiffs also characterized that conduct as “unfair,” they alleged no separate conduct to support their unfairness claim.
And as for their deception claim, the plaintiffs, said VTech, failed to plead that claim with the requisite particularity. Although the plaintiffs had generally alleged that VTech promised reasonable data security, they failed identify specific misrepresentations that they read and relied on when they purchased VTech’s products.
Lies, damned lies, and unfairness
The plaintiffs had two arguments in response.
First, they countered that their deception allegations satisfied Rule 9(b) because they identified specific misrepresentations and omissions on the products’ packaging.
Second, the plaintiffs argued that they had properly pleaded a separate unfairness claim under the ICFA. To that end, they argued that VTech’s failure to provide reasonable data security violated two independent duties:
- an ethical duty to safeguard its customers’ personal information; and
- a statutory duty under a federal law called the Children’s Online Privacy Protection Act.
Two ICFA theories cannot occupy the same space at the same time
The court sided with VTech.
The court first concluded that Rule 9(b) applied to all of the plaintiffs’ ICFA allegations. The ICFA claims, explained the court, were primarily based on VTech’s alleged misrepresentations that its toys were safe and secure—and a corresponding failure to disclose that they were not in fact safe. The conduct alleged to be “unfair”—disregarding ethical and statutory duties to protect customers’ information—completely overlapped with the allegedly deceptive conduct.
Thus, reasoned the court, the plaintiffs could not make out a separate unfairness claim to avoid Rule 9(b)’s heightened pleading standard: “plaintiffs cannot rely on the same conduct to establish separate unfair and deceptive theories under the ICFA.”
Having concluded that Rule 9(b) applied to the ICFA claim, the court went on to find that the plaintiffs had failed to meet that rule’s demanding standards. The amended complaint, explained the court, failed to identify any specific misrepresentation that the plaintiffs relied on or any omitted facts that VTech should have included to avoid a misrepresentation.
The court therefore dismissed the ICFA claim.
Lessons for Litigants
VTech II reinforces a key point we’ve discussed before: properly framing an unfair and deceptive trade practices claim can make the difference between survival and dismissal.
In particular, when the law requires plaintiffs to allege a misrepresentation-based claim with particularly (as with the ICFA and its North Carolina counterpart section 75-1.1), data-breach plaintiffs must carefully consider whether they’ve got the goods to meet that standard before alleging deceptive conduct.
When they don’t, data-breach defendants like VTech can use a failed deception claim to sink any related unfairness claim.
Author: Alex Pearce