On June 28, 2018, Adidas released a statement announcing that it recently “became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.” Adidas believed the breach was limited to contact information, usernames and encrypted passwords, and not any stored credit card or fitness information, relating to millions of its customers.
Subsequently, on July 3, 2018, a plaintiff, on behalf of himself and all others similarly situated, filed a complaint in the San Diego County Superior Court. The complaint set forth five separate counts: 1) negligence; 2) breach of contract; 3) breach of implied contract; 4) violation of the California Customer Records Act; and 5) unlawful and unfair business practices under the California Business and Professions Code.
The named plaintiff—Christian Duke—alleges that his claims are typical of the class because “[his] information, like that of other members of the class, was misused and/or disclosed by [Adidas] and requires responsive efforts.” As further justification for the class, he also notes that, individually, the putative-class’s damages may be insufficient to warrant the costs of litigation.
With regard to the breach, Duke alleged that Adidas failed to implement appropriate security processes, including that it:
[F]ail[ed] to ensure that the companies with which it shared members’ Personal Information implemented and maintained adequate security measures to safeguard such information, including encryption, implementation of multi-factor authentication, and usage of behavior monitoring technology to detect unusual activity and transfers of data.
Plaintiff further claims that Adidas failed to timely notify those members whose information had been compromised—despite the representations in Adidas’s statement that it was notifying customers within roughly forty-eight hours of being made aware of the breach. The complaint also asks the court to require Adidas to “notify customers of any future data breaches by email within 24 hours of a breach or possible breach.” (Emphasis supplied.) Plaintiff further seeks compensatory damages, statutory damages, and equitable relief, along with fees and costs.
Last Friday, September 7, 2018, Adidas removed the action to the United States District Court for the Southern District of California, where it is now pending before District Judge Larry Alan Burns. It will be interesting to see what challenges Adidas is able to raise, based on the Ninth Circuit’s fairly liberal view of standing in data breach cases. See, e.g., Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.), 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing where “the information taken in the data breach […] gave hackers the means to commit fraud or identity theft”). It will also be fascinating to see if the court has the opportunity to consider Plaintiff’s claim for more stringent breach notification requirements—a rather unique remedy. We’ll keep an eye on this case as it potentially makes its way through the Southern District of California.