Data Breach Case Based on Industry Standards Fails
- Paul Peter Nicolai
- Mar 25
A federal court recently decided that, in a data breach case based on an implied contract between a consumer and a business, the consumer needs to provide specific facts beyond the business not meeting industry standards to keep the case going after a motion to dismiss.
A hacker accessed the defendant’s network, obtaining personal member information. Due to the breach, the plaintiffs claim they incurred identity theft-related expenses, such as credit card fraud, spam emails, and unwanted calls. This situation is typical in class action lawsuits.
The court dismissed the claim that the defendant did not follow industry standards when storing its members' private data using hashed and salted passwords designed to keep a person's password identity secure. The court explained that without detailed allegations specifying which security measures the defendant allegedly failed to implement, the plaintiffs simply couldn't back up their claims of breach of an implied contract. It found that a vague statement about the actions being against industry standards wasn't enough to prove the plaintiffs' point.