Two days ago, StockX was sued in a data breach class action in the Southern District of Florida. The alleged claim is that StockX failed to secure and safeguard the personally identifiable information that was collected and maintained on the e-commerce platform. There is also a claim that StockX failed to provide timely and adequate notice to customers about the data incident.
What is StockX
I know of StockX because it comes up on my Instagram feed to buy and sell Jordan sneakers (yes, I bought ONE pair of Jordans and now the internet thinks I am a Jordan fanatic). StockX markets itself as the "Stock Market of Things." Essentially, StockX is an e-commerce platform for urban fashion enthusiasts (e.g. sneaker-heads). It acts like a middleman between buyers and sellers.
Before allowing a consumer to make a purchase, StockX requires users to create an online profile and input personal information such as a user’s name, email address, password, payment information and other related profile information.
The Alleged Data Breach
In August 2019, several media outlets reported that more than 6.8 million records were stolen from StockX's website in May of 2019.
In the Complaint, there is an allegation that despite knowing its records had been hacked, StockX did not inform its users and instead tried to hide the fact by sending out a notification telling its users to reset their passwords citing “system updates.”
This is where the plot thickens.
Before the Complaint was filed, TechCrunch reported the following:
An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.
In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.
The seller provided TechCrunch a sample of 1,000 records. We contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.
The Complaint was filed within days of TechCrunch's report.
What Are the Claims?
The class members are claiming that StockX has a duty to exercise reasonable care in safeguarding, securing and protecting customer information from being compromised, lost, stolen, misused, and/or disclosed to unauthorized parties. But, StockX allegedly did not provide adequate security for the data in its possession.
Most interesting is the allegation that StockX did not comply with various State's data breach notification laws. Those include:
a. California, Cal. Civ. Code §§ 1798.80 et. seq.;
b. Florida, Fla. Stat. § 501.171, et seq.,
c. Hawaii, Haw. Rev. Stat. § 487N-1–4 (2006);
d. Illinois, 815 Ill. Comp Stat. Ann. 530/1–/30 (2006);
e. Louisiana, La. Rev. Stat. § 51:3071-3077 (2005), and L.A.C. 16:III.701;
f. Michigan, Mich. Comp. Laws Ann. §§ 445.63, 445.65, 445.72 (2006);
g. New Hampshire, N.H. Rev. Stat. Ann. §§ 359-C:19–C:21, 358-A:4
(2006)., 332-I:1–I:610;
h. New Jersey, N.J. Stat. Ann. § 56:8-163–66 (2005);
i. North Carolina, N.C. Gen. Stat. §§ 75-65 (2005); as amended (2009);
j. Oregon, Or. Rev. Stat. §§ 646A.602, 646A.604, 646A.624 (2011);
k. Puerto Rico, 10 L.P.R.A. § 4051; 10 L.P.R.A. § 4052 (2005), as amended
(2008);
l. South Carolina, S.C. Code § 1-11-490 (2008); S.C. Code § 39-1-90
(2009);
m. Virgin Islands, 14 V.I.C. § 2208, et seq. (2005);
n. Virginia, Va. Code Ann. § 18.2-186.6 (2008); Va. Code Ann. § 32.1–
127.1:05 (2011); and,
o. the District of Columbia, D.C. Code § 28-3851 to 28-3853 (2007).
In an August 8, 2019 post on StockX's website, there was the following statement:
On July 26, 2019, we were alerted to suspicious activity potentially involving our customer data. We immediately launched a forensic investigation and engaged experienced third-party data experts to assist. Though our investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, address, username, hashed passwords, and purchase history. From our investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted.
For my Jordans
Let us not forget, StockX was the victim of a cyber-crime, yet it is being sued. Of course, these are just allegations (the Plaintiffs' side of the story). We will see how StockX responds.
StockX may argue that all or most of these purported class members have not actually been harmed by the alleged breach; therefore, they do not have standing to sue StockX. This is a common issue that every jurisdiction is grappling with: how to prove actual or concrete harm in a data breach.
Based on the Eleventh Circuit's 2019 opinion in Muransky v. Godiva Chocolatier, Inc., there is a chance that the Southern District will find proper standing in this case and allow the parties to proceed through litigation.
It may seem like just another data breach case, but this is one I find interesting (because of my Jordans).
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
Comments