CURRENT MONTH (February 2020)
Data Privacy
Court Enforces Arbitration Clause in Fortnite Data Breach Class Action
By John Ottaviani
A Fortnite user filed a class action suit alleging that the game had a security flaw that allowed hackers to steal debit card information. However, he will be forced to arbitrate his claims individually, according to the decision in Heidbreder v. Epic Games, Inc., No: 5:19-cv-348-BO (E.D.N.C. Feb. 3, 2020).
The court had no trouble finding that someone using the plaintiff’s Epic Games account agreed to the terms of an End User License Agreement, containing an arbitration clause. But the plaintiff argued the agreement should not be enforced for 3 reasons: (1) his minor son, who lacked contractual capacity and now disaffirms the agreement, agreed to the EULA; (2) the claims in the lawsuit did not fall within the scope of the arbitration provision, and (3) the arbitration clause was unconscionable.
Chief Judge Boyle rejected all three arguments. With respect to the claim that the minor accepted the EULA, the court found that the minor “was acting as [the father’s] agent and had both actual and apparent authority” to accept the terms and sign the EULA. A key fact in this conclusion was the fact that, although the father created the account, it was used exclusively by his son every day for over a year. The argument that the claims in suit fall outside the scope of the arbitration provision failed, because the arbitration provision expressly stated that “ … whether a dispute is subject to arbitration under this Agreement will be determined by the arbitrator rather than a court.” Finally, the court rejected the unconscionability claims, in part because the plaintiff had an “opt out” period of 30 days after accepting the terms.
NY Federal Court Requires Insurer to Cover Fraudulent Transfer
By Emily Bryant-Alvarez, Morris Nichols Arsht & Tunnell LLP
The United States District Court for the Southern District of New York recently held that an insurance provider, AIG, had to cover settlement costs arising from a third-party email “spoofing” attack that resulted in the fraudulent transfer of nearly $6 million from an investment fund over a period of three weeks. SS&C Technology Holdings, Inc. v. AIG Specialty Insurance Co., No. 19-7859 (S.D.N.Y. Jan. 29, 2020). Unknown third parties used “spoof” email domains to send requests to SS&C, a financial technology provider. The company, believing the requests to be from Tillage, processed wire transfers of funds from Tillage’s accounts to certain bank accounts in Hong Kong. These transfers resulted in the folding of Tillage Commodities Fund and led to litigation and an eventual settlement between Tillage and SS&C.
While AIG had agreed to pay SS&C’s defense costs, it denied coverage of the settlement. As a result, SS&C filed suit against AIG for breach of its indemnity policy and for breach of the implied covenant of good faith and fair dealing. The court agreed with SS&C, finding that AIG’s indemnity policy did not exclude coverage of this type of third party attack. The court, however, did not find that AIG acted in bad faith, noting that it is common for an insurance carrier to assert all possible reasons for exclusion under its insurance policy for fear of a party asserting waiver later on in the process. Accordingly, the court granted summary judgment in favor of SS&C on its breach of contract claim, and in favor of AIG, dismissing SS&C’s bad faith claim.
FTC Releases 2019 Privacy and Security Report
By Michael Fitzpatrick, Drexel University Thomas R. Kline School of Law
The Federal Trade Commission released its annual privacy and security update for 2019 and reported a record year. The FTC’s efforts to promote competition, and protect and educate consumers was specifically highlighted by the Commission’s enforcement actions in 2019. The FTC levied a $5 billion penalty against Facebook for violating its 2012 FTC privacy order and imposed new restrictions on the business’s operations. In regards to violations of the Children’s Online Privacy Protection Act (COPPA), the FTC obtained a $170 million penalty against YouTube and Google, and also found Retina-X, a stalking app, to have violated COPPA by enabling its apps to be used for illegitimate purposes. In cases involving the EU-U.S. Privacy shield framework, the FTC brought 13 cases against companies alleged to have made false promises related to the Privacy Shield. On the data security front, the FTC, working with the 50 states and territories, as well as the Consumer Financial Protection Bureau, announced a global settlement totaling $700 million with Equifax related to the company’s 2017 data security breach that affected approximately 147 million consumers. In addition to its enforcement actions, the FTC hosted four privacy-related events in 2019.