Many consumers have become painfully aware of the risks that data breaches pose in a digital world. And now, their legal claims may not be ultimately decided by a judge or jury but sent off to arbitration.
Earlier this month, a federal judge in California did just that and sent a proposed class action data breach case to arbitration. U.S. District Judge Fernando M. Olguin held that the plaintiff had “clearly and unmistakably delegated the arbitrability issue to the arbitrator,” and granted a motion to compel arbitration filed by defendant Under Armour Inc. The lawsuit alleges that Under Armour failed to secure its MyFitnessPal nutrition application against a data security breach.
In April 2018, the putative class action complaint was filed by a MyFitnessPal user in California state court after Under Armour disclosed – a month earlier – that “an unauthorized party acquired data associated with MyFitnessPal user accounts” and that “approximately 150 million user accounts were affected.” According to Under Armour, the compromised information included usernames, email addresses, and hashed passwords.
At the time, commenters noted that the incident was then considered one of the largest reported data security breaches in history.
MyFitnessPal is a smartphone application that allows users to track their physical activity and diets. Under Armour, the American sportswear company, acquired MyFitnessPal for approximately $475 million in 2015.
After removing the case to federal court, Under Armour sought to compel arbitration, arguing that MyFitnessPal’s terms and conditions not only required that plaintiff’s claims be arbitrated but that plaintiff could only bring her claims on an individual basis. Under Armour argued that the MyFitnessPal app required all users to accept its terms and conditions before using it.
Judge Olguin observed that so-called “clickwrap” agreements, in which online users click “OK,” “Accept,” or “Agree” to accept the terms of an agreement, are generally sufficient to provide a user with notice of the terms of an agreement. The court also held that the incorporation of the American Arbitration Association Rules in the MyFitnessPal app’s terms and conditions was sufficient to delegate the question of whether plaintiff’s claims are arbitrable to an arbitrator.
This isn’t the first time a data breach case has been sent to arbitration. In another case filed in California, a federal judge held that a class action arising from the 2016 data breach involving Uber Technologies Inc. must also go to arbitration. The court granted Uber’s motion to compel arbitration in the class action suit brought after the 2016 data breach, which affected 57 million Uber riders and 600,000 Uber drivers.
The case caption is Rebecca Elizabeth Murray v. Under Armour, et al., 18-cv-4032 (FMO) (C.D. Cal.).
We will continue to monitor cases in this developing area.