Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

District Court: Applying Michigan law is contrary to California’s interest in protecting citizens in data breach case

Courts Privacy/Cyber Risk & Data Security Data Breach Class Action Arbitration State Issues

Courts

On June 15, the U.S. District Court for the Eastern District of Michigan denied an e-commerce company’s request to compel arbitration after reviewing whether Michigan or California state law applied to class claims concerning a 2019 data breach. After four actions against the company were consolidated and transferred from California court to Michigan, a separate putative class action was filed in the U.S. District Court for the Northern District of California related to the data breach. Members in this putative class action brought claims against the company for allegedly failing to protect California residents’ confidential and personal information from the 2019 data breach. The class sought public injunctive relief under California’s Consumer Records Act (CRA) and Unfair Competition Law, arguing, among other things, that the potential for “future injury to the general public” remains because the company has not changed its practices.

The court initially granted the company’s motion to compel arbitration according to its terms of service and privacy policy, which contained a mandatory arbitration clause as well as a clause requiring parties to apply Michigan law to all claims or disputes. However, because the order applied to the originally amended consolidated class action complaint that did not include the newest California putative class action, the court reopened the case in order to determine which state law applied to the California class’s claims. In denying the company’s motion to compel arbitration, the court cited to McGill v. Citibank (covered by a Buckley Special Alert here, which held that a waiver of the plaintiff’s substantive right to seek public injunctive relief is not enforceable) and determined that applying Michigan law is “contrary” to California’s “materially greater interest in protecting its citizens”—particularly because the alleged violations are ongoing. The court rejected the company’s argument that McGill did not apply in this case because the putative class is seeking an injunction that would only benefit a narrow subset of individuals whose data was stolen rather than the general public. According to the court, rejecting the putative class’s claims for this reason would allow the company “to continue engaging in inadequate data protection practices in violation of the Unfair Competition and CRA and leave consumers unable to adjudicate their claims based on those practices on behalf of the public.” The putative class’s proposed 12-point injunction would, among other things, require the company to hire third-party security auditors and implement other reasonable and appropriate security practices and procedures, which would benefit all future customers, not only those harmed in the 2019 data breach, the court stated, adding that the proposed class has “nothing to personally gain from an injunction requiring [the company] to employ safer data practices” because their data was already compromised.