InfoBytes Blog
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”