A recent class action refiled in federal court against Shopify highlights a growing trend of lawsuits against companies related to the theft of cryptocurrency, particularly as a result of internal company threats. See Forsberg et al v. Shopify, Inc. et al, 1:22-cv-00436 (D. Del.). Despite not itself being a repository for or facilitating the sale of any cryptocurrency, the plaintiffs in the Shopify case allege that Shopify is liable for a theft of cryptocurrency after Shopify experienced a data breach caused by its own employees, which exposed a customer list for a cryptocurrency hardware wallet vendor, Ledger SAS. As cryptocurrency storage and related transactions increasingly feature in companies’ online presence, there is likely to be a growing risk posed by threat actors motivated to target crypto-related assets and data, and more litigation activity in this space. According to the complaint, the Shopify case arose from a 2020 data breach. In the cryptocurrency space, actual units of currency (e.g., bitcoin) are stored in digital “wallets” that are protected by “private keys.” Private keys are access codes known only to the owner of the wallet. Owners of cryptocurrency can store these private keys in internet-accessible databases and/or in physical devices or storage spaces that are not connected to the internet.
Plaintiffs allege that Ledger SAS is a vendor of these physical devices and that it used Shopify as its e-commerce platform. Because of this, they contend that Shopify possessed a list of customers who had purchased Ledger devices, including full names, emails, and physical addresses, and that this information allegedly was leaked by “two rogue members of [Shopify’s] support team” at the behest of a hacker. Plaintiffs aver that Shopify’s alleged negligence in failing to prevent the data breach, coupled with allegedly delayed notice, allowed hackers to use the information to launch phishing attacks against plaintiffs and putative class members resulting in the loss of cryptocurrency and other injuries. While Shopify and Ledger initially succeeded in securing dismissal of the lawsuit on personal jurisdiction grounds when it was filed in federal district court in California, a different set of named plaintiffs have since refiled these claims in the district of Delaware, where Shopify USA is incorporated.
Due to the nature of cryptocurrency valuations, the individual damages claims in these cases have the potential to far exceed the more nominal individual amounts in a typical data breach case where the primary payout is identity theft protection services. Furthermore, cryptocurrency transactions often are non-reversible, so unlike thefts from traditional online banking services, it may be difficult or impossible to claw back stolen crypto funds. Other cases have been filed recently involving similar theories relating to data breaches that allegedly resulted in the theft of cryptocurrency, including in the Northern and Central Districts of California, suggesting that this area will continue to face increasing litigation activity.