ABA seeks to toss suit over limited data breach, saying allegations based on 'implausible assertion'
“Simply because the incident occurred, plaintiffs assume that ABA breached some undefined implied contract and violated [New York and Texas laws] through unidentified deceptive acts,” the ABA said in a dismissal motion. Image from Shutterstock.
The ABA is seeking to dismiss a data-breach lawsuit filed against the association, saying the plaintiffs are relying on “the implausible assertion” that the March 2023 incident exposed the plaintiffs’ personal and financial data.
The plaintiffs, Tiffany Troy and Eric John Mata, based their federal suit on “information and belief.” Yet the only information that the plaintiffs cited is the ABA’s April 20 notice to members, which didn’t say anything about personal, financial or other information being stolen or accessed by the cyberhackers, according to the ABA dismissal motion filed Nov. 21 in U.S. District Court for the Eastern District of New York.
The notice said the breach exposed information for member logins to the old ABA website before 2018 and the ABA Career Center since 2018. The breach exposed usernames and “hashed and salted” passwords—meaning that random characters were added to the passwords—that may have been used to access some online accounts, the notice said.
Troy and Mata joined the ABA in 2018 and 2022, respectively, which means that they did not change their ABA-assigned username and password for the old ABA website. Nor did they allege that they provided or stored financial information with the ABA Career Center, the ABA said.
“Simply because the incident occurred, plaintiffs assume that ABA breached some undefined implied contract and violated [New York and Texas laws] through unidentified deceptive acts,” the ABA said.
The plaintiffs fail to plausibly allege forming a contract with the ABA for data security or that the ABA breached any such contract, the ABA says. They also fail to identify materially misleading of deceptive acts by the ABA, the motion said.
The ABA motion also said the plaintiffs’ claimed that damages are “implausible and speculative.” One of the plaintiffs’ damages claims is based on LifeLock security protection, but they didn’t buy it until five months after filing suit, the ABA says.
Law360 covered the ABA’s dismissal motion and the plaintiffs’ Nov. 21 reply to the motion. The plaintiffs are seeking class action status.
Troy said she received several spam text messages after the hack, and someone tried to use her business credit card to spend more than $1,000 at Best Buy. Mata also received three spam phone calls and two spam emails.
The “temporal proximity” to the data leak suggests that it was the cause, the reply to the dismissal motion said.
“The hackers who accessed this personal information have wasted no time in putting it to nefarious use,” Troy and Mata said in the reply.
The plaintiffs said they entered into an implied contract as dues-paying ABA members and purchasers of ABA products, and the ABA exaggerated the stringency of its security measures.
The ABA, which does not comment on pending litigation, is represented by Greenberg Traurig in the suit. The plaintiffs are represented by Troy Law.