Data breach suit against ABA tossed by federal judge
A federal judge in New York has dismissed a proposed class action lawsuit filed against the ABA by two members who feared that their data was exposed in a March 2023 data breach.
U.S. District Judge Nicholas G. Garaufis of the Eastern District of New York dismissed the suit in an April 30 opinion. The dismissal was without prejudice, meaning that the plaintiffs can file an amended complaint.
Reuters and Law360 had coverage.
The ABA disclosed in April 2023 that a hacker had acquired usernames and “hashed and salted” passwords used to access online accounts on the old ABA website before 2018 and the ABA Career Center since 2018.
Hashing and salting passwords adds random characters to a plain text password. The ABA then converts the password to cybertext.
Garaufis said the plaintiffs failed to specify what security measures the ABA should have taken besides hashing and salting passwords.
Plaintiffs Tiffany Troy and Eric John Mata had alleged breach of an implied contract to safeguard data, violation of state consumer fraud laws, and deceptive practices under New York and Texas laws.
The plaintiffs contended that the ABA failed to comply with reasonable security standards, and the situation was worse because the ABA’s information technology department was poorly managed.
After the breach, the plaintiffs said, they received more than the usual number of spam texts, emails and phone calls. Troy also said someone tried to use her credit card to make an unauthorized purchase at Best Buy. Troy replaced her credit card and purchased Norton Lifelock identity theft protection.
Garaufis ruled that:
• The plaintiffs’ claims for breach of implied contract and deceptive practices in New York failed because they did not point to security measures that the ABA failed to implement. There are no factual allegations suggesting that the ABA’s use of hashed and salted passwords fell below industry standards, he said.
• The deceptive practices claim under Texas law failed because the plaintiffs failed to plead which of 34 deceptive practices banned by the statute were allegedly violated by the ABA. The court “need not undertake the exercise of determining which of plaintiffs’ factual allegations fit within which laundry list violation,” Garaufis said.
• The plaintiffs claimed that the ABA failed to take corrective action for more than 10 days and provided inadequate disclosure. But the ABA’s privacy policy does not promise notification as soon as a breach happens, “and no reasonable consumer would be misled to think otherwise,” Garaufis said. Nor do the plaintiffs allege that they actually saw or read the privacy policy before the breach.
• The consumer protection claims on behalf of class members must be dismissed because the plaintiffs’ individual claims were tossed, Garaufis said.