North Carolina District Court Dismisses Filters Fast’s Motion to Dismiss Against Proposed Data Breach Class Action

North Carolina District Court Dismisses Filters Fast’s Motion to Dismiss Against Proposed Data Breach Class Action

On July 19, 2021, the United States District Court, Western District of North Carolina dismissed Filters Fast LLC’s motion to dismiss filed against a proposed data breach class action. The Court held that the plaintiffs had demonstrated adequate harm to prove Article III standing. McCreary v. Filters Fast, LLC, 3:20-cv-595-FDW-DCK (W.D.N.C. July 19, 2021)

The proposed class action arose due to a data breach through Filters Fast’s shopping website, between the years July 2019 and July 2020. The plaintiffs claimed that the said data breach happened solely due to Filters Fast’s negligence and failure to adopt reasonable security measures and thereby allowed cyber criminals to access the company’s database for nearly a year, install malicious code on its website and steal the personal and financial data of several customers. As per the complaint, Filters Fast discovered the alleged data security incident in February 2020, and later an investigation revealed that hackers had added malicious code to its website on July 15, 2019. The said code allowed unauthorized access to data of atleast 323,000 customer’s names, shipping and billing addresses and payment card details.

In response, Filters Fast filed a motion to dismiss the proposed class action and argued that the plaintiffs could not establish their standing in the class action suit, to sue in federal court as they did not assert any concrete harm. However, the Court disagreed with Filters Fast and agreed with the plaintiffs’ allegation of misuse of their payment cards as a result of the breach. The Court noted that although the plaintiffs did not allege an economic injury due to the data breach, the plaintiffs satisfied their claim of misuse of their personal data. The Court observed that “[t]hese allegations of actual misuse bring the ‘actual and threatened harm’ alleged by Plaintiffs ‘out of the realm of speculation and into the realm of sufficiently imminent and particularized harm.”

Apart from the class action in question, Filters Fast had to enter into a settlement agreement, dated May 18, 2021, with the New York Attorney General as a result of an investigation conducted by the New York state related to the same breach. In the Matter of Investigation by Letitia James v Filters Fast LLC, Assurance No. 21-015 (May 17, 2015). As per the settlement, Filters Fast agreed to pay $200,000 to the state. In addition to the same, the Filters Fast will be required to (1) execute and enforce systems and security measures to prevent future data breaches; (2) create a security program to ensure regular updates and report to Filters Fast’s CEO; (3) execute an incident response and data breach notification plan to identify, contain, eradicate and recover from breaches; and (4) ensure that third-party security assessments take place over the next five years.

Through the judgment, the Court had set a lower standard for allowing a data breach class action, than the other data breach class action suit being litigated simultaneously. With the increasing data breach instances, class action against the same are on an increasing trend and the above discussed judgment welcomes the same by setting a lower standard for satisfying the injury in a data breach class action.