The Complaint:
In March 2020, a class action lawsuit was filed against Zynga – a widely popular mobile gaming company – stemming from a data breach that exposed the personal information of 173 million users. The lawsuit was brought on behalf of a nationwide class of Zynga users, bifurcated into two subclasses: an "Adult Subclass" and a "Minor Subclass." The lawsuit alleges statutory violations and common law tort claims based on Zynga's alleged failure to adequately protect the users' personally identifiable information ("PII") and inadequate notification procedures.
The breach exposed personally identifiable information ("PII"), such as users' names, email addresses, login IDs, password reset tokens, Facebook IDs, Zynga account IDs, and passwords secured with SHA-1 cryptography, "an encryption method that 'has been considered outdated and insecure since before Zynga was even founded.'" Complaint ¶ 42. According to the Complaint, this was the tenth largest data breach of all time. The breached information exposes Zynga users to an increased chance of identity theft and criminal misuse of their personal information.
This alleged harm was compounded by Zynga's failure to adequately notify its users of the breach. In response to the data breach, Zynga posted a statement on its website indicating that "certain player account information may have been illegally accessed."[1] This notice was purportedly inadequate because it concealed scope of the breach and did not indicate they type of information that was compromised. The Complaint further alleges that Zynga failed to provide adequate notice of the breach when it posted the notice on its website instead of e-mailing users affected by the breach. Zynga has also been criticized for dismissing the breach as "one of the unfortunate realities of doing business today"[2] when it was using outdated methods to protect its users' personal information.
Issues to Watch For:
1. Should Companies Store Users' Plain-Text Passwords?
The Complaint alleges that Zynga's storing of Plaintiffs' plain-text passwords increased the risk of a breach. When a hacker accesses a user's email address and plain-text password, there is an increased risk of exposure because many users have the same password for multiple accounts. Although Zynga used an encryption method that made the passwords more difficult for hackers to exploit, some data privacy experts believe Zynga did not do enough. In discussing Zynga's breach, one expert said that "[i]n today's day and age, no company should be storing cleartext passwords . . . the breach of this nature can lead to other accounts of individuals being compromised."[3]
2. Does a Minor's PII Deserve More Protection Than an Adult's?
A related issue likely to arise during this litigation is whether Zynga owed a heightened duty of care to the Minor Subclass of Plaintiffs affected by the breach. According to the Complaint, minors are at an increased risk of harm following a data breach because they are less likely to discover the breach and take measures to mitigate their harm. If the court finds that minors' personal information deserves greater protection than adults, it will impact how companies protect information or restrict who may access the company's service.
3. Should Zynga Be Required to Notify Those Affected by the Breach Via E-mail?
The Plaintiffs' Complaint faults Zynga for its failure to notify the affected users of the breach via e-mail. Instead, Zynga posted a notice of the breach on its website. This, according to the Complaint, was insufficient because only those users who happened to visit Zynga's website or heard about it in the news would have knowledge of the breach. Further, Plaintiffs allege that Zynga had the ability to send an e-mail notification to its users because providing an e-mail address is a prerequisite for using Zynga's services.
Even if Zynga could have – or should have – notified its users of the breach via email, was it required to do so? Probably not. In fact, notice by e-mail is generally not authorized in most states, unless it is done in compliance with the federal eSIGN statute or the e-mail complies with nuanced, state-specific requirements. Wyoming is the only state that would allow Zynga to provide its residents e-mail notice without qualification. Every other state requires that certain conditions are met before a company may notify users of a data breach via email.
Under Ohio law, Zynga was not required to notify its Ohio consumers of the breach via e-mail. Ohio law gives Zynga the choice to provide written, telephonic, or electronic notice if the parties' typically communicate via electronic means. If Zynga wanted to notify its users via email in accordance with Ohio law, it would have to show that the cost of providing notice would exceed $250,000, or that more than 500,000 Ohioans' data was compromised. Assuming Zynga qualified for e-mail notice in Ohio, it would also have to post the notification on its website and notify major news outlets whose audience exceeds 75-percent of the state's population.
Simply put, Zynga took the path of least resistance. E-mail notification is not required and could expose Zynga to additional liability if it fails to meet the patchwork of state-specific requirements.
4. Will Zynga's Arbitration Agreement and Class Action Waiver Hold?
Under Zynga's Terms of Service, users agreed to resolve all disputes through binding arbitration. Users also waived their right to bring a claim against Zynga in a class, consolidated, or representative action. Zynga will likely raise these provisions in its answer.
The Plaintiffs' Complaint tries to get around Zynga's arbitration and waiver provisions as they apply to the subclass of minors. The Complaint alleges that their status as minors makes Zynga unable to enforce its Terms of Service against them. Zynga could rebut this allegation with another provision in its Terms of Service, which provides that users under the age of 18 represent that their legal guardian has reviewed and agreed to its terms. Since the minor's complaint against Zynga is brought "by and through his natural parent," it will be interesting to see whether the minor Plaintiff can disaffirm his agreement. The Complaint does not address how the Adult Subclass is able to bring a class action lawsuit in light of their agreement with Zynga.
[1] Player Security Announcement, Zynga Inc. (Sept. 12, 2019).
[2] Id.
[3] Jay Jay, Zynga served class-action lawsuit for Words with Friends data breach, Teiss (Mar. 05, 2020).
