A Chicago federal judge has pulled the plug on a class action suit against electronic toymaker VTech, which alleged VTech did not protect parents' and childrens' personal data from a hacker, saying plaintiffs failed to show how the security breach harmed them.
The July 5 ruling was issued by Judge Manish Shah, of U.S. District Court for Northern Illinois. The decision favored VTech Electronics in a suit brought against the company by 22 plaintiffs. VTech is headquartered in Hong Kong, with its North American operations based in suburban Arlington Heights.
VTech makes digital learning toys for children, which includes smartphones and tablets. VTech offered online services, Kid Connect and The Learning Lodge, to which its products could connect. Customers could use these services to download content, acquire applications and updates, browse the Internet and send text, voice and image messages. Access to group bulletin boards was also available.
Customers had to furnish personal data, such as names, ages, addresses and photos, to sign on to these services. Children, as well as their parents, would also transmit similar information through VTech's online services.
On Nov. 14, 2015, a hacker broke into VTech's servers and downloaded the personal data for more than 2.8 million children and parents. The hacker contacted a reporter, who published a news story about the breach.
Several suits were filed in succeeding weeks; the suits were consolidated a few months later. Plaintiffs include eight adults and 14 children. The adults alleged that because of VTech's inadequate security measures, they fear they are at increased risk of identity theft and their children could suffer harm at the hands of predators.
Plaintiffs claimed that, although VTech promised in its customer privacy policy to encrypt customer data during transmission and store the data in a place inaccessible to the Internet, the company did not do so.
VTech filed a motion to dismiss the suit, which Judge Shah granted.
Shah concluded plaintiffs did not show how they were harmed. Rather, they only made contentions that were "speculative."
"Plaintiffs fail to make the connection between the data breach they allege and the identify theft they fear. Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identify theft," Shah said.
If increased risk of identity theft has occurred, plaintiffs failed to say what costs they've incurred mitigating the risk, the judge said.
Shah also noted the personal data did not include financial data, such as credit card numbers.
Shah further pointed out that in the news story about the hacking, the hacker said he was not going to do anything with the information.
"Frankly, it makes me sick that I was able to get all of this stuff," the hacker was quoted in the article.
A status hearing is set for July 14. Shah noted in his dismissal ruling that it is customary to give plaintiffs the chance to keep their action going by amending their suit.
Plaintiffs are represented by the following firms: Stephan, Zouras LLP, of Chicago; The Hinton Law Firm, of New York; Morgan & Morgan Complex Litigation Group, of Tampa, Fla.; Rosen Law Firm, of New York; Abbott Law Group, of Jacksonville, Fla.; Wexler Wallace, of Chicago; Hefner Hurst, of Chicago; Keller Rohrback LLP, of Seattle; and Lieff, Cabraser, Heimann & Bernstein, of New York and San Francisco.
VTech is defended by Steptoe & Johnson, of New York and Chicago.