Baton v. Ledger SAS
740 F.Supp.3d 847
N.D. Cal.
2024

Background

  • Plaintiffs are purchasers of Ledger hardware wallets whose personal identifying information (PII) was exposed in a 2020 breach after rogue TaskUs employees conspired with a third party to exfiltrate Shopify-hosted merchant data; over 270,000 Ledger users’ contact data was published online.
  • Plaintiffs sued Ledger (France), Shopify (platform/vendor), and TaskUs (customer‑support vendor) asserting UCL, CLRA, negligence, NY GBL § 349, and related claims on behalf of several proposed national and state subclasses; TaskUs was later added as a defendant.
  • The Ninth Circuit previously found specific jurisdiction over Ledger but enforced Ledger’s forum‑selection clause except as to California resident consumer class claims; it also remanded for jurisdictional discovery as to Shopify’s Data Protection Officer (DPO).
  • After jurisdictional discovery, the district court found personal jurisdiction over Shopify (based on the DPO’s significant, California‑based role) and over TaskUs (which was headquartered in California during the breach), but held that Ledger’s French forum clause does not bar Plaintiffs’ UCL claim in California.
  • The court held plaintiffs have Article III standing generally (though Seirafi lacks standing to seek prospective injunctive relief against Ledger), struck the overbroad California Consumer Subclass (leave to amend), and resolved Rule 12(b)(6) arguments: some UCL theories survive against Ledger; CLRA and UCL fraud prong claims against Ledger are dismissed; negligence and NY § 349 claims survive against TaskUs but negligence per se is dismissed.

Issues

Issue: Article III standing (disclosure of PII)
  • Plaintiff's Argument: Seirafi: publication of name/email/address tied to Ledger ownership is a concrete privacy/invasion injury and increased risk of phishing/extortion; also benefit‑of‑the‑bargain overpayment injury
  • Defendant's Argument: Ledger: exposure of basic contact info is not a concrete injury absent identity theft or monetary loss; hardware wallet remained secure
  • Held: Standing exists — disclosure of PII tied to ownership of Ledger (indicating crypto wealth) is a concrete privacy injury; benefit‑of‑bargain and lost‑value allegations also plausible; some emotional‑distress/DOB/asset‑type allegations conceded/dismissed

Issue: Standing for injunctive relief
  • Plaintiff's Argument: Plaintiffs seek injunctive relief against Ledger and TaskUs to fix security and correct misrepresentations
  • Defendant's Argument: Ledger: past harm only; no realistic threat of future deception; TaskUs: rogue employees fired absolve risk
  • Held: Seirafi lacks standing for injunctive relief against Ledger (not seeking to repurchase/rely); Plaintiffs have standing to seek injunctive relief against TaskUs (ongoing risk/alleged inadequate security)

Issue: Personal jurisdiction over Shopify and TaskUs
  • Plaintiff's Argument: Plaintiffs: Shopify’s DPO worked from California and oversaw privacy/security responses; TaskUs headquartered in CA during breach
  • Defendant's Argument: Shopify/TaskUs: contacts insufficient (remote work fortuitous or not purposefully directed); Shopify is Canadian; TaskUs moved to Texas
  • Held: Specific jurisdiction over Shopify (DPO’s significant, California‑based role and connection to claims); general/specific jurisdiction over TaskUs (headquartered in CA during breach)

Issue: Forum‑selection clause (Ledger’s French clause)
  • Plaintiff's Argument: Plaintiffs: clause unenforceable for California consumer claims under California public policy favoring consumer class actions (Doe/AOL) and practical barriers in France
  • Defendant's Argument: Ledger: clause governs and should send most claims to France; UCL lacks anti‑waiver text so clause should apply to UCL
  • Held: Ledger’s clause does NOT bar Plaintiffs’ UCL claim here (French class procedures and remedies unlikely to vindicate California consumer rights); Shopify, as closely related vendor/agent, may invoke Ledger’s clause and is dismissed in favor of France

Issue: Sufficiency of UCL/CLRA fraud and misrepresentation claims against Ledger
  • Plaintiff's Argument: Seirafi alleges misleading security advertising and breach disclosures
  • Defendant's Argument: Ledger: many statements are puffery or relate only to hardware (not e‑commerce PII); privacy policy disclaimed perfect security; July disclosures were not false or knowingly misleading
  • Held: UCL “unfair” and “unlawful” prongs survive (e.g., failure to implement reasonable security); CLRA and UCL fraud‑prong claims dismissed for failure to plead particularized actionable misrepresentations (leave to amend)

Issue: Negligence and NY GBL § 349 claims against TaskUs; negligence per se
  • Plaintiff's Argument: Plaintiffs: TaskUs owed duty as vendor handling PII, breached by inadequate security/oversight and late/absent notice; injuries (phishing, crypto losses) flow from breach; § 349 covers consumer‑oriented omissions
  • Defendant's Argument: TaskUs: no special relationship/duty to plaintiffs; superseding criminal acts break causation; negligence per se cannot rest on FTCA (no private right)
  • Held: Negligence and NY § 349 claims plausibly pled (special relationship, foreseeability, proximate causation); negligence per se dismissed (FTCA lacks private right); declaratory/injunctive remedies for TaskUs permitted as tied to ongoing risk

Key Cases Cited

  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (standing requires concrete and particularized injury)
  • TransUnion LLC v. Ramirez, 594 U.S. 33 (2021) (public dissemination of private information can be a concrete injury under Article III)
  • Burger King Corp. v. Rudzewicz, 471 U.S. 462 (1985) (purposeful availment and reasonableness factors for personal jurisdiction)
  • Walden v. Fiore, 571 U.S. 277 (2014) (jurisdictional contacts must be defendant’s contacts with the forum, not plaintiff‑centered contacts)
  • M/S Bremen v. Zapata Off‑Shore Co., 407 U.S. 1 (1972) (forum‑selection clauses are generally enforceable unless unreasonable or contravene public policy)
  • Doe 1 v. America Online, Inc., 552 F.3d 1077 (9th Cir. 2009) (forum‑selection clauses unenforceable where they contravene California public policy protecting consumer class actions and CLRA anti‑waiver)
  • Daimler AG v. Bauman, 571 U.S. 117 (2014) (standard for general jurisdiction — defendant must be essentially at home in the forum)
  • Picot v. Weston, 780 F.3d 1206 (9th Cir. 2015) (purposeful direction test for tort claims in personal jurisdiction analysis)

Case Details

Case Name: Baton v. Ledger SAS
Court Name: District Court, N.D. California
Date Published: Jul 16, 2024
Citation: 740 F.Supp.3d 847
Docket Number: 3:21-cv-02470
Court Abbreviation: N.D. Cal.