From Casetext: Smarter Legal Research

In re VTech Data Breach Litig.

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Jul 5, 2017
No. 15 CV 10889 (N.D. Ill. Jul. 5, 2017)

Summary

describing Razor as holding that a term unavailable to a consumer until after purchase "might be unconscionable, especially if [the plaintiff] was not given an opportunity to review and reject that term by returning the product without incurring financial loss"

Summary of this case from Davidson v. Apple, Inc.

Opinion

No. 15 CV 10889 No. 15 CV 10891 No. 15 CV 11620 No. 15 CV 11885

07-05-2017

IN RE VTECH DATA BREACH LITIGATION


MEMORANDUM OPINION AND ORDER

Plaintiffs bought children's toys made by an affiliate of defendant VTech Electronics North America, LLC. Those toys featured access to an online library of educational software, games, and other content, and some provided a communication platform through which parents and their children could send each other messages. Using those online features required the submission of plaintiffs' personally identifiable information, which was stored on servers operated by VTech. Due to VTech's inadequate security, a hacker was able to access those servers and copied plaintiffs' data. Plaintiffs seek to represent a class of consumers and filed this suit alleging both present and future harm resulting from the data breach and VTech's response to that breach. VTech moves to dismiss for lack of subject-matter jurisdiction and for failure to state a claim. For the following reasons, the motion is granted.

I. Legal Standards

A court must dismiss an action if it determines, at any time, it lacks subject-matter jurisdiction, Fed. R. Civ. P. 12(h)(3), and a defendant may move to dismiss an action for lack of subject-matter jurisdiction. Fed. R. Civ. P. 12(b)(1). The plaintiff bears the burden of proving that jurisdiction is proper. Transit Express, Inc. v. Ettinger, 246 F.3d 1018, 1022 (7th Cir. 2001) (citation omitted). One component of subject-matter jurisdiction is Article III standing—the requirement that plaintiffs present an actual case or controversy. See Silha v. ACT, Inc., 807 F.3d 169, 172-73 (7th Cir. 2015). "[A] plaintiff need only show the existence of facts that could, consistent with the complaint's allegations, establish standing." Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009) (citations omitted).

To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain factual allegations that plausibly suggest a right to relief. Virnich v. Vorwald, 664 F.3d 206, 212 (7th Cir. 2011) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 558 (2009)). "The purpose of a motion to dismiss is to test the sufficiency of the complaint, not to decide the merits." Triad Assocs., Inc. v. Chicago Hous. Auth., 892 F.2d 583, 586 (7th Cir. 1989). With a 12(b)(6) motion, a court may only consider allegations in the complaint, documents attached to the complaint, and documents that are both referred to in the complaint and central to its claims. Levenstein v. Salafsky, 164 F.3d 345, 347 (7th Cir. 1998). The court must construe all factual allegations as true and draw all reasonable inferences in the plaintiff's favor, but the court need not accept legal conclusions or conclusory allegations. Virnich, 664 F.3d at 212 (citing Ashcroft v. Iqbal, 556 U.S. 662, 680-82 (2009)). II. Facts

Bracketed numbers refer to entries on the district court docket. The facts are largely taken from the operative complaint, [44].

Defendant VTech Electronics North America, LLC marketed and distributed digital learning toys for preschool and grade school children. [44] ¶ 2. VTech designed these toys, including tablets, smartphones, and other handheld touch-sensitive products, to connect to its online application store, the Learning Lodge, and touted that connectivity as an important feature of the products in their marketing. [44] ¶¶ 2, 3, 8, 10. The Learning Lodge allowed customers to purchase and download content like educational games, books, music, and videos. [44] ¶¶ 2, 3, 7, 10. Customers could buy applications stored on physical cartridges, as well, but those cartridges often required software updates from the Learning Lodge to work. [44] ¶ 11. VTech priced its products at a premium in part due to their ability to access the Learning Lodge. [44] ¶ 8. Some of VTech's higher-priced toys also supported its Kid Connect service, which allowed parents and their children to communicate by text message using the Kid Connect-enabled device and a cell phone. [44] ¶¶ 3, 14-15. And for an additional fee, customers could purchase Premium Kid Connect service, which enabled communication in the form of picture and voice messages (in addition to text messages) and provided access to group bulletin boards. [44] ¶ 15.

Plaintiffs also named as defendants VTech Holdings, Ltd. and VTech Electronics, Ltd., which designed and manufactured the toys, but the parties stipulated to the dismissal of those defendants. See [59].

To access those online services, or to receive software updates for the toys, customers had to affirmatively agree to certain terms and conditions and register for online accounts with VTech. [44] ¶¶ 9, 16, 22. Registration required the submission of personally identifying information, including parents' names, home addresses, email addresses, passwords, and credit or debit card information. [44] ¶ 16. Once a parent activated an account, VTech allowed the parent to create a user profile for the child by providing VTech with the child's name, password, birthdates, gender, and photographs. [44] ¶ 17. VTech stored that information, as well as the content of any messages exchanged over the Kid Connect platform, on its servers. [44] ¶¶ 15, 71.

The complaint includes only an excerpt of the terms and conditions to which plaintiffs agreed, but VTech submitted copies of the Terms and Conditions of Learning Lodge, [62-1], the Terms and Conditions of VTech Kid Connect, [62-2], and the VTech Privacy Policy, [62-3], which is incorporated by reference into each of the first two documents. Plaintiffs do not object to the introduction of those exhibits, and refer to them in their response brief. Because the terms are referred to in the complaint and central to plaintiffs' claims, VTech's exhibits will be considered on this motion.

Plaintiffs are eight adults who purchased VTech's Learning Lodge-enabled products, and fourteen children who used those products. [44] ¶¶ 56, 63, 71, 80, 88, 95, 103-04, 113, 121-22, 125-26. Most of plaintiffs' products also supported the Kid Connect service, and one plaintiff paid for the Premium Kid Connect service. Id. All plaintiffs created online accounts and user profiles and submitted personally identifiable information to VTech. Id.

Plaintiffs allege that VTech's handling of their data was governed by the terms and conditions to which they agreed prior to registration—i.e., before they submitted their personal information and before they formally accepted the terms of online service. [44] ¶ 22. Plaintiffs do not specify which set of terms and conditions they are referring to—the Terms and Conditions of Learning Lodge, the Terms and Conditions of VTech Kid Connect, or both. But it makes little difference, since both documents incorporate by reference VTech's Privacy Policy, which lies at the heart of plaintiffs' claims. [44] ¶ 22; [62-1]; [62-2]. The Privacy Policy informed them that:

The security of your personal information is important to VTech, and VTech is committed to handling your information carefully. In most cases, if you submit your PII to VTech directly through the Web Services it will be transmitted encrypted to protect your privacy using HTTPS encryption technology. Any Registration Data submitted in conjunction with encrypted PII will also be transmitted encrypted. Further, VTech stores your PII and Registration Data in a database that is not accessible over the Internet.
[44] ¶ 22. The Privacy Policy also said that any submitted information about children "is treated and handled in the same manner as the information we collect about you." Id. Despite these promises, VTech neither used encryption when transmitting customers' data nor stored that data in a place inaccessible from the internet, putting it at risk of theft. [44] ¶¶ 5, 32, 33.

In November 2015, a hacker infiltrated VTech's servers and downloaded personally identifiable information relating to 4.8 million adult accounts and 6.3 million child profiles. [44] ¶¶ 4, 25. The hacker reached out to a journalist, who shared the data with a data security consultant and notified VTech. [44] ¶¶ 37, 51. Once it was alerted, VTech confirmed to the public that customer data had been exposed, and clarified a few days later that the data included parents' names, email and mailing addresses, IP addresses, download and purchase histories, passwords, and the secret questions and answers used for password retrieval. [44] ¶¶ 26-27. The data also included children's names, genders, birthdates, photos, and Kid Connect communications, including text, image, and audio recordings, between the children and their parents. [44] ¶¶ 26-27. The children's home addresses can be easily determined by anyone with access to the data. [44] ¶¶ 18, 26. As a result of the data breach, plaintiffs fear that they are exposed to an increased risk of identity theft and will be for years to come. [44] ¶¶ 52, 53. They also fear that harm may befall the children if predators gain access to their information. [44] ¶ 49.

In response to the Data Breach, VTech suspended all access to its online services for nearly two months while it investigated the breach and changed its data security protocols. [44] ¶¶ 6, 41. Access to the Learning Lodge has since been restored for certain products, but the Kid Connect service remains disabled. [44] ¶ 6. And although VTech insists that its system is now secure, plaintiffs believe that it is still plagued by fundamental security flaws. [44] ¶¶ 42, 44.

Plaintiffs allege that, had they known of VTech's inadequate data security measures, or that VTech would suspend access to the online services for an extended period of time, they would have paid less for the products or would not have purchased them at all. [44] ¶ 24. They also allege that inadequate security makes the products worth less than the products that plaintiffs were promised. [44] ¶ 44. Plaintiffs bring claims for breach of contract, breach of the implied covenant of good faith and fair dealing, breach of the implied warranty of merchantability, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. And they bring a separate cause of action for declaratory relief.

Jurisdiction arises under the Class Action Fairness Act, because minimal diversity existed between the parties at the time the complaint was filed (plaintiffs are citizens of California, Georgia, Illinois, Massachusetts, New York, and Washington, and dismissed defendant VTech Electronics Limited is a citizen of China); the total number of members of the class is greater than 100; and the amount in controversy exceeds $5,000,000. See 28 U.S.C. § 1332(d)(2)(A), (C). The citizenship of the only remaining defendant, VTech Electronics North America, LLC, is not yet properly alleged.

III. Analysis

A. Article III Standing

VTech seeks dismissal of the complaint for lack of Article III standing. To establish standing under Article III, a plaintiff must show that they have "(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). The parties focus on the injury-in-fact requirement. A plaintiff must have "suffered 'an invasion of a legally protected interest' that is 'concrete and particularized' and 'actual or imminent, not conjectural or hypothetical.'" Spokeo, 136 S.Ct. at 1548 (quoting Lujan, 504 U.S. at 560). Plaintiffs argue that they suffered injuries in the form of (1) future harm and the time and expense of protecting themselves from that harm, (2) economic loss due to purchasing a product that turned out to be less valuable than it was held out to be, and (3) the emotional distress resulting from the public exposure of sensitive data concerning their children.

1. Future Harm and Mitigation Expenses

Allegations showing a "substantial risk" of future harm can establish Article III standing. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (citing Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S.Ct. 1138, 1150 n.5 (2013)). When that harm is imminent, mitigation expenses qualify as actual injuries that support Article III standing. Remijas, 794 F.3d at 694. Plaintiffs argue that, because a hacker breached VTech's network and stole their personally identifiable information, they faced a threat of future harm sufficient to confer standing. And while they suggest that that threat relates to multiple types of harm, they do not specifically address anything other than identity theft. They also argue that they would have acted reasonably in protecting themselves from identity theft by expending time and money to monitor their financial statements and credit reports. Plaintiffs rely on Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010), in which a substantial risk of harm (that might not have occurred in fact) would impose mitigation costs, thereby satisfying the injury-in-fact requirement. Id. at 155. But plaintiffs do not explain how the data breach subjected them to a substantial risk of identity theft and corresponding mitigation costs.

In certain situations, a data breach can result in an increased risk of identity theft sufficient to confer standing. See, e.g., Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016); Remijas, 794 F.3d at 693. In both Lewert and Remijas, the plaintiffs alleged the theft of their payment-card information, and that the theft resulted in some of them finding fraudulent charges on their financial statements. In Lewert, the court held that a substantial risk of harm from the data breach could be plausibly inferred, "because a primary incentive for hackers is 'sooner or later[ ] to make fraudulent charges or assume those consumers' identities[.]'" Lewert, 819 F.3d at 967 (quoting Remijas, 794 F.3d at 693). The court also held that the time and money the plaintiffs spent protecting themselves against future identity theft and fraudulent charges also qualified as injuries for the purposes of Article III. Id. at 967; see also Remijas, 794 F.3d at 694 ("An affected customer, having been notified by Neiman Marcus that her card is at risk, might think it necessary to subscribe to a service that offers monthly credit monitoring.").

Plaintiffs here fail to make the connection between the data breach they allege and the identity theft they fear. Specifically, plaintiffs do not explain how the stolen data would be used to perpetrate identity theft. Unlike the data breaches in Lewert and Remijas, the data stolen here did not include credit-card or debit-card information, or any other information that could easily be used in fraudulent transactions. See Lewert, 819 F.3d at 967 ("We recognized in Remijas that the information stolen from payment cards can be used to open new cards in the consumer's name."). It is unclear how the disclosure of plaintiffs' names, addresses, birthdates, and VTech account information would increase the risk of fraudulent transactions on plaintiffs' credit cards or fraudulent accounts being opened in their names. Plaintiffs say the dissemination of their VTech usernames, passwords, and secret questions and answers could compromise their other online accounts, such as with eBay or PayPal. But again, they do not provide a logical explanation as to how the disclosure of their VTech login credentials would make fraudulent charges or identity theft likely. Perhaps plaintiffs used the same username and password for all of their online accounts, and knowledge of their VTech account credentials gave the hacker access to their PayPal accounts. This is speculation, and plaintiffs do not make such allegations. Plaintiffs have not shown an increased risk of identity theft due to a data breach because they do not allege how the stolen data would aid identity thieves in their efforts.

VTech also notes that plaintiffs do not allege that any fraudulent transactions occurred, or that the personal information was stolen by individuals who intended to misuse it. In Lewert and Remijas, the data breach had already resulted in fraudulent charges for some plaintiffs, making it more likely that other plaintiffs would eventually suffer the same harm. But plaintiffs have alleged no such fallout from the VTech breach. And plaintiffs do not show any other indication that their risk of identity theft increased due to the data breach. The Seventh Circuit assumed in Remijas that hackers steal consumers' private information to make fraudulent charges or assume those consumers' identities, but an article cited in this complaint calls that assumption into question for purposes of this litigation. According to the article, the hacker told the article's author that he did not intend to sell or publish the data. [44] ¶ 34. Plaintiffs directly quote the hacker as saying, "Frankly, it makes me sick that I was able to get all of this stuff." [44] ¶ 36. To the extent that plaintiffs are worried that other hackers may have accessed their data in a different data breach, that is the sort of speculative harm that cannot meet the injury-in-fact requirement. See Clapper, 133 S. Ct. at 1155 (rejecting standing theory based on a speculative chain of events). With respect to this data breach, plaintiffs have not plausibly alleged a substantial risk of harm sufficient to confer standing.

While they do not discuss it in their brief, plaintiffs also allege in the complaint a threat of future harm to the children from predators. But again, plaintiffs do not allege that the hacker is a predator, or that the hacker disseminated the information broadly, to predators or anyone else who would harm the children. Harm need not be literally certain to confer standing, but allegations of future harm based on poor data security, without allegations to support an inference that someone with potentially malicious intent will access the data, is too speculative to confer standing.

Neither the complaint nor plaintiffs' brief makes clear that plaintiffs actually engaged in mitigation efforts, such as reviewing financial statements or purchasing credit-monitoring services, to protect against identity theft. But without imminent harm, mitigation expenses do not meet the injury-in-fact requirement, anyway. Id. To the extent plaintiffs allege a nonzero amount of time or money spent to protect themselves from future harm, those efforts do not qualify as actual injuries and do not support Article III standing.

2. Economic Injury

Plaintiffs allege present injury in the form of benefit-of-the-bargain damages resulting from their breach of contract claim, because the products they received were worth less than the products they were promised. "[F]inancial injury in the form of an overcharge can support Article III standing." Remijas, 794 F.3d at 694-95 (citing In re Aqua Dots Products Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011)). The court in Remijas noted that many of the cases applying that principle involve products liability claims against defective or dangerous products, where a consumer would not have paid a premium price for a product had he known of the defect or dangerous condition. Id. at 695. Plaintiffs rely in part on In re Aqua Dots, which involved such a products liability claim, but they explicitly argue that their claims are not rooted in products liability or tort law, but rather contract law. And they focus on cases that do not address Article III standing. For example, they cite to McManus v. Fleetwood Enterprises, 320 F.3d 545 (5th Cir. 2003), a case addressing class certification, which held that a plaintiff may be entitled to benefit-of-the-bargain damages in a breach of implied warranty of merchantability action under Texas law, where the defendant represented that a product had a capability that it did not in fact have. They also refer to International Brotherhood of Teamsters, Local 734 Health & Welfare Trust Fund v. Philip Morris Inc., 196 F.3d 818 (7th Cir. 1999), which explained that consumers' economic loss due to inflated pricing or lowered product quality resulting from antitrust violations conferred prudential standing under antitrust laws. Id. at 823 (citing Reiter v. Sonotone Corp., 442 U.S. 330 (1979)). Neither of those cases directly supports plaintiffs' argument, but that argument has merit nonetheless. Economic injury can result from being given a different, less valuable product than the one that was promised and paid for, and such an injury meets Article III's injury-in-fact requirement. See Carlsen v. GameStop, Inc., 833 F.3d 903, 909-10 (8th Cir. 2016) (holding that the difference in value between a subscription to an online magazine that plaintiff paid for and the subscription he received—a subscription with inadequate privacy protection—constituted an injury-in-fact for purposes of Article III). Whether the complaint plausibly states a claim that would entitle plaintiffs to recover damages is a separate question. See, e.g., Bd. of Educ. of Oak Park & River Forest H.S. Dist. No. 200 v. Kelly E., 207 F.3d 931, 934 (7th Cir. 1999) (rejecting a challenge to standing and noting that "a party's failure to establish a claim for relief differs from a deficiency in subject-matter jurisdiction"). Plaintiffs' allegations of overpayment present a concrete and particularized injury sufficient to confer Article III standing.

Plaintiffs also argue, in a footnote, that the emotional distress caused by the release of their children's data meets the injury-in-fact requirement. Where only an unspecified risk of future financial harm is alleged, emotional distress in the wake of a data security breach is insufficient to establish standing. See Reilly v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir. 2011). Plaintiffs do not provide any authority or explanation that supports a different conclusion when the emotional distress results from non-imminent physical harm to children. Because plaintiffs have Article III standing on other grounds, whether their emotional distress confers standing need not be addressed.

B. Breach of Contract

To state a claim for breach of contract, plaintiffs must allege: "(1) the existence of a valid and enforceable contract; (2) substantial performance by the plaintiff; (3) a breach by the defendant; and (4) resultant damages." Reger Dev., LLC v. Nat'l City Bank, 592 F.3d 759, 764 (7th Cir. 2010) (quoting W.W. Vincent & Co. v. First Colony Life Ins. Co., 351 Ill.App.3d 752, 759 (1st Dist. 2004)). Plaintiffs allege that they entered into a contractual relationship with VTech when they purchased the toys, receiving in return for the purchase price 1) effective and industry-standard data security measures, and 2) access to and use of the online services without meaningful interruptions. They further allege that the children who used the toys are entitled to relief as third-party beneficiaries to the contracts. Plaintiffs say that VTech breached its contractual obligations in two ways: 1) by failing to implement industry-standard data security measures to protect plaintiffs' information, and 2) by suspending access to the online services. VTech counters that the children cannot assert claims for breach of contract, that agreed-upon contractual provisions expressly authorized its conduct, and that the complaint does not plausibly allege actual damages.

1. The Minor Plaintiffs

"Illinois follows the 'intent to benefit' rule; that is, third-party beneficiary status is a matter of divining whether the contracting parties intended to confer a benefit upon a nonparty to their agreement." XL Disposal Corp. v. John Sexton Contractors Co., 168 Ill.2d 355, 361 (1995). But "there is a strong presumption that parties to a contract intend that the contract's provisions apply to only them and not to third parties." Quinn v. McGraw-Hill Cos., Inc., 168 F.3d 331, 334 (7th Cir. 1999) (quoting 155 Harbor Drive Condominium Ass'n v. Harbor Point, Inc., 209 Ill.App.3d 631, 647 (1st Dist. 1991)) (emphasis in original). Only express language in a contract identifying the third-party beneficiary or "an implied showing where 'the implication that the contract applies to third parties [is] so strong as to be practically an express declaration'" will suffice. Id.

Plaintiffs argue that the fact that the contracts relate to children's toys reflects an intent to benefit those children. Plaintiffs also point out that the Learning Lodge terms acknowledge that children will use the Learning Lodge when it states, "These terms and conditions create an agreement between VTech and an adult parent/guardian of any minor child who uses the Learning Lodge." [62-1] § 1.1. But in other areas of the agreements, the terms expressly, and repeatedly, state that the contracts are between VTech and adults, and that the online services are intended for adult use. See [62-1] § 1.1; [62-2] § 2.2; [62-3] § 7.1. In light of the presumption against a contract's application to third-parties, combined with the contractual language limiting the contracts' application to VTech and adults, the children who used VTech's products are not third-party beneficiaries of the contracts. Thus, they may not recover under plaintiffs' breach of contract claims.

2. Breach

Plaintiffs allege that VTech breached its contractual obligations to implement particular data security measures. The complaint does not identify the source of VTech's alleged promises, but in their response brief, plaintiffs clarify that the relevant provisions relating to data security appear in the Learning Lodge terms and in the Privacy Policy. Specifically, they argue that VTech breached express promises to store personally identifiable information offline, to use encryption when transmitting data, and to take reasonable precautions to keep data safe. The parties do not agree on the interpretation and scope of some of those promises, but VTech does not deny that the Learning Lodge terms and the Privacy Policy included data security provisions, and that the complaint alleges that VTech breached those provisions.

Plaintiffs' other theory of breach relates to the temporary (and in some cases ongoing or permanent) suspension of the Learning Lodge and Kid Connect services. Plaintiffs argue that VTech made express, contractual promises to provide those services. VTech denies that it made such promises, and indeed, plaintiffs do not identify any provision in the Learning Lodge terms, Kid Connect terms, or Privacy Policy in support of their argument. Further, VTech argues that its conduct cannot constitute breach, because the Learning Lodge terms expressly authorized it to suspend access to the online services. The document states, in capital letters: "VTech reserves the right to alter or remove the Learning Lodge or suspend or terminate your use in any way, at any time, for any reason, without prior notification, and will not be liable in any way for possible consequences of such changes." [62-1] § 2.7.

Instead of identifying a provision in the online services agreements, plaintiffs base their breach of contract theory on pictures of the packaging of two of the products, which lists the Learning Lodge and Kid Connect services and an "Extensive Learning Software Library" among the product's features. VTech notes that the complaint neither includes those pictures nor alleges reliance on product packaging in relation to the provision of online services. Plaintiffs may not amend the complaint in their briefing on a motion to dismiss, see, e.g., Bissessur v. Indiana University Board of Trustees, 581 F.3d 599, 603 (7th Cir. 2009), so the pictures will be disregarded. But the complaint does suggest that VTech's alleged promise to provide functional online services became a basis of plaintiffs' bargains due to VTech's marketing campaign, which promoted the toys' access to the Learning Lodge as an important feature. See [44] ¶ 8. The complaint explicitly alleges that the toys were "priced at a premium in part due to their ability to access the Learning Lodge," [44] ¶ 8, that plaintiffs purchased "an indivisible ecosystem of goods and services," [44] ¶ 20, and that VTech agreed to provide, in exchange for the purchase price, both the physical toy and the toys' access to the Learning Lodge and Kid Connect services. [44] ¶¶ 156, 160. According to plaintiffs, they paid for access to and use of the Learning Lodge and Kid Connect services when they bought the toys (and before they expressly accepted the terms during online registration).

Plaintiffs also attach to their brief the user manual for a VTech toy that promotes the use of the Learning Lodge service and offers free content from its software library. See [73-1] at 2, 17. VTech objects to the document's consideration on a motion to dismiss, because the complaint makes no mention of it. VTech's objection makes no practical difference, because the document's references to the Learning Lodge are not, as plaintiffs suggest, express promises that VTech will provide access to the online services. Thus, the document does not support plaintiffs' argument. But the objection is proper, and I disregard the document.

Part of the disconnect between the parties are their competing views of which contract or contracts are at issue. VTech views each plaintiff's initial purchase transaction as relating to the fully-functioning, physical toy itself, rather than a combination of the physical product and online services, and writes off the mention of online services in its product marketing as mere puffery, citing Carlson v. The Gillette Co., No. CV 14-14201-FDS, 2015 WL 6453147, at *6 (D. Mass. Oct. 23, 2015). VTech's claim of puffery is unpersuasive, but VTech is right that there is a difference between selling a product that combines both a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free. VTech sees the Learning Lodge and Kid Connect services as additional, optional services that VTech offered to plaintiffs after they purchased the toys, and it sees the Learning Lodge and Kid Connect terms as contracts unrelated to the original purchase transactions. As noted above, plaintiffs believe they purchased both the toys and the online services together, and that the contracts between the parties that were formed at the time of purchase incorporate the terms and conditions that plaintiffs later agreed to upon registering for the online services. See [73] at 21, [78] at 4, Tr. at 4:3-7.

There are a variety of ways to form a contract, and purchase contracts sometimes incorporate terms that a consumer reads after payment. See Hill v. Gateway 2000, Inc., 105 F.3d 1147, 1149 (7th Cir. 1997). But this is not such a case. The complaint does not allege facts sufficient to show that the initial purchase transaction included both the toy and VTech's furnishing of online services. VTech argues that users who registered for online services did not pay any more than those who did not. That argument is inconclusive, as people are free to pay for things that they do not use, and it cannot be inferred from the complaint that the online services were also available to people who did not pay anything at all. Nevertheless, the online services agreements on their face do not suggest that plaintiffs purchased VTech's services, or that the parties intended the terms to be incorporated into the purchase contract. Both the Learning Lodge terms and the Kid Connect terms say that they govern the use of the Learning Lodge and Kid Connect services, respectively, and that in the event a user does not accept the terms, she may not use the services. Neither agreement demands a return of the toy in such a scenario or offers a refund or partial refund of any purchase price. The Learning Lodge terms refer to the purchase of a "compatible VTech product," [62-1] § 2.1, but make no mention of a purchase of the online services. Plaintiffs seem to acknowledge that they paid for only the physical toys when they argue that "this action ultimately remains about—and Plaintiffs are suing to recover the money they paid for—the Toys themselves." [73] at 28-29.

The complaint does not allege facts showing that both parties understood that a portion of the purchase price was allocated to the provision of the online services. The complaint does allege that VTech priced its products based in part on their online capabilities, but that is not enough to show that plaintiffs purchased uninterrupted access to the Learning Lodge or Kid Connect services. VTech is right in that registration for online services is a separate and distinct event, unrelated to the purchase of the toys, and the online services agreements are likewise separate and distinct from the contract made at the point of purchase. Because plaintiffs did not enter into an online services contract at the time of purchase, the complaint does not plausibly allege that VTech breached a contractual obligation to provide those services.

Moreover, plaintiffs affirmatively agreed to a provision in the Learning Lodge terms giving VTech the right to suspend or terminate the online services. Plaintiffs argue that that provision is both procedurally and substantively unconscionable, because it allows VTech to market the toys as having specific features and then remove those features after purchase. But that argument is unpersuasive. Procedural unconscionability exists when a contractual term "is so difficult to find, read, or understand that the plaintiff cannot fairly be said to have been aware he was agreeing to it, and also takes into account a lack of bargaining power." Razor v. Hyundai Motor Am., 222 Ill.2d 75, 100 (2006) (citing Frank's Maintenance & Engineering, Inc. v. C.A. Roberts Co., 86 Ill.App.3d 980, 989 (1st Dist. 1980)). "Substantive unconscionability refers to those terms which are inordinately one-sided in one party's favor." Razor, 222 Ill.2d at 100 (citing Rosen v. SCIL, LLC, 343 Ill.App.3d 1075, 1081 (1st Dist. 2003)). Plaintiffs are right to suggest that a term that was unavailable to a consumer until after she purchased a product might be unconscionable, especially if she was not given an opportunity to review and reject that term by returning the product without incurring financial loss. See Razor, 222 Ill.2d at 100-01 (holding that a warranty disclaiming consequential damages was ineffective because the purchaser did not have the opportunity to see it until after she entered into the contract to purchase the product). Plaintiffs cite to Razor, but its holding applies only if the term in question is intended to govern the product purchased. Therefore, plaintiffs' theory of unconscionability depends on the contention that they purchased the online services together with the toy.

The provision upon which VTech relies is not unconscionable because, as explained above, what is pled is insufficient to establish that online services are part of the purchase transaction. The termination provision and online services agreement do not govern the purchase of the toy. They instead govern the use of a separate service, which may be removed without changing the nature of the bargained-for toy. Plaintiffs had the option of enjoying (or returning) the toys without the use of the online services. And when they did enter into an agreement for the use of those services, the governing terms, including the provision at issue, were made available to them. That provision is enforceable, and VTech was within its rights to suspend the online services.

VTech also points to several exculpatory provisions in the Learning Lodge terms that disclaim liability for loss or damage relating to the use or inability to use the Learning Lodge or software downloaded through the Learning Lodge. See [62-1] §§ 2.4, 3.2, 5, 6. The Kid Connect terms contain similar provisions disclaiming liability due to unauthorized access to VTech's servers or damages relating to the use of the service. See [62-2] §§ 11.1, 12.2, 12.3. And VTech refers to a disclaimer in the Privacy Policy that says that "VTech is not responsible for the actions of others." [62-3] § 14. VTech believes that these exculpatory provisions are fatal to plaintiffs' claim. Plaintiffs correctly point out that warranty disclaimers that are inconsistent with an express warranty are ineffective. See Clemons v. Nissan N. Am., Inc., 2013 IL App (4th) 120943, ¶ 45; see also Jewelers Mut. Ins. Co. v. Firstar Bank Illinois, 213 Ill.2d 58, 65 (2004) ("A party cannot promise to act in a certain manner in one portion of a contract and then exculpate itself from liability for breach of that very promise in another part of the contract."). But plaintiffs do not identify any conflicting express warranty that they relied upon in purchasing the toy. They do, however, allege breach of the data security provisions in the online services agreements. To the extent that plaintiffs' claim is based on the breach of the data security provisions, the exculpatory provisions do not preclude recovery. To the extent it is based on the suspension of online services, the exculpatory provisions are enforceable and VTech adequately disclaims liability. The motion to dismiss is granted with respect to the breach of contract claim.

The parties do not explicitly discuss the suspension of the Kid Connect service, but a fair reading of the complaint suggests that users must agree to the Learning Lodge terms before they can access the Kid Connect service, and VTech's right to suspend access to the Learning Lodge necessarily gives it the right to suspend access to Kid Connect. The parties also leave the Premium Kid Connect service out of their discussion, even though one plaintiff paid an additional fee for that service. Nevertheless, the complaint does not allege that different terms apply to the Premium Kid Connect service.

C. Breach of Implied Covenant of Good Faith and Fair Dealing

VTech argues that plaintiffs' claim of breach of implied covenant of good faith and fair dealing is duplicative of their breach of contract claim and should be dismissed. Plaintiffs respond by saying they plead this claim in the alternative to their breach of contract claim. "[U]nder Illinois law the covenant of good faith and fair dealing is not an independent source of duties for the parties to a contract." Baxter Healthcare Corp. v. O.R. Concepts, 69 F.3d 785, 792 (7th Cir. 1995) (citations and quotation marks omitted). The implied covenant is used to interpret a contract. Martin v. Federal Life Ins. Co., 109 Ill.App.3d 596, (1st Dist. 1982). Plaintiffs may not plead this claim in the alternative to their breach of contract claim, because "[a] breach of the duty of good faith and fair dealing is a breach of contract." Unit Trainship, Inc. v. Soo Line R. Co., 905 F.2d 160, 163 (7th Cir. 1990). The claim is therefore dismissed.

D. Breach of Implied Warranty of Merchantability

To state a claim for breach of implied warranty of merchantability under the UCC, plaintiffs must allege "(1) a sale of goods (2) by a merchant of those goods, and (3) the goods were not of merchantable quality." Brandt v. Boston Scientific Corp., 204 Ill.2d 640, 645 (2003); 810 ILCS 5/2-314. To be merchantable, the goods must be, among other things, fit for the ordinary purpose for which such goods are used. 810 ILCS 5/2-314(2)(c). "Goods" are defined as "all things, including specially manufactured goods, which are movable at the time of identification to the contract for sale." Brandt, 204 Ill.2d at 645 (quoting 810 ILCS 5/2-105(1)). If the sales contract involved a mix of goods and services, a plaintiff bringing this claim must show that the "predominant thrust of the transaction was for goods and only incidentally for services." Ogden Martin Sys. of Indianapolis, Inc. v. Whiting Corp., 179 F.3d 523, 530 (7th Cir. 1999). Plaintiffs explicitly allege that the toys were not merchantable due to inadequate data security and the suspension of the online services.

The parties first dispute whether the claim involves a sale of goods, a sale of services, or a mix of both. As discussed above, two transactions occurred: one for the toy and one for the online services. VTech argues that plaintiffs' claim is based on alleged failures related to the online services, not the toys themselves, while plaintiffs insist that the online services were necessary to the full functioning of the toys. The allegations of the complaint make clear that the toys function without the online services. That is, the online services are a useful feature, but not an essential feature. For example, plaintiffs argue that access to the online services was required for the toys to function, but the complaint alleges that access was only "effectively required," because customers could not obtain software and hardware updates to the products without it. [44] ¶ 9. Plaintiffs do not allege, however, that those software and hardware updates were necessary to the functioning of the toy. Plaintiffs also allege that, though the Learning Lodge was not the only source for new content, certain applications purchased in the form of physical cartridges "routinely" required a software update from the Learning Lodge, and thus registration, before they could be played. [44] ¶ 11. But it is unclear how many applications were restricted in this way, and how many remained available with or without access to the online services. Plaintiffs allege repeatedly that many important features of the toys required access to the online services, but do not allege that removal of those features stopped plaintiffs from playing games or otherwise using their products. Instead, plaintiffs allege that their children were unable to use certain features or services (not that the children could not use the toys at all). [44] at ¶¶ 60, 65, 74, 116. Plaintiffs may subjectively value the features of the toys afforded by the online services highly, but the complaint does not establish that those features were central to the toys' functionality, or that plaintiffs' use of the toys was substantially limited by the loss of those features. Because the claim is based on a defective service, not a good, the complaint fails to state a claim for breach of the implied warranty of merchantability.

VTech also invokes a provision in the Kid Connect terms that explicitly disclaims liability for any implied warranty, but that disclaimer applies to only the Kid Connect service.

VTech also argues that the claim does not meet the privity requirement. "In order for a plaintiff to file a claim for economic damages under the UCC for the breach of an implied warranty, he or she must be in vertical privity of contract with the seller." Mekertichian v. Mercedes-Benz U.S.A., L.L.C., 347 Ill.App.3d 828, 832 (1st Dist. 2004). The cause of action is only available to a buyer "against his immediate seller." Rothe v. Maloney Cadillac, Inc., 119 Ill.2d 288, 292 (1988). Plaintiffs do not allege that they bought the products directly from VTech, but they argue that their claim fits the "direct relationship" exception to the privity requirement that was discussed in In re Rust-Oleum Restore Marketing, Sales Practices & Products Liability Litigation, 155 F.Supp.3d 772, 806-07 (N.D.Ill. 2016). In that case, the court noted that the complaint contained detailed allegations of the defendant's direct marketing campaign to consumers, including explicit statements from brochures and product packaging, and the plaintiffs' reliance on explicit representations made in the defendant's advertisements to justify giving plaintiffs an opportunity to establish privity through discovery. Id. Here, the complaint makes only vague references to VTech's marketing of the products, and does not explicitly allege that plaintiffs relied on that marketing. That is insufficient to establish an exception to the privity requirement. As a result, the motion to dismiss is granted with respect to the claim of breach of the implied warranty of merchantability.

E. Illinois Consumer Fraud and Deceptive Business Practices Act

To state a claim under the Illinois Consumer Fraud and Deceptive Business Practices Act, a plaintiff must allege "(1) a deceptive act or practice by the defendant, (2) the defendant's intent that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the deception." Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill.2d 100, 180 (2005). "Recovery may be had for unfair as well as deceptive conduct." Robinson v. Toyota Motor Credit Corp., 201 Ill.2d 403, 417 (2002).

VTech invokes Federal Rule of Civil Procedure 9(b), and argues that the complaint does not satisfy that rule's heightened pleading requirements. Rule 9(b) applies to the claim if the alleged practices constitute fraudulent activity. See Pirelli Armstrong Tire Corp. Retiree Med. Benefits Trust v. Walgreen Co., 631 F.3d 436, 447 (7th Cir. 2011). And to meet Rule 9(b)'s requirement, the complaint must describe the "who, what, when, where, and how" of the fraud. United States ex rel. Lusby v. Rolls-Royce Corp., 570 F.3d 849, 854 (7th Cir. 2009). Plaintiffs argue that the complaint meets this standard, because it alleges that VTech misrepresented the online services as offering reasonable data security and lied about the specific precautions VTech would take. But plaintiffs do not allege any mention of data security being made at the point of purchase or in any of VTech's marketing or advertising efforts, and it is too much of a stretch to infer that any representations of data security were implicit when buying the product, or that VTech's inadequate data security constitutes a material omission at the point of purchase. The consumer-fraud claim is dismissed, and to the extent this claim is based on representations of data security made in the Privacy Policy, it is duplicative of the breach of contract claim and dismissed for that reason as well. See Avery, 216 Ill.2d at 169 ("A breach of contractual promise, without more, is not actionable under the Consumer Fraud Act.").

Plaintiffs also argue that the complaint alleges unfair practices in addition to deceptive acts. That is incorrect. Their claim is based on alleged misrepresentations and fraudulent and deceptive acts, not unfair practices.

F. Declaratory Judgment

Plaintiffs seek a declaration that VTech's data security measures are still inadequate, and that VTech must undertake certain steps to strengthen its data security and avoid future injury. As VTech notes, to the extent this claim seeks a remedy for a present injury, it seeks the same relief as plaintiffs' other claims. And as explained above, the complaint fails to state a claim for breach of contract based on a breach of VTech's data security obligations. Therefore, I decline to declare the adequacy of VTech's data security measures—such a declaration would not settle the legal relations between the parties.

IV. Conclusion

VTech's motion to dismiss, [61], is granted. The complaint is dismissed without prejudice for failure to state a claim. ENTER:

"District courts routinely do not terminate a case at the same time that they grant a defendant's motion to dismiss; rather, they generally dismiss the plaintiff's complaint without prejudice and give the plaintiff at least one opportunity to amend her complaint." Foster v. DeLuca, 545 F.3d 582, 584 (7th Cir. 2008). --------

/s/_________

Manish S. Shah

United States District Judge Date: July 5, 2017


Summaries of

In re VTech Data Breach Litig.

UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
Jul 5, 2017
No. 15 CV 10889 (N.D. Ill. Jul. 5, 2017)

describing Razor as holding that a term unavailable to a consumer until after purchase "might be unconscionable, especially if [the plaintiff] was not given an opportunity to review and reject that term by returning the product without incurring financial loss"

Summary of this case from Davidson v. Apple, Inc.
Case details for

In re VTech Data Breach Litig.

Case Details

Full title:IN RE VTECH DATA BREACH LITIGATION

Court:UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Date published: Jul 5, 2017

Citations

No. 15 CV 10889 (N.D. Ill. Jul. 5, 2017)

Citing Cases

Kylie S. v. Pearson PLC

Whether a data breach exposes consumers to a material threat of identity theft turns on two factors that…

Jeong-Su Kim v. McDonald's U.S., LLC

However, the disclosure of such information does not expose Fus to a significant risk of identity theft or…