Plaintiffs 'Blindly Assume' Data Exposed, Says LastPass in Motion to Dismiss
The court should dismiss a fraud class action arising from a 2022 LastPass data breach because the plaintiffs lack standing and failed to plead facts sufficient to constitute plausible claims under Federal Rules of Civil Procedure 12(b)(6), said defendants GoTo Technologies and LastPass in their motion to dismiss Monday (docket 1:22-cv-12047) Monday in U.S. District Court for Massachusetts. The defendants also requested oral argument.
The case involving unauthorized access to GoTo’s LastPass password manager service “is not your typical data breach class action,” defendants said, saying the indicator of such litigation typically is the compromise of personally identifiable information (PII) or sensitive financial data. “No PII or sensitive data was compromised” by the LastPass incident, they said, and absent that, plaintiffs “merely assume or speculate that their PII and sensitive data was compromised, which dooms their Complaint.”
LastPass’ “zero-knowledge” security means encrypted data in user vaults “remains secret” and unknown to LastPass at all times, said the motion, saying only users can access their vaults by using a master password only they know to read data they stored there. LastPass “never receives vault data in unencrypted form,” the motion said. When the company reported the cyberattack, it said copies of user vaults were among the data that was stolen, but encrypted passwords, user names and other sensitive data “can never be decrypted or accessed without the user’s master password, which only the user knows,” it said.
Despite being given that information, plaintiffs “blindly assume that their encrypted vault data was exposed and subsequently misused (or will be misused),” said the motion. “As a result, all of them -- even, inexplicably, the business entities -- assert typical data breach injuries: actual, attempted, or impending misuse of their personal data; an increased risk of future harm and mitigation efforts (lost time and expenses); diminution in value of their personal data; loss of bargained-for services; and anxiety from loss of privacy,” said the motion.
Those alleged injuries are “fundamentally flawed” because they depend on LastPass reports and notifications sent to users about the incident, which state that plaintiffs’ encrypted PII and other sensitive data -- “the type of compromised data necessary to cause Plaintiffs’ purported injuries” -- remained encrypted, said the motion. “Plaintiffs cannot have it both ways: rely on LastPass’s voluntary disclosures about the Incident as a basis to sue but ignore the most critical part of those disclosures -- that their sensitive data was unimpacted," it said.
Plaintiffs’ “vaguely theorize” that since the incident, “someone, somewhere, somehow surely cracked their master passwords, decrypted their vaults to steal their usernames and passwords or other sensitive data, and have used or will use that data to cause them harm,” the motion said. “Flawed assumptions” and “tenuous, speculative theories” don’t plausibly plead an Article III injury-in-fact for standing to sue, it said.
To survive a motion to dismiss under Rule 12(b)(6), a plaintiff must show that allegations state “a plausible, not a merely conceivable, case for relief,” said the motion, citing Sepulveda-Villarini v. Department of Education of Puerto Rico. That pleading standard is “particularly demanding” in "complex, large-scale" data breach class action litigation, it said, citing Sony Gaming Networks & Customer Data Security Breach Litigation.