Dropbox Sued for Data Breach – Plaintiff Seeks Class Action

In May, we discussed the FTC’s investigation of whether Dropbox encrypts data stored according to industry best practices in order to decrease the risk of data breach and identity theft to its customers. 

On June 20^th, Dropbox announced that after a code change, it discovered that it had accidentally turned off password authentication for its 25 million users for four hours.  Upon discovery, Dropbox killed all of the sessions of those who were logged in at the time – which was “much less” than 1 percent of its users.  Dropbox notified customers of the incident and began their investigation. 

On June 22, 2011, Cristina Wong filed a Complaint against Dropbox in the U.S. District Court for the Northern District of California seeking better security of Dropbox’s site.  Plaintiff Wong alleges the following:

• Violation of California’s Unfair Competition Law, Business & Professions Code § 17200, et seq.;
• Invasion of privacy – intrusion, public disclosure of private facts, misappropriation of likeness and identity, and California Constitutional Right to Privacy;
• Negligence; and
• Breach of express and implied warranties. 

Plaintiff Wong, in addition to relief of damages, costs, injunctive relief and attorney fees, seeks lead plaintiff status for a class consisting of all current and former Dropbox users as of June 19 whose accounts were breached due to the June 20^th incident.

While Dropbox admits that customer accounts were open to the public for a short period of time, investigation is ongoing as to whether any customer accounts were actually accessed (for those customer accounts left open – Dropbox sent individual emails advising the individual to review their account activity log during the open time period and to report any inappropriate activity).  In Plaintiff’s Complaint, Plaintiff Wong does not specify an actual injury – only that she suffered injury in fact and lost property and money as a result of Dropbox’s conduct.