Fortnite has been a wild ride for Epic Games and has taken the entire industry by storm. Its audience, however, may have gotten more than it bargained for when it learned at the start of the year that a massive security breach potentially exposed credit card data, personal information, and even voice chat audio of anyone registered for the game, which at the time was more than 200 million people.
After cybersecurity firm Check Point alerted Epic Games to the vulnerabilities in Fortnite, Epic quickly moved to address the issue. “As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others,” Epic advised back in January.
That response simply wasn’t good enough, according to law firm Franklin D. Azar & Associates, which filed a class action lawsuit in U.S. District Court in North Carolina. As reported by Polygon, the class action has more than 100 members in it.
“Check Point notified Epic Games of the vulnerability in November of 2018. Not until two months later did Epic Games acknowledge the flaw. Epic Games did not disclose how many accounts were affected by the data breach,” the law firm stated.
“…affected Fortnite users have suffered an ascertainable loss in that they have had fraudulent charges made to their credit or debit cards and must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including cancelling credit cards associated with their Epic Games/Fortnite accounts and changing passwords for those accounts.”
Azar & Associates goes on to say that “Fortnite users have no guarantee that [Epic’s] security measures will in fact adequately protect their personal information.”
Proving exactly what kind of loss Fortnite users suffered may be the real challenge here, according to Richard Hoeg, attorney at Hoeg Law.
“While there might be more [than failure to notify], it could suggest that they have found relatively few plaintiffs that can actually tie erroneous charges or account losses to the breach at issue,” Hoeg remarked to GameDaily. “If you look at the article that the firm put out, they were/are looking for people with specific fraudulent charges. That’s because that is the clearest way to show damages. Failure to notify is a violation of many states’ data protection laws (remembering for this purpose that the federal government really doesn’t have laws specifically aimed at data protection), but because damages are difficult to prove for a failure, such statutes often specify a ‘relatively’ small penalty for such failure.
“Along the same lines, there are various ways in which companies can notify consumers of a breach, many of which can be done by email and on the company’s own website. Given the publicity of the breach here, that might also constitute a partial defense.”
Brandon J Huffman, attorney with Odin Law and Media, agrees that it’s hard to pinpoint how many Fortnite players were truly impacted by this breach. “This is a highly technical claim and potential damages could vary dramatically (factors like whether purchases were made fraudulently, whether there were actual losses, etc.). The law firm references some fraudulent activities and accounts for sale, but we don’t (yet) know if those activities are in any way connected to this particular breach,” he told GameDaily.
Although Azar & Associates did not explicitly mention the damages they’re seeking on behalf of the class, the circumstances would appear to dictate that it’s in the multiple millions of dollars. Not only did the firm cite its own experience in class actions against big corporations such as Facebook, Google, and others, but Hoeg pointed to the federal nature of the claim.
“It’s in federal court based on ‘diversity’ (parties from two or more states). That’s why you see the reference to ‘more than 100’ in the class. That’s what’s required to make a federal claim, but it should not be read as stating the full breadth of the class… In order to make a federal claim they likely also specified that they were seeking $5M+ in damages. (The federal government is not interested in adjudicating ‘small’ cases.)”
How far this class action against Epic Games actually goes is hard to say at this point. Huffman reminded us that Epic has a strong legal track record dealing with claims against Fortnite, so Epic could refuse to settle.
“Given Epic’s litigation track-record, if they feel they did not do anything wrong, I suspect they will not settle. To be clear: if they implemented security, remedied the issue and provided reasonable notice, there may not be much in the way of a claim,” he explained, adding that those pesky end user license agreements could make the whole thing a moot issue.
“Epic might be able to show they did nothing ‘wrong.’ The EULA also has a waiver of class actions, so there is a good chance the whole fight would be over that,” he said.
Hoeg said that there’s a chance that this claim even gets kicked out of court with Epic “likely saying that they either did notify, or that the breach was of a type that they were still compiling the information necessary to notify the appropriate parties without alarming those unaffected.”
He continued, “Generally speaking, the law does not require you to have a completely impervious data infrastructure, just that you took reasonable industry standard type approaches to protecting the data. If notice is truly the only thing at issue here, and Epic can’t get it kicked out, they would likely settle.”
As big as Fortnite has become, even if there is a payout from this class action, players shouldn’t expect very much. Hoeg said: “As with most class actions, the settlement would largely accrue to the lawyers, with any class members getting only a small amount of money on an individualized basis. This isn’t Equifax or Target or the like, so the amount at issue is likely relatively small.”
If the EULA does become the sticking point in this case, it’s understandable that some affected players would be angry about it. Nowadays, we all blindly agree to massively long EULAs before we’re able to proceed with any online game or service. You literally cannot proceed until you’ve clicked “I accept,” and that may feel like an injustice to consumers.
“Unfortunately, not much [can be done],” Huffman said. “Some provisions in a EULA will be of questionable enforceability (mandatory arbitration being most commonly litigated), but that is a long fight.”
Hoeg added, “These are topics I discuss a lot on Virtual Legality, but they are undoubtedly what the law calls ‘contracts of adhesion’. In other words, they are not negotiated by the parties and basically have to be accepted as is by the user. Courts have historically been more likely to look askance at terms in contracts of adhesion given the lack of negotiation, and I would anticipate that to continue as we move forward in the digital age.
“For now, though, users are basically stuck with the bulk of the terms contained in such a document, and while business[es] have incentive to not do anything too onerous or off-market in those documents, it will take a legal action by someone that doesn’t care about settlement funds to really have a court look at the issue at some point in the future.”
In an age where seemingly no information is private or safe, players have to stay vigilant. The EULA may be offensive, but as Huffman said, players can still “decline to save payment information in the platform, monitor their credit cards and their credit reports closely – all the same precautions as any other breach.”
Fortnite was probably the biggest story of 2018. While there has been evidence of some slowdown this year, it’ll be interesting to see what impact, if any, this class action has on user acquisition and retention.