Millions of account passwords were accessed, but the legal grounds of the suit may be too thin to hold up in court, one attorney told us.
Last year, perennial mobile studio Zynga was the victim of a massive data breach that saw the leak of a reported 170 million account passwords (218 million, if hacker Gnosticplayers is to be believed) across Words With Friends and Draw Something. Now, six months later, two individuals are suing Zynga over the breach, arguing that Zynga “failed to reasonably safeguard” user information.
The class action lawsuit claims that Zynga engaged in negligent behavior that put the plaintiffs’ personal account information at risk. For Richard Hoeg, attorney at Hoeg Law in Michigan, it may be difficult for courts to justify a ruling on such grounds.
“So the claim here is basically that Zynga was negligent in protecting the information,” Hoeg told GameDaily. “The primary difficulty here is that Zynga isn’t responsible for nefarious acts, so this kind of suit is a bit like suing a bank for being robbed.”
The premise of the suit, Hoeg said, relies on the fact that Zynga didn’t meet industry standards for data protection, or didn’t meet the obligations set forth in its own privacy policies, which could take the form of not controlling password access, not protecting personal information in more secured databases, or any number of potential oversights.
“Basically, it’s as if you are a bank that refuses to hire security guards and/or use security cameras (things that your customers would expect) then you were negligent. This would then be exacerbated if you promised your customers you were taking those measures,” Hoeg explained.
If Zynga can prove it’s not liable for such attacks, and that their protections met the promises presented in the company’s privacy policies, then the plaintiffs will have a hard time presenting a strong case. Where they might have an advantage, however, is the fact that minors are likely to have been affected by the data breach.
“Effectively, they are saying that these issues are even worse because so many kids were involved,” Hoeg said. “Many courts will apply a heightened standard when children’s data is involved, though it is primarily an argument in equity rather than in law, in most instances.”
Another potential strong point for the plaintiffs’ case involves statutory requirements. If Zynga knew about the breach and waited too long to notify those affected, then the company could be liable for damages.
Looking forward, Hoeg said it’s tough to predict what might happen in this case. “Predictions here are almost impossible,” he said. “It depends so much on what exactly Zynga was doing to protect the data, and if they made representations about their efforts that were clearly false. This is effectively a call for discovery, and that will really tell the story.”
It’s likely that Zynga will try to settle this case before such discovery can kick in, though. Whether that’s through summary dismissal or an out-of-court settlement remains to be seen. GameDaily reached out to Zynga for comment, but a spokesperson said that the company does not comment on legal matters.
For Zynga, the suit is arriving on the heels of its most lucrative quarter ever. Last year, the mobile company rode Words With Friends and Empires & Puzzles to $1.3 billion in revenue. A number of mergers and acquisitions over the last few years have also served as catalysts in Zynga’s big “turnaround.” So while the data breach and lawsuit are certainly PR roadbumps, the company clearly boasts the resources to weather the storm.
Data breaches like this are an unfortunate side effect of the digital age, and companies that grow too big too fast are particularly attractive targets for cyber criminals. Protecting user data should be a top priority for conglomerates like Zynga. Hopefully, being the target of the reported 10th-largest cyber attack ever opens its eyes to a need for more security.
For more stories like this one delivered straight to your inbox, please subscribe to the GameDailyBiz Digest!/* =$comments; */?>