Adobe Security-Breach Case Picks Up Speed

     SAN JOSE, Calif. (CN) – Adobe will face the bulk of a class action stemming from “shoddy security protocols” that led to a massive data breach, a federal judge ruled Thursday.
     After hackers stole the credit card and log-in data of 38 million people from Adobe’s systems last year, consumers behind the sprawling consolidated action faulted Adobe for ignoring industry experts – and its own history of data breaches.
     Adobe had originally reported that the 2013 breach affected just 3 million.
     The San Jose-based tech giant asked U.S. District Judge Lucy Koh to dismiss the action – which includes claims for violating the Customer Records Act, declaratory relief and unfair business practices – arguing the plaintiffs lacked standing because they could not show an actual injury.
     But while Koh agreed Adobe’s users could not show the company failed to notify them of the breach in a reasonable amount of time, she found their costs of dealing with the data breach and the threat of future harm very real.
     “There is no need to speculate as to whether the hackers intend to misuse the personal information stolen in the 2013 data breach or whether they will be able to do so,” Koh wrote in the 41-page opinion. “Not only did the hackers deliberately target Adobe’s servers, but plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. Some of the stolen data has already surfaced on the Internet, and other hackers have allegedly misused it to discover vulnerabilities in Adobe’s products. Given this, the danger that plaintiffs’ stolen data will be subject to misuse can plausibly be described as ‘certainly impending.’ Indeed, the threatened injury here could be more imminent only if plaintiffs could allege that their stolen personal information had already been misused. However, to require plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”
     Two of the plaintiffs failed to show they had paid a premium for Adobe’s products and had an expectation of premium security – a key component of a state unfair competition claim, Koh said. But the others had, paying as much as $580 for Adobe Illustrator and monthly rates for the company’s Creative Cloud subscription service.
     In addition to those unfair-business-practice claims, Adobe must also face claims that it violated its obligation to warn customers of apparently subpar security systems, the court found. Adobe had argued that its problems were well publicized and that consumers should have been aware of the issues as a result.
     “The court is not convinced,” Koh wrote. “It is one thing to have a poor reputation for security in general, but that does not mean that Adobe’s specific security shortcomings were widely known. None of the press reports Adobe identifies discusses any specific security deficiencies, and plaintiffs expressly allege that the extent of Adobe’s security shortcomings were revealed only after the 2013 data breach. Given that prior reports of Adobe’s security problems were highly generic, the court cannot say that Adobe did not have exclusive knowledge of its failure to implement industry-standard security measures. Furthermore, the exact nature of what was in the public domain regarding Adobe’s security practices is a question of fact not properly resolved on a motion to dismiss.”
     The plaintiffs have 30 days to cure the small deficiencies in their complaint but cannot add more claims, the judge concluded.
