A Feb. 28, 2022, McGuireWoods alert discussing a recent case concerning non-fungible tokens (NFTs) and breach-of-contract claims suggested that future litigation over digital assets — especially as it relates to tort claims under deceptive trade practices — was likely on the horizon. Less than a week later, that prediction came true.
Cryptocurrency (crypto) is a digital currency without a physical form. It is generally decentralized and not issued by a government or a bank. Crypto is a tradable digital asset built on blockchain technology online. Since 2009, when bitcoin was initially released and introduced, over 1,000 cryptocurrencies have been developed and released. More than 380 crypto exchanges currently exist online as well.
Information Security and Uphold HQ
Uphold HQ Inc. brands itself as a multi-asset digital money platform offering financial services. It serves over 184 countries across more than 80 traditional and crypto currencies. Its website also details Uphold’s “state-of-the-art security” and asserts that “[w]e obsess about” security.
Uphold’s security is under scrutiny due to a negligence lawsuit filed by three plaintiffs seeking class certification. Theodore Rider, Jesse Smith and Gilles Boevi brought this suit for negligence resulting from an alleged failure of Uphold’s multifactor authentication method to protect their crypto wallets from being hacked and stolen. The plaintiffs allege that Uphold’s security practices fell below the standard of the industry and that Uphold’s inadequacies resulted in a breach of the duty of reasonable care.
Each plaintiff details how Uphold’s security practices led to their loss of approximately $60,000, collectively. Particularly, the plaintiffs allege that Boevi’s story exemplifies the experience of others in the putative class of victims. Boevi received an email on Aug. 1, 2021, from Uphold informing him that someone had initiated a transaction affecting his holdings, but he had not initiated the transaction and he could not log onto his Uphold account. He quickly learned that someone had disabled his two-factor authentication. Boevi immediately contacted Uphold’s support, and alleges that, although support acknowledged his messages, it failed to freeze his account to prevent further transactions. Two hours after Boevi first notified Uphold of the transactions, the unauthorized user transferred all of Boevi’s crypto — valued at $26,176.21 — out of his account. According to Boevi, 11 minutes after the final transaction, Uphold support froze his account.
After it froze Boevi’s account, Uphold conducted an internal investigation and concluded it was in no way responsible for the loss. The email transmitting information about the investigation informed Boevi that the unauthorized user changed Boevi’s two-factor authentication device. Uphold offered no recourse and suggested that Boevi take the matter to his local law enforcement. Boevi’s experience was replicated in the cases of both Rider and Smith — their two-factor authentication methods were changed without their permission, and they lost $22,000 and $12,000, respectively. Following these breaches of security and thefts, the plaintiffs allege, Uphold has not disclosed or publicly acknowledged this vulnerability, leaving users unwittingly exposed to the risk.
The plaintiffs bring claims for negligence, negligence per se, violations of New York consumer law, unjust enrichment, breach of contract, breach of warranty, and negligent misrepresentation. To prevail on a negligence claim, plaintiffs must prove: (1) duty; (2) breach; (3) causation; and (4) damages. See Sawyer v. Wight, 196 F.Supp. 2d 220 (E.D.N.Y. 2002). The plaintiffs allege that the duty here was created by Uphold accepting and storing the plaintiffs’ private information and crypto wallets. As a result, Uphold owed the plaintiffs a duty of reasonable care. Uphold breached this duty by knowingly disregarding standard information security principles and permitting unauthorized users to change two-factor authentication methods without contacting the user. Because of this breach, the unauthorized users accessed the accounts and stole the crypto, resulting in loss of plaintiffs’ assets.
Negligence per se is a different cause of action wherein the duty and breach elements of a negligence claim are satisfied by the violation of a statute. See Cretcher v. United States Bank N.A., 2021 U.S. Dist. LEXIS 52815, at * 8 (E.D.N.Y. March 19, 2021). Here, the plaintiffs allege that Uphold violated Section 5 of the Federal Trade Commission Act (FTCA), which bars unfair and deceptive acts and practices “in or affecting commerce.” The plaintiffs allege that Uphold violated the FTCA by failing to maintain appropriate security, misrepresenting the strength of its security measures, and misleading users into believing that it monitored their accounts for potential fraud 24/7. Likewise, the plaintiffs’ claims for violations of New York consumer law rely on deceptive acts or practices in the state of New York. New York General Business Law 349 prohibits deceptive acts or practices in the conduct of any business, trade or commerce, or in the furnishing of any service in the state of New York.
Every jurisdiction prohibits unfair or deceptive trade practices and false advertising. State laws are generally modeled after the FTCA. Over the past several years, the plaintiffs’ bar has begun making claims for deceptive trade practices as a general basis for liability, akin to basic negligence. Some states permit enhanced penalties for deceptive trade practices litigation, including attorney’s fees, which are attractive to plaintiffs’ counsel. In New York alone, deceptive trade practice litigation has increased from 60 deceptive trade practice class actions filed in 2017, to more than 200 filed in 2021. In this case, the court will broach the subject of deceptive trade practices as they apply to digital assets and crypto exchanges. Crypto cases will likely continue to increase the number of deceptive trade practices class actions filed nationwide.
Similarly, the elements of a breach-of-warranty claim are: (1) existence of the warranty; (2) breach of the warranty; and (3) damages proximately caused by the breach. See Gerrity v. R.J. Reynolds Tobacco Co., 399 F. Supp. 2d 87 (D. Conn. 2005). The plaintiffs allege that Uphold promised to users on its website, smart phone application and promotional materials that it was an industry leader in account security and that it maintained numerous safeguards to protect against unauthorized account access.
Finally, a successful claim for negligent misrepresentation must show: (1) the defendant had a duty as a result of a special relationship to give correct information; (2) the defendant made a false representation that he or she should have known was incorrect; (3) the defendant knew that the plaintiff desired the information for a serious purpose; (4) the plaintiff intended to rely and act upon it; and (5) the plaintiff reasonably relied on it to his or her detriment. See Ritani, LLC v. Aghjayan, 970 F. Supp. 2d 232 (S.D.N.Y. 2013). As noted above, the plaintiffs allege that all representations about Uphold’s security were false, that the plaintiffs would not have used Uphold’s services had they known the security measures were inadequate, and that they relied on Uphold’s misrepresentations when they stored their crypto on Uphold’s exchange, resulting in the loss of their crypto when unauthorized users exploited Uphold’s inadequate security to breach the plaintiffs’ accounts.
This lawsuit will highlight how traditional legal principles such as negligence apply to the digital world. The case, although built from legal principles familiar to clients, will dive into the world of crypto and online security. Crypto exchanges can face class action lawsuits for failure to provide adequate security measures. These exchanges must adhere to the rules of the analog world or they will face the consequences of lawsuits alleging deceptive trade practices, negligence, breach of contract and warranty, misrepresentation, and violations of state and federal law.
Expect the uptick in deceptive trade practices class actions described above to continue to increase with the rise in litigation over digital assets. The continued rise of digital assets and crypto will result in increased litigation in areas of settled law as they apply to new digital instruments.
McGuireWoods’ experienced litigation teams remain ready to defend clients against any claims that may arise.