Data breach class actions: Ninth Circuit addresses forum selection and personal jurisdictional issues in case against foreign defendants

Takeaway:  Businesses oftentimes rely on contractual provisions to shield themselves from litigation risk.  But some provisions are more effective than others.  In Baton v. Ledger SAS, No. 21-17036, 2022 WL 17352192 (9th Cir. Dec. 1, 2022) (per curiam), a Ninth Circuit panel reviewed a forum selection clause requiring that disputes against a French company be litigated exclusively in French courts.  The panel enforced the clause as to all claims—with a huge exception based on California public policy for “‘California resident plaintiffs bringing class action claims under California consumer law.’”  2022 WL 17352192, at *2 (citation omitted).  By contrast, class action waivers in arbitration clauses are generally not subject to state public policies and are usually effective at eliminating the risk of consumer class action litigation.

In Baton, Edward Baton and other named plaintiffs purchased cryptocurrency “hardware wallets” manufactured by the French company Ledger SAS.  In doing so, they agreed to terms and conditions, a privacy policy, and terms of use containing a broad forum selection clause mandating that disputes with Ledger be subject to the exclusive jurisdiction of courts in France.

Alleging that a data breach exposed the personal information they disclosed to Ledger in making their purchases, Baton and the others filed a putative class action against Ledger, a Canadian company, Shopify (Ledger’s e-commerce service provider for its on-line store), and Shopify (USA), Shopify’s Delaware-based subsidiary, asserting California consumer law and negligence claims.

The district court dismissed the complaint for lack of personal jurisdiction and also denied plaintiffs’ request to conduct jurisdictional discovery.  Plaintiffs appealed, and a Ninth Circuit panel reversed the district court’s ruling in substantial part.

First, the panel reversed the district court and held that personal jurisdiction existed over Ledger, explaining that “Ledger has sold about 70,000 wallets directly to Californians, generating millions of dollars in revenue; its website is designed to collect the applicable California sales tax for buyers whose IP addresses are in California; and it ships the wallets directly to California addresses.”  2022 WL 17352192, at *1.

Then, citing the Ninth Circuit’s decision in Doe 1 v. AOL LLC, 552 F.3d 1077, 1084 (9th Cir. 2009) (per curiam), the panel held that Ledger’s forum selection clause was unenforceable with respect to plaintiffs’ California consumer law claims, given California’s public policy against the contractual waiver by its residents of the right to bring class actions under California consumer law.  2022 WL 17352192, at *2.  The panel otherwise enforced the forum selection clause by affirming the dismissal of the remaining claims against Ledger.

As for the Shopify defendants, the panel ruled that the district court abused its discretion in not allowing jurisdictional discovery, given that the Shopify defendants did business and allegedly had employees who worked remotely in California.  Id.

Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their