30 July 2024. In a significant legal development, plaintiffs in the consolidated action against LastPass for claims resulting from its 2022 data breach—which compromised the encrypted digital vaults of LastPass customers and exposing sensitive personal information—defeated a motion to dismiss that will allow their case to proceed. Claims against its former parent company, GoTo Technologies USA, Inc., were dismissed.
U.S. District Judge Patti B. Saris affirmed that plaintiffs have plausibly demonstrated injury in fact. The plaintiffs, customers whose data was compromised during the breach, allege that the data breach led to actual and attempted misuse of their data, including theft from online wallets, fraudulent credit card charges, unauthorized applications for loans, sale of information on the dark web, and increased phishing attempts.
However, the Court agreed to dismiss claims against GoTo Technologies USA Inc., finding that no consumer had transacted directly with GoTo or relied on its representations. Additionally, the judge denied certain other claims against LastPass, including specific negligence claims and claims brought under consumer protection laws in several states.
Impact on Plaintiffs
This development means that the nine lawsuits consolidated in 2023 will move forward, allowing plaintiffs to hold LastPass accountable for breach of contract, breach of the covenant of good faith and fair dealing, the California Customer Records Act, California Consumer Privacy Act, Illinois Personal Information Protection Act, and Illinois Consumer Fraud and Deceptive Business Practices Act.
Along with co-counsel, Tycko & Zavareei attorneys Sabita J. Soneji and Cort Carlson represent some plaintiffs in the consolidated class action. Ms. Soneji was appointed to leadership in the consolidated class action last year and co-led the briefing that directly led to this win.
The case is In re LastPass Data Security Incident Litigation, Case No. 1:22-cv-12047, in the U.S. District Court for the District of Massachusetts.