If you haven’t heard of Fortnite . . . it's time to come from under your rock.
Fortnite is an online video game developed by Epic Games that was released in 2017. Fortnite Battle Royale is a free version where up to 100 players fight to the last person standing. It is a huge success drawing about 200 million players and reportedly earns hundreds of millions of dollars per month.
How does a free game rake in hundreds of millions? It is monetized through the use of “VBucks”, which is in-game currency that can be purchased with real-world funds. VBucks is used to buy in-game items like character models, in-game apparel, and dance moves (yes, dance moves). Anyone who plays free game apps should be familiar with this business model.
The Cyber Incident
As a free online game, players are required to create an account with personally identifiable information (“PII”). For convenience when purchasing VBucks, players store payment information, such as credit card numbers, on the game’s servers.
According to the Complaint filed in civil Court, in November 2018, a cybersecurity firm alerted Epic Games to a vulnerability in Fortnite’s system that allowed unauthorized parties to access and extract PII, payment information, and other sensitive data associated with Fortnite players’ accounts.
After hijacking a respective player’s Fortnite account, a cyber-criminal is then able to make in-game purchases of Vbucks in order to resell the same on the criminal black market. Apparently, Vbucks currency is a lucrative item for cybercriminals.
The Lawsuit
As with most other data breaches, there was an eventual lawsuit.
In February 2019, Eric Krohm filed a class action lawsuit on behalf of other players and asserted claims for violating the Illinois Consumer Fraud and Deceptive Business Practices Act, breach of contract, breach of implied contract, and negligence. Krohm alleged that in response to learning about the cyber vulnerability, he took time and effort to mitigate the risk of identity theft, including changing passwords and paying for credit monitoring services. He also allegedly experienced mental anguish and anxiety from the fear of identity theft and fraud.
Krohm originally filed the lawsuit in State Court in Cook County, Illinois. Epic Games, for strategic reasons, then removed the case to federal court in Illinois. Once in federal court, the case was transferred to the Eastern District of North Carolina pursuant to a forum selection clause in the End User License Agreement (“EULA”). This was Epic Games preferred battleground.
After removing the case to North Carolina, Epic Games immediately filed a motion to dismiss all of Krohm’s claims, or in the alternative, asked the Court to compel arbitration pursuant to the arbitration provision of the EULA.
Krohm Wants His Preferred Battleground
Typically, plaintiffs such as Krohm have to prove they have been harmed by the wrongful acts of the defendant (such as Epic Games). If a plaintiff has not been harmed (physically, emotionally or financially) then that plaintiff does not have “standing” to sue the defendants – i.e., no harm, no foul.
This is called Article III Standing. Article III of the US Constitution limits federal courts jurisdiction to certain “Cases” and “Controversies.” Standing requires injury-in-fact. Meaning, an injury that is “concrete, particularized, and actual or imminent.”
Usually, defendants argue that plaintiffs do not have standing. Without standing, the Court must dismiss the case for lack of jurisdiction (a result defendants want).
This case, however, involved a peculiar role reversal. Krohm wanted the case returned to Illinois state court. To achieve this, he argued that he does not have Article III Standing because he has not pled a proper injury-in-fact. Meaning, he wanted the Court to dismiss the case, but without prejudice, which would allow him to refile in State Court.
Epic Games argued the opposite. Epic Games argued that Krohm alleged sufficient injuries for Article III Standing. Presumably, Epic Games removed the case to Federal Court for a good reason and wanted the case to stay in Federal Court, even if it meant arguing that Krohm was actually harmed by the vulnerability in the game.
The Court agreed with Krohm: he had not suffered an injury in-fact. The Court stated,
[Krohm’s] complaint contains no facts showing, or even suggesting, that his personal data has been used as a result of the cyber vulnerability. For that matter, [Krohm’s] complaint does not even state that his data was taken, only that [Epic Game’s] Fortnite had a cyber vulnerability that could have allowed hackers to access his data. [Krohm’s] only harms are “time and effort to mitigate the risk of identity theft” and “anxiety and anguish[.]” Anxiety and anguish resulting from data breaches do not confer standing. And without a single fact alleged to show that future harms are certainly impending, the money, time, and effort spent by Krohm are merely self-imposed harms in response to a speculative threat. Fortnite allegedly has “tens of millions of active monthly users[.]” The threat of future injury is wholly speculative and insufficient for standing. Krohm v. Epic Games, Inc., 2019 WL 4861101, at *2 (E.D.N.C., 2019)(citations omitted).
Krohm strategically lost the battle, but not the war.
The Court agreed that it does not have Article III jurisdiction over this case, and therefore could not provide the relief that Epic Games requested (dismiss for failure to state a claim or compel arbitration). Instead, the Court dismissed Krohm’s claims without prejudice for lack of jurisdiction.
This meant that Krohm could re-file his case in Illinois state court (where he wants to be). So rather than receiving a fatal blow in Federal Court, Krohm lives to fight another day on his preferred battleground.
Well played Krohm!!
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
