Google Play Defeats Lawsuit Over Unauthorized Bank Charges–Harvey v. Google

In March 2013, Susan Harvey bought a game via Google Play, which required her to electronically link her bank account. She alleges that hundreds of unauthorized charges hit her bank account, totaling thousands of dollars. Google allegedly offered to make her whole, but she sued Google anyway, alleging that because “‘Google failed to implement and maintain reasonable security procedures and practices,’ hackers ‘obtain[ed] her Information and…post[ed] fraudulent transactions on Plaintiff«s̈ account.'” Her primary claim was under the Electronic Funds Transfer Act (the EFTA, 15 U.S.C. § 1693) with several ancillary state claims.

This turns into a surprisingly easy case. The EFTA has a one-year statute of limitations. The unauthorized charges allegedly started April 15, 2013 and ran through May 2014. Harvey discovered the problem in August 2014 and filed her complaint April 15, 2015. The court says that EFTA statutes of limitation caselaw is “sparse” but concludes that it started ticking on April 15, 2013, when the first violation allegedly occurred. That meant she needed to file suit by April 15, 2014, which she missed by a year. Harvey argued that each unauthorized charge reset the period, but the court rejects that argument based on other EFTA caselaw.

She also argued that the limitation period should be tolled until she discovered the issue in August 2014. The court shows zero sympathy, noting that she alleged there were 1000 unauthorized charges which would have all shown up on her bank account statements. Thus,

If Harvey had exercised due diligence, she should have discovered the injury either by looking at her Google account or even more simply, looking at her bank statements. It would not have taken much to discover that over the first 12 months of charges, there were hundreds of debits amounting to thousands of dollars on her bank statements.

Having rejected the EFTA claim on statute of limitations grounds, the court declines to exercise supplemental jurisdiction over the state law claims, sending her to state court if she wants (and assuming she won’t have further statute of limitations problems). Given that it’s not clear how she suffered any financial harm from the unauthorized charges, it’s unclear how much progress she’ll make on the other claims if she keeps pursuing them. For now, I’m putting this case into the category of privacy/security lawsuits where the plaintiff suffered no harm, so what exactly is the fight about?

For those of you celebrating, MERRY CHRISTMAS!

Case citation: Harvey v. Google, 2015 WL 9268125 (N.D. Cal. Dec. 21, 2015). The complaint.