Coinbase hack shows the law probably won’t protect you: Here’s why


Coinbase is facing a flurry of lawsuits after disclosing a data breach that compromised nearly 70,000 customer accounts, with estimated losses reaching as high as $400 million.

The exchange says overseas customer support agents were bribed into helping scammers gain unauthorized access to user data in December 2024. The company disclosed the attack to the public in May.

There were some reports that Coinbase had updated its user agreement just before announcing the breach, with critics accusing the company of adding an arbitration clause that limits class actions. Coinbase maintains that a class action waiver has long been part of its terms.

Charlyn Ho, founder and CEO of the law and consulting firm Rikka, says such clauses are standard in the US, where user agreements are typically enforceable. But those terms and conditions may not hold the same weight in other jurisdictions.

To understand the legal obligations crypto exchanges face when handling sensitive data, Magazine spoke with Ho in the US, Catherine Smirnova of Digital & Analogue Partners in Europe and Joshua Chu of the Hong Kong Web3 Association.

The discussion has been edited for clarity and brevity.

Coinbase users lost sensitive data, but private keys are safe. (Coinbase)

Magazine: Is there a federal law in the US that defines or governs data breaches?

Ho: What actually is a breach is not legally uniformly agreed upon, but in the layperson’s mind, any kind of revelation or unauthorized access of data is a breach.

We do not have a federal data breach statute. We have 50 states that all have their individual breach notification rules. The Coinbase one was notified in Maine.

There are overlapping rules. For example, if you’re a publicly traded company you’re subject to the Securities and Exchange Commission’s (SEC) jurisdiction. The cybersecurity regulations that recently went into effect require disclosures to investors or shareholders on an 8-K within certain time frames. We don’t have a singular GDPR-esque statute.

Magazine: Who should be held responsible when a crypto platform is breached? 

Ho: In the US, we have almost complete freedom of contract. Generally, contracts are held to be enforceable unless it’s unconscionable or there’s an extreme imbalance of power — like an adult and a child. But in general, the courts in the US will respect consenting adults who have an opportunity to read these terms.

If you look at Coinbase’s terms, there’s a limitation of liability that basically says it won’t be liable for lost profits, loss of data or any loss, damage, corruption or breach of data.

Coinbase’s user agreement shields the platform from data breaches. (Coinbase)

When you click through it, you accept these terms. As long as the consent was valid, then you’re bound by them. Unfortunately, a lot of consumers will find that they’re not going to be able to recover a lot. Coinbase did say that they will reimburse people that were scammed. Coinbase is doing that out of their desire to have good relationships with their customers. But legally speaking, they don’t have to do that.

Magazine: How will this be treated outside of the US? 

Chu (HK): The data owner or the party that has custody of the data will usually be held responsible, though it depends on the locality of the user in question. 

As a litigation lawyer, I can say that regardless of whether something is written into a contract, many issues can still be argued in court. There are legal limits to what a company can carve out through its terms and conditions. You’ll often see language like ‘to the maximum extent permitted by applicable law’ in user agreements. Some of these carve-outs simply don’t hold up. 

Take the GDPR [legislation in Europe] for example. Its legal scope is mandatory. When it comes to processing the personal data of EU residents, it doesn’t matter what a contract says. GDPR is regulatory, not contractual, which means businesses can’t use their terms and conditions to override or exclude those obligations.

Smirnova (EU): What really stands out in Europe is that regulation is layered. Crypto exchanges aren’t only bound by sector-specific laws — they’re also subject to GDPR, consumer protection laws and broader EU regulations like the single market framework.

All of these rules still apply to crypto exchanges. Consumer protection laws, for example, protect users even if they’ve…

cointelegraph.com