Protect your business from creative data-breach plaintiffs’ attorneys


Awareness is half the battle

As more companies become victims of data security breaches, plaintiffs in data-breach cases have devised new and creative arguments under a variety of legal theories in a constant attempt to expand the scope of liability for companies or business owners. Businesses should consult with counsel on ways to limit damages in the event of a future data breach and proactively defend against the new causes of action arising from data-breach incidents. This article outlines the recent arguments plaintiffs have made against businesses in the event of a data breach and how courts have addressed them in light of companies’ actions and contracts they entered into with plaintiffs.

Although courts have taken different approaches when addressing certain arguments, some unifying themes are now starting to surface. Just recently, in Spokeo, Inc. v. Robins, the Supreme Court of the United States finally weighed in on one of the key issues in data-breach cases: standing to sue. The Supreme Court held that a plaintiff does not automatically meet the requirement to assert an injury-in-fact simply because a statute grants the plaintiff a right to sue to vindicate a statutory right. Article III standing requires a particularized and concrete injury even where a statute allows a person to sue for a statutory violation. The Supreme Court also clarified that this holding “does not mean, however, that the risk of real harm cannot satisfy the requirement of concreteness.” Accordingly, although this ruling will limit the number of claims alleging abstract or no injuries, it possibly leaves room for plaintiffs to make general allegations of future or increased harm that many courts have found to be insufficient.

Breach of contract
In breach-of-contract claims, plaintiffs have generally alleged that a company owed a contractual obligation to protect personal information and failed to do so. In data-breach cases, courts have dismissed complaints where plaintiffs failed to identify any specific contractual obligations companies actually owed regarding the plaintiffs’ data.

In some instances, courts have upheld breach-of-contract claims, such as where employment contracts require employees to provide their personal information in exchange for employment. Employers should limit their liability by including a provision in their employment contracts that limits damages to direct harm. Further, courts have declined to treat corporate policies about data-security practices as enforceable contracts.

Data-breach plaintiffs also often face difficulty in alleging more than just consequential damages in a breach-of-contract claim, especially where the contract between the parties includes a provision limiting damages to direct harm. However, in cases where plaintiffs have alleged breach of an implied contract, their complaints have survived dismissal on the grounds that companies implicitly agreed to take reasonable steps to protect plaintiff’s information. Companies that do not enter into written contracts with plaintiffs to protect their information should still be cautious of verbally or implicitly agreeing to be responsible for plaintiffs’ information in the event of a data breach.

Negligence
In negligence claims, plaintiffs generally allege that businesses breached their duty to protect plaintiffs’ personal information by failing to provide adequate data security. To withstand dismissal, plaintiffs must adequately allege that companies owed them a duty and fell below a standard of care by failing to, for example, establish adequate practices on intrusion detection. The claim will fail in the absence of a duty that a company owed to plaintiff. For instance, courts have dismissed negligence claims against third parties where the third party retains the personal information that was improperly accessed, but did not have a direct relationship with the plaintiff.

Beyond establishing a duty, plaintiffs must also overcome the economic-loss doctrine, which provides that there is no claim for negligence where the plaintiff only alleges economic damages unaccompanied by physical injury or property damage. Some courts have, however, applied a “special relationship” exception to the doctrine. A special relationship involves confidentiality or special trust. This exception generally involves one party taking advantage of or exercising undue influence over the other. To make such a showing, plaintiffs generally need to allege more than just a relationship created by contract. Accordingly, courts do not apply the special-relationship exception where plaintiffs can recover under a breach-of-contract claim.

The Fair Credit Reporting Act
Plaintiffs have also alleged violations of the Fair Credit Reporting Act (FCRA) in data-breach cases. To accomplish its purpose, the FCRA imposes obligations on consumer-reporting agencies, users of consumer reports, and furnishers of information to consumer-reporting agencies.

In data-breach cases against consumer-reporting agencies, plaintiffs generally allege that companies willfully, recklessly, and/or negligently violated the FCRA by failing to implement measures to protect plaintiffs’ personal information. Companies have typically opposed these claims by arguing that plaintiffs do not have standing to bring a claim under the FCRA because they are relying on possible future injuries to support their claim and have not suffered any monetary loss. Again, the Supreme Court recently clarified that plaintiffs must still allege a concrete injury even where companies have violated statutory obligations. Merely stating that a company has violated the FCRA by providing incorrect information about the plaintiff will not satisfy the injury-in-fact requirement.

In addition, courts have dismissed FCRA claims where a company does not fit the definition of consumer-reporting agencies under the FCRA. The FCRA’s definition of “consumer reporting agency” has been limited to agencies that furnish consumer reports for consumer purposes. Accordingly, in data-breach cases where plaintiffs have not alleged that a company regularly compiles and distributes consumer reports, courts have granted dismissal.

Fraud
Courts often dismiss claims of fraud in data-breach cases for two reasons. First, the plaintiffs are typically unable to meet the heightened pleading standard of Federal Rule of Civil Procedure (FRCP) 9(b). Second, the plaintiffs often cannot sufficiently allege that a business engaged in fraudulent behavior, as the third party that compromised the company’s system is the actual culprit.

Other trends
Plaintiffs have also made claims of unjust enrichment in data-breach cases. However, many states do not provide for an independent unjust enrichment cause of action. In states, including New York, that allow an unjust-enrichment claim to be brought independently, such claims are dismissed where plaintiffs have adequate remedies at law or where there is an express contract between the plaintiffs and defendant. Courts also require plaintiffs to plead that a defendant knowingly received something of value which it should not have received.

In addition, plaintiffs have attempted to claim that companies breached the covenant of good faith and fair dealing by failing to protect plaintiffs’ information. Some states, including New York, do not provide for an independent claim for breach of good faith and fair dealing, and treat it as nothing more than a claim for breach of contract. Even in states that allow for such independent claims, the plaintiffs are rarely able to make the requisite showing that a company consciously tried to frustrate the common purpose of their contract by causing a data breach.

Conclusion
Although the law governing data breaches is still evolving, some unifying themes are emerging. Plaintiffs have been doggedly trying to expand the scope of liability using creative arguments under several legal theories, and the courts remain split on many key issues. Businesses and their attorneys should closely monitor developments in this nascent body of law.

Cliff Tsan is a member in the law firm of Bond, Schoeneck & King. He is co-chair of the firm’s cybersecurity and data privacy practice, as well as co-chair of the firm’s e-discovery and information management practice. Upnit Bhatti is an associate with Bond and focuses on litigation matters.

Clifford G. Tsan and Upnit K. Bhatti