Updates and supplemental material to Chapter 5

Data Breach Litigation – Causes of Action

UPDATES TO SECOND EDITION
5.1 Typical Causes of Action

See updates to Chapter 15.6, Civil Litigation Arising from Ransomware Incidents, for a B2B case where plaintiff sued for loss of business when its provider of warehousing and delivery services shut down for an extended period in response to a ransomware attack.

5.1.6 Securities Fraud and Shareholder Derivative Class Actions

In 2024, the Alphabet case described in the book settled, with defendants agreeing to pay $350 million. In re: Alphabet Inc. Securities Litigation, n​o. 3:18-cv-06245​ (N.D. Calif.). The settlement was reached with the assistance of a mediator while a motion for class certification motion was pending.

5.2.1  Negligence

Under Illinois law, allegations of emotional harm are sufficient to satisfy the damages element of a negligence claim, including in the data breach context. Roper v. Rise Interactive Media & Analytics, LLC, 2024 U.S. Dist. LEXIS 65911 (N. D. Ill. Apr. 10, 2024). Also applying Illinois law: emotional harms such as anxiety and increased concerns for the loss of privacy are legally cognizable as present injury or damage to sustain a negligence claim. In re Gallagher, 631 F.Supp.3d 573, 587 (N.D. Ill. 2022).

Mitigation expenses satisfy the damages requirement of negligence. Tignor v. Dollar Energy Fund, Inc., 2024 U.S. Dist. LEXIS 146125 at *29 (W.D. Pa. Aug. 15, 2024) (citing Simona Opris v. Sincera Reprod. Med., 2022 U.S. Dist. LEXIS 94192, *18-19 (E.D. Pa. 2022) which, in turn cites other cases). The Simona Opris court also held that plaintiffs also satsified the damages element of a negligence claim with their allegation of loss of value to their personal information. 2022 U.S. Dist. LEXIS 94192, *20.

Where compromised data is limited to names, dates of birth, and driver's license or state identification numbers, that is insufficient to demonstrate imminent harm, and thus plaintiffs failed to allege a cognizable harm to satisfy the damages prong of a negligence claim. Durgan v. U-Haul Int'l Inc., No. CV-22-01565-PHX-MTL, 2023 U.S. Dist. LEXIS 193037 *5-11, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023). Since there was no imminent harm, mitigation costs also don’t count as damages. Alleged diminution in value of plaintiffs’ PII didn’t count either: While the court found that there is a market for plaintiffs' PII because disclosure of that PII is, at times, necessary for their participation in the economic marketplace, plaintiffs had failed to allege that their ability to participate in that market had been impaired.

Finding duty of care and denying motion to dismiss negligence claim: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648 (C.D. Calif. May 30, 2024). Under California law, “courts have generally found that a business owes a duty of care to prevent breaches of sensitive data, even when the individuals whose data is at issue are not “customers or otherwise in privity” with the business.” Defendant had argued that the complaint did not adequately aver foreseeability because it did not allege facts showing that the defendant was on notice of specific cybersecurity defects in its systems. In response, the court said that foreseeability is not a requisite element of a negligence cause of action, but that the related principle of proximate cause is such an element, limiting defendant's liability to those foreseeable consequences that the defendant's negligence was a substantial factor in producing. However, the complaint had alleged that the defendant knew or should have known of the risks of collecting and storing personal information and knew or should have known of the risks and possible harm that could result from its failure to implement and maintain reasonable security measures. That was sufficient to “to state that it was reasonably foreseeable to Defendant that a data breach and resulting injuries could occur as a result of its data security practices.”

Applying Pennsylvania Supreme Court decision in Dittman on duty and on intervening criminal act to reject motion to dismiss negligence claim: Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023). 

Negligence claim dismissed in a case against two loan servicing companies and their parent company, where plaintiffs did not specifically allege how each defendant was responsible for acts or omissions related to the data breach. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023).

To satisfy the causation prong of a negligence claim, proximate cause is sufficiently pled when it is alleged that the defendant failed to safeguard personal information. Simona Opris v. Sincera Reprod. Med., 2022 U.S. Dist. LEXIS 94192, *14 (E.D. Pa. 2022).

5.2.1.1 Is There a Duty of Care?

A nonprofit owed a duty of care to grantees in protecting their PII from data breaches. Tignor v. Dollar Energy Fund, Inc., 2024 U.S. Dist. LEXIS 146125 at *27 (W.D. Pa. Aug. 15, 2024) (“affirmative conduct associated with an increased risk of harm can yield a special relationship for tort purposes”). The fact that that third-party criminality caused the data breach did not eliminate the duty. Note the court’s formulation: the defendant’s affirmative conduct in collecting and storing her PII without the use of adequate security measures created a risk of foreseeable harm for third-party criminality, “which is enough to recognize a legal duty.” See also Wawa, Inc. Data Sec. Litig., 2021 U.S. Dist. LEXIS 86854, 2021 WL 1818494, at *7.

5.2.1.2  Negligence and the Economic Loss Rule

Addressing the economic loss rule: Alexander v. Wells Fargo Bank, N.A., 2023 U.S. Dist. LEXIS 139242 *6-9, 2023 WL 5109532 (Aug. 9, 2023) (economic loss rule required dismissal of a negligence claim to the extent it was based on monetary losses, but an injury of lost time was sufficiently pled, so motion to dismiss denied in that respect).

Finding economic loss rule inapplicable:

  • Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

  • Alexander v. Wells Fargo Bank, 2023 U.S. Dist. LEXIS 214454 (S.D.Ca. Dec. 1, 2023) ("loss of time" and emotional distress including "fright," "shock," "nervousness," "worry," "anxiety," and "humiliation" constitute non-economic losses).

5.2.2 Negligence per se

In Clemens v. ExecuPharm Inc., 2023 U.S. Dist. LEXIS 107801 (E.D. Pa. June 22, 2023), the court, having declined to dismiss a negligence claim, did dismiss the negligence per se claim because, under Pennsylvania law, negligence per se is a theory of negligence, not a standalone claim. However, the court said that the plaintiff could employ a negligence per se theory to satisfy the duty and breach elements of general negligence.

5.2.3 Breach of Express Contract

Refusing to dismiss breach of contract claim, where the plaintiff had adequately alleged that Blackbaud’s customer (Trinity Health, the entity that entrusted data to Blackbaud) had incurred certain remediation costs (i.e., damages) as a result of the breach. Aspen American Insurance Co. vs. Blackbaud Inc., no. 3:22-cv-00044, 2023 U.S. Dist. LEXIS 94476 *16-24, 2023 WL 3737050 (N.D. Ind. May 31, 2023). Interestingly, plaintiff alleged that the contract at issue required Blackbaud to help facilitate Trinity’s notification of its customers and that, in failing to do so, Blackbaud had caused additional damage to Trinity. Extensive discussion of what damages are recoverable by the enterprise user of cloud services when its customers’ data is compromised due to the fault of the cloud provider.

In a case involving an alleged breach of an employment contract, where the defendant argued that any data security obligation under the contract ended when employment ended, the court found that it could not determine the parties’ reasonable intent as a matter of law at the 12(b)(6) stage and therefore it denied the motion to dismiss the contract claim. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

In Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 538, 299 Cal. Rptr. 3d 544 (2022), review denied, 2022 Cal. LEXIS 7599  (Dec. 14, 2022), the California Court of Appeal rejected a lost value of PII theory in support of the damages element of a breach of contract claim, where plaintiffs failed to plead they “attempted or intended to participate in [the PII] market, or otherwise to derive economic value from their PII. Nor did they allege that any prospective purchaser of their PII might learn that their PII had been stolen in this data breach and, as a result, refuse to enter into a transaction with them, or insist on less favorable terms.” The appellate court rejected the Ninth Circuit's conclusion in In re Facebook Priv. Litig., 572 F. App'x 494 (9th Cir. 2014), which had allowed a lost value of PII allegation to suffice for the damages element of a California contract claim. 

5.2.4 Breach of Implied Contract

In a privacy case, distinguishing Gardiner v. Walmart and accepting a "loss of the benefit of the bargain" theory to establish an implied contract claim: C.M. v. MarinHealth Med. Grp., Inc., no. 23-CV-04179-WHO, 2024 WL 217841 (N.D. Cal. Jan. 19, 2024) (“this case arises in the context of paid healthcare services and is based on an ongoing relationship between the parties that plaintiff alleges was based in part, or that the amount he paid for the services was based in part, on MarinHealth's security promises. In this context, adequate consideration has been alleged for the implied contract claim.”). 

Dismissing implied contract claim with leave to amend: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648, *41-43 (C.D. Ca May 30, 2024). "An implied contract is one, the existence and terms of which are manifested by conduct." Cal. Civ. Code § 1621. The complaint had not contained any allegations about a course of conduct that may have given rise to the alleged implied contract.

Implied contract claim dismissed where plaintiff mortgagees were one step removed from mortgage servicer defendants because plaintiff’s PII was provided to defendant indirectly through plaintiffs' mortgage lenders. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023).

Breach of implied contract claim dismissed where plaintiffs did not allege that they relied upon or read the privacy policy before entering into a business relationship with defendant (hence, no consideration) and did not allege that data security was part of the bargain (hence, no damages on a form of lost benefit of the bargain theory). Durgan v. U-Haul Int'l Inc., No. CV-22-01565-PHX-MTL, 2023 U.S. Dist. LEXIS 193037 *12-15, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023) (“Plaintiffs purchased and sought physical storage and rental truck services, not data security.").

An implied contract claim failed where the plaintiff had failed to allege consideration: “’Consideration consists of a benefit to the promisor or a detriment to the promise.’…  Pennsylvania law is clear, however, that it is not enough for the promisee to suffer a legal detriment at the request of the promisor.  ‘The detriment incurred must be the 'quid pro quo', or the 'price' of the promise, and the inducement for which it was made.’” Tignor v. Dollar Energy Fund, Inc., 2024 U.S. Dist. LEXIS 146125 at *31-32 (W.D. Pa. Aug. 15, 2024). Where there was no inference that the defendant had benefitted from acquiring plaintiff's PII, the conveyance that PII to defendant did not satisfy the element of consideration. Without consideration, the defendant’s privacy policy was not sufficient to make a contract.

Other implied contract cases: 

  • That defendant has allegedly failed to comply with reasonable security standards when requiring plaintiffs to provide their names, emails, and/ or credit card information when making purchases was sufficient to allege the existence of an implied contract. However, the implied contract claim was dismissed because plaintiffs had failed to identify which "commercially reasonable security measure" defendant did not implement to protect their data. Troy v. American Bar Association, no. 1:23-cv-03053, 2024 U.S. Dist. LEXIS 78206, 2024 WL 1886753 (E.D.N.Y. Apr. 30, 2024).

  • Allegations of lost time adequate to satisfy damages element of implied contract claim: In re Gallagher, 631 F.Supp.3d 573, 587 (N.D. Ill. 2022).

  • Farmer v. Humana, Inc., 582 F. Supp. 3d 1176, 1187 (M.D. Fla. 2022) (agreeing with the analysis in In re Brinker, below).

  • In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *5 (M.D. Fla. Jan. 27, 2020) (holding plaintiffs' allegations that defendant "solicited and invited" them to "eat at its restaurants and make purchases using their credit or debit cards" sufficient to allege an implicit agreement that defendant would protect sensitive credit card information) (internal quotation omitted). 

  • Torres v. Wendy's Int'l, LLC, No. 16-210, 2017 WL 8780453, at *3 (M.D. Fla. Mar. 21, 2017) (holding plaintiff's allegations that "defendant invited its customers to pay for their purchases with credit cards containing confidential information" sufficient to allege an implicit agreement to "protect its customers' confidential information as a reasonable and prudent merchant would").

  • Brush v. Miami BeachHealthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1369 (S.D. Fla. 2017) (finding there was no implied contract where plaintiff contracted to receive healthcare services, not data security specifically).

  • In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1221 (finding no implied contract because plaintiffs alleged no invitation or solicitation by defendants indicating that defendants implicitly assented to secure their personal information in exchange for payment of healthcare services).

5.2.5 Unjust enrichment

Unjust enrichment claim under Georgia law dismissed in case against a company providing data management services to health care providers. Miller v. NextGen Healthcare Inc., 1:23-cv-02043, 2024 U.S. Dist. LEXIS 131254 *10-11 (N.D. Ga. July 25, 2024). Under Georgia law, unjust enrichment claims lie only in those situations where a defendant has received a direct benefit from a plaintiff. The plaintiffs did not allege that they directly conferred any benefit to defendant NextGen. Instead, they alleged that they conferred a benefit to their healthcare providers and those providers conferred a benefit to NextGen. “This is insufficient to allege a claim for unjust enrichment.”

Dismissing unjust enrichment claim: Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

A claim for unjust enrichment requires a direct relationship between the parties. That is, where consumers provided their data to Company A, which in turn disclosed it to Company B (as a data processor), and Company B suffered a breach, the consumers cannot sue Company B for unjust enrichment. In re United States Vision Data Breach Litig., No. 1:22-cv-06558, 2024 U.S. Dist. LEXIS 79565 at *11-13 (D. N.J. April 30, 2024); Robinson v. Maintech Inc., No. 23-4458, 2024 U.S. Dist. LEXIS 67131, 2024 WL 1598416, at *3 (D.N.J. Apr. 12, 2024).

5.2.6 State Laws Prohibiting Unfair or Deceptive Trade Practices

Another case ruling on claims under multiple state statutes (UDAP laws, breach notice laws, and reasonable security laws) is Miller v. NextGen Healthcare Inc., 1:23-cv-02043, 2024 U.S. Dist. LEXIS 131254 (N.D. Ga. July 25, 2024):

  • Georgia Uniform Deceptive Trade Practice Act – survives

  • California Customer Records Act (breach notice)  – dismissed – plaintiffs were not customers under the act

  • California Unfair Competition Law – dismissed as to one plaintiff (no economic harm), survives as to another plaintiff

  • Cal. Civ. Code § 1798.150(a)(1) (liquidated damages for failure to maintain reasonable security) – survives (processor is a “business” under the statute)

  • Illinois Personal Information Protection Act (breach notice) and Illinois Uniform Deceptive Trade Practices Act – dismissed (no allegation of events in Ill.)

  • Iowa Private Information Security Breach Protection Law – dismissed (no injury alleged from delay in notice)

  • Maine Unfair Trade Practices Act – dismissed (no reliance on any omission)

  • Maine Uniform Deceptive Trade Practices Act – dismissed (no events alleged in Maine)

  • New Jersey Customer Security Breach Disclosure Act – dismissed

  • New Mexico Unfair Practices Act – dismissed (no sale of data services to plaintiff)

  • New York General Business Law – dismissed (no cognizable injury, time and money spent on fraud protection do not qualify)

Pennsylvania Unfair Trade Practices and Consumer Protection Law – dismissed (no reliance)Dismissing claim under N.Y. G.B.L. § 349, which prohibits "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service." Troy v. American Bar Association, no. 1:23-cv-03053, 2024 U.S. Dist. LEXIS 78206, 2024 WL 1886753 (E.D. N.Y. Apr. 30, 2024). Plaintiffs did not allege that they saw or read the privacy policy prior to the alleged harm. “In order to establish the requisite causal connection between the alleged misrepresentation and the resulting injury, ‘a plaintiff must plausibly allege that she actually viewed the misleading statement prior to making her decision to purchase, and must set forth where, when and how she came to view it.’” Also dismissed: claim under Texas Deceptive Trade Practices Act, TX. Bus. & Com.§ 17.46. “Finally, the DPTA is subject to the heightened pleading standard set forth in Federal Rule of Civil Procedure 9(b). … Thus, to allege a claim under the DPTA, Plaintiffs must state ‘with particularity the circumstances constituting ... mistake.’ Fed. R. Civ. P. 9(b).” "Because [Plaintiffs] fail[] to identify any specific provision of the DTPA of which defendant's alleged conduct would be in violation, [Plaintiffs'] attempt to make out a deceptive trade practices claim must fail."

Declining to dismiss a claim under the California UCL: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648, *34-38 (C.D. Ca May 30, 2024). “To establish standing for a UCL claim, a plaintiff must ‘demonstrate some form of economic injury.’” (The court here uses standing to refer not to Article III standing but rather to the damages element of a UCL claim.) The court found adequate economic injury in allegations of unreimbursed payments toward enhanced credit monitoring and in the allegation that the value of their personal information had diminished. 

Deprivation of money or property is a prerequisite to suit under Cal. Bus. & Prof. Code § 17204. Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023), citing Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 3:16-cv-14, 2016 WL 6523428, at *11 (S.D. Cal. Nov. 3, 2016).

Dismissing claim under the Arizona Consumer Fraud Act, which makes unlawful any deception, deceptive or unfair act or practice, fraud, false pretense, false promise, misrepresentation, or concealment, suppression or omission of any material fact with intent that others rely on such concealment, suppression or omission, in connection with the sale or advertisement of any merchandise: In re United States Vision Data Breach Litig., No. 1:22-cv-06558, 2024 U.S. Dist. LEXIS 79565 at *13-17 (D. N.J. April 30, 2024). The court concluded that general allegations of a promise to keep customers' PHI private are not adequate, and the plaintiffs’ failure to allege specific actions defendants did or did not take to protect their private information was fatal. The district court in Arizona had held in an earlier case that claims arising under the ACFA pertain to fraud and are thus subject to the pleading requirements of Rule 9(b) of the Federal Rules of Civil Procedure. In re Banner Health Data Breach Litig., No. 16-2696, 2017 U.S. Dist. LEXIS 221534, 2017 WL 6763548, at *6 (D. Ariz. Dec. 20, 2017). However, the court had also said that a plaintiff in a fraud-by-omission suit faces a slightly more relaxed burden, due to the fraud-by-omission plaintiff's inherent inability to specify the time, place, and specific content of an omission in quite as precise a manner.

For similar reasons, the court dismissed a claim under the New Jersey Consumer Fraud Act. In re United States Vision Data Breach Litig., No. 1:22-cv-06558, 2024 U.S. Dist. LEXIS 79565 (D. N.J. April 30, 2024). The U.S. Vision court also dismissed a claim under the Oklahoma Consumer Protection Act, which includes a safe harbor provision exempting from its application actions or transactions regulated under laws administered by a regulatory body or officer acting under statutory authority of this state or the United States. Since the data at issue was covered by HIPAA, the court ruled, the safe harbor applied.

Also dismissing a claim under the Arizona Consumer Fraud Act: Durgan v. U-Haul Int'l Inc., No. CV-22-01565-PHX-MTL, 2023 U.S. Dist. LEXIS 193037 *15-17, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023) (the Arizona law does not have an unfairness prong; a claim must include a false promise or misrepresentation, citing multiple federal and Arizona state court cases.)

5.2.7 State Laws Requiring Reasonable Security Measures

Dismissing a claim under California Consumer Privacy Act (CCPA) Cal. Civ. Code § 1798.150(a), the statutory damages provision for failing to implement and maintain reasonable security procedures: Owens v. Smith, Gambrell and Russell International, LLP, 2024 U.S. Dist. LEXIS 96648, *28-30 (C.D. Ca May 30, 2024). Defendant received plaintiff’s data as part of a business-to-business transaction, and B2B transactions were categorically exempted under the CCPA at the time the data breach occurred in July 2021. Although the B2B exemption expired as of January 1, 2023, the court refused to apply the statute retroactively to conduct not covered at the time of the incident.

Separately, plaintiffs brought a claim under the California Customer Records Act (CCRA), Cal. Civ. Code §§ 1798.80 et seq, which also contains, at 1798.81, a reasonable security measures obligation. Section 1798.84(b) states that “[a]ny customer injured by a violation of this title may institute a civil action to recover damages.” However, the court ruled that plaintiffs were not “customers” of the defendant, a law firm that received PII from its clients. Rather, plaintiffs were customers of those clients. This meant plaintiffs could not sue defendants: “Section 1798.80(c) [defining ‘customer’] expressly limits the right to bring civil actions arising out of an alleged CCRA violation to customers who directly transacted with the affected business.” 2024 U.S. Dist. LEXIS 96648 at *33.

Rejecting motion to dismiss claim under Cal. Civ. Code § 1798.150(a): Durgan v. U-Haul Int'l Inc., No. CV-22-01565-PHX-MTL, 2023 U.S. Dist. LEXIS 193037 *15-17, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023). It is interesting that the court had concluded that the compromised data (names, dates of birth, and driver's license or state identification numbers) was not sensitive enough to give rise to an imminent risk of harm for purposes of establishing damages under a negligence claim, but that data is covered under the narrow definition used by 1798.150. Allegations that defendant had failed to destroy data it no longer needed, stored data in an Internet-accessible environment without proper safeguards, and failed to follow fourteen other cybersecurity best-practices that plaintiff cited were sufficient to plead a "violation of the duty to implement and maintain reasonable security procedures and practices." In June, 2024, the court gave preliminary approval to a $5 million settlement.

Entities covered by HIPAA are exempt from Cal. Civ. Code § 1798.100(e). Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023). They are also expressly exempt from 1798.81.5, as are financial institutions.

In Alexander v. Wells Fargo Bank, N.A., 2023 U.S. Dist. LEXIS 139242, 2023 WL 5109532 (Aug. 9, 2023), the court declined to dismiss a claim brought under Cal. Civ. Code § 1798.100 for failure to implement and maintain reasonable security procedures and practices. An unknown individual had accessed plaintiff’s accounts and switched plaintiff's contact information, such as his email address, changed his account pin numbers, and obtained new account cards to make purchases, almost cleaning out plaintiff’s account. The defendant tried to argue that there was no data breach; the court held in essence that the obligation of § 1798.100 goes beyond preventing data breaches. Likewise, under similar facts, a court declined to dismiss a claim under Cal. Civ. Code § 1798.150(a)(1), which allows "[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration . . . as a result of the business's violation of the duty to implement and maintain reasonable security procedures" to bring a civil action. Ramos v. Wells Fargo Bank, N.A., 2023 U.S. Dist. LEXIS 144796, 2023 WL 5310540 (Aug. 17, 2024).

5.2.7A Federal Statutes [New Subchapter]

Almost all federal privacy laws (HIPAA, GLBA, COPPA) lack a private right of action, so they cannot be the basis of claims in data breach cases (except as the basis for a negligence per se claim, see Chapter 5.2.2). However, the Driver’s Privacy Protection Act, 18 U.S.C. §§ 2721-2725, does include a private right of action and has been invoked in data breach cases. In Allen v. Vertafore, Inc., No. 21-20404, 2022 WL 765001 (5th Cir. Mar. 11, 2022), the appeals court held that the act of storing personal information on an unsecured external storage device where it was accessed without authorization by a third-party did not amount to a “knowing disclosure” under the DPPA. Upholding a claim, under different facts: In re GEICO Customer Data Breach Litig., 691 F. Supp. 3d 624 (E.D.N.Y. 2023). Regarding standing under the DPPA, see updates to Chapter 4.2.1.9.

5.2.8 State Breach Notification Laws

South Carolina's Data Breach Notification Act (SCDBNA) requires those "conducting business in this State and maintaining ... personal identifying information that the person does not own" to "notify the owner or licensee of the information of a breach of the security of the data immediately following discovery." Rise learned of the data breach on a Friday. Rise informed Edgepark of the breach the next business day, Monday. The statute requires the target of a data breach to notify the owner or licensee "immediately following discovery." Waiting three days—when the bad actors could very well be misusing the stolen information of ignorant consumers—does not constitute immediacy as a matter of law. Roper's SCDBNA claim may proceed. Roper v. Rise Interactive Media & Analytics, LLC, 2024 U.S. Dist. LEXIS 65911 (N. D. Ill. Apr. 10, 2024)

5.2.10.1 Breach of Fiduciary Care

Without adequate factual allegations to support an agency relationship, claim for breach of fiduciary duty must be dismissed. Aspen American Insurance Co. vs. Blackbaud Inc., no. 3:22-cv-00044, 2023 U.S. Dist. LEXIS 94476 *2-314, 2023 WL 3737050 (N.D. Ind. May 31, 2023).

Declining to dismiss breach of fiduciary duty claim: Miller v. NextGen Healthcare Inc., 1:23-cv-02043, 2024 U.S. Dist. LEXIS 131254 *17-19 (N.D. Ga. July 25, 2024) (“in some circumstances, the retention of private information that patients provided while seeking medical care can create a fiduciary duty under Georgia law”).

Under Pennsylvania law, to state a claim for breach of fiduciary duty, a plaintiff must establish that the parties were in a fiduciary relationship. An employer-employee relationship, without more, does not give rise to a fiduciary duty. Because plaintiff, a former employee of defendant, had failed to allege any circumstances that distinguished her situation from any other employer-employee relationship motion to dismiss granted with leave to amend with any facts that would establish the necessary heightened relationship. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

Dismissing claims based on breach of fiduciary duty. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023) (business or "arm's-length" relationships, such as those created through contract, typically do not imply a fiduciary duty). 

Multiple courts have held in data breach cases that there is no fiduciary duty case where no relationship between the parties existed. That is, where consumers provided their data to Company A, which in turn disclosed it to Company B (as a data processor), and Company B suffered a breach, the consumers cannot sue Company B under a fiduciary duty theory. In re United States Vision Data Breach Litig., No. 1:22-cv-06558, 2024 U.S. Dist. LEXIS 79565 (D. N.J. April 30, 2024) (citing other cases).

5.2.10.2 Breach of Confidence

Under Pennsylvania law, a “confidential relationship” exists when one party has reposed a special confidence in another to the extent that the parties do not deal with each other on equal terms. This occurs when there is an “overmastering dominance on one side, or weakness, dependence or justifiable trust, on the other.” A business association may be the basis of a confidential relationship “only if one party surrenders substantial control over some portion of his affairs to the other.” Because plaintiff had not alleged a confidential relationship, claim for breach of confidence dismissed with leave to amend. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

5.2.10.3 Bailment

Dismissing bailment claim under Georgia law: “The Plaintiffs do not allege any requirement—contractual or legal—that NextGen had to return, destroy, or otherwise dispose of the Plaintiffs’ information within a certain period of time or upon the Plaintiffs’ demand. Without such an allegation, the Plaintiffs fail to allege the basic requirements of a bailment under O.C.G.A. § 44-12-40.”  Miller v. NextGen Healthcare Inc., 1:23-cv-02043, 2024 U.S. Dist. LEXIS 131254 *15-17 (N.D. Ga. July 25, 2024) (citing other breach cases dismissing bailment claims).

5.2.10.5 Invasion of Privacy

Allegations of failure to take adequate measures to protect against the intentional intrusion of a third party does not state a claim for intrusion on seclusion: Miller v. NextGen Healthcare Inc., 1:23-cv-02043, 2024 U.S. Dist. LEXIS 131254 *12-14 (N.D. Ga. July 25, 2024). Same: In re Accellion, Inc. Data Breach Litig., 2024 WL 333893, at *15 (N.D. Cal. Jan. 29, 2024) (applying California law to dismiss an intrusion upon seclusion claim related to a data breach).

Allegations that a nefarious third-party stole information and could theoretically further share the data in the future insufficient to qualify as a “public disclosure.” Roper v. Rise Interactive Media & Analytics, LLC, 2024 U.S. Dist. LEXIS 65911 (N. D. Ill. Apr. 10, 2024) (dismissing claim on 12(b)(6) motion; citing multiple other cases).

In Owens v. Smith, Gambrell and Russell International, LLP, the court rejected a motion to dismiss claims for intrusion upon seclusion and violation of the privacy right in violate Article 1, Section 1 of the California Constitution. 2024 U.S. Dist. LEXIS 96648, *38-41 (C.D. Ca May 30, 2024). Privacy claims under both the common law and the California Constitution require allegations of offensive conduct.  However, considering a range of factors identified in prior cases, “[c]ourts have refused to dismiss invasion of privacy claims at the motion to dismiss stage where, as here, a data breach involved medical information, because the disclosure of such information is more likely to constitute an ‘egregious breach of the social norms' that is 'highly offensive.’” Id. at *39 (citing other cases).

5.2.10.6 Negligent Misrepresentation

Dismissing a claim of negligent misrepresentation: Aspen American Insurance Co. vs. Blackbaud Inc., no. 3:22-cv-00044, 2023 U.S. Dist. LEXIS 94476 *16-24, 2023 WL 3737050 (N.D. Ind. May 31, 2023). Because Blackbaud was not a professional who was in the business of providing guidance or information, and because Trinity Health and Blackbaud were in privity of contract, the Court finds that the economic loss doctrine bars the negligent misrepresentation claim.

5.3 Arbitration

Keller v. Chegg, Inc., 2023 U.S. Dist. LEXIS 142809 (N.D. Ca. August 15, 2023)(case ordered to arbitration; discussion of routinely-updated Terms of Use and push notifications to customers with a pop-up screen requiring assent to the revised terms).

Patrick v. Running Warehouse LLC, no. 22-56078 (9th Cir. Feb. 12, 2024). Arbitration clause enforceable in data breach case. Hyperlink to terms of service containing arbitration clause, if the link is sufficiently conspicuous, is sufficient to create binding contract and plaintiff manifested assent by clicking the “Place Order” button, where website indicated that, by submitting an order, the consumer “agree[s] to our privacy policy and terms of use.” Discussion of “inquiry notice.”

Motion to dismiss granted in part, denied in part: Guy v. Convergent Outsourcing, Inc., 2023 U.S. Dist. LEXIS 125332 (July 20, 2023).

_________________________________________________________________

SUPPLEMENTAL MATERIAL TO THE SECOND EDITION (Cases and other materials too voluminous to include in the book)

5.1.1 Cases Brought on Behalf of Consumers

In at least one case, a complaint has survived that appears not to allege that the defendant’s network was breached but rather that the defendant failed to protect its customers against individual account takeovers using information obtained outside the defendant’s network. Order Granting in Part and Denying in Part Defendants’ Motion to Dismiss, Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253790, 2021 WL 6882392 (N.D. Cal., Sept. 8, 2021). It appears that the attackers compromised the email accounts of individual Robinhood users and then used those compromised email accounts to effectuate a password reset on the users’ Robinhood accounts.  The court denied defendants' motion to dismiss claims for breach of contract, negligence, and violations of the California Customer Records Act, California Consumer Privacy Act, California’s constitutional right to privacy, and the unlawful and unfairness prongs of the state Unfair Competition Law (UCL). The court granted defendants' motion to dismiss claims under the Consumer Legal Remedies Act, the False Advertising Law, and the fraudulent prong of the UCL but with leave to amend. Additionally, defendants' motion to dismiss plaintiffs' claims for relief for alleged non-economic losses was denied. 

5.1.3  Disputes on Insurance Coverage

As explained in the book, cybersecurity insurance cases turn almost entirely on insurance law, and specifically on a close reading of the language in the relevant policy, rather than on anything that could be called cybersecurity law. Here is an incomplete list of cases, illustrating the types of interpretive questions involved:

  • Home Depot v. Steadfast Insurance Co., no. 1:21-cv-00242, 2023 U.S. Dist. LEXIS 143982, 2023 WL 5278049 (S.D. Ohio 2023) (where financial institutions sued Home Depot for the cost of replacing stolen cards, and where Home Depot settled the case, Home Depot’s effort to recoup the cost of the settlement under general commercial liability insurance policies failed where the policies had an electronic data exclusion that excluded loss of use of property that “arise[s] out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data”).

  • Yoshida Foods International LLC v. Federal Insurance Co., no. 3:21-cv-01455-HZ (D. Ore. 2022) (ransomware payment was a “direct loss” and a Fraudulent Instructions Exclusion was intended to apply to (and exclude from coverage) erroneous payments and thus did not cover the ransomware payment).

  • Fishbowl Solutions Inc. v. The Hanover Insurance Co., No. 0:21-cv-00794 (D. Minn. Nov. 2, 2022) (summary judgement for insured, with the court interpreting the words of a Technology Professional Liability Policy, which incorporated a Data Breach Coverage Form, including a “Cyber Business Interruption and Extra Expense” clause, to find that Fishbowl had incurred an actual loss of “business income,” which occurred during the “period of restoration,” “directly” resulting from a data breach, and which resulted in an “impairment” of business operations).

  • Star Title Partners of Palm Harbor LLC v. Illinois Union Insurance Co., 2022 U.S. App. LEXIS 24930 (11th Cir. Sept. 6, 2022) (under plain language of the Deceptive Transfer Fraud clause in the Cybercrime Endorsement of its Cyber Protection Policy, no coverage after plaintiff was fraudulently induced, by an unknown actor impersonating a mortgage lender, to wire funds to an incorrect account).

  • Ernst & Haas Management Co. v. Hiscox Inc., 23 F. 4th 1195 (9th Cir. 2022), rehearing en banc denied (Mar. 7, 2022) (a transfer of funds in response to a fraudulent email could be covered by either the computer fraud provision or the funds transfer fraud provision of a commercial crime insurance policy; distinguishing Pestmaster v. Travelers).

  • RealPage Inc. v. National Union Fire Insurance Co., 2021 U.S. App. LEXIS 37962, 2021 WL 6060972 (5th Cir. Dec. 22, 2021) (under a Commercial Crime Policy, in a case that began with a phishing attack, where funds were stolen from a third party payments processor, summary judgement for the insurer affirmed, on the grounds that the funds were not “held” by the insured).

  • Landry's, Inc. v. Ins. Co. of the Pa., 2021 U.S. App. LEXIS 21668, 2021 WL 3075937 (5th Cir. July 21, 2021) (insurer must defend Landry's in the underlying Paymentech litigation: hackers’ obtaining of credit card data involved a “publication” under the policy, as did hackers’ use of the data to make fraudulent purchases, and the publication involved an injury within the policy’s “arising out of . . . the violat[ion] [of] a person's right of privacy” language).

  • G&G Oil Co. of Indiana v. Continental Western Insurance Co., No. 20S-PL-617, 2021 Ind. LEXIS 182 (Ind. March 18, 2021). The “Computer Fraud” provision of the Policy’s Commercial Crime Coverage Part covered loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.” G&G Oil suffered losses from a ransomware attack and filed a claim, which Continental denied. The court of appeals had affirmed summary judgment in favor of the insurer. The state supreme court found that G&G Oil’s losses resulted directly from the use of a computer, but it found that neither party had demonstrated it was entitled to summary judgment. Grant of summary judgment in favor of Continental reversed, denial of G&G Oil’s motion for summary judgment affirmed, and case remanded for further proceedings.

  • National Ink & Stitch LLC v. State Auto Property & Casualty Insurance Co., 435 F. Supp.  3d 679 (D. Md. 2020) (“business owners” property policy covered replacement of entire computer system following ransomware attack).

  • Medidata Solutions, Inc. v. Federal Insurance Co., 729 F. App’x 117 (2d Cir. 2018) (losses stemming from business email compromise covered under policy’s “Computer Violations” clause).

  • Pestmaster Servs., Inc. v. Travelers Cas. & Sur. Co. of Am., 656 F. App’x 332, 2016 WL 4056068 (9th Cir. 2016) (affirming denial of coverage under a computer fraud provision for losses stemming from business email compromise scheme).

  • Apache Corp. v. Great American Ins. Co., 662 F. App’x 252, 2016 WL 6090901 (5th Cir. 2016) (loss due to business email compromise scheme was not a covered occurrence under the computer fraud provision of a crime protection insurance policy).

  • State Bank of Bellingham v. BancInsure Inc., 823 F.3d 456 (8th Cir. 2016) (loss was covered under financial institution bond).

  • Travelers Indem. Co. of Am. v. Portal Healthcare Sols., LLC, 35 F. Supp. 3d 765, 768 (E.D. Va. 2014), aff’d, 644 F. App’x 245 (4th Cir. 2016) (Fourth Circuit affirmed a district court ruling that Travelers was required, under GCL policy, to defend Portal against a class action alleging failure to secure the plaintiffs’ medical data).

Other resources on cybersecurity insurance:

5.1.6 Securities Fraud and Shareholder Derivative Class Actions

Shareholder actions dismissed:

The Marriott/Starwood data breach produced five sets of cases consolidated in the U.S. District Court for Maryland: class action claims brought by consumers (processed on a “Consumer Track”), claims brought by the City of Chicago (the “Government Track”), class action claims on behalf of financial institutions, class action claims brought by a Marriott shareholder under Section 10(b)/Rule 10b-5 and Section 20(a) (the “Securities Track”), and claims brought by another shareholder as a derivative action (the “Derivative Track”). In June 2021, the district court dismissed the Securities Track case. In re: Marriott Int’l, Inc., Customer Data Security Breach Litigation, MDL No 19-md-2879, 543 F. Supp. 3d 96, 2021 U.S. Dist. LEXIS 110274 (D. Md. June 11, 2021). The court conducted an extensive analysis of 73 statements made by defendants during the class period, and found that the plaintiff had not adequately alleged that any was false or misleading. On top of that, the court found, the plaintiff had failed to adequately allege scienter or loss causation. The Fourth Circuit affirmed the dismissal, focusing just on the failure to adequately allege any false or misleading statements. Constr. Laborers Pension Trust for S. Cal. v. Marriott Int'l, Inc. (In re Marriott Int'l, Inc.), 31 F.4th 898 (4th Cir. 2022).

The district court also dismissed the derivative claims for failure to adequately plead the ownership and demand requirements for a derivative action under Federal Rule of Civil Procedure 23.1. In re Marriott Int'l, Inc., MDL No 19-md-2879, 2021 U.S. Dist. LEXIS 110301, 2021 WL 2401641 (D. Md. June 11, 2021). The court’s opinion includes a good discussion of several issues relevant to derivative actions, with citations to opinions from other jurisdictions: the requirements under Rule 23.1 for both “continuous ownership” and “contemporaneous ownership” to bring a derivative action; the inadequacy of conclusory allegations of ownership (alleging ownership at “all relevant times” is not adequate); the “continuing wrong” exception to the contemporaneous ownership requirement (which the court found inapplicable in this case); the demand requirement; and the concept of prudential jurisdiction in shareholder derivative actions and how it differs from subject matter jurisdiction.  The court also concluded, upon examination of the allegedly misleading statements in corporate filings, that the defendant failed to adequately allege claims under Exchange Act Section 10(b) and Rule 10-b, Exchange Act Section 20(a), or Exchange Act Section 14(a) and Rule 14a-9.

In another case arising out of the Marriott breach, the Delaware chancery court dismissed a derivative shareholder claim against Marriott executives and directors. Firemen's Retirement System of St. Louis v. Sorenson et al., No. 2019-0965, 2021 Del. Ch. LEXIS 234, 2021 WL 4593777 (Chancery Del. Oct. 5, 2021). The complaint alleged breach of fiduciary duty before and after Marriott’s acquisition of the Starwood reservation system. The court’s decision hinged on the rule that a stockholder plaintiff can pursue claims belonging to the corporation if (1) the corporation’s directors wrongfully refused a demand to authorize the corporation to bring the suit or (2) a demand would have been futile because the directors were incapable of impartially considering the demand. The plaintiff did not make a demand on Marriott’s Board, and the court dismissed because the complaint did not plead particularized factual allegations establishing that demand was excused.

The Delaware chancery also dismissed a derivative action against the directors of Solar Winds. CIL Pension Fund v. Bingle, 2021-0940-SG, 2022 Del. Ch. LEXIS 223, 2022 WL 4102492 (Chancery Del. Sept. 6, 2022). The court found that the directors did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity, and they were not alleged to have ignored sufficient “red flags” of cyber threats to imply a conscious disregard of a known duty, indicative of scienter. “In other words, the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead specific facts from which I may infer bad faith liability on the part of a majority of the directors regarding that trauma.”

Other shareholder actions dismissed:

  • In re The Home Depot, Inc. Shareholder Derivative Litigation, NO. 1:15-CV-2999-TWT (N.D. Ga. Nov. 30, 2016) (dismissing shareholder derivative action).

  • Davis v. Steinhafel, No. 14-cv-203 (PAM/JJK), 2016 U.S. Dist. LEXIS 195486 (D. Minn. July 7, 2016) (dismissing derivative action by Target shareholders).

  • Palkon v. Holmes, No. 2:2014cv01234, 2014 U.S. Dist. LEXIS 148799, 2014 WL 5341880 (D.N.J. 2014) (dismissing shareholder derivative suit against the board of directors of Wyndham Worldwide).

  • In re: Heartland Payment Systems, Inc. Securities Litigation, Civ. No. 09-1043, 2009 U.S. Dist. LEXIS 114866, 2009 WL 4798148 (D. N.J. Dec. 7, 2009) (dismissing shareholders class action alleging false or misleading statements in violation of federal securities laws).

Cases surviving a motion to dismiss:

In re: Zoom Securities Litigation, no. 5:20-cv-02353, 2022 U.S. Dist. LEXIS 28265 (N.D. Ca. Feb. 16, 2022). A federal district court ruled that a Section 10(b)/Rule 10b-5 claim against Zoom and its CEO, for an allegedly false statement on security, was adequately alleged and could go forward. The statement, that Zoom offered end-to-end encrypted, was made in its Registration Statement and Prospectus. The court dismissed claims based on fourteen other statements.

Another Section 10(b)/Rule 10b-5 case surviving a 12(b)(6) motion was In re SolarWinds Corp. Sec. Litigation, 595 F. Supp. 3d 573 (W.D. Tex. 2022). See clarification at 2022 U.S. Dist. LEXIS 157730 (Aug. 19, 2022). Upon a close reading of the complaint, the court found that the plaintiffs had adequately alleged scienter, material misrepresentation, and causality with respect to the company and its VP of Security Architecture. One the other hand, the court found that plaintiffs had failed to effectively plead scienter against the CEO and dismissed a claim against him, with leave to amend. However, the court refused to dismiss a claim of control person liability against the CEO under Section 20(a) of the Exchange Act. The court also refused to dismiss control person claims against two private equity firms that each owned 40% of the company and had 3 board seats each. In December 2022, the lead plaintiff sought approval of a settlement that called for a $26 million payment to shareholders and no admission of wrongdoing.

Also surviving a motion to dismiss was In re ChoicePoint, Inc. Sec. Litig., No. 1:05-CV-00686-JTC, 2006 WL 8429145, 2006 U.S. Dist. LEXIS 97903 (N.D. Ga. Nov. 19, 2006) (securities fraud case; after denial of motion to dismiss, case settled in 2008).

See also:

5.2.1 Negligence

5.2.1.1  Is There a Duty of Care?

To the long list of cases finding a duty of care with respect to personal information, add:

  • Teeter v. Easterseals-Goodwill Northern Rocky Mountain Inc., 2023 U.S. Dist. LEXIS 35347, 2023 WL 2330241 (D. Mont. March 2, 2023) (applying Montana law, specifically the factors identified in Fisher v. Swift Transp. Co., 181 P.3d 601 (Mont. 2008), and recognizing that a further fact-intensive inquiry may be needed, court found that the complaint contained sufficient factual allegations to state a claim that a common law duty exists; plaintiff sued on behalf of a class of employees of the defendant, but court did not specifically say whether the duty was to employees or broader).

  • In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183 (S.D. Fla. 2022) ​(under Florida law, ​whenever one undertakes to provide a service to others, whether one does so gratuitously or by contract, a duty to act carefully arises​).

  • Weisenberger v. Ameritas Mut. Holding Co., 597 F. Supp. 3d 1351, 1360-63 (D. Neb. 2022) (concluding that Nebraska law provides that an actor, such as the defendant, ordinarily has a duty to exercise reasonable care when the actor's conduct creates a risk of physical harm, which here was the unauthorized intrusion into the defendant's negligently secured business records that caused the plaintiff's PII to be compromised). “Further, the conduct of an actor who has created a risk of harm can lack reasonable care insofar as it foreseeably combines with or permits the improper conduct of a third party.” The court also relied on the Restatement of Torts to conclude that when the defendant affirmatively acted to gather PII—effectively creating a "bailment" for information—and the defendant's act of gathering that information into a centralized database exposed the plaintiffs to risks that a reasonable person in the defendant's position would take into account, the defendant was obligated to take reasonable care. 

  • In re Blackbaud, Inc., Customer Data Breach Litigation, 567 F. Supp. 3d 667 (D. S.C. 2021) (interpreting South Carolina law). Blackbaud provided data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to non-profits and other “social good entities.” Plaintiffs were patrons of Blackbaud’s customers rather than direct customers of Blackbaud. Nevertheless, the court held that Blackbaud’s contracts with the social good entities supported recognition of a common law duty to plaintiffs because the purpose of the contracts was to maintain and secure plaintiffs’ private information. The court went on to hold that, although as a general rule there is no duty to protect another from the conduct of third parties, plaintiffs had adequately alleged that Blackbaud had a duty to protect them from the criminal conduct of third parties based on Blackbaud’s own negligent conduct in creating the risk by failing to use reasonable security measures.

  • In re: Sonic Corp. Customer Data Security Breach Litigation (Financial Institutions), No. 1:17-md-2807 2021 U.S. Dist. LEXIS 168504, 2021 WL 4060369 (N.D. Ohio Sept. 7, 2021). Under Oklahoma law, the court found, there is generally no duty to anticipate and prevent the intentional or criminal acts of a third party. However, a duty does exist if a defendant’s “own affirmative act has created or exposed [Plaintiffs] to a recognizable high degree of risk of harm through such misconduct, which a reasonable [person] would have taken into account.” And that, the court concluded, is what was alleged: Sonic had created for its franchisees a permanently-enabled VPN tunnel that did not block foreign IP addresses and that did not use multi-factor authentication; it required franchisees to use middleware that did not support point-to-point encryption; and it caused delays in upgrading system components that left franchisees operating vulnerable systems. As to foreseeable risk of harm, it was adequately alleged that Sonic knew or should have known the risks in requiring franchisees to use such a vulnerable system. Duty found, hence negligence claim survives. The court also rejected, under Oklahoma law, the defendants’ argument that the hackers’ breach and data theft acted as supervening causes that cut off the defendants’ liability.

  • In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *21-22, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021). Under New York law, employers have a duty to take reasonable precautions to protect the PII that they require from employees (citing other cases).

  • Mackey v. Belden, Inc., No. 4:21-CV-00149-JAR, 2021 U.S. Dist. LEXIS 145000, 2021 WL 3363174 (E.D. Mo. Aug. 3, 2021) (the special relationship between employer and employee under Missouri law imposes a duty on the employer to protect employees' PII provided as a condition of employment).

  • Flores-Mendez v. Zoosk, Inc., No. C 20-04929 WHA, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021) (“to hold that Zoosk has no duty of care would suggest that companies may profit off users' data while cutting corners on privacy”).

  • Stasi v. Immediata Health Group Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097, 2020 WL 6799437, at *7 (S.D. Cal. Nov. 19, 2020) (citing cases that found that defendants had a duty to safeguard personal information and maintain adequate security measures).

Earlier cases going both ways:

  • Employer has a duty to exercise reasonable care to safeguard employees’ sensitive personal information stored by the employer on an internet-accessible computer system. Dittman v. UPMC, 649 Pa. 496, 196 A.3d 1036 (2018).

  • Duty of care. Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017) (“It is well-established that entities that collect sensitive, private data from consumers and store that data on their networks have a duty to protect that information[.]”).

  • Employer has a common law duty to exercise reasonable care in obtaining, securing, safeguarding, deleting, and protecting employees’ personal information. Hapka v. CareCentrix, Inc., 2016 U.S. Dist. LEXIS 175346 (D. Kan. Dec. 19, 2016).

  • Duty of care under Massachusetts and California Law. In re: Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F. Supp. 2d 942, 966 (S.D. Cal. 2014). Note, however, that the court went on to dismiss the Massachusetts and California negligence claims based on the economic loss doctrine, discussed below.

  • No common law duty of care under Illinois law. Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 943 N.E.2d 23, 347 Ill. Dec. 733 (Ill. App. 2010). Followed in Community Bank of Trenton v. Schnuck Markets, 887 F.3d 803, 816 (7th Cir. 2018); In re: Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 447, 476-78 (D. Md. 2020) (applying Illinois law). NOTE: Based on Illinois’ 2017 adoption of a statutory provision requiring data collectors to “implement and maintain reasonable security measures to protect” records from “unauthorized access, acquisition, destruction, use, modification, or disclosure,” 815 ILCS 530/45(a), the Illinois Appellate Court in 2023 recognized that “the reasoning of the Cooney court no longer applies.” Flores v. Aon Corp., 2023 IL App (1st) 230140. See also Wittmeyer v. Heartland All. for Hum. Needs & Rts., No. 23 CV 1108, 2024 WL 182211, at *2 (N.D. Ill. Jan. 17, 2024); In re Arthur J. Gallagher Data Breach Litig., 631 F. Supp. 3d 573, 590 (N.D. Ill. 2022).

  • Employer has legal duty to protect employee data. Bell v. Michigan Council 25 AFSCME, 2005 Mich. App. LEXIS 353, 2005 WL 356306 (Michigan Court of Appeals, 2005).

Interesting case on the duty of care: Hiscox Insurance Co. v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo. Dec. 8, 2021). The defendant, a law firm, suffered a breach; the compromised data included records from the plaintiff, its client, an insurance company. Those records included data about the insurance company’s policyholders. As the case boiled down, the insurance company argued that the law firm should have fully analyzed the compromised files to identify all the individuals whose data was affected. Applying Missouri law, the court focused pretrial on the claim of professional negligence, specifically legal malpractice. It held that the question of whether the defendant had a duty to the plaintiff was a question of law, and the court ruled that yes, of course, a law firm owes its client a duty of due care. However, what specifically that duty entailed and whether it was breached in this case were questions of fact for the jury, “which, with the assistance of expert evidence, must decide whether, given the specific facts of this case, the standard of care” included the specific steps that the plaintiff alleged the defendant had failed to take. Motion to dismiss denied. On March 31, 2022, the jury returned a verdict in favor of the law firm. The verdict form gives no evidence of the jury’s thinking, but the defendant had argued that it was only a service provider and that it fulfilled its duty by notifying the insurance company of the breach and giving the insurance company access to the compromised files; under this argument, it was the plaintiff’s duty to figure out which policyholders were specifically affected and provide the notice. The defendant’s argument aligned with the Missouri breach notice law and the laws of other states.

Attacks on critical infrastructure may not involve any compromise of personal information. In negligence cases arising from such incidents, the plaintiff must focus elsewhere in alleging a duty. In Dickerson v. Colonial Pipeline Co., 1:21-cv-02098, 2022 U.S. Dist. LEXIS 238421, 2022 WL 18717801 (N.D. Ga. June 17, 2022), the court dismissed a negligence claim against Colonial Pipeline arising out of the 2021 ransomware attack that led the company to shut down the flow of gasoline through its system. None of the plaintiff’s theories sufficed to allege a cognizable statutory or common law duty owed by Colonial: as a public utility to continually provide service, based upon the voluntary undertaking doctrine (which requires an allegation of physical harm), based on industry standards (standards may be relevant to breach, but they do not create a duty), or arising out of a special relationship.

Also finding no duty was Kroeck v. UKG Inc., 2:22-cv-00066, 2022 U.S. Dist. LEXIS 170311, 2022 WL 4367348 (W.D. Pa. Sept. 21, 2022). The plaintiff worked for a hospital, which outsourced its payroll system, including timekeeping, to third-party providers, the defendants. The defendants suffered a ransomware attack disrupting their operations and, as a result, the plaintiff claimed, his hours were not properly recorded and his pay was not properly calculated. The court, applying Pennsylvania law, declined to extend the Dittman ruling of the state Supreme Court: “Pennsylvania law specifically recognizes those who collect sensitive information as having a duty to implement security measures to prevent the foreseeable harm of a data breach. Dittman, 196 A.3d at 1056 (imposing a common law duty on those who store ‘personal and financial information’ to protect that data). This duty would extend only to those individuals whose confidential information is kept on file. Here, as Defendants note, Mr. Kroeck has not alleged that Defendants possessed his personal and financial information. Therefore, the Court will grant Defendants’ Motion with respect to Count VI. However, the Court will provide him with leave to amend.” 2022 U.S. Dist. LEXIS 170311 at *16.

Many data breach cases raising negligence claims are brought in federal court, where federal judges must apply state law to state claims, and this may require federal courts to decide what state law is even before state courts have said what the law is. In what is perhaps an extreme case, the federal courts have consistently gone out ahead of Georgia state courts in finding a duty of care:

  • In 2016, the federal district court for the Northern District of Georgia concluded that Georgia recognizes a general duty “to all the world not to subject them to an unreasonable risk of harm.” In re The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 U.S. Dist. LEXIS 65111, 2016 WL 2897520, at *3 (N.D. Ga. May 18, 2016).

  • In 2018, in McConnell v. Dep’t of Labor, 345 Ga. App. 669, 678-679, 814 S.E.2d 790 (2018), the Georgia Court of Appeals held that neither the Georgia Personal Identity Protection Act nor the Georgia Fair Business Practices Act gave rise to a duty to safeguard personal information.

  • In January 2019, the federal district court held that there was a duty of care where defendants knew of a foreseeable risk to the information of card issuing banks and failed to implement reasonable security measures. In re Equifax, Inc., 371 F. Supp. 3d 1150, 1166-1171 (N.D. Ga 2019) (financial institutions case). The court distinguished McConnell on the ground that, in that case, there was no allegation of foreseeable risk. Same for consumer plaintiffs: In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295, 1326 (N.D. Ga. 2019) (consumer class action; “this Court concludes that, under traditional negligence principles, the Defendants owed a legal duty to the Plaintiffs to take reasonable precautions due to the reasonably foreseeable risk of danger of a data breach incident”).

  • Less than five months later, the Georgia Supreme Court affirmed the lower court ruling in McConnell and flatly rejected the notion that there is a general duty in Georgia law “to all the world not to subject [others] to an unreasonable risk of harm.” Georgia Dep’t of Labor v. McConnell, 305 Ga. 812, 815-816, 828 SE2d 352 (Ga. May 20, 2019). However, the court left open the possibility that a duty might arise from a “special relationship” between the plaintiff and the defendant.

  • Seven months after that, without specifically reaching the duty question, the Georgia Supreme Court allowed a breach case to go forward on a negligence claim. Collins v. Athens Orthopedic Clinic, S19G0007, 2019 WL 7046786 (Ga. Dec. 23, 2019).

  • In 2023, the federal Court of Appeals for the Eleventh Circuit held that, under Georgia law, where there was a special relationship, such as between employer and employee, the employer had a duty to protect the employee against reasonably foreseeable risks of harm, which included the acts of cybercriminals. Ramirez v. Paradies Shops, LLC, 69 F.4th 1213 (11th Cir. 2023).

5.2.1.2  Negligence and the Economic Loss Rule

Applying the economic loss rule to dismiss a negligence claim:

  • Salas v. Acuity-CHS, LLC, 2023 WL 2710180 (D. Del. Mar. 30, 2023).

  • Tucker v. Marietta Area Health Care, Inc., 2023 U.S. Dist. LEXIS 13974, 2023 WL 423504 (S.D. Ohio Jan. 26, 2023).

  • Armijo v. Ozone Networks, Inc., 2023 U.S. Dist. LEXIS 9223 (D. Nev. Jan. 19 2023).

  • In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183 (S.D. Fla. 2022) (economic loss rule did not bar recovery, because under Florida law, the rule applies only in the products liability context).  

  • Gardiner v. Walmart Inc., 2021 U.S. Dist. LEXIS 75079, 2021 WL 2520103 (N.D. Ca. March 5, 2021).

  • Finesse Express, LLC v. Total Quality Logistics, LLC, no. 1:20CV235, 2021 U.S. Dist. LEXIS 60648, 2021 WL 1192521 (S.D. Ohio Mar. 30, 2021).

  • Dugas v. Starwood Hotels & Resorts Worldwide, Inc., ​no. 3:16-cv-00014-GPC-BLM, 2016 U.S. Dist. LEXIS 152838, 2016 WL 6523428, at *12 (S.D. Cal. Nov. 3, 2016).

However, at least at the motion to dismiss stage, it may be easy to avoid the economic loss rule with a well-pleaded complaint. Thus, plaintiffs avoided the economic loss rule where they alleged “the loss of control over the use of their identity, harm to their constitutional right to privacy, lost time dedicated to the investigation of and attempt to recover the loss of funds and cure harm to their privacy, the need for future [ ] time dedicated to the recovery and protection of further loss, and privacy injuries associated with having their sensitive personal and financial information disclosed.” Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, 2021 WL 6882377, at *6 (N.D. Cal. May 6, 2021) (citing other cases).

Another case holding that the economic loss rule did not bar a negligence claim:  In Re: Wawa Inc. Data Security Litigation, No 2:19-cv-06019, 2021 U.S. Dist. LEXIS 86854, 2021 WL 1818494 (E.D. Pa. May 6, 2021). The plaintiffs were financial institutions. The defendant operates a chain of convenience stores and gas stations. Hackers accessed its point-of-sale systems and installed malware that obtained customer payment card information. Plaintiffs and defendant were parties to the web of contracts that frame the payment card system, but plaintiffs did not claim breach of contract. Instead, the institutions maintained that, separate from any contract, Wawa owed them a common law duty to exercise reasonable care and that it breached that duty by failing to utilize proper security protocols that would have adequately protected sensitive payment card information. The district court found that, under Pennsylvania law, the economic loss doctrine does not apply where “the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”  *20-21.

Declining to apply the economic loss rule:

  • Smallman v. MGM Resorts Int'l, No. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399 (D. Nev. Nov. 2, 2022) (citing other district court opinions in the Ninth Circuit; “it is difficult to conceive how the dissemination of an individual's PII does not necessarily diminish their control over their digital and physical identity. Such an invasion implicates non-economic harms.”).

  • In re: Netgain Tech., LLC, No. 21-CV-1210 (SRN/LIB), 2022 U.S. Dist. LEXIS 98342, 2022 WL 1810606 (D. Minn. June 2, 2022) (economic loss rule did not bar the negligence claim, because the rule did not apply to sales of services (Minnesota, Wisconsin), because the duties did not arise solely from contract (South Carolina), and because the plaintiffs had alleged non-economic injuries (California, Nevada)). 

  • Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021) (citing the Arizona Supreme Court’s direction that the economic loss doctrine should be applied only in limited contexts).

·       Wallace v. Health Quest Sys., 2021 U.S. Dist. LEXIS 54557 *22-24, 2021 WL 1109727 (S.D.N.Y. 2021).

  • Flores-Mendez v. Zoosk, No. 20-04929, 2021 U.S. Dist. LEXIS 18799 *9, 2021 WL 308543 (N.D. Cal. Jan. 30, 2021) (“Plaintiffs allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and so do not allege pure economic loss.”).

  • Stasi v. Immediata Health Grp. Corp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged non-economic harms in the form of the privacy injury they suffered, irrespective of whether they subsequently suffered identity fraud).

  • In re Capital One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 393-401 (E.D. Va. 2020) (under California law, special relationship exception applies, so economic loss rule does not; under Florida law, economic loss doctrine extends only to product liability cases; under New York law, economic loss doctrine does not apply to data breach cases; under Texas law, an independent duty arises if a party negligently creates a dangerous situation, creating an exception to the economic loss rule; under Virginia law, assumption of duty exception applies; under Washington law, “special relationship” doctrine does not include relationships between businesses and consumers involving the disclosure of private information, so economic loss rule bars negligence claims under Washington state law).

5.2.1.5 Negligence Claims Dismissed for Failure to Plead Damages

In Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021), the court concluded that the plaintiffs' allegations of lost time addressing the data breach, continued risk to their PII and PHI, and the danger of future harm are not cognizable injuries for negligence claims. Allegations of out-of-pocket expenses spent on credit monitoring services in addition to the identity monitoring services provided by the defendant were insufficient where plaintiffs failed to also allege that the monitoring costs were reasonable and necessary.

Going the other way, under California law, is Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). After stating the general rule that “California courts have indicated that “[s]peculative harm or the mere threat of future harm is insufficient to constitute actual loss” for purposes of establishing a claim of negligence, the court went on to rule that the plaintiffs’ allegations regarding time spent addressing a breach, the purchase of identity theft protection services, future expenses and time, loss of sensitive personal information, and loss of control over plaintiffs’ identity were sufficient to allege cognizable harm. Slip op. at 11-12. “Given the allegations and the lost time and expenses Plaintiffs allege that they have already incurred due to the data breach, the Court finds that future expenses and time is not too speculative to constitute cognizable injuries at the pleading stage.” Includes useful cites to other cases.

Distinguishing Pruchnicki, the district court in Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), held that both benefit-of-the-bargain losses and diminution in value of PII constituted compensable harm. On the former, the court rejected defendant’s argument that the benefit-of-the-bargain theory could not survive a 12(b)(6) motion without more specific factual allegations showing how data security was a part of the bargain or how much of the money spent was for data security. On the latter, the court concluded that the data breach devalued Plaintiffs' PII by interfering with their fiscal autonomy, and it rejected defendant’s argument that, to allege diminution in value harm, plaintiffs must establish both the existence of a market for their PII and an impairment of their ability to participate in that market. The court held that lost time spent monitoring their accounts and otherwise mitigating the breach was not compensable damages but that money spent to mitigate the risk of harm was. On these questions, the opinion includes a good discussion of other cases going both ways, mostly in the 9th Circuit. The court also held that a substantial risk of future harm was compensable harm, but that doesn’t seem right; the court relied on standing cases, all of them pre-dating TransUnion.

5.2.2 Negligence per se

In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court refused to dismiss a negligence per se claim based on California Civil Code sections 1798.82, et seq., and 1798.100, et seq., and the provisions of the California Constitution enshrining the right to privacy.

Dismissing a negligence per se claim based on Section 5 of the FTC Act: In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *27-28, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021).

Under New York and Illinois law, dismissing negligence per se claims premised on Section 5 of the FTC and GLBA. Toretto v. Donnelley Fin. Sols., Inc., 583 F. Supp. 3d 570, 597-99 (S.D.N.Y. 2022).

5.2.3 Breach of Express Contract

Salas v. Acuity-CHS, LLC, 2023 U.S. Dist. LEXIS 54825​, 2023 WL 2710180 (D. Del. Mar. 30, 2023​)​ (express contract claims dismissed; plaintiff referred to defendant’s HIPAA privacy notices and explanation of benefits documents, but provided no detail as to their terms).

Tucker v. Marietta Area Health Care, Inc., 2023 WL 423504 (S.D. Ohio Jan. 26, 2023) (dismissing express contract claim).

5.2.4 Breach of Implied Contract

In In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *32, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021), the court found that GE had an implied contract with its employees based on representations made in a GE guidance document, "The Spirit & The Letter," which set forth GE's Code of Conduct and summarized a range of compliance policies, including policies related to data protection, as well as in GE documents labeled Employee Data Protection Standards and Commitment to the Protection of Personal Information.

Dismissing implied contract claims:

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (“Defendants argue that the mere fact that Plaintiffs provided Personal Information does not suggest that Defendants agreed to guarantee the safety of that information, at least not without accompanying factual allegations to show mutual assent to those terms. The Court agrees.”).

  • Longnecker-Wells v. Benecard Services, Inc., 658 Fed. App’x 659 (3d Cir. 2016).

  • In re Barnes & Noble Pin Pad Litig., No. 12-cv-08617, 2016 WL 5720370, 2016 U.S. Dist. LEXIS 137078 (N.D. Ill. Oct. 3, 2016) (implied contract claim dismissed because complaint failed to plead any economic or out-of-pocket damages). 

  • Lovell v. P.F. Chang’s China Bistro, Inc., 2015 WL 4940371, at *3 (W.D. Wash. Mar. 27, 2015) (breach of implied contract claims based on Washington law dismissed).

  • Krottner v. Starbucks Corp., 406 F. App’x 129, 131 (9th Cir. 2010) (breach of implied contract claims based on Washington law dismissed because plaintiffs had not alleged the elements of an implied contract: they had not alleged that they read or even saw the documents that supposedly included the offer, or that they understood them as an offer, or that they accepted the purported offer on its terms).

Allowing implied contract claim to go forward:

  • Koeller v. Numrich Gun Parts Corp., 2023 WL 3591176 (N.D.N.Y. May 23, 2023).

  • Weisenberger v. Ameritas Mut. Holding Co., 597 F. Supp. 3d 1351, 1366-67 (D. Neb. 2022) (alleg​ations that the defendant required ​p​laintiff and the other class members to provide the defendant with their highly confidential private information as a condition for obtaining health-related insurance​, that defendant promised ​to keep the plaintiff's PII confidential by the affirmative representations made in its HIPAA Notice of Privacy Practices, and that  the defendant's obligation to protect her PII was a reasonable expectation, part of a mutual understanding, and implicit in their agreement for insurance due to the highly sensitive nature of her PII were sufficient to allege implied contract).

  • Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022). Plaintiffs alleged that they "were required to" provide their PII to defendant as a condition of staying at its hotels. Thus, the court said, plaintiffs provided their PII to MGM with the understanding that defendant would take adequate measures to protect it. In terms of consideration, it was undisputed that Plaintiffs paid for their hotel rooms. These alleged actions plausibly demonstrate that Plaintiffs manifested their assent to Defendant MGM's privacy statements. Although plaintiffs did not allege that MGM made any explicit promises "as to the ongoing protection of [their PII], it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of . . . sensitive personal information would not imply the recipient's assent to protect [the] information sufficiently,” quoting Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 U.S. Dist. LEXIS 187428, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016).

  • In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *21-22, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021).

  • Wallace v. Health Quest Sys., 2021 U.S. Dist. LEXIS 54557 *26-29, 2021 WL 1109727 (S.D.N.Y. 2021) (applying New York law, finding that the defendant's online Notice of Privacy Practices and its statements about specific security measures it took to prevent further breaches plausibly alleged "a course of conduct and dealing that raises an inference of an implied contract for the exercise of reasonable care in protecting plaintiffs' private information in exchange for plaintiffs' provision of business.").

  • In re: Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp.  3d 447, 485-86 (D. Md. 2020) (preserving implied contract claim under Oregon law).

  • Perdue v. Hy-Vee, Inc., 455 F. Supp.  3d 749, 764 (C.D. Ill. 2020) (applying Illinois law, finding that plaintiffs in data breach case had plausibly alleged the existence of an implied contract obligating defendant supermarket chain to take reasonable measures to protect their private information in the form of their payment card data).

  • Rudolph v. Hudson’s Bay Co., No. 18-CV-8472 (PKC), 2019 WL 2023713, at *11, 2019 U.S. Dist. LEXIS 77665 at *31-35 (S.D.N.Y. May 7, 2019) (declining to dismiss implied contract claim, referencing New York and California law).

  • Gordon v. Chipotle Mexican Grill, Inc., 344 F. Supp. 3d 1231, 1247–48 (D. Colo. 2018) (affirming magistrate’s ruling that whether a seller’s offer to accept payment cards implies that it will take reasonable measures to ensure that the PII involved remains secure is a factual issue that cannot be resolved at the motion to dismiss stage).

  • Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1070-71 (C.D. Ill. 2016) (“Irwin has alleged the existence of an implied contract obligating Jimmy John’s to take reasonable measures to protect Irwin’s information and to timely notify her of a security breach.”).

  • Castillo v. Seagate Tech., LLC, Case No. 16-cv-01958-RS, 2016 WL 9280242 at *9, 2016 U.S. Dist. LEXIS 187428 at *28-33(N.D. Cal. Sept. 14, 2016) (declining to dismiss implied contract claim based on California law; good discussion of the elements of a claim for implied contract).

  • In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 531-32 (N.D. Ill. 2011).

  • Anderson v. Hannaford Bros. Co., 659 F.3d 151, 159 (1st Cir. 2011) (declining to dismiss implied contract claim based on Maine law: “When a customer uses a credit card in a commercial transaction, she intends to provide the data to the merchant only . . . and does not expect — and certainly does not intend — the merchant to allow unauthorized third parties to access that data. … A jury could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.”).

5.2.5 Unjust Enrichment

Cases go both ways, largely based on the details alleged in the complaint, but the claim does seem to fail more often than not:

  • Rejecting a motion to dismiss: Koeller v. Numrich Gun Parts Corp., 2023 WL 3591176 (N.D.N.Y. May 23, 2023) (unjust enrichment claim upheld where defendant has “accepted the benefits accompanying plaintiff's data, but does so at the plaintiff's expense by not implementing adequate safeguards, thus making it 'inequitable and unconscionable' to permit defendant to retain funds that it saved by 'shirking data-security' and leaving the plaintiff 'to suffer the consequences,’” quoting Rudolph v. Hudson's Bay Co., 2019 U.S. Dist. LEXIS 77665, 2019 WL 2023713, at *12 (S.D.N.Y. May 7, 2019).)

  • Hall v. Centerspace, 2023 U.S. Dist. LEXIS 83438, 2023 WL 3435100 (D.Minn. May 12, 2023) (dismissing unjust enrichment claim, where plaintiff did not identify a benefit plausibly conferred upon defendant through the provision of PII).

  • Rider v. Uphold HQ Inc., 2023 U.S. Dist. LEXIS 29617​, 2023 WL 2163208 (S.D.N.Y. Feb. 22, 2023) ​(unjust enrichment ​d​ismissed as duplicative of contract claim​).

  • Teeter v. Easterseals-Goodwill Northern Rocky Mountain, Inc., 2023 U.S. Dist. LEXIS 35347​, 2023 WL 2330241 (D. Mon. Mar. 2, 2023)​ (unjust enrichment claim​ ​dismissed where plaintiff failed to allege that disclosure of her personal information to the defendant conferred a material benefit upon defendant).

  • Salas v. Acuity-CHS, LLC, 2023 U.S. Dist. LEXIS 54825​, 2023 WL 2710180 (D. Del. Mar. 30, 2023​)​ (under Delaware law, it is permissible for a party to seek quasi-contractual relief in the alternative to its contract claims​, so, where plaintiff sufficiently alleged that the services she paid for included data security practices consistent with industry standards and compliant with relevant laws and regulations​, unjust enrichment claim ​allowed to proceed as an alternative theory of recovery to the breach of contract claim​).

  • Toretto v. Donnelley Fin. Sols., Inc., 583 F. Supp. 3d 570, 602 (S.D.N.Y. 2022) ​(unjust enrichment claim dismissed as duplicative of the negligence claim​).

  • Granting a motion to dismiss: Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022) (plaintiffs had not alleged that they did not have adequate legal remedies, as required to invoke the equitable doctrine of unjust enrichment).

  • In re Waste Mgmt. Data Breach Litig., No. 21CV6147 (DLC), 2022 WL 561734 (S.D.N.Y. Feb. 24, 2022) ​(unjust enrichment claim ​dismissed as duplicative of the contract claim​).

  • In re Am. Med. Collection Agency Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2022 WL 5937742 (D.N.J. Dec. 16, 2021) (unjust enrichment claim dismissed because the plaintiffs failed to allege that the defendant was benefited by collecting plaintiffs' personal data​).

  • Granting a motion to dismiss: In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, at *37-39, 2021 WL 4866393 (D. S.C. Oct. 19, 2021).

  • Rejecting a motion to dismiss a claim for unjust enrichment: In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 411-13 (D.D. Va. 2020).

5.2.6 State Laws Prohibiting Unfair or Deceptive Trade Practices

Each prong of a UCL statute must be considered separately. For example, in  Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), plaintiffs’ unlawful claim under the California UCL survived to the extent it was based upon the alleged violations of the California Consumer Privacy Act, the right to privacy in the California Constitution, and negligence. Plaintiffs’ unfairness claim also survived, as the court applied a balancing test: “the Court cannot say that the benefits from Robinhood’s business practices of allegedly emphasizing growth and profit over protecting their customers’ personal and financial information and failing to implement industry-standard security measures outweighs the harm.” However, because the complaint alleged no statements by which a reasonable consumer would be likely to be deceived, a motion to dismiss on the fraudulent prong of the UCL was granted.

In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021), very nicely illustrates how the survival of state UDAP claims will turn on a close reading of state laws, which vary in key details, and on the care necessary when drafting a compliant (or an amended compliant if the court grants that opportunity) to ensure that allegations match the requirements of each state law that is invoked:

  • The court held that Florida plaintiffs had not alleged damages to “the property that is the subject of the consumer transaction” and therefore they failed to sufficiently assert “actual damages” under the Florida Deceptive and Unfair Trade Practice Act. The court did, however, also hold that the plaintiffs had adequately stated a claim for injunctive relief under FDUTPA, which makes declaratory and injunctive relief available to a broader class of plaintiffs than could recover damages.  

  • The court dismissed claims under the New Jersey Consumer Fraud Act Claims because the New Jersey plaintiffs were not “consumers” entitled to the protection of the New Jersey law. The New Jersey plaintiffs had given their data to entities that in turn purchased and used the cloud services of Blackbaud; the individuals themselves were not consumers of Blackbaud’s services.

  • In contrast, though, the court denied Blackbaud’s motion to dismiss claims based on New York General Business Law § 349 because that law covers acts and practices that are “consumer-oriented.”

  • The court granted Blackbaud’s motion to dismiss claims based on Pennsylvania’s Unfair Trade Practices and Consumer Protection Law because the Pennsylvania plaintiff had not sufficiently asserted that she justifiably relied on Blackbaud’s alleged misrepresentations and omissions and a presumption of reliance sometimes accorded under Pennsylvania law did not apply to the facts of this case.

  • The court dismissed a claim under the South Carolina Data Breach Security Act because the plaintiffs had failed to allege that Blackbaud was a business “owning or licensing data,” a required element under the statute.  

Note: Some of these state laws exempt “learned professionals.” See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (dismissing claims against medical diagnostic providers under the New Jersey Consumer Fraud Act and the North Carolina Unfair and Deceptive Trade Practices Act).

Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), dismissed a claim under the Ohio Trade Practices Act on the ground that individual consumers do not a “standing” to sue under the act. It dismissed a claim under Oregon’s Unlawful Trade Practices Act to the extent that it was based on Oregon's Consumer Information Protection Act (OCIPA), which has no private right of action, and for the same reason it dismissed a claim brought directly under the OCIPA. However, it refused to dismiss claims under the Nevada Consumer Fraud Act; fraudulent omission, unfairness and unlawfulness claims under California’s UCL; a fraudulent omission claim under the California Consumers Legal Remedies Act, Cal. Civ. Code § 1770; a claim under the reasonable security procedures and practices provision of the California Customer Records Act, § 1798.81.5(b); and claims under Connecticut's Unfair Trade Practices Act, Georgia's Uniform Deceptive Trade Practices Act, and New York’s General Business Law § 349(a), which prohibits deceptive acts or practices.

See also In re MCG Health Data Sec. Issue Litig., 2023 U.S. Dist. LEXIS 74398 (W.D. Wa. March 27, 2023), adopted by In re MCG Health Data Sec. Issue Litig., 2023 U.S. Dist. LEXIS 108205 (W.D. Wash., June 22, 2023) (magistrate’s report recommending dismissal of claims under Indiana Deceptive Consumer Sales Act and Kansas Consumer Protection Act, which the court concluded were subject to the heightened pleading requirements of Rule 9(b), and dismissal of a claim under the Ohio Deceptive Trade Practices Act, which the court concluded does not allow a private right of action, but allowing a claim under the Kansas Data Breach Requirements Act to go forward).

As cited by the district court in In re: Marriott International, Inc., Customer Data Security Breach Litigation, 440 F. Supp. 3d 488-90 (D. Md. 2020), these cases dismissed UCL claims:

  • Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 316CV00014GPCBLM, 2016 U.S. Dist. LEXIS 152838, 2016 WL 6523428, at *11 (S.D. Cal. Nov. 3, 2016).

  • Gardner v. Health Net, Inc., No. CV 10-2140 PA (CWX), 2010 U.S. Dist. LEXIS 157448, 2010 WL 11597979, at *12 (C.D. Cal. Aug. 12, 2010) (holding plaintiff failed to establish UCL standing where plaintiff alleged time and expense monitoring credit and loss of value of personal information but Defendant had offered credit monitoring services).

  • Ruiz v. Gap, Inc., No. 07-5739 SC, 2009 U.S. Dist. LEXIS 10400, 2009 WL 250481, at *3 (N.D. Cal. Feb. 3, 2009) (denying motion to amend complaint to add UCL claims because plaintiff could not establish UCL standing based on costs associated with monitoring credit and loss of value of personal information where defendant offered credit monitoring services), aff’d, 380 F. App’x 689 (9th Cir. 2010).

These cases allowed UCL claims to stand:

  • In re Anthem, Inc. Data Breach Litigation, 162 F. Supp. 3d 953 (N.D. Cal. 2016) (upholding claims under the unlawful and unfair prongs of the California UCL, dismissing with leave to amend the claim under the statute’s fraud prong, at 984-991; upholding claim under the New York deceptive acts or practices law, finding sufficient allegations of harm based on loss of value of PII and loss of the benefit of the bargain, at 991-98; dismissing claims under Kentucky law on deceptive, unfair, and unlawful acts, at 998-1001).

  • In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014).

  • In re LinkedIn User Privacy Litig., No. 12-cv-3088-EJD, 2014 WL 1323713, *4 (N.D. Cal. Mar. 28, 2014) (holding benefit-of-the-bargain losses “sufficient to confer … statutory standing under the UCL”).

Also dismissing a UCL claim, under the California law: Flores-Mendez v. Zoosk, No. 20-04929, 2021 U.S. Dist. LEXIS 18799 *9, 2021 WL 308543 (N.D. Cal. Jan. 30, 2021)

5.2.7 State Laws Requiring Reasonable Security Measures

Cases under the California Consumer Privacy Act have been relatively slow to mature, but some are surviving at least the motion to dismiss phase. In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court ruled, on a motion to dismiss, that a claim based on this provision should survive a motion to dismiss. And the federal district court in South Carolina refused to dismiss a claim under the California law against Blackbaud, a cloud services provider that allegedly suffered a ransomware attack. In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021). The court rejected Blackbaud’s argument that it was not a “business” covered by the California reasonable security measures law and its accompanying statutory damages provision. The court also ruled that Blackbaud qualifies as a “medical provider” under the California Medical Information Act, which covers “[a]ny business that offers software or hardware to consumers ... in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual ... .”

5.2.9 Fraud Claims

Under California law, at least one federal court found that reliance does have to be alleged and this requires some specificity as to which statements a plaintiff actually read and relied on in setting up an account. See Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). In assessing claims under the fraudulent prong of the California UCL, under the state’s Consumers Legal Remedies Act, and under its False Advertising Law, the court found that the plaintiffs’ allegations were insufficient, but it allowed leave to amend, giving plaintiffs a chance to strike the right balance between providing sufficient notice to defendants and the relatively generous pleading requirements at the motion to dismiss stage.

5.3 Arbitration

Under California law, at least, an arbitration clause cannot block a suit seeking injunctive relief. California policy ensures the rights of consumers to seek injunctive relief on behalf of the general public. McGill v. Citibank, N.A., 393 P.3d 85 (2017). See also, e.g., Mejia v. DACM Inc, 54 Cal. App. 5th 691, 701 (2020); Blair v. Rent-A-Ctr., Inc., 928 F.3d 819, 828 (9th Cir. 2019).

Based on these cases, in In re StockX Customer Data Security Breach Litigation, Case No. 19-12441 (E.D. Mich. June 15, 2021), the court ruled that, because application of Michigan law would be contrary to fundamental California policy and California has a materially greater interest in the plaintiff’s claims than Michigan, the choice of law clause in the StockX terms of service (designating Michigan law as applicable) was unenforceable. Therefore, the court applied California law, and ruled under California law that the arbitration clause was unenforceable.  

Defendants’ efforts to force cybersecurity cases to arbitration will normally turn on ordinary questions of arbitration law, including the threshold question of whether there is an agreement to arbitrate, which in turn is a question of contract law. For example, Middleton v. T-Mobile U.S. Inc., 1:20-cv-03276 (E.D.N.Y. Aug. 24, 2022), involved allegations that the mobile provider was negligent in allowing fraudsters to trick its employees into SIM swapping the plaintiff’s phones multiple times, which in turn allowed the fraudsters to intercept authentication texts and break into the plaintiff’s cryptocurrency account and steal $8.7 million in cryptocurrency. After extensive analysis of the pleadings surrounding the circumstances under which the plaintiff purchased the phones and what information was presented to plaintiff and how, the court found that there was notice of the arbitration clause and assent. Motion to compel arbitration granted.

5.4  Privilege in Data Breach Cases

To the list of decisions on discoverability of post-breach reports by outside experts, add these, going in opposite directions based on a close analysis of the facts.

  • In re Rutter's Data Sec. Breach Litig., NO. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021) (although outside counsel retained the forensics consultant, the resulting report and related communications were not protected by either the work product doctrine or the attorney-client privilege; court focused on whether the report served a broader purpose than assisting in preparation for litigation; distribution of the report beyond the legal team was evidence that the work would have been conducted regardless of the lawsuit).

  • In re Marriott Int'l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 124874, 2021 WL 2660180 (D. Md. June 29, 2021) (magistrate’s recommendation that documents from third-party expert were entitled to protection under “the privilege”; even though there was a history of the expert providing services to Marriott and Starwood before discovering the breach, the services provided after the breach were as the result of new engagements at the request of outside counsel to assist in responding to regulatory authorities and the litigation that was anticipated).

The cases suggest that the law of attorney-client privilege (and work-product doctrine) is at odds with desirable cybersecurity practices. The reports were denied protection in part because they had been shared beyond the legal team. From a lawyer’s standpoint, it was a mistake to disseminate the reports within the affected company. But isn’t it good that a forensics study is shared beyond the lawyers, to make sure that employees at the victim are aware of the problems that caused the breach, so those problems can be corrected and future breaches can be avoided?

For a good overview and a discussion of the specific issues posed by disclosing a forensics report to law enforcement, see Brian Mund and Leonard Bailey, Privilege in Data Breach Investigations, 69 DOJ J. Fed. Law & Prac. 39 (May 2021).

_____________________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION:

5.1.1 Cases Brought on Behalf of Consumers

In at least one case, a complaint has survived that appears not to allege that the defendant’s network was breached but rather that the defendant failed to protect its customers against individual account takeovers using information obtained outside the defendant’s network. Order Granting in Part and Denying in Part Defendants’ Motion to Dismiss, Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, 2021 WL 6882377 (N.D. Cal. May 6, 2021).

5.1.2 Cases Brought by Financial Institutions

In the Landry’s case, partial summary judgement was entered, requiring Landry’s (which owns a chain of retail stores) to reimburse Chase (actually, its payment processing affiliate, Paymentech LLC) for the assessments Chase paid to Visa and Mastercard after attackers accessed payment card data inside the Landry’s network. Paymentech LLC v. Landry’s Inc., Civil Action H-18-1622, 2021 U.S. Dist. LEXIS 88749, 2021 WL 1856553 (S.D. Tex. May 7 [entered May 10], 2021). The case turned on contract law. Chase was the acquiring bank. It had contracts with Visa and Mastercard and a separate contract with Landry’s to process credit card payments for Landry’s. The contracts with Visa and Mastercard allowed the brands to levy assessments against Chase if one of its merchants failed to adhere to the payment brands’ cybersecurity standard, the PCI-DSS. Chase’s contract with Landry’s required Landry’s to adhere to the PCI-DSS and to reimburse Chase for any such assessments levied against it by the brands. Chase paid the assessments to the brands and turned around and sought reimbursement from Landry’s. Landry’s argued that there was no evidence that the attackers actually used the compromised cardholder information. That, the court ruled, was irrelevant; the issue was whether Landry’s had complied with the PCI-DSS. Landry’s argued that there was a dispute whether it was in compliance with the standard, citing a report of its expert prepared before the attack. That too was irrelevant, said the court: Landry’s had agreed in its contract to hire an independent expert after the attack and that expert had found Landry’s out of compliance. In February, 2023, the Fifth Circuit affirmed. Paymentech LLC v. Landry’s Inc., No. 21-20447 (5th Cir. Feb. 23, 2023). The appeals court also affirmed the district court’s dismissal of Landry’s third-party complaints against Visa and Mastercard, in which Landry’s alleged that the brands had wrongly imposed the assessments in the first place. The Fifth Circuit opnion includes a good description, with chart, of the relationships among payment brands, banks, and merchants.

5.1.3  Disputes on Insurance Coverage

Insurance claims, even in the cyber context, normally turn on the precise language of the policy at issue, and policies are normally rewritten annually, as insurers adjust their assessment of risk. Therefore, it is difficult if not impossible to discern general principles related to cybersecurity insurance, as many cases will be decided on a close reading of the specific language in the policy in force at the time of the loss—and that language may well be missing from the policy of another insurer or even a future policy issued by the same company.

In March 2022, there was ruling in the Target case mentioned in the book. Target Corp. v. ACE American Insurance Co., 0:19-cv-02916, 2022 U.S. Dist. LEXIS 51044, 2022 WL 848095 (D. Minn. March 22, 2022). The policies at issue applied to “property damage” caused by an “occurrence.” Vacating its earlier decision, the court ruled that the loss of use of payment cards compromised in the data breach was a “loss of use of tangible property that is not physically injured” under the policy and that the breach was an “occurrence.” The cost of replacing the payment cards, the court held, was covered under the terms of the policies and therefore the insurer was obligated to indemnify Target for Target’s settlement with the issuing banks for the costs of replacing the payment cards.

Another case mentioned in the book, Mondelez v. Zurich American, settled in October 2022, just as closing arguments in the trial were about to begin, so there is no decision there on the applicability of the “hostile or warlike action” exclusion. In a different case, a New Jersey trial court held in January 2022, in the context of a motion to dismiss, that a “hostile or warlike action” exclusion in an “all-risks” policy did not cover the NotPetya attack, even if, as alleged by the insurer, it was sponsored by Russia to harm Ukraine. Merck Co. v. ACE American Insurance Co., case number UNN L 002682-18 (Union County Superior Court of New Jersey, Jan 13, 2022). The judge concluded that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” In a warning to insurance companies, the court pointed out that both parties were aware that cyberattacks, sometimes from nation states, have become more common, but the insurer did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyberattacks. Given the rules of construction applicable to insurance policies, Merck was justified in its expectation that the exclusion applied only to traditional forms of warfare.

In August 2022, Lloyd’s of London announced that, effective March 2023, it would require that certain standalone cyber-attack policies must include, unless agreed by Lloyd’s, a clause excluding liability for losses arising from certain state backed cyber-attacks. The announcement was interpreted by some headline writers as a declaration that Lloyd’s would no longer cover nation-state cyber-atacks, but in fact it only required exclusion of losses arising from state backed attacks that (a) significantly impair the ability of a state to function (through, for example, degradation of critical infrastructure) or (b) that significantly impair the security capabilities of a state.

Cases continue to turn on close readings of policy language:

  • The court of appeals decision in G&G Oil Co. of Indiana v. Continental Western Insurance Co., 145 N.E. 3d 842 (Ct. of Appeals Ind. 2020), was reversed and remanded by the state supreme court. 2021 Ind. LEXIS 182 (Ind. March 18, 2021). The “Computer Fraud” provision of the Policy’s Commercial Crime Coverage Part covered loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.” G&G Oil suffered losses from a ransomware attack and filed a claim, which Continental denied. The court of appeals had affirmed summary judgment in favor of the insurer. The state supreme court found that G&G Oil’s losses resulted directly from the use of a computer, but it found that neither party had demonstrated it was entitled to summary judgment. Grant of summary judgment in favor of Continental reversed, denial of G&G Oil’s motion for summary judgment affirmed, and case remanded for further proceedings. G&G Oil Co. of Indiana v. Continental Western Insurance Co., No. 20S-PL-617, 2021 Ind. LEXIS 182 (Ind. March 18, 2021).

  • RealPage Inc. v. National Union Fire Insurance Co., 2021 U.S. App. LEXIS 37962, 2021 WL 6060972 (5th Cir. Dec. 22, 2021) (under a Commercial Crime Policy, in a case that began with a phishing attack, where funds were stolen from a third party payments processor, summary judgement for the insurer affirmed, on the grounds that the funds were not “held” by the insured).

  • Landry's, Inc. v. Ins. Co. of the Pa., 2021 U.S. App. LEXIS 21668, 2021 WL 3075937 (5th Cir. July 21, 2021) (insurer must defend Landry's in the underlying Paymentech litigation: hackers’ obtaining of credit card data involved a “publication” under the policy, as did hackers’ use of the data to make fraudulent purchases, and the publication involved an injury within the policy’s “arising out of . . . the violat[ion] [of] a person's right of privacy” language).

  • Ernst & Haas Management Co. v. Hiscox Inc., 23 F. 4th 1195 (9th Cir. 2022), rehearing en banc denied (Mar. 7, 2022) (a transfer of funds in response to a fraudulent email could be covered by either the computer fraud provision or the funds transfer fraud provision of a commercial crime insurance policy; distinguishing Pestmaster v. Travelers).

  • Star Title Partners of Palm Harbor LLC v. Illinois Union Insurance Co., 2022 U.S. App. LEXIS 24930 (11th Cir. Sept. 6, 2022) (under plain language of the Deceptive Transfer Fraud clause in the Cybercrime Endorsement of its Cyber Protection Policy, no coverage after plaintiff was fraudulently induced, by an unknown actor impersonating a mortgage lender, to wire funds to an incorrect account).

  • Fishbowl Solutions Inc. v. The Hanover Insurance Co., No. 0:21-cv-00794 (D. Minn. Nov. 2, 2022) (summary judgement for insured, with the court interpreting the words of a Technology Professional Liability Policy, which incorporated a Data Breach Coverage Form, including a “Cyber Business Interruption and Extra Expense” clause, to find that Fishbowl had incurred an actual loss of “business income,” which occurred during the “period of restoration,” “directly” resulting from a data breach, and which resulted in an “impairment” of business operations).

  • Yoshida Foods International LLC v. Federal Insurance Co., no. 3:21-cv-01455-HZ (D. Ore. 2022) (ransomware payment was a “direct loss” and a Fraudulent Instructions Exclusion was intended to apply to (and exclude from coverage) erroneous payments and thus did not cover the ransomware payment).

See Daniel Tay, The Biggest Cyber Coverage Decisions of 2021, Law 360 (Dec. 21, 2021) (subscription required).

While insurers frequently dispute coverage, when they do pay they may seek to recoup their costs by suing a third party they claim is responsible for the incident. That is the situation in AIG Specialty Insurance Co. v. Accellion Inc., no. 1:22-cv-20272​ (​​S. D. Fla. June 16, 2022). Accellion made a software product that had a security flaw. One of the many Accellion clients that suffered breaches due to the vulnerability was insured by AIG. AIG paid its insured and sued to obtain recovery from Accellion. The district court dismissed claims alleging negligent misrepresentation and violations of the Florida Deceptive and Unfair Trade Practices Act, but it let stand a breach of contract claim based on Accellion’s license agreement with the insured. ​Settlement discussions ensued and, in December 2022, the parties filed a notice of settlement.

5.1.6 Securities Fraud and Shareholder Derivative Class Actions

A shareholders class action against FedEx and several of its officers arising from the NotPetya malware attack also failed. In In re FedEx Corp Securities Litigation, No. 1:19-cv-05990 (RA) (S.D.N.Y. Feb. 4, 2021), the court dismissed, with prejudice, on the grounds that “the complaint failed to adequately plead the required elements of falsity and scienter.” On the question of falsity, the court found that the companies’ disclosures “contained language, often bolded and italicized for emphasis, that warned investors about the potentially lingering effects of the June 2017 cyberattack.” The court gave great weight to these cautionary statements, saying the they “exemplify Defendants’ repeated disclosure of the Company’s difficulties in recovering from NotPetya.” In light of these disclosure, the court concluded, “Plaintiffs have failed to establish that FedEx’s more optimistic statements misled the investing public.”

The Marriott/Starwood data breach produced five sets of cases consolidated in the U.S. District Court for Maryland: class action claims brought by consumers (processed on a “Consumer Track”), claims brought by the City of Chicago (the “Government Track”), class action claims on behalf of financial institutions, class action claims brought by a Marriott shareholder under Section 10(b)/Rule 10b-5 and Section 20(a) (the “Securities Track”), and claims brought by another shareholder as a derivative action (the “Derivative Track”). In June 2021, the district court dismissed the Securities Track case. In re: Marriott Int’l, Inc., Customer Data Security Breach Litigation, MDL No 19-md-2879, 543 F. Supp. 3d 96, 2021 U.S. Dist. LEXIS 110274 (D. Md. June 11, 2021). The court conducted an extensive analysis of 73 statements made by defendants during the class period, and found that the plaintiff had not adequately alleged that any was false or misleading. On top of that, the court found, the plaintiff had failed to adequately allege scienter or loss causation. The Fourth Circuit affirmed the dismissal, focusing just on the failure to adequately allege any false or misleading statements. Constr. Laborers Pension Trust for S. Cal. v. Marriott Int'l, Inc. (In re Marriott Int'l, Inc.), 2022 U.S. App. LEXIS 10911 (4th Cir. Apr. 21, 2022).

The district court also dismissed the derivative claims for failure to adequately plead the ownership and demand requirements for a derivative action under Federal Rule of Civil Procedure 23.1. In re Marriott Int'l, Inc., MDL No 19-md-2879, 2021 U.S. Dist. LEXIS 110301, 2021 WL 2401641 (D. Md. June 11, 2021). The court’s opinion includes a good discussion of several issues relevant to derivative actions, with citations to opinions from other jurisdictions: the requirements under Rule 23.1 for both “continuous ownership” and “contemporaneous ownership” to bring a derivative action; the inadequacy of conclusory allegations of ownership (alleging ownership at “all relevant times” is not adequate); the “continuing wrong” exception to the contemporaneous ownership requirement (which the court found inapplicable in this case); the demand requirement; and the concept of prudential jurisdiction in shareholder derivative actions and how it differs from subject matter jurisdiction.  The court also concluded, upon examination of the allegedly misleading statements in corporate filings, that the defendant failed to adequately allege claims under Exchange Act Section 10(b) and Rule 10-b, Exchange Act Section 20(a), or Exchange Act Section 14(a) and Rule 14a-9.

On the other hand, a federal district court ruled that a Section 10(b)/Rule 10b-5 claim against Zoom and its CEO, for an allegedly false statement on security, was adequately alleged and could go forward. The statement, that Zoom offered end-to-end encrypted, was made in its Registration Statement and Prospectus. The court dismissed claims based on fourteen other statements. In re: Zoom Securities Litigation, no. 5:20-cv-02353, 2022 U.S. Dist. LEXIS 28265 (N.D. Ca. Feb. 16, 2022).

Another Section 10(b)/Rule 10b-5 case surviving a 12(b)(6) motion was In re Solar Winds Corp. Securities Litigation, 1:21-CV-138-RP (W.D. Tex. March 30, 2022). Upon a close reading of the complaint, the court found that the plaintiffs had adequately alleged scienter, material misrepresentation, and causality with respect to the company and its VP of Security Architecture. One the other hand, the court found that plaintiffs had failed to effectively plead scienter against the CEO and dismissed a claim against him, with leave to amend. However, the court refused to dismiss a claim of control person liability against the CEO under Section 20(a) of the Exchange Act. The court also refused to dismiss control person claims against two private equity firms that each owned 40% of the company and had 3 board seats each. In December 2022, the lead plaintiff sought approval of a settlement that called for a $26 million payment to shareholders and no admission of wrongdoing.

The Ninth Circuit revived securities law claims against officers and directors of Alphabet based on statements Alphabet made in its quarterly reports filed with the SEC on Form 10-Q.  In re Alphabet Inc. Secs. Litig., Rhode Island v. Alphabet, Inc., 2021 U.S. App. LEXIS 17926 (June 16, 2021), cert. denied (Mar. 7, 2022). In an action under Section 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b), and S.E.C. Rule 10b-5, the plaintiffs alleged that the reports omitted to disclose security problems with the Google+ social network. The court concluded that the complaint adequately alleged that these two statements omitted material facts necessary to make the statements not misleading. As to ten additional statements identified in the complaint, the panel concluded that the complaint did not plausibly allege that these remaining statements were misleading material misrepresentations. The panel therefore affirmed the district court’s dismissal of claims based on these statements.

In investor actions, careful attention must be paid to pleading facts sufficient to allege all elements of the claims asserted. Securities fraud claims are subject to the heightened pleading requirements of Rule 9. In addition, the Private Securities Litigation Reform Act of 1995, 15 U.S.C. § 78u-4(b)(1), imposes additional specific pleading requirements, including requiring plaintiffs to state with particularity both the facts constituting the alleged violation and the facts evidencing scienter. Illustrative: A district court dismissed, with leave to amend, an investors’ class action under Sections 10(b) and 20(a) of the Exchange Act where, on close examination, the court found that the plaintiff had not identified any false or misleading statement or omission about the state of the defendant’s cybersecurity practices or about the circumstances of a data spillage it experienced. In re First American Financial Corp. Securities Litigation, No. CV 20-9781 DSF (Ex) (C.D. Cal. Sept 22, 2021). In May 2022, the district court dismissed the amended compliant, this time with prejudice, finding again that the plaintiff had failed to allege facts showing that First American made a material misrepresentation or omission. In re First American Financial Corp. Securities Litigation, No. CV 20-9781 DSF (Ex) (C.D. Cal. May 11, 2022).This is the same incident that resulted in a settlement with the SEC. See updates to Chapter 11.7.2. However, the SEC did not allege that the company had made misleading statements. Instead, it alleged that the company did not have adequate procedures to ensure that senior management were notified of a data breach – a quite different claim that does not require materiality or intent to deceive.

Along the same lines is Local 353, I.B.E.W. Pension Fund v. Zendesk Inc., 21-15785 (9th Cir. Mar. 2, 2022), affirming the District Court’s dismissal of shareholder claims under Rule 10b-5 and Sections 10(b) and 20(a), where the plaintiffs had failed to adequately allege falsity (a material misrepresentation or omission) and scienter.

The Delaware chancery court dismissed a derivative shareholder claim against Marriott executives and directors related to the breach discussed several times in the book. Firemen's Retirement System of St. Louis v. Sorenson et al., No. 2019-0965, Chancery Del. Oct. 6, 2021). The complaint alleged breach of fiduciary duty before and after Marriott’s acquisition of the Starwood reservation system. The Starwood system was breached and losing information before the acquisition, and the data loss continued thereafter. The court’s decision hinged on the rule that a stockholder plaintiff can pursue claims belonging to the corporation if (1) the corporation’s directors wrongfully refused a demand to authorize the corporation to bring the suit or (2) a demand would have been futile because the directors were incapable of impartially considering the demand. The plaintiff did not make a demand on Marriott’s Board, and the court dismissed because the complaint did not plead particularized factual allegations establishing that demand was excused.

Delaware chancery also dismissed a derivative action against the directors of Solar Winds. CIL Pension Fund v. Bingle, 2021-0940-SG (Del Chanc. Sept. 6, 2022). The court found that the directors did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity, and they were not alleged to have ignored sufficient “red flags” of cyber threats to imply a conscious disregard of a known duty, indicative of scienter. “In other words, the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead specific facts from which I may infer bad faith liability on the part of a majority of the directors regarding that trauma.”

5.2.2 Breach of Implied Contract

In In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *32, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021), the court found that GE had an implied contract with its employees based on representations made in a GE guidance document, "The Spirit & The Letter," which set forth GE's Code of Conduct and summarized a range of compliance policies, including policies related to data protection, as well as in GE documents labeled Employee Data Protection Standards and Commitment to the Protection of Personal Information.

Dismissing implied contract claims:

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (“Defendants argue that the mere fact that Plaintiffs provided Personal Information does not suggest that Defendants agreed to guarantee the safety of that information, at least not without accompanying factual allegations to show mutual assent to those terms. The Court agrees.”).

  • Longnecker-Wells v. Benecard Services, Inc., 658 Fed. App’x 659 (3d Cir. 2016).

Allowing implied contract claim to go forward:

  • Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022). Plaintiffs alleged that they "were required to" provide their PII to defendant as a condition of staying at its hotels. Thus, the court said, plaintiffs provided their PII to MGM with the understanding that defendant would take adequate measures to protect it. In terms of consideration, it was undisputed that Plaintiffs paid for their hotel rooms. These alleged actions plausibly demonstrate that Plaintiffs manifested their assent to Defendant MGM's privacy statements. Although plaintiffs did not allege that MGM made any explicit promises "as to the ongoing protection of [their PII], it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of . . . sensitive personal information would not imply the recipient's assent to protect [the] information sufficiently,” quoting Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 U.S. Dist. LEXIS 187428, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016).

5.2.3 Unjust Enrichment

Cases continue to go both ways, largely based on the details alleged in the complaint:

  • Rejecting a motion to dismiss a claim for unjust enrichment: In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 411-13 (D.D. Va. 2020).

  • Granting a motion to dismiss: In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, at *37-39, 2021 WL 4866393 (D. S.C. Oct. 19, 2021).

  • Granting a motion to dismiss: Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022) (plaintiffs had not alleged that they did not have adequate legal remedies, as required to invoke the equitable doctrine of unjust enrichment).

5.2.4 State Laws Prohibiting Unfair or Deceptive Trade Practices

Each prong of a UCL statute must be considered separately. For example, in  Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), plaintiffs’ unlawful claim under the California UCL survived to the extent it was based upon the alleged violations of the California Consumer Privacy Act, the right to privacy in the California Constitution, and negligence. Plaintiffs’ unfairness claim also survived, as the court applied a balancing test: “the Court cannot say that the benefits from Robinhood’s business practices of allegedly emphasizing growth and profit over protecting their customers’ personal and financial information and failing to implement industry-standard security measures outweighs the harm.” However, because the complaint alleged no statements by which a reasonable consumer would be likely to be deceived, a motion to dismiss on the fraudulent prong of the UCL was granted.

In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021), very nicely illustrates how the survival of state UDAP claims will turn on a close reading of state laws, which vary in key details, and on the care necessary when drafting a compliant (or an amended compliant if the court grants that opportunity) to ensure that allegations match the requirements of each state law that is invoked:

  • The court held that Florida plaintiffs had not alleged damages to “the property that is the subject of the consumer transaction” and therefore they failed to sufficiently assert “actual damages” under the Florida Deceptive and Unfair Trade Practice Act. The court did, however, also hold that the plaintiffs had adequately stated a claim for injunctive relief under FDUTPA, which makes declaratory and injunctive relief available to a broader class of plaintiffs than could recover damages.  

  • The court dismissed claims under the New Jersey Consumer Fraud Act Claims because the New Jersey plaintiffs were not “consumers” entitled to the protection of the New Jersey law. The New Jersey plaintiffs had given their data to entities that in turn purchased and used the cloud services of Blackbaud; the individuals themselves were not consumers of Blackbaud’s services.

  • In contrast, though, the court denied Blackbaud’s motion to dismiss claims based on New York General Business Law § 349 because that law covers acts and practices that are “consumer-oriented.”

  • The court granted Blackbaud’s motion to dismiss claims based on Pennsylvania’s Unfair Trade Practices and Consumer Protection Law because the Pennsylvania plaintiff had not sufficiently asserted that she justifiably relied on Blackbaud’s alleged misrepresentations and omissions and a presumption of reliance sometimes accorded under Pennsylvania law did not apply to the facts of this case.

Note: Some of these state laws exempt “learned professionals.” See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (dismissing claims against medical diagnostic providers under the New Jersey Consumer Fraud Act and the North Carolina Unfair and Deceptive Trade Practices Act).

Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), dismissed a claim under the Ohio Trade Practices Act on the ground that individual consumers do not a “standing” to sue under the act. It dismissed a claim under Oregon’s Unlawful Trade Practices Act to the extent that it was based on Oregon's Consumer Information Protection Act (OCIPA), which has no private right of action, and for the same reason it dismissed a claim brought directly under the OCIPA. However, it refused to dismiss claims under the Nevada Consumer Fraud Act; fraudulent omission, unfairness and unlawfulness claims under California’s UCL; a fraudulent omission claim under the California Consumers Legal Remedies Act, Cal. Civ. Code § 1770; a claim under the reasonable security procedures and practices provision of the California Customer Records Act, § 1798.81.5(b); and claims under Connecticut's Unfair Trade Practices Act, Georgia's Uniform Deceptive Trade Practices Act, and New York’s General Business Law § 349(a), which prohibits deceptive acts or practices

5.2.5. State Laws Requiring Reasonable Security Measures

Of all the state laws, the most impactful may be the California Consumer Privacy Act (CCPA), because it is accompanied by a statutory damages provision. The Act provides that “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Cal. Civ. Code § 1798.150(a)(1). See Chapter 12.2.3.

Cases under the CCPA have been relatively slow to mature, but some are surviving at least the motion to dismiss phase. In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court ruled, on a motion to dismiss, that a claim based on this provision should survive a motion to dismiss. On August 12, 2021, the federal district court in South Carolina refused to dismiss a claim under the California law against Blackbaud, a cloud services provider that allegedly suffered a ransomware attack. In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021). The court rejected Blackbaud’s argument that it was not a “business” covered by the California reasonable security measures law and its accompanying statutory damages provision. The court also ruled that Blackbaud qualifies as a “medical provider” under the California Medical Information Act, which covers “[a]ny business that offers software or hardware to consumers ... in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual ... .”

5.2.7 Fraud Claims

Under California law, at least one federal court found that reliance does have to be alleged and this requires some specificity as to which statements a plaintiff actually read and relied on in setting up an account. See Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). In assessing claims under the fraudulent prong of the California UCL, under the state’s Consumers Legal Remedies Act, and under its False Advertising Law, the court found that the plaintiffs’ allegations were insufficient, but it allowed leave to amend, giving plaintiffs a chance to strike the right balance between providing sufficient notice to defendants and the relatively generous pleading requirements at the motion to dismiss stage.

5.2.8 Negligence

5.2.8.1  Is There a Duty of Care?

To the long list of case finding a duty of care with respect to personal information, add:

  • Teeter v. Easterseals-Goodwill Northern Rocky Mountain Inc., no. 4:22-cv-00096 (D. Mont. March 2, 2023) (applying Montana law, and recognizing that a further fact-intensive inquiry may be needed, court found that the complaint contained sufficient factual allegations, taken as true, to state a claim that a common law duty exists; plaintiff sued on behalf of a class of employees of the defendant, but court did not specifically say whether the duty was to employees or broader).

  • In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, 2021 WL 4866393 (Oct. 19, 2021) (interpreting South Carolina law). Blackbaud provided data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to non-profits and other “social good entities.” Plaintiffs were patrons of Blackbaud’s customers rather than direct customers of Blackbaud. Nevertheless, the court held that Blackbaud’s contracts with the social good entities supported recognition of a common law duty to plaintiffs because the purpose of the contracts was to maintain and secure plaintiffs’ private information. The court went on to hold that, although as a general rule there is no duty to protect another from the conduct of third parties, plaintiffs had adequately alleged that Blackbaud had a duty to protect them from the criminal conduct of third parties based on Blackbaud’s own negligent conduct in creating the risk by failing to use reasonable security measures.

  • In re: Sonic Corp. Customer Data Security Breach Litigation (Financial Institutions), No. 1:17-md-2807 (N.D. Ohio Sept. 7, 2021). Under Oklahoma law, the court found, there is generally no duty to anticipate and prevent the intentional or criminal acts of a third party. However, a duty does exist if a defendant’s “own affirmative act has created or exposed [Plaintiffs] to a recognizable high degree of risk of harm through such misconduct, which a reasonable [person] would have taken into account.” And that, the court concluded, is what was alleged: Sonic had created for its franchisees a permanently-enabled VPN tunnel that did not block foreign IP addresses and that did not use multi-factor authentication; it required franchisees to use middleware that did not support point-to-point encryption; and it caused delays in upgrading system components that left franchisees operating vulnerable systems. As to foreseeable risk of harm, it was adequately alleged that Sonic knew or should have known the risks in requiring franchisees to use such a vulnerable system. Duty found, hence negligence claim survives. The court also rejected, under Oklahoma law, the defendants’ argument that the hackers’ breach and data theft acted as supervening causes that cut off the defendants’ liability.

  • In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *21-22, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021). Under New York law, employers have a duty to take reasonable precautions to protect the PII that they require from employees (citing other cases).

  • Mackey v. Belden, Inc., No. 4:21-CV-00149-JAR, 2021 U.S. Dist. LEXIS 145000, 2021 WL 3363174 (E.D. Mo. Aug. 3, 2021) (the special relationship between employer and employee under Missouri law imposes a duty on the employer to protect employees' PII provided as a condition of employment).

  • Flores-Mendez v. Zoosk, Inc., No. C 20-04929 WHA, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021).

  • Stasi v. Immediata Health Group Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097, 2020 WL 6799437, at *7 (S.D. Cal. Nov. 19, 2020) (citing cases that found that defendants had a duty to safeguard personal information and maintain adequate security measures).

Interesting case on the duty of care: Hiscox Insurance Co. v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo. Dec. 8, 2021). The defendant, a law firm, suffered a breach; the compromised data included records from the plaintiff, its client, an insurance company. Those records included data about the insurance company’s policyholders. As the case boiled down, the insurance company argued that the law firm should have fully analyzed the compromised files to identify all the individuals whose data was affected. Applying Missouri law, the court focused pretrial on the claim of professional negligence, specifically legal malpractice. It held that the question of whether the defendant had a duty to the plaintiff was a question of law, and the court ruled that yes, of course, a law firm owes its client a duty of due care. However, what specifically that duty entailed and whether it was breached in this case were questions of fact for the jury, “which, with the assistance of expert evidence, must decide whether, given the specific facts of this case, the standard of care” included the specific steps that the plaintiff alleged the defendant had failed to take. Motion to dismiss denied. On March 31, 2022, the jury returned a verdict in favor of the law firm. The verdict form gives no evidence of the jury’s thinking, but the defendant had argued that it was only a service provider and that it fulfilled its duty by notifying the insurance company of the breach and giving the insurance company access to the compromised files; under this argument, it was the plaintiff’s duty to figure out which policyholders were specifically affected and provide the notice. The defendant’s argument aligned with the Missouri breach notice law and the laws of other states.

Attacks on critical infrastructure may not involve any compromise of personal information. In negligence cases arising from such incidents, the plaintiff must focus elsewhere in alleging a duty. In Dickerson v. Colonial Pipeline Co., 1:21-cv-02098 (N.D. Ga. June 17, 2022), the court dismissed a negligence claim against Colonial Pipeline arising out of the 2021 ransomware attack that led the company to shut down the flow of gasoline through its system. None of the plaintiff’s theories sufficed to allege a cognizable statutory or common law duty owed by Colonial: as a public utility to continually provide service, based upon the voluntary undertaking doctrine (which requires an allegation of physical harm), based on industry standards (standards may be relevant to breach, but they do not create a duty), or arising out of a special relationship.

Also finding no duty was Kroeck v. UKG Inc., 2:22-cv-00066 (W.D. Pa. Sept. 21, 2022). The plaintiff worked for a hospital, which outsourced its payroll system, including timekeeping, to third-party providers, the defendants. The defendants suffered a ransomware attack disrupting their operations and, as a result, the plaintiff claimed, his hours were not properly recorded and his pay was not properly calculated. The court, applying Pennsylvania law, declined to extend the Dittman ruling of the state Supreme Court: “Pennsylvania law specifically recognizes those who collect sensitive information as having a duty to implement security measures to prevent the foreseeable harm of a data breach. Dittman, 196 A.3d at 1056 (imposing a common law duty on those who store ‘personal and financial information’ to protect that data). This duty would extend only to those individuals whose confidential information is kept on file. Here, as Defendants note, Mr. Kroeck has not alleged that Defendants possessed his personal and financial information. Therefore, the Court will grant Defendants’ Motion with respect to Count VI. However, the Court will provide him with leave to amend.”

[New subchapter:] 5.2.8.1A What Is the Duty of Care?

Potentially separate from the existence of a duty of care is the question of what that duty requires. That is, assuming there is a duty, what is the content of that duty, which is a predicate for the claim that the defendant breached it? This question may be important at the summary judgment stage. See Silverpop Sys. v. Leading Mkt. Techs., Inc., 641 Fed. Appx. 849 (11th Cir. 2016). The court there adopted the opinion of the district court, which had dismissed a claim of negligence because the party asserting the claim (LMT) “failed to present evidence to establish the applicable standard of care.” 641 Fed. Appx. At 852. "Evidence of custom within a particular industry, group, or organization is admissible as bearing on the standard of care in determining negligence. … LMT’s expert has not proposed any standards that are ordinarily employed in Silverpop's industry … . Overall, while LMT highlights several deficiencies in Silverpop's intrusion detection system, it offers no evidence to establish how Silverpop's practices, as they related to intrusion detection, failed to meet the applicable standard of care. Accordingly, as LMT has failed to present evidence establishing the standard of care that governed Silverpop's actions, it cannot establish a breach of the standard of care.” See also the discussion of Hiscox Insurance Co. v. Warden Grier LLP, No. 4:20-cv-00237, above.

5.2.8.2  Negligence and the Economic Loss Rule

Indeed, at least at the motion to dismiss stage, it may be easy to avoid the economic loss rule with a well-pleaded complaint. Thus, plaintiffs avoided the economic loss rule where they alleged “the loss of control over the use of their identity, harm to their constitutional right to privacy, lost time dedicated to the investigation of and attempt to recover the loss of funds and cure harm to their privacy, the need for future [ ] time dedicated to the recovery and protection of further loss, and privacy injuries associated with having their sensitive personal and financial information disclosed.” Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, 2021 WL 6882377, at *6 (N.D. Cal. May 6, 2021) (citing other cases).

Another case holding that the economic loss rule did not bar a negligence claim where the parties had a contract:  In Re: Wawa Inc. Data Security Litigation, No 2:19-cv-06019 (E.D. Pa. May 6, 2021). The plaintiffs were financial institutions. The defendant operates a chain of convenience stores and gas stations. Hackers accessed its point-of-sale systems and installed malware that targeted in-store payment terminals and gas station fuel dispensers and obtained customer payment card information. Plaintiffs and defendant were parties to the web of contracts that frame the payment card system, but plaintiffs did not claim breach of contract. Instead, the institutions maintained that, separate from any contract, Wawa owed them a common law duty to exercise reasonable care and that it breached that duty by failing to utilize proper security protocols that would have adequately protected sensitive payment card information. The district court agreed that the plaintiffs had the better argument, at least for the motion to dismiss stage. Citing the Pennsylvania Supreme Court's holding in Dittman, the district court ruled that Schnuck Markets was inapplicable and the negligence claim should be allowed to proceed. After all, Dittman had said that the duty to maintain and protect sensitive data with reasonable care “exists independently from any contractual obligations between the parties.” 196 A.3d at 1056.

Declining to apply the economic loss rule:

  • Plaintiffs v. MGM Resorts Int'l, 2022 U.S. Dist. LEXIS 199399 (D. Nev. Nov. 2, 2022) (citing other district court opinions in the Ninth Circuit; “it is difficult to conceive how the dissemination of an individual's PII does not necessarily diminish their control over their digital and physical identity. Such an invasion implicates non-economic harms.”);

  • Smallman v. MGM Resorts International, No. 2:20-cv-00376 (D. Nev. Nov. 2, 2022) (dissemination of individuals’ PII diminishes their control over their digital and physical identity, implicating non-economic harms);

  • Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021) (citing the Arizona Supreme Court’s direction that the economic loss doctrine should be applied only in limited contexts);

  • Flores-Mendez v. Zoosk, No. 20-04929, 2021 U.S. Dist. LEXIS 18799, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021) (“Plaintiffs allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and so do not allege pure economic loss.”);

  • Stasi v. Immediata Health Grp. Corp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged non-economic harms in the form of the privacy injury they suffered, irrespective of whether they subsequently suffered identity fraud).

[New subchapter:] 5.2.8.4 Negligence Claims Dismissed for Failure to Plead Damages

In a number of cases, plaintiffs have cleared the injury-in-fact requirement for standing only to have their negligence claims dismissed for failure to adequately plead damages as an element of stating a negligence claim. In Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613 (9th Cir. 2021), the plaintiff asserted claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada’s deceptive practices act. The appeals court affirmed dismissal of all claims. Lost time, it indicated, was not a cognizable injury for the purpose of establishing compensable damages unless accompanied by out-of-pocket expenses. “Plaintiff’s asserted emotional distress also failed to establish compensable damages because, under Nevada law, ‘in the absence of physical impact, proof of “serious emotional distress” causing physical injury or illness must be presented.’” 845 F. App’x at 614. And in terms of the loss in value of her information, the plaintiff had failed to adequately allege that her personal information actually lost value. “Several courts in this Circuit have found, and we agree, that the ‘mere misappropriation of personal information’ does not establish compensable damages.” 845 F. App’x at 615. (The latter sentence should not be cited in standing cases; both courts in Pruchnicki found that the plaintiff had alleged sufficient injury-in-fact to support standing.) (Note that the district court had said that "[d]iminution in value of personal information can be a viable theory of damages." Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1234 (D. Nev. 2020).)

Similarly, in Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021), the court concluded that the plaintiffs' allegations of lost time addressing the data breach, continued risk to their PII and PHI, and the danger of future harm are not cognizable injuries for negligence claims. Allegations of out-of-pocket expenses spent on credit monitoring services in addition to the identity monitoring services provided by the defendant were insufficient where plaintiffs failed to also allege that the monitoring costs were reasonable and necessary.

Going the other way, under California law, is Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). After stating the general rule that “California courts have indicated that “[s]peculative harm or the mere threat of future harm is insufficient to constitute actual loss” for purposes of establishing a claim of negligence, the court went on to rule that the plaintiffs’ allegations regarding time spent addressing a breach, the purchase of identity theft protection services, future expenses and time, loss of sensitive personal information, and loss of control over plaintiffs’ identity were sufficient to allege cognizable harm. Slip op. at 11-12. “Given the allegations and the lost time and expenses Plaintiffs allege that they have already incurred due to the data breach, the Court finds that future expenses and time is not too speculative to constitute cognizable injuries at the pleading stage.” Includes useful cites to other cases.

Distinguishing Pruchnicki, the district court in Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), held that both benefit-of-the-bargain losses and diminution in value of PII constituted compensable harm. On the former, the court rejected defendant’s argument that the benefit-of-the-bargain theory could not survive a 12(b)(6) motion without more specific factual allegations showing how data security was a part of the bargain or how much of the money spent was for data security. On the latter, the court concluded that the data breach devalued Plaintiffs' PII by interfering with their fiscal autonomy, and it rejected defendant’s argument that, to allege diminution in value harm, plaintiffs must establish both the existence of a market for their PII and an impairment of their ability to participate in that market. The court held that lost time spent monitoring their accounts and otherwise mitigating the breach was not compensable damages but that money spent to mitigate the risk of harm was. On these questions, the opinion includes a good discussion of other cases going both ways, mostly in the 9th Circuit. The court also held that a substantial risk of future harm was compensable harm, but that doesn’t seem right; the court relied on standing cases, all of them pre-dating TransUnion.

For another good discussion of what kinds of injuries have been recognized as cognizable damages in negligence actions stemming from data breaches, see In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, *34-37, 2021 WL 4866393 (D. S.C. Oct. 19, 2021) (finding that plaintiffs had sufficiently alleged cognizable damages).

5.2.9 Negligence per se

In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court refused to dismiss a negligence per se claim based on California Civil Code sections 1798.82, et seq., and 1798.100, et seq., and the provisions of the California Constitution enshrining the right to privacy.

In In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, at *29-34, 2021 WL 4866393 (D. S.C. Oct. 19, 2021), applying South Carolina law, the court dismissed negligence per se claims premised on HIPAA, the FTC Act, and the Children’s Online Privacy Protection Act. The court noted an apparent split among courts on whether the FTC Act can serve as the basis for a negligence per se claim in the data breach context. “The variations in these holdings appear to stem from differences in the standards for negligence per se claims under the laws of different states. Under South Carolina's standard, the answer turns on the purpose of the statute.”

Dismissing a negligence per se claim based on Section 5 of the FTC Act: In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *27-28, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021).

5.2.11 Negligent Misrepresentation

In Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), the court dismissed plaintiffs' negligent misrepresentation claim after concluding, under Nevada law, that MGM guests had only an arms-length business relationship with the company, insufficient to create the special relationship necessary to support a claim of negligent misrepresentation by omission.

5.2.12 State Constitutional Privacy Rights

In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the district court denied a motion to dismiss a claim based on the right to privacy in the California constitution. “To allege a violation of California’s constitutional right to privacy, a plaintiff must allege ‘(1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious invasion of the protected privacy interest.’ Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1024 (N.D. Cal. 2012) (citing Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1, 35-37, 26 Cal. Rptr. 2d 834, 865 P.2d 633 (1994)).”

5.3 Arbitration

Under California law, at least, an arbitration clause cannot block a suit seeking injunctive relief. California policy ensures the rights of consumers to seek injunctive relief on behalf of the general public. McGill v. Citibank, N.A., 393 P.3d 85 (2017). See also, e.g., Mejia v. DACM Inc, 54 Cal. App. 5th 691, 701 (2020); Blair v. Rent-A-Ctr., Inc., 928 F.3d 819, 828 (9th Cir. 2019).

Based on these cases, in In re StockX Customer Data Security Breach Litigation, Case No. 19-12441 (E.D. Mich. June 15, 2021), the court ruled that, because application of Michigan law would be contrary to fundamental California policy and California has a materially greater interest in the plaintiff’s claims than Michigan, the choice of law clause in the StockX terms of service (designating Michigan law as applicable) was unenforceable. Therefore, the court applied California law, and ruled under California law that the arbitration clause was unenforceable.  

Defendants’ efforts to force cybersecurity cases to arbitration will normally turn on ordinary questions of arbitration law, including the threshold question of whether there is an agreement to arbitrate, which in turn is a question of contract law. For example, Middleton v. T-Mobile U.S. Inc., 1:20-cv-03276 (E.D.N.Y. Aug. 24, 2022), involved allegations that the mobile provider was negligent in allowing fraudsters to trick its employees into SIM swapping the plaintiff’s phones multiple times, which in turn allowed the fraudsters to intercept authentication texts and break into the plaintiff’s cryptocurrency account and steal $8.7 million in cryptocurrency. After extensive analysis of the pleadings surrounding the circumstances under which the plaintiff purchased the phones and what information was presented to plaintiff and how, the court found that there was notice of the arbitration clause and assent. Motion to compel arbitration granted.

5.4  Privilege in Data Breach Cases

To the list of decisions on discoverability of post-breach reports by outside experts, add these, going in opposite directions based on a close analysis of the facts.

  • In re Rutter's Data Sec. Breach Litig., NO. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021) (although outside counsel retained the forensics consultant, the resulting report and related communications were not protected by either the work product doctrine or the attorney-client privilege; court focused on whether the report served a broader purpose than assisting in preparation for litigation; distribution of the report beyond the legal team was evidence that the work would have been conducted regardless of the lawsuit).

  • In re Marriott Int'l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 124874, 2021 WL 2660180 (D. Md. June 29, 2021) (magistrate’s recommendation that documents from third-party expert were entitled to protection under “the privilege”; even though there was a history of the expert providing services to Marriott and Starwood before discovering the breach, the services provided after the breach were as the result of new engagements at the request of outside counsel to assist in responding to regulatory authorities and the litigation that was anticipated).

The cases suggest that the law of attorney-client privilege (and work-product doctrine) is at odds with desirable cybersecurity practices. The reports were denied protection in part because they had been shared beyond the legal team. From a lawyer’s standpoint, it was a mistake to disseminate the reports within the affected company. But isn’t it good that a forensics study is shared beyond the lawyers, to make sure that employees at the victim are aware of the problems that caused the breach, so those problems can be corrected and future breaches can be avoided?

For a good overview and a discussion of the specific issues posed by disclosing a forensics report to law enforcement, see Brian Mund and Leonard Bailey, Privilege in Data Breach Investigations, 69 DOJ J. Fed. Law & Prac. 39 (May 2021).


Last updated: November 21, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.