Updates to Chapter 5

Data Breach Litigation – Causes of Action

UPDATES TO SECOND EDITION
5.1 Typical Causes of Action

See updates to Chapter 15.6, Civil Litigation Arising from Ransomware Incidents, for a B2B case where plaintiff sued for loss of business when its provider of warehousing and delivery services shut down for an extended period in response to a ransomware attack.

5.2.1 Negligence

Applying the Pennsylvania Supreme Court’s decision in Dittman on duty and on intervening criminal acts to deny a motion to dismiss a negligence claim: Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

Negligence claim dismissed in a case against two loan servicing companies and their parent company, where plaintiffs did not specifically allege how each defendant was responsible for acts or omissions related to the data breach. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023).

5.2.1.2 Negligence and the Economic Loss Rule

Finding economic loss rule inapplicable, Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

Finding economic loss rule inapplicable, Alexander v. Wells Fargo Bank, 2023 U.S. Dist. LEXIS 214454 (S.D. Cal. Dec. 1, 2023) ("loss of time" and emotional distress including "fright," "shock," "nervousness," "worry," "anxiety," and "humiliation" constitute non-economic losses).

5.2.2 Negligence per se

In Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023), the court, having declined to dismiss a negligence claim, did dismiss the negligence per se claim because, under Pennsylvania law, negligence per se is a theory of negligence, not a standalone claim. However, the court said that the plaintiff could employ a negligence per se theory to satisfy the duty and breach elements of general negligence.

5.2.3 Breach of Express Contract

In a case involving an alleged breach of an employment contract, where the defendant argued that any data security obligation under the contract ended when employment ended, the Court found that it could not determine the parties’ reasonable intent as a matter of law at the 12(b)(6) stage and therefore it denied the motion to dismiss the contract claim. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

5.2.4 Breach of Implied Contract

Implied contract claim dismissed where plaintiff mortgagees were one step removed from mortgage servicer defendants because plaintiffs’ PII was provided to defendants indirectly through plaintiffs' mortgage lenders. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023).

Other implied contract cases: 

  • In re Brinker Data Incident Litig., No. 3:18-CV-686-J-32MCR, 2020 WL 691848, at *5 (M.D. Fla. Jan. 27, 2020) (holding plaintiffs' allegations that defendant "solicited and invited" them to "eat at its restaurants and make purchases using their credit or debit cards" sufficient to allege an implicit agreement that defendant would protect sensitive credit card information) (internal quotation omitted). 

  • Torres v. Wendy's Int'l, LLC, No. 16-210, 2017 WL 8780453, at *3 (M.D. Fla. Mar. 21, 2017) (holding plaintiff's allegations that "defendant invited its customers to pay for their purchases with credit cards containing confidential information" sufficient to allege an implicit agreement to "protect its customers' confidential information as a reasonable and prudent merchant would").

  • Farmer v. Humana, Inc., 582 F. Supp. 3d 1176, 1187 (M.D. Fla. 2022) (agreeing with the analysis in In re Brinker).

  • Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1369 (S.D. Fla. 2017) (finding there was no implied contract where plaintiff contracted to receive healthcare services, not data security specifically).

  • In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d at 1221 (finding no implied contract because plaintiffs alleged no invitation or solicitation by defendants indicating that defendants implicitly assented to secure their personal information in exchange for payment of healthcare services).

5.2.5 Unjust Enrichment

Dismissing unjust enrichment claim: Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

5.2.6 State Laws Prohibiting Unfair or Deceptive Trade Practices

Deprivation of money or property is a prerequisite to suit under Cal. Bus. & Prof. Code § 17204. Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023), citing Dugas v. Starwood Hotels & Resorts Worldwide, Inc., No. 3:16-cv-14, 2016 WL 6523428, at *11 (S.D. Cal. Nov. 3, 2016).

5.2.7 State Laws Requiring Reasonable Security Measures

Entities covered by HIPAA are exempt from Cal. Civ. Code § 1798.100(e). Tate v. Eyemed Vision Care, LLC, 2023 U.S. Dist. LEXIS 175840 (W.D. Ohio Sept. 29, 2023).

5.2.10.1 Breach of Fiduciary Care

Under Pennsylvania law, to state a claim for breach of fiduciary duty, a plaintiff must establish that the parties were in a fiduciary relationship. An employer-employee relationship, without more, does not give rise to a fiduciary duty. Because plaintiff, a former employee of defendant, had failed to allege any circumstances that distinguished her situation from any other employer-employee relationship, the motion to dismiss was granted with leave to amend to plead any facts that would establish the necessary heightened relationship. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

Dismissing claims based on breach of fiduciary duty. In re Lakeview Loan Servicing Data Breach Litig., 2023 U.S. Dist. LEXIS 224865 (S.D. Fla. Dec. 15, 2023) (business or "arm's-length" relationships, such as those created through contract, typically do not imply a fiduciary duty). 

5.2.10.2 Breach of Confidence

Under Pennsylvania law, a “confidential relationship” exists when one party has reposed a special confidence in another to the extent that the parties do not deal with each other on equal terms. This occurs when there is an “overmastering dominance on one side, or weakness, dependence or justifiable trust, on the other.” A business association may be the basis of a confidential relationship “only if one party surrenders substantial control over some portion of his affairs to the other.” Because plaintiff had not alleged a confidential relationship, the claim for breach of confidence was dismissed with leave to amend. Clemens v. ExecuPharm Inc., no. 20-3383 (E.D. Pa. June 22, 2023).

5.3 Arbitration

Keller v. Chegg, Inc., 2023 U.S. Dist. LEXIS 142809 (N.D. Cal. Aug. 15, 2023) (case ordered to arbitration; discussion of routinely updated Terms of Use and push notifications to customers with a pop-up screen requiring assent to the revised terms).

Patrick v. Running Warehouse LLC, no. 22-56078 (9th Cir. Feb. 12, 2024). Arbitration clause enforceable in data breach case. A hyperlink to terms of service containing an arbitration clause, if the link is sufficiently conspicuous, is sufficient to create a binding contract, and plaintiff manifested assent by clicking the “Place Order” button, where the website indicated that, by submitting an order, the consumer “agree[s] to our privacy policy and terms of use.” Discussion of “inquiry notice.”

Motion to dismiss granted in part, denied in part: Guy v. Convergent Outsourcing, Inc., 2023 U.S. Dist. LEXIS 125332 (July 20, 2023).

_________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION:

5.1.1 Cases Brought on Behalf of Consumers

In at least one case, a complaint has survived that appears not to allege that the defendant’s network was breached but rather that the defendant failed to protect its customers against individual account takeovers using information obtained outside the defendant’s network. Order Granting in Part and Denying in Part Defendants’ Motion to Dismiss, Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, 2021 WL 6882377 (N.D. Cal. May 6, 2021).

5.1.2 Cases Brought by Financial Institutions

In the Landry’s case, partial summary judgment was entered, requiring Landry’s (which owns a chain of retail stores) to reimburse Chase (actually, its payment processing affiliate, Paymentech LLC) for the assessments Chase paid to Visa and Mastercard after attackers accessed payment card data inside the Landry’s network. Paymentech LLC v. Landry’s Inc., Civil Action H-18-1622, 2021 U.S. Dist. LEXIS 88749, 2021 WL 1856553 (S.D. Tex. May 7 [entered May 10], 2021). The case turned on contract law. Chase was the acquiring bank. It had contracts with Visa and Mastercard and a separate contract with Landry’s to process credit card payments for Landry’s. The contracts with Visa and Mastercard allowed the brands to levy assessments against Chase if one of its merchants failed to adhere to the payment brands’ cybersecurity standard, the PCI-DSS. Chase’s contract with Landry’s required Landry’s to adhere to the PCI-DSS and to reimburse Chase for any such assessments levied against it by the brands. Chase paid the assessments to the brands and turned around and sought reimbursement from Landry’s. Landry’s argued that there was no evidence that the attackers actually used the compromised cardholder information. That, the court ruled, was irrelevant; the issue was whether Landry’s had complied with the PCI-DSS. Landry’s argued that there was a dispute whether it was in compliance with the standard, citing a report of its expert prepared before the attack. That too was irrelevant, said the court: Landry’s had agreed in its contract to hire an independent expert after the attack, and that expert had found Landry’s out of compliance. In February 2023, the Fifth Circuit affirmed. Paymentech LLC v. Landry’s Inc., No. 21-20447 (5th Cir. Feb. 23, 2023). The appeals court also affirmed the district court’s dismissal of Landry’s third-party complaints against Visa and Mastercard, in which Landry’s alleged that the brands had wrongly imposed the assessments in the first place. The Fifth Circuit opinion includes a good description, with a chart, of the relationships among payment brands, banks, and merchants.

5.1.3 Disputes on Insurance Coverage

Insurance claims, even in the cyber context, normally turn on the precise language of the policy at issue, and policies are normally rewritten annually, as insurers adjust their assessment of risk. Therefore, it is difficult if not impossible to discern general principles related to cybersecurity insurance, as many cases will be decided on a close reading of the specific language in the policy in force at the time of the loss—and that language may well be missing from the policy of another insurer or even a future policy issued by the same company.

In March 2022, there was a ruling in the Target case mentioned in the book. Target Corp. v. ACE American Insurance Co., 0:19-cv-02916, 2022 U.S. Dist. LEXIS 51044, 2022 WL 848095 (D. Minn. March 22, 2022). The policies at issue applied to “property damage” caused by an “occurrence.” Vacating its earlier decision, the court ruled that the loss of use of payment cards compromised in the data breach was a “loss of use of tangible property that is not physically injured” under the policy and that the breach was an “occurrence.” The cost of replacing the payment cards, the court held, was covered under the terms of the policies, and therefore the insurer was obligated to indemnify Target for Target’s settlement with the issuing banks for the costs of replacing the payment cards.

Another case mentioned in the book, Mondelez v. Zurich American, settled in October 2022, just as closing arguments in the trial were about to begin, so there is no decision there on the applicability of the “hostile or warlike action” exclusion. In a different case, a New Jersey trial court held in January 2022, in the context of a motion to dismiss, that a “hostile or warlike action” exclusion in an “all-risks” policy did not cover the NotPetya attack, even if, as alleged by the insurer, it was sponsored by Russia to harm Ukraine. Merck Co. v. ACE American Insurance Co., case number UNN L 002682-18 (Union County Superior Court of New Jersey, Jan. 13, 2022). The judge concluded that “no court has applied a war (or hostile acts) exclusion to anything remotely close to the facts herein.” In a warning to insurance companies, the court pointed out that both parties were aware that cyberattacks, sometimes from nation states, have become more common, but the insurer did nothing to change the language of the exclusion to reasonably put the insured on notice that it intended to exclude cyberattacks. Given the rules of construction applicable to insurance policies, Merck was justified in its expectation that the exclusion applied only to traditional forms of warfare.

In August 2022, Lloyd’s of London announced that, effective March 2023, it would require that certain standalone cyber-attack policies include, unless agreed by Lloyd’s, a clause excluding liability for losses arising from certain state-backed cyber-attacks. The announcement was interpreted by some headline writers as a declaration that Lloyd’s would no longer cover nation-state cyber-attacks, but in fact it only required exclusion of losses arising from state-backed attacks that (a) significantly impair the ability of a state to function (through, for example, degradation of critical infrastructure) or (b) significantly impair the security capabilities of a state.

Cases continue to turn on close readings of policy language:

  • The court of appeals decision in G&G Oil Co. of Indiana v. Continental Western Insurance Co., 145 N.E. 3d 842 (Ct. of Appeals Ind. 2020), was reversed and remanded by the state supreme court. 2021 Ind. LEXIS 182 (Ind. March 18, 2021). The “Computer Fraud” provision of the Policy’s Commercial Crime Coverage Part covered loss “resulting directly from the use of any computer to fraudulently cause a transfer of money.” G&G Oil suffered losses from a ransomware attack and filed a claim, which Continental denied. The court of appeals had affirmed summary judgment in favor of the insurer. The state supreme court found that G&G Oil’s losses resulted directly from the use of a computer, but it found that neither party had demonstrated it was entitled to summary judgment. Grant of summary judgment in favor of Continental reversed, denial of G&G Oil’s motion for summary judgment affirmed, and case remanded for further proceedings. G&G Oil Co. of Indiana v. Continental Western Insurance Co., No. 20S-PL-617, 2021 Ind. LEXIS 182 (Ind. March 18, 2021).

  • RealPage Inc. v. National Union Fire Insurance Co., 2021 U.S. App. LEXIS 37962, 2021 WL 6060972 (5th Cir. Dec. 22, 2021) (under a Commercial Crime Policy, in a case that began with a phishing attack, where funds were stolen from a third-party payments processor, summary judgment for the insurer affirmed, on the grounds that the funds were not “held” by the insured).

  • Landry's, Inc. v. Ins. Co. of the Pa., 2021 U.S. App. LEXIS 21668, 2021 WL 3075937 (5th Cir. July 21, 2021) (insurer must defend Landry's in the underlying Paymentech litigation: hackers’ obtaining of credit card data involved a “publication” under the policy, as did hackers’ use of the data to make fraudulent purchases, and the publication involved an injury within the policy’s “arising out of . . . the violat[ion] [of] a person's right of privacy” language).

  • Ernst & Haas Management Co. v. Hiscox Inc., 23 F. 4th 1195 (9th Cir. 2022), rehearing en banc denied (Mar. 7, 2022) (a transfer of funds in response to a fraudulent email could be covered by either the computer fraud provision or the funds transfer fraud provision of a commercial crime insurance policy; distinguishing Pestmaster v. Travelers).

  • Star Title Partners of Palm Harbor LLC v. Illinois Union Insurance Co., 2022 U.S. App. LEXIS 24930 (11th Cir. Sept. 6, 2022) (under plain language of the Deceptive Transfer Fraud clause in the Cybercrime Endorsement of its Cyber Protection Policy, no coverage after plaintiff was fraudulently induced, by an unknown actor impersonating a mortgage lender, to wire funds to an incorrect account).

  • Fishbowl Solutions Inc. v. The Hanover Insurance Co., No. 0:21-cv-00794 (D. Minn. Nov. 2, 2022) (summary judgment for insured, with the court interpreting the words of a Technology Professional Liability Policy, which incorporated a Data Breach Coverage Form, including a “Cyber Business Interruption and Extra Expense” clause, to find that Fishbowl had incurred an actual loss of “business income,” which occurred during the “period of restoration,” “directly” resulting from a data breach, and which resulted in an “impairment” of business operations).

  • Yoshida Foods International LLC v. Federal Insurance Co., no. 3:21-cv-01455-HZ (D. Ore. 2022) (ransomware payment was a “direct loss” and a Fraudulent Instructions Exclusion was intended to apply to (and exclude from coverage) erroneous payments and thus did not cover the ransomware payment).

See Daniel Tay, The Biggest Cyber Coverage Decisions of 2021, Law360 (Dec. 21, 2021) (subscription required).

While insurers frequently dispute coverage, when they do pay they may seek to recoup their costs by suing a third party they claim is responsible for the incident. That is the situation in AIG Specialty Insurance Co. v. Accellion Inc., No. 1:22-cv-20272 (S.D. Fla. June 16, 2022). Accellion made a software product that had a security flaw. One of the many Accellion clients that suffered breaches due to the vulnerability was insured by AIG. AIG paid its insured and sued to obtain recovery from Accellion. The district court dismissed claims alleging negligent misrepresentation and violations of the Florida Deceptive and Unfair Trade Practices Act, but it let stand a breach of contract claim based on Accellion’s license agreement with the insured. Settlement discussions ensued and, in December 2022, the parties filed a notice of settlement.

5.1.6 Securities Fraud and Shareholder Derivative Class Actions

A shareholders class action against FedEx and several of its officers arising from the NotPetya malware attack also failed. In In re FedEx Corp Securities Litigation, No. 1:19-cv-05990 (RA) (S.D.N.Y. Feb. 4, 2021), the court dismissed, with prejudice, on the grounds that “the complaint failed to adequately plead the required elements of falsity and scienter.” On the question of falsity, the court found that the company’s disclosures “contained language, often bolded and italicized for emphasis, that warned investors about the potentially lingering effects of the June 2017 cyberattack.” The court gave great weight to these cautionary statements, saying that they “exemplify Defendants’ repeated disclosure of the Company’s difficulties in recovering from NotPetya.” In light of these disclosures, the court concluded, “Plaintiffs have failed to establish that FedEx’s more optimistic statements misled the investing public.”

The Marriott/Starwood data breach produced five sets of cases consolidated in the U.S. District Court for Maryland: class action claims brought by consumers (processed on a “Consumer Track”), claims brought by the City of Chicago (the “Government Track”), class action claims on behalf of financial institutions, class action claims brought by a Marriott shareholder under Section 10(b)/Rule 10b-5 and Section 20(a) (the “Securities Track”), and claims brought by another shareholder as a derivative action (the “Derivative Track”). In June 2021, the district court dismissed the Securities Track case. In re: Marriott Int’l, Inc., Customer Data Security Breach Litigation, MDL No. 19-md-2879, 543 F. Supp. 3d 96, 2021 U.S. Dist. LEXIS 110274 (D. Md. June 11, 2021). The court conducted an extensive analysis of 73 statements made by defendants during the class period, and found that the plaintiff had not adequately alleged that any was false or misleading. On top of that, the court found, the plaintiff had failed to adequately allege scienter or loss causation. The Fourth Circuit affirmed the dismissal, focusing just on the failure to adequately allege any false or misleading statements. Constr. Laborers Pension Trust for S. Cal. v. Marriott Int'l, Inc. (In re Marriott Int'l, Inc.), 2022 U.S. App. LEXIS 10911 (4th Cir. Apr. 21, 2022).

The district court also dismissed the derivative claims for failure to adequately plead the ownership and demand requirements for a derivative action under Federal Rule of Civil Procedure 23.1. In re Marriott Int'l, Inc., MDL No. 19-md-2879, 2021 U.S. Dist. LEXIS 110301, 2021 WL 2401641 (D. Md. June 11, 2021). The court’s opinion includes a good discussion of several issues relevant to derivative actions, with citations to opinions from other jurisdictions: the requirements under Rule 23.1 for both “continuous ownership” and “contemporaneous ownership” to bring a derivative action; the inadequacy of conclusory allegations of ownership (alleging ownership at “all relevant times” is not adequate); the “continuing wrong” exception to the contemporaneous ownership requirement (which the court found inapplicable in this case); the demand requirement; and the concept of prudential jurisdiction in shareholder derivative actions and how it differs from subject matter jurisdiction. The court also concluded, upon examination of the allegedly misleading statements in corporate filings, that the plaintiff failed to adequately allege claims under Exchange Act Section 10(b) and Rule 10b-5, Exchange Act Section 20(a), or Exchange Act Section 14(a) and Rule 14a-9.

On the other hand, a federal district court ruled that a Section 10(b)/Rule 10b-5 claim against Zoom and its CEO, for an allegedly false statement on security, was adequately alleged and could go forward. The statement, that Zoom offered end-to-end encryption, was made in its Registration Statement and Prospectus. The court dismissed claims based on fourteen other statements. In re: Zoom Securities Litigation, no. 5:20-cv-02353, 2022 U.S. Dist. LEXIS 28265 (N.D. Cal. Feb. 16, 2022).

Another Section 10(b)/Rule 10b-5 case surviving a 12(b)(6) motion was In re SolarWinds Corp. Securities Litigation, 1:21-CV-138-RP (W.D. Tex. March 30, 2022). Upon a close reading of the complaint, the court found that the plaintiffs had adequately alleged scienter, material misrepresentation, and causality with respect to the company and its VP of Security Architecture. On the other hand, the court found that plaintiffs had failed to effectively plead scienter against the CEO and dismissed a claim against him, with leave to amend. However, the court refused to dismiss a claim of control person liability against the CEO under Section 20(a) of the Exchange Act. The court also refused to dismiss control person claims against two private equity firms that each owned 40% of the company and had 3 board seats each. In December 2022, the lead plaintiff sought approval of a settlement that called for a $26 million payment to shareholders and no admission of wrongdoing.

The Ninth Circuit revived securities law claims against officers and directors of Alphabet based on statements Alphabet made in its quarterly reports filed with the SEC on Form 10-Q. In re Alphabet Inc. Secs. Litig., Rhode Island v. Alphabet, Inc., 2021 U.S. App. LEXIS 17926 (June 16, 2021), cert. denied (Mar. 7, 2022). In an action under Section 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b), and S.E.C. Rule 10b-5, the plaintiffs alleged that the reports failed to disclose security problems with the Google+ social network. The court concluded that the complaint adequately alleged that two statements in those quarterly reports omitted material facts necessary to make the statements not misleading. As to ten additional statements identified in the complaint, the panel concluded that the complaint did not plausibly allege that these remaining statements were misleading material misrepresentations. The panel therefore affirmed the district court’s dismissal of claims based on these statements.

In investor actions, careful attention must be paid to pleading facts sufficient to allege all elements of the claims asserted. Securities fraud claims are subject to the heightened pleading requirements of Rule 9. In addition, the Private Securities Litigation Reform Act of 1995, 15 U.S.C. § 78u-4(b)(1), imposes additional specific pleading requirements, including requiring plaintiffs to state with particularity both the facts constituting the alleged violation and the facts evidencing scienter. Illustrative: A district court dismissed, with leave to amend, an investors’ class action under Sections 10(b) and 20(a) of the Exchange Act where, on close examination, the court found that the plaintiff had not identified any false or misleading statement or omission about the state of the defendant’s cybersecurity practices or about the circumstances of a data spillage it experienced. In re First American Financial Corp. Securities Litigation, No. CV 20-9781 DSF (Ex) (C.D. Cal. Sept 22, 2021). In May 2022, the district court dismissed the amended complaint, this time with prejudice, finding again that the plaintiff had failed to allege facts showing that First American made a material misrepresentation or omission. In re First American Financial Corp. Securities Litigation, No. CV 20-9781 DSF (Ex) (C.D. Cal. May 11, 2022). This is the same incident that resulted in a settlement with the SEC. See updates to Chapter 11.7.2. However, the SEC did not allege that the company had made misleading statements. Instead, it alleged that the company did not have adequate procedures to ensure that senior management were notified of a data breach – a quite different claim that does not require materiality or intent to deceive.

Along the same lines is Local 353, I.B.E.W. Pension Fund v. Zendesk Inc., 21-15785 (9th Cir. Mar. 2, 2022), affirming the District Court’s dismissal of shareholder claims under Rule 10b-5 and Sections 10(b) and 20(a), where the plaintiffs had failed to adequately allege falsity (a material misrepresentation or omission) and scienter.

The Delaware chancery court dismissed a derivative shareholder claim against Marriott executives and directors related to the breach discussed several times in the book. Firemen's Retirement System of St. Louis v. Sorenson et al., No. 2019-0965 (Del. Ch. Oct. 6, 2021). The complaint alleged breach of fiduciary duty before and after Marriott’s acquisition of the Starwood reservation system. The Starwood system was breached and losing information before the acquisition, and the data loss continued thereafter. The court’s decision hinged on the rule that a stockholder plaintiff can pursue claims belonging to the corporation if (1) the corporation’s directors wrongfully refused a demand to authorize the corporation to bring the suit or (2) a demand would have been futile because the directors were incapable of impartially considering the demand. The plaintiff did not make a demand on Marriott’s Board, and the court dismissed because the complaint did not plead particularized factual allegations establishing that demand was excused.

Delaware chancery also dismissed a derivative action against the directors of SolarWinds. CIL Pension Fund v. Bingle, 2021-0940-SG (Del. Ch. Sept. 6, 2022). The court found that the directors did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity, and they were not alleged to have ignored sufficient “red flags” of cyber threats to imply a conscious disregard of a known duty, indicative of scienter. “In other words, the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead specific facts from which I may infer bad faith liability on the part of a majority of the directors regarding that trauma.”

5.2.2 Breach of Implied Contract

In In re GE/CBPS Data Breach Litigation, No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020, at *32, 2021 WL 3406374 (S.D.N.Y. Aug. 4, 2021), the court found that GE had an implied contract with its employees based on representations made in a GE guidance document, "The Spirit & The Letter," which set forth GE's Code of Conduct and summarized a range of compliance policies, including policies related to data protection, as well as in GE documents labeled Employee Data Protection Standards and Commitment to the Protection of Personal Information.

Dismissing implied contract claims:

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (“Defendants argue that the mere fact that Plaintiffs provided Personal Information does not suggest that Defendants agreed to guarantee the safety of that information, at least not without accompanying factual allegations to show mutual assent to those terms. The Court agrees.”).

  • Longnecker-Wells v. Benecard Services, Inc., 658 Fed. App’x 659 (3d Cir. 2016).

Allowing implied contract claim to go forward:

  • Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022). Plaintiffs alleged that they "were required to" provide their PII to defendant as a condition of staying at its hotels. Thus, the court said, plaintiffs provided their PII to MGM with the understanding that defendant would take adequate measures to protect it. In terms of consideration, it was undisputed that Plaintiffs paid for their hotel rooms. These alleged actions plausibly demonstrate that Plaintiffs manifested their assent to Defendant MGM's privacy statements. Although plaintiffs did not allege that MGM made any explicit promises "as to the ongoing protection of [their PII], it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of . . . sensitive personal information would not imply the recipient's assent to protect [the] information sufficiently,” quoting Castillo v. Seagate Tech., LLC, No. 16-cv-01958, 2016 U.S. Dist. LEXIS 187428, 2016 WL 9280242, at *9 (N.D. Cal. Sept. 14, 2016).

5.2.3 Unjust Enrichment

Cases continue to go both ways, largely based on the details alleged in the complaint:

  • Rejecting a motion to dismiss a claim for unjust enrichment: In re Cap. One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 411-13 (E.D. Va. 2020).

  • Granting a motion to dismiss: In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, at *37-39, 2021 WL 4866393 (D.S.C. Oct. 19, 2021).

  • Granting a motion to dismiss: Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022) (plaintiffs had not alleged that they did not have adequate legal remedies, as required to invoke the equitable doctrine of unjust enrichment).

5.2.4 State Laws Prohibiting Unfair or Deceptive Trade Practices

Each prong of a UCL statute must be considered separately. For example, in Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), plaintiffs’ unlawful claim under the California UCL survived to the extent it was based upon the alleged violations of the California Consumer Privacy Act, the right to privacy in the California Constitution, and negligence. Plaintiffs’ unfairness claim also survived, as the court applied a balancing test: “the Court cannot say that the benefits from Robinhood’s business practices of allegedly emphasizing growth and profit over protecting their customers’ personal and financial information and failing to implement industry-standard security measures outweighs the harm.” However, because the complaint alleged no statements by which a reasonable consumer would be likely to be deceived, a motion to dismiss on the fraudulent prong of the UCL was granted.

In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021), very nicely illustrates how the survival of state UDAP claims will turn on a close reading of state laws, which vary in key details, and on the care necessary when drafting a complaint (or an amended complaint, if the court grants that opportunity) to ensure that allegations match the requirements of each state law that is invoked:

  • The court held that Florida plaintiffs had not alleged damages to “the property that is the subject of the consumer transaction” and therefore they failed to sufficiently assert “actual damages” under the Florida Deceptive and Unfair Trade Practice Act. The court did, however, also hold that the plaintiffs had adequately stated a claim for injunctive relief under FDUTPA, which makes declaratory and injunctive relief available to a broader class of plaintiffs than could recover damages.  

  • The court dismissed claims under the New Jersey Consumer Fraud Act because the New Jersey plaintiffs were not “consumers” entitled to the protection of the New Jersey law. The New Jersey plaintiffs had given their data to entities that in turn purchased and used the cloud services of Blackbaud; the individuals themselves were not consumers of Blackbaud’s services.

  • In contrast, though, the court denied Blackbaud’s motion to dismiss claims based on New York General Business Law § 349 because that law covers acts and practices that are “consumer-oriented.”

  • The court granted Blackbaud’s motion to dismiss claims based on Pennsylvania’s Unfair Trade Practices and Consumer Protection Law because the Pennsylvania plaintiff had not sufficiently asserted that she justifiably relied on Blackbaud’s alleged misrepresentations and omissions and a presumption of reliance sometimes accorded under Pennsylvania law did not apply to the facts of this case.

Note: Some of these state laws exempt “learned professionals.” See In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021) (dismissing claims against medical diagnostic providers under the New Jersey Consumer Fraud Act and the North Carolina Unfair and Deceptive Trade Practices Act).

Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), dismissed a claim under the Ohio Trade Practices Act on the ground that individual consumers do not have “standing” to sue under the act. It dismissed a claim under Oregon’s Unlawful Trade Practices Act to the extent that it was based on Oregon's Consumer Information Protection Act (OCIPA), which has no private right of action, and for the same reason it dismissed a claim brought directly under the OCIPA. However, it refused to dismiss claims under the Nevada Consumer Fraud Act; fraudulent omission, unfairness and unlawfulness claims under California’s UCL; a fraudulent omission claim under the California Consumers Legal Remedies Act, Cal. Civ. Code § 1770; a claim under the reasonable security procedures and practices provision of the California Customer Records Act, § 1798.81.5(b); and claims under Connecticut's Unfair Trade Practices Act, Georgia's Uniform Deceptive Trade Practices Act, and New York’s General Business Law § 349(a), which prohibits deceptive acts or practices.

5.2.5 State Laws Requiring Reasonable Security Measures

Of all the state laws, the most impactful may be the California Consumer Privacy Act (CCPA), because it is accompanied by a statutory damages provision. The Act provides that “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Cal. Civ. Code § 1798.150(a)(1). See Chapter 12.2.3.

Cases under the CCPA have been relatively slow to mature, but some are surviving at least the motion to dismiss phase. In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court ruled that a claim based on this provision survived a motion to dismiss. On August 12, 2021, the federal district court in South Carolina refused to dismiss a claim under the California law against Blackbaud, a cloud services provider that allegedly suffered a ransomware attack. In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 151831, 2021 WL 3568394 (D.S.C. August 12, 2021). The court rejected Blackbaud’s argument that it was not a “business” covered by the California reasonable security measures law and its accompanying statutory damages provision. The court also ruled that Blackbaud qualifies as a “medical provider” under the California Medical Information Act, which covers “[a]ny business that offers software or hardware to consumers ... in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual ... .”

5.2.7 Fraud Claims

Under California law, at least one federal court found that reliance does have to be alleged and this requires some specificity as to which statements a plaintiff actually read and relied on in setting up an account. See Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). In assessing claims under the fraudulent prong of the California UCL, under the state’s Consumers Legal Remedies Act, and under its False Advertising Law, the court found that the plaintiffs’ allegations were insufficient, but it allowed leave to amend, giving plaintiffs a chance to strike the right balance between providing sufficient notice to defendants and the relatively generous pleading requirements at the motion to dismiss stage.

5.2.8 Negligence

5.2.8.1  Is There a Duty of Care?

To the long list of cases finding a duty of care with respect to personal information, add:

  • Teeter v. Easterseals-Goodwill Northern Rocky Mountain Inc., no. 4:22-cv-00096 (D. Mont. March 2, 2023) (applying Montana law, and recognizing that a further fact-intensive inquiry may be needed, court found that the complaint contained sufficient factual allegations, taken as true, to state a claim that a common law duty exists; plaintiff sued on behalf of a class of employees of the defendant, but court did not specifically say whether the duty was to employees or broader).

  • In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, 2021 WL 4866393 (D. S.C. Oct. 19, 2021) (interpreting South Carolina law). Blackbaud provided data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to non-profits and other “social good entities.” Plaintiffs were patrons of Blackbaud’s customers rather than direct customers of Blackbaud. Nevertheless, the court held that Blackbaud’s contracts with the social good entities supported recognition of a common law duty to plaintiffs because the purpose of the contracts was to maintain and secure plaintiffs’ private information. The court went on to hold that, although as a general rule there is no duty to protect another from the conduct of third parties, plaintiffs had adequately alleged that Blackbaud had a duty to protect them from the criminal conduct of third parties based on Blackbaud’s own negligent conduct in creating the risk by failing to use reasonable security measures.

  • In re: Sonic Corp. Customer Data Security Breach Litigation (Financial Institutions), No. 1:17-md-2807 (N.D. Ohio Sept. 7, 2021). Under Oklahoma law, the court found, there is generally no duty to anticipate and prevent the intentional or criminal acts of a third party. However, a duty does exist if a defendant’s “own affirmative act has created or exposed [Plaintiffs] to a recognizable high degree of risk of harm through such misconduct, which a reasonable [person] would have taken into account.” And that, the court concluded, is what was alleged: Sonic had created for its franchisees a permanently-enabled VPN tunnel that did not block foreign IP addresses and that did not use multi-factor authentication; it required franchisees to use middleware that did not support point-to-point encryption; and it caused delays in upgrading system components that left franchisees operating vulnerable systems. As to foreseeable risk of harm, it was adequately alleged that Sonic knew or should have known the risks in requiring franchisees to use such a vulnerable system. Duty found, hence negligence claim survives. The court also rejected, under Oklahoma law, the defendants’ argument that the hackers’ breach and data theft acted as supervening causes that cut off the defendants’ liability.

  • In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *21-22, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021). Under New York law, employers have a duty to take reasonable precautions to protect the PII that they require from employees (citing other cases).

  • Mackey v. Belden, Inc., No. 4:21-CV-00149-JAR, 2021 U.S. Dist. LEXIS 145000, 2021 WL 3363174 (E.D. Mo. Aug. 3, 2021) (the special relationship between employer and employee under Missouri law imposes a duty on the employer to protect employees' PII provided as a condition of employment).

  • Flores-Mendez v. Zoosk, Inc., No. C 20-04929 WHA, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021).

  • Stasi v. Immediata Health Group Corp., No. 19cv2353 JM (LL), 2020 U.S. Dist. LEXIS 217097, 2020 WL 6799437, at *7 (S.D. Cal. Nov. 19, 2020) (citing cases that found that defendants had a duty to safeguard personal information and maintain adequate security measures).

Interesting case on the duty of care: Hiscox Insurance Co. v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo. Dec. 8, 2021). The defendant, a law firm, suffered a breach; the compromised data included records from the plaintiff, its client, an insurance company. Those records included data about the insurance company’s policyholders. As the case boiled down, the insurance company argued that the law firm should have fully analyzed the compromised files to identify all the individuals whose data was affected. Applying Missouri law, the court focused pretrial on the claim of professional negligence, specifically legal malpractice. It held that the question of whether the defendant had a duty to the plaintiff was a question of law, and the court ruled that yes, of course, a law firm owes its client a duty of due care. However, what specifically that duty entailed and whether it was breached in this case were questions of fact for the jury, “which, with the assistance of expert evidence, must decide whether, given the specific facts of this case, the standard of care” included the specific steps that the plaintiff alleged the defendant had failed to take. Motion to dismiss denied. On March 31, 2022, the jury returned a verdict in favor of the law firm. The verdict form gives no evidence of the jury’s thinking, but the defendant had argued that it was only a service provider and that it fulfilled its duty by notifying the insurance company of the breach and giving the insurance company access to the compromised files; under this argument, it was the plaintiff’s duty to figure out which policyholders were specifically affected and provide the notice. The defendant’s argument aligned with the Missouri breach notice law and the laws of other states.

Attacks on critical infrastructure may not involve any compromise of personal information. In negligence cases arising from such incidents, the plaintiff must focus elsewhere in alleging a duty. In Dickerson v. Colonial Pipeline Co., 1:21-cv-02098 (N.D. Ga. June 17, 2022), the court dismissed a negligence claim against Colonial Pipeline arising out of the 2021 ransomware attack that led the company to shut down the flow of gasoline through its system. None of the plaintiff’s theories sufficed to allege a cognizable statutory or common law duty owed by Colonial: as a public utility to continually provide service, based upon the voluntary undertaking doctrine (which requires an allegation of physical harm), based on industry standards (standards may be relevant to breach, but they do not create a duty), or arising out of a special relationship.

Also finding no duty was Kroeck v. UKG Inc., 2:22-cv-00066 (W.D. Pa. Sept. 21, 2022). The plaintiff worked for a hospital, which outsourced its payroll system, including timekeeping, to third-party providers, the defendants. The defendants suffered a ransomware attack disrupting their operations and, as a result, the plaintiff claimed, his hours were not properly recorded and his pay was not properly calculated. The court, applying Pennsylvania law, declined to extend the Dittman ruling of the state Supreme Court: “Pennsylvania law specifically recognizes those who collect sensitive information as having a duty to implement security measures to prevent the foreseeable harm of a data breach. Dittman, 196 A.3d at 1056 (imposing a common law duty on those who store ‘personal and financial information’ to protect that data). This duty would extend only to those individuals whose confidential information is kept on file. Here, as Defendants note, Mr. Kroeck has not alleged that Defendants possessed his personal and financial information. Therefore, the Court will grant Defendants’ Motion with respect to Count VI. However, the Court will provide him with leave to amend.”

[New subchapter:] 5.2.8.1A What Is the Duty of Care?

Potentially separate from the existence of a duty of care is the question of what that duty requires. That is, assuming there is a duty, what is the content of that duty, which is a predicate for the claim that the defendant breached it? This question may be important at the summary judgment stage. See Silverpop Sys. v. Leading Mkt. Techs., Inc., 641 Fed. Appx. 849 (11th Cir. 2016). The court there adopted the opinion of the district court, which had dismissed a claim of negligence because the party asserting the claim (LMT) “failed to present evidence to establish the applicable standard of care.” 641 Fed. Appx. at 852. “Evidence of custom within a particular industry, group, or organization is admissible as bearing on the standard of care in determining negligence. … LMT’s expert has not proposed any standards that are ordinarily employed in Silverpop's industry … . Overall, while LMT highlights several deficiencies in Silverpop's intrusion detection system, it offers no evidence to establish how Silverpop's practices, as they related to intrusion detection, failed to meet the applicable standard of care. Accordingly, as LMT has failed to present evidence establishing the standard of care that governed Silverpop's actions, it cannot establish a breach of the standard of care.” See also the discussion of Hiscox Insurance Co. v. Warden Grier LLP, No. 4:20-cv-00237, above.

5.2.8.2  Negligence and the Economic Loss Rule

Indeed, at least at the motion to dismiss stage, it may be easy to avoid the economic loss rule with a well-pleaded complaint. Thus, plaintiffs avoided the economic loss rule where they alleged “the loss of control over the use of their identity, harm to their constitutional right to privacy, lost time dedicated to the investigation of and attempt to recover the loss of funds and cure harm to their privacy, the need for future [ ] time dedicated to the recovery and protection of further loss, and privacy injuries associated with having their sensitive personal and financial information disclosed.” Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK, 2021 U.S. Dist. LEXIS 253782, 2021 WL 6882377, at *6 (N.D. Cal. May 6, 2021) (citing other cases).

Another case holding that the economic loss rule did not bar a negligence claim where the parties had a contract:  In Re: Wawa Inc. Data Security Litigation, No 2:19-cv-06019 (E.D. Pa. May 6, 2021). The plaintiffs were financial institutions. The defendant operates a chain of convenience stores and gas stations. Hackers accessed its point-of-sale systems and installed malware that targeted in-store payment terminals and gas station fuel dispensers and obtained customer payment card information. Plaintiffs and defendant were parties to the web of contracts that frame the payment card system, but plaintiffs did not claim breach of contract. Instead, the institutions maintained that, separate from any contract, Wawa owed them a common law duty to exercise reasonable care and that it breached that duty by failing to utilize proper security protocols that would have adequately protected sensitive payment card information. The district court agreed that the plaintiffs had the better argument, at least for the motion to dismiss stage. Citing the Pennsylvania Supreme Court's holding in Dittman, the district court ruled that Schnuck Markets was inapplicable and the negligence claim should be allowed to proceed. After all, Dittman had said that the duty to maintain and protect sensitive data with reasonable care “exists independently from any contractual obligations between the parties.” 196 A.3d at 1056.

Declining to apply the economic loss rule:

  • Smallman v. MGM Resorts International, No. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399 (D. Nev. Nov. 2, 2022) (citing other district court opinions in the Ninth Circuit; dissemination of individuals’ PII diminishes their control over their digital and physical identity, implicating non-economic harms: “it is difficult to conceive how the dissemination of an individual's PII does not necessarily diminish their control over their digital and physical identity. Such an invasion implicates non-economic harms.”);

  • Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021) (citing the Arizona Supreme Court’s direction that the economic loss doctrine should be applied only in limited contexts);

  • Flores-Mendez v. Zoosk, No. 20-04929, 2021 U.S. Dist. LEXIS 18799, 2021 WL 308543, at *3 (N.D. Cal. Jan. 30, 2021) (“Plaintiffs allege their loss of time, risk of embarrassment, and enlarged risk of identity theft as harms and so do not allege pure economic loss.”);

  • Stasi v. Immediata Health Grp. Corp., 501 F. Supp. 3d 898, 913 (S.D. Cal. 2020) (concluding that the plaintiffs alleged non-economic harms in the form of the privacy injury they suffered, irrespective of whether they subsequently suffered identity fraud).

[New subchapter:] 5.2.8.4 Negligence Claims Dismissed for Failure to Plead Damages

In a number of cases, plaintiffs have cleared the injury-in-fact requirement for standing only to have their negligence claims dismissed for failure to adequately plead damages as an element of stating a negligence claim. In Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613 (9th Cir. 2021), the plaintiff asserted claims for negligence, breach of implied contract, negligent misrepresentation, and violation of Nevada’s deceptive practices act. The appeals court affirmed dismissal of all claims. Lost time, it indicated, was not a cognizable injury for the purpose of establishing compensable damages unless accompanied by out-of-pocket expenses. “Plaintiff’s asserted emotional distress also failed to establish compensable damages because, under Nevada law, ‘in the absence of physical impact, proof of “serious emotional distress” causing physical injury or illness must be presented.’” 845 F. App’x at 614. And in terms of the loss in value of her information, the plaintiff had failed to adequately allege that her personal information actually lost value. “Several courts in this Circuit have found, and we agree, that the ‘mere misappropriation of personal information’ does not establish compensable damages.” 845 F. App’x at 615. (The latter sentence should not be cited in standing cases; both courts in Pruchnicki found that the plaintiff had alleged sufficient injury-in-fact to support standing.) (Note that the district court had said that "[d]iminution in value of personal information can be a viable theory of damages." Pruchnicki v. Envision Healthcare Corp., 439 F. Supp. 3d 1226, 1234 (D. Nev. 2020).)

Similarly, in Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591 * 20-21 (D. Az. Sep. 27, 2021), the court concluded that the plaintiffs' allegations of lost time addressing the data breach, continued risk to their PII and PHI, and the danger of future harm are not cognizable injuries for negligence claims. Allegations of out-of-pocket expenses spent on credit monitoring services in addition to the identity monitoring services provided by the defendant were insufficient where plaintiffs failed to also allege that the monitoring costs were reasonable and necessary.

Going the other way, under California law, is Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021). After stating the general rule that “California courts have indicated that ‘[s]peculative harm or the mere threat of future harm is insufficient to constitute actual loss’” for purposes of establishing a claim of negligence, the court went on to rule that the plaintiffs’ allegations regarding time spent addressing a breach, the purchase of identity theft protection services, future expenses and time, loss of sensitive personal information, and loss of control over plaintiffs’ identity were sufficient to allege cognizable harm. Slip op. at 11-12. “Given the allegations and the lost time and expenses Plaintiffs allege that they have already incurred due to the data breach, the Court finds that future expenses and time is not too speculative to constitute cognizable injuries at the pleading stage.” Includes useful cites to other cases.

Distinguishing Pruchnicki, the district court in Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), held that both benefit-of-the-bargain losses and diminution in value of PII constituted compensable harm. On the former, the court rejected defendant’s argument that the benefit-of-the-bargain theory could not survive a 12(b)(6) motion without more specific factual allegations showing how data security was a part of the bargain or how much of the money spent was for data security. On the latter, the court concluded that the data breach devalued Plaintiffs' PII by interfering with their fiscal autonomy, and it rejected defendant’s argument that, to allege diminution in value harm, plaintiffs must establish both the existence of a market for their PII and an impairment of their ability to participate in that market. The court held that lost time spent monitoring their accounts and otherwise mitigating the breach was not compensable damages but that money spent to mitigate the risk of harm was. On these questions, the opinion includes a good discussion of other cases going both ways, mostly in the 9th Circuit. The court also held that a substantial risk of future harm was compensable harm, but that doesn’t seem right; the court relied on standing cases, all of them pre-dating TransUnion.

For another good discussion of what kinds of injuries have been recognized as cognizable damages in negligence actions stemming from data breaches, see In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, *34-37, 2021 WL 4866393 (D. S.C. Oct. 19, 2021) (finding that plaintiffs had sufficiently alleged cognizable damages).

5.2.9 Negligence per se

In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the court refused to dismiss a negligence per se claim based on California Civil Code sections 1798.82, et seq., and 1798.100, et seq., and the provisions of the California Constitution enshrining the right to privacy.

In In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 201211, at *29-34, 2021 WL 4866393 (D. S.C. Oct. 19, 2021), applying South Carolina law, the court dismissed negligence per se claims premised on HIPAA, the FTC Act, and the Children’s Online Privacy Protection Act. The court noted an apparent split among courts on whether the FTC Act can serve as the basis for a negligence per se claim in the data breach context. “The variations in these holdings appear to stem from differences in the standards for negligence per se claims under the laws of different states. Under South Carolina's standard, the answer turns on the purpose of the statute.”

Dismissing a negligence per se claim based on Section 5 of the FTC Act: In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 U.S. Dist. LEXIS 146020 *27-28, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021).

5.2.11 Negligent Misrepresentation

In Smallman v. MGM Resorts International, no. 2:20-cv-00376, 2022 U.S. Dist. LEXIS 199399, 2022 WL 16636958 (D. Nev. Nov. 2, 2022), the court dismissed plaintiffs' negligent misrepresentation claim after concluding, under Nevada law, that MGM guests had only an arms-length business relationship with the company, insufficient to create the special relationship necessary to support a claim of negligent misrepresentation by omission.

5.2.12 State Constitutional Privacy Rights

In Mehta v. Robinhood Financial LLC, Case no. 21-cv-01013-SVK (N.D. Cal. May 6, 2021), the district court denied a motion to dismiss a claim based on the right to privacy in the California constitution. “To allege a violation of California’s constitutional right to privacy, a plaintiff must allege ‘(1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious invasion of the protected privacy interest.’ Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1024 (N.D. Cal. 2012) (citing Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1, 35-37, 26 Cal. Rptr. 2d 834, 865 P.2d 633 (1994)).”

5.3 Arbitration

Under California law, at least, an arbitration clause cannot block a suit seeking injunctive relief. California policy ensures the rights of consumers to seek injunctive relief on behalf of the general public. McGill v. Citibank, N.A., 393 P.3d 85 (2017). See also, e.g., Mejia v. DACM Inc, 54 Cal. App. 5th 691, 701 (2020); Blair v. Rent-A-Ctr., Inc., 928 F.3d 819, 828 (9th Cir. 2019).

Based on these cases, in In re StockX Customer Data Security Breach Litigation, Case No. 19-12441 (E.D. Mich. June 15, 2021), the court ruled that, because application of Michigan law would be contrary to fundamental California policy and California has a materially greater interest in the plaintiff’s claims than Michigan, the choice of law clause in the StockX terms of service (designating Michigan law as applicable) was unenforceable. Therefore, the court applied California law, and ruled under California law that the arbitration clause was unenforceable.  

Defendants’ efforts to force cybersecurity cases to arbitration will normally turn on ordinary questions of arbitration law, including the threshold question of whether there is an agreement to arbitrate, which in turn is a question of contract law. For example, Middleton v. T-Mobile U.S. Inc., 1:20-cv-03276 (E.D.N.Y. Aug. 24, 2022), involved allegations that the mobile provider was negligent in allowing fraudsters to trick its employees into SIM swapping the plaintiff’s phones multiple times, which in turn allowed the fraudsters to intercept authentication texts and break into the plaintiff’s cryptocurrency account and steal $8.7 million in cryptocurrency. After extensive analysis of the pleadings surrounding the circumstances under which the plaintiff purchased the phones and what information was presented to plaintiff and how, the court found that there was notice of the arbitration clause and assent. Motion to compel arbitration granted.

5.4  Privilege in Data Breach Cases

To the list of decisions on discoverability of post-breach reports by outside experts, add these, going in opposite directions based on a close analysis of the facts.

  • In re Rutter's Data Sec. Breach Litig., NO. 1:20-CV-382, 2021 U.S. Dist. LEXIS 136220 (M.D. Pa. July 22, 2021) (although outside counsel retained the forensics consultant, the resulting report and related communications were not protected by either the work product doctrine or the attorney-client privilege; court focused on whether the report served a broader purpose than assisting in preparation for litigation; distribution of the report beyond the legal team was evidence that the work would have been conducted regardless of the lawsuit).

  • In re Marriott Int'l Customer Sec. Breach Litig., No. 19-MD-2879, 2021 U.S. Dist. LEXIS 124874, 2021 WL 2660180 (D. Md. June 29, 2021) (magistrate’s recommendation that documents from third-party expert were entitled to protection under “the privilege”; even though there was a history of the expert providing services to Marriott and Starwood before discovering the breach, the services provided after the breach were as the result of new engagements at the request of outside counsel to assist in responding to regulatory authorities and the litigation that was anticipated).

The cases suggest that the law of attorney-client privilege (and work-product doctrine) is at odds with desirable cybersecurity practices. The reports were denied protection in part because they had been shared beyond the legal team. From a lawyer’s standpoint, it was a mistake to disseminate the reports within the affected company. But isn’t it good that a forensics study is shared beyond the lawyers, to make sure that employees at the victim are aware of the problems that caused the breach, so those problems can be corrected and future breaches can be avoided?

For a good overview and a discussion of the specific issues posed by disclosing a forensics report to law enforcement, see Brian Mund and Leonard Bailey, Privilege in Data Breach Investigations, 69 DOJ J. Fed. Law & Prac. 39 (May 2021).


Last updated: April 15, 2024.

Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.