New cyber regulations, such as the California Consumer Privacy Act, have companies concerned about expanding potential liability. Companies fear that private rights of action are being created that will allow consumers to sue by alleging that the companies failed to protect their personal information. But attention should also be paid to plaintiffs’ recent successes in applying existing legal frameworks—such as basic tort law—to cyber cases. We have previously written about the use of state consumer protection acts to recover in data breach cases. Recently, plaintiffs have also made some significant inroads in bringing negligence actions against companies that have experienced cyber events.
On January 28, 2019, the U.S. District Court for the Northern District of Georgia issued a decision in the Equifax Consolidated Consumer Class Action, allowing the consumers’ negligence claims against Equifax to move forward. Judge Thrash found that the consumers had sufficiently alleged injuries resulting from the breach, pointing to the “unauthorized charges on their payment cards as a result of the Data Breach” as actual, concrete injuries that are legally cognizable under Georgia law. The Court rejected Equifax’s arguments that the consumers’ injuries should be attributed to the hackers and could have been caused by data breaches at other companies. The Court noted that allowing companies “to rely on other data breaches to defeat a causal connection would ‘create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.’” Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard the personal information in its custody. Because that duty arose independently of any contract, the Court held that the economic loss doctrine did not bar the consumers’ recovery.
Until recently, courts had regularly ruled against these types of negligence claims in the context of cyber breaches. The economic loss doctrine generally provides that a contracting party who suffers purely economic losses must seek its remedy in contract and not in tort. For example, in SELCO Community Credit Union v. Noodles & Company, the District of Colorado held that the economic loss doctrine barred the plaintiffs’ negligence claims. In SELCO, Noodles & Company had suffered a cyberattack in 2016 targeting customers’ credit and debit card information. Noodles argued that the duties of care it allegedly breached did not stem from an independent duty of care, but rather from a series of contracts governing the plaintiffs’ payment-card networks and the handling of cardholder information, including requirements regarding data security. The court agreed, holding that any independent duty that Noodles allegedly breached was bound up in those agreements and could not be considered “independent of a contract that memorialize[d] it.”
By finding that Equifax owed an independent duty of care in the context of a data breach, the Northern District of Georgia has made negligence claims a more viable option for data breach plaintiffs. Similarly, in November 2018, the Pennsylvania Supreme Court held in Dittman v. UPMC that an employer has a common law duty to use reasonable care to safeguard employees’ personal information. The court held that Pennsylvania’s economic loss doctrine allows for recovery of “purely pecuniary damages” in data breach negligence claims, provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract. Dittman involved the breach of the University of Pittsburgh Medical Center’s network, which resulted in the theft of information from thousands of employees, including Social Security numbers, birthdates, tax information, and bank account information.
It is important to point out that while negligence provides plaintiffs with a powerful new tool in data breach cases, it still requires damages. It therefore does not create a new cause of action for consumers whose data was compromised but who cannot show that they suffered concrete damages as a result. These cases do, however, highlight the need for companies to take “reasonable” security measures to protect the personal data of employees and customers.
The Davis Polk Cyber Portal is available to clients to help determine what measures companies are taking to protect sensitive data and avoid regulatory and civil liability.
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.