Offers You Make May be Used against You: Free Credit Monitoring and Standing in Data Breach Cases

It’s become an unfortunate rite of passage for the modern age: the receipt of a letter from a company explaining that one’s personal information has been lost or stolen in a data breach.

The letter usually offers to provide free credit monitoring or identity-theft insurance through a third-party vendor. The law usually does not require this type of offer, but companies do it anyway. One reason may be that these types of offers have been shown to reduce the chance of consumer lawsuits.

But if consumers do sue, can the company’s offer be used against it? 

This post addresses this question, one recently addressed by three federal appellate courts. As we’ll see, those courts analyzed whether the plaintiffs had Article III standing, a key issue in data-breach litigation.

Standing in data breach cases

In a typical data-breach case, individuals sue the breached company before thieves have misused their data. The alleged injury, then, is usually an increased risk of future fraud or identity theft.

Future harm, however, is often not enough to establish Article III standing in federal court. In Clapper v. Amnesty International, the U.S. Supreme Court confirmed that an alleged “future injury” constitutes an injury-in-fact—and satisfies Article III standing—only if that future injury is “certainly impending.”

This standard, the Supreme Court explained, does not always mean “literally certain.” Instead, a court may find standing based on a showing of “substantial risk” that harm will occur, “which may prompt the plaintiffs to reasonably incur costs to mitigate or avoid that harm.” 

Federal courts assessing standing in recent data-breach cases have turned to Clapper and the “substantial risk” standard. The Seventh Circuit’s decision in Remijas v. Neiman Marcus and the Sixth Circuit’s decision in Galaria v. Nationwide are two leading examples. In both cases:

  • the defendants suffered breaches of their networks by hackers who targeted and stole customers’ personal information;
  • the defendants sent consumers notification letters that included an offer to provide free credit monitoring and identity-theft protection insurance; and
  • the plaintiffs’ injuries consisted in part of an alleged risk of future identity theft.

On these facts, the district courts in both cases dismissed the plaintiffs’ claims for lack of standing. The appeals, however, yielded different results.

In Remijas, the Seventh Circuit concluded that the threat of future harm, and expenditures made by the plaintiffs to protect against that threat, established standing under Clapper. The Seventh Circuit focused specifically on “telling” evidence that Neiman Marcus had offered free protective services to consumers after the breach. The cost of that offer was not de minimis, the court noted. According to the Seventh Circuit, Neiman Marcus would not have offered the services if the risk to the plaintiffs were so “ephemeral” that it “could safely be disregarded.” 

Interestingly, the plaintiffs’ brief never argued this point. It only appears to have arisen in questioning by Chief Judge Diane Wood, the author of the court’s decision, at oral argument.

The Sixth Circuit followed the same reasoning in Galaria. It concluded that the plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to overcome a Rule 12(b)(1) motion. The Sixth Circuit relied in part on the defendant’s offer of free credit monitoring, reasoning that the offer must reflect the severity of the risk.

In doing so, the Sixth Circuit rejected the company’s public-policy argument: companies might stop offering these free services if the offers themselves give rise to lawsuits.

Beck v. McDonald: Don’t punish good deeds.

A third recent appellate case, however, is more favorable for defendants.

In Beck v. McDonald, the Fourth Circuit considered whether individuals had standing to assert claims arising from data breaches at a Veterans Affairs hospital. One breach was caused by the theft of a laptop containing patients’ unencrypted personal information. Another breach was caused by the theft or misplacement of four boxes of pathology reports. In each case, hospital officials notified affected individuals of the breach and offered free credit monitoring. 

Individuals affected by each incident filed separate class actions against the Secretary of Veterans Affairs and hospital officials. In each case, the plaintiffs’ alleged injuries consisted of the threat of future identity theft and measures taken to mitigate that threat.  In each case, the district court relied on Clapper to dismiss the plaintiffs’ claim for lack of standing.

On appeal, the plaintiffs turned to Remijas. They emphasized that the expenditure of federal funds on credit monitoring showed a substantial risk of harm to the plaintiffs. 

The Fourth Circuit, however, sidestepped this argument. Instead, the court distinguished Remijas and Galaria on the ground that those cases involved thieves who intentionally targeted personal information. In Beck, by contrast, there was no evidence the missing laptop or pathology reports were taken because of the personal information they contained. 

In addition, the Fourth Circuit adopted the very public-policy point that the Sixth Circuit disregarded in Galaria. The Fourth Circuit reasoned that, if an offer to provide free credit monitoring services is interpreted to imply a substantial risk of harm, organizations would be discouraged from offering these valuable services.

Implications for Companies

Remijas and Galaria deserve some consideration by companies deciding whether to offer free credit monitoring in the wake of a data breach.  But in most cases the benefits of offering these services—meeting customer expectations, preserving goodwill, and possibly avoiding the filing of an action—will outweigh the risk.  That’s especially true now that a defendant can turn to the Fourth Circuit’s decision in Beck if plaintiffs try to turn its generosity against it. 

Author: Alex Pearce

Can a Lender’s Failure to Provide a Promised Refinancing be an Unfair or Deceptive Trade Practice?

When a borrower asserts an alleged violation of N.C. Gen. Stat. § 75-1.1 against a lender, the claim often presents a familiar fact pattern. Frequently, the borrower alleges that the lender promised to refinance or modify the borrower’s loan and then broke that promise, causing injury to the borrower.

A borrower who asserts this type of claim usually faces several substantial hurdles to avoid dismissal or summary judgment. In Hetzel v. JPMorgan Chase Bank, N.A., however, a borrower’s 75-1.1 claim based on a bank’s alleged broken promise to refinance a real estate loan survived summary judgment.

This post analyzes Hetzel. For reasons that I’ll explain, the somewhat unique fact pattern led to a decision by United States District Court Judge Terrence W. Boyle that may have limited application in future cases.

The bank pays off the wrong mortgage

In Hetzel, the borrower owned multiple coastal properties. Those properties secured multiple loans to JPMorgan Chase Bank. The borrower started the process of refinancing the loans with another lender. The borrower thought that he could obtain better loan terms with the other lender.

The borrower successfully obtained a refinancing commitment from the new lender on one of the properties. The new lender sent the refinancing proceeds to JPMorgan to pay off JPMorgan’s mortgage on that property. Unfortunately, JPMorgan inadvertently paid off the mortgage on one of the borrower’s other properties, and not on the refinanced property.

Compounding the mistake, the borrower stopped making payments to JPMorgan for the mortgage on the refinanced property. The borrower claimed that he was unaware that the first mortgage had not been paid off.

Once he stopped paying on the first mortgage, the loan fell into arrears, and JPMorgan started foreclosure proceedings. JPMorgan also reported the borrower’s payment delinquencies to credit bureaus.

Eventually, the borrower discovered the payoff error and demanded that JPMorgan fix the problem.  The bank worked to correct the misapplication of the proceeds. But the borrower alleged that JPMorgan further promised that it would refinance the borrower’s other properties should the other lender be unwilling to proceed with refinancing because of the error (i.e. because of the loan delinquencies JPMorgan erroneously reported).

Ultimately, neither JPMorgan nor the other lender refinanced the remaining loans. The borrower disputed his ongoing payment obligations to JPMorgan, and JPMorgan commenced foreclosure proceedings. 

The borrower then sued JPMorgan, among other defendants. The borrower asserted multiple claims against the bank, including a 75-1.1 claim based on allegations that JPMorgan promised to refinance the borrower’s remaining properties but failed to do so. The borrower alleged that JPMorgan’s promises were false and made “in an unfair attempt to delay plaintiff from seeking legal redress.”

The borrower filed his suit in Carteret County Superior Court. With the consent of the other defendants, JPMorgan removed the case to the United States District Court for the Eastern District of North Carolina.

The borrower’s 75-1.1 claim survives summary judgment

After several rounds of motion practice and amended pleadings, JPMorgan ended up as the lone defendant at the close of discovery. JPMorgan filed a motion for summary judgment. Judge Boyle granted summary judgment to JPMorgan on certain claims, but denied summary judgment as to the 75-1.1 claim.

Significantly, Judge Boyle found that the bank did not have a contractual obligation to modify the loans.  Judge Boyle opined that there cannot be a 75-1.1 claim based on a failure to modify a loan or contract if the lender has no obligation to make the modification.

The court allowed the 75-1.1 claim to go forward, however, based on JPMorgan’s alleged promises that the borrower would receive a loan modification. Judge Boyle indicated that there was “just enough” evidence to allow the 75-1.1 claim to make it to the jury.

Although it is notable that the court here allowed the 75-1.1 claim to survive, this case presents a slightly different fact pattern than in other cases. The borrower here was able to raise a genuine issue of material fact that JPMorgan was responsible for the borrower being unable to refinance or modify the loans in the first place. In allowing the borrower’s negligence claim to also survive summary judgment, Judge Boyle determined that the lender’s alleged misapplication of the loan proceeds could give rise to a duty of care that the lender would not otherwise owe to the borrower.

It also does not appear that the parties briefed whether the borrower had actually or reasonably relied on any statement by the bank. As we have pointed out in previous posts, the North Carolina Supreme Court has held that both actual and reasonable reliance are necessary if a 75-1.1 claim is premised on misrepresentations.

In Hetzel, the court found that the lender may have owed a duty to the borrower that would not normally arise in the debtor/creditor context. It will be left to other courts to explore the significance of that special duty on a lender’s liability under 75-1.1—the parties in Hetzel settled at mediation before trial.

Author: George Sanderson


A New Front for the Blog: Consumer Protection and the Law on Privacy and Data Security

Since this blog’s inception, we’ve primarily concentrated our posts on the law under N.C. Gen. Stat. § 75-1.1, a mainstay of business and consumer disputes in North Carolina. We’ve been gratified by the positive feedback from our readership as we write about novel developments in consumer-protection law.

With an eye toward those novel developments, we write today to announce an expansion of the blog’s substantive focus to another critical area of consumer-protection law: the law on privacy and data security. 

Indeed, privacy and data-security litigation has become one of the most concerning areas of consumer protection for corporations and their in-house counsel. Privacy and data-security litigation features many of the same characteristics as the law that governs section 75-1.1—including and especially the application of open-ended concepts of unfairness, deception, and consumer injury.

Our posts on privacy and data security will be authored by our colleague Alex Pearce. Alex has deep experience and first-rate credentials in both complex business litigation and the law on privacy and data security. A Stanford Law School graduate, Alex clerked for Judge Milton I. Shadur in federal court in Chicago, and then practiced business litigation at Winston & Strawn and Ellis & Winters. Alex later moved to SAS, where he served as the company’s privacy counsel, before re-joining Ellis & Winters this past January.

As to our schedule going forward:

  • We’ll publish our posts on privacy and data-security law on the third Tuesday of each month, the first one being on March 21.
  • Section 75-1.1 devotees need not worry that our new coverage will mean that we’ll cover that statute any less frequently. We’ll continue to make our regularly-scheduled section 75-1.1 posts on the second and fourth Tuesday every month.

We look forward to this next chapter in the blog’s development.   As always, we invite your ideas on topics that we should address.