Indemnification for Data Breaches: Understanding and Allocating Risk

Many contracts between companies and their service providers have broad indemnification provisions. How do those provisions apply in the context of a privacy breach?

Today’s post looks at that question—in particular, a recent federal decision called CVS Pharmacy, Inc. v. Press America, Inc.

Misdirected Mailings Lead to Major Fee Adjustment

CVS Pharmacy is a pharmacy benefits manager for group health plans, such as IBM’s group health plan. CVS’s services included mail-order pharmacy services.

CVS hired Press America to print and mail information to beneficiaries. The mailings often contained beneficiaries’ protected health information (PHI).

Press America made a mistake in one of the mailings; that mistake resulted in 41 separate unauthorized disclosures of IBM beneficiaries’ PHI. Under its contract with IBM, CVS had to pay nearly $2 million to IBM for those disclosures—an amount that CVS had agreed to pay as a “fee adjustment” for privacy breaches.

CVS turned to Press America to recoup the $2 million. Under its contracts with CVS—including a HIPAA business associate agreement—Press America had to indemnify CVS for any liability, cost, or expense “arising out of or in connection with” any breach of PHI within Press America’s control.

Press America refused to pay, so CVS sued.

Secrecy Is No Defense to Indemnity

Press America moved to dismiss.

First, it argued that it had no awareness of the CVS-IBM contract, and so could not have agreed to indemnify CVS for payments made under that contract. That contract had a confidentiality provision that barred CVS from even disclosing the existence of the fee adjustment provision.

Press America also argued that CVS’s payment to IBM constituted an unenforceable penalty.

The court didn’t buy either argument.

The court homed in on the plain language of the indemnification provision. That language called for indemnification based on any liability “arising out of or in connection with” a data breach and appeared broad enough to encompass CVS’s payment to IBM.

The court also observed that the provision lacked any express exclusion for contractual payments made to third parties because of Press America’s negligence.

The court then considered whether the parties meant for the CVS payment to IBM to fall within the indemnification provision. That question, the court found, could not be resolved on the pleadings.

The court also rejected Press America’s penalty argument. As the court explained, Press America could have contracted with CVS for the right to challenge on CVS’s behalf the enforceability of any payment obligations that might give rise to a claim for indemnification. Having failed to do so, Press America lacked standing to challenge the enforceability of the IBM contract. 

Data-Breach Indemnification: What You Don’t Know Can Hurt You

If you prepare HIPAA business associate agreements or other contracts that contemplate the handling of sensitive personal information, Press America is an important read.

As the decision shows, boilerplate indemnity language that applies to privacy and data security failures can be a potent weapon when a breach occurs—especially given the many sources from which losses can arise. These can include claims by affected individuals, fines and other penalties imposed by regulators, and—as Press America shows—contract obligations owed to third parties.

Parties who fail to understand and anticipate their potential exposure under data breach-related indemnification provisions do so at their own peril. That’s especially true for parties who act as subcontractors.  As Press America discovered only after the fact, their exposure can include undisclosed payment obligations owed to end customers.

Can a Lender’s “Robo-Signing” of a Loan Document be the Basis for an Unfair or Deceptive Trade Practice Claim?

The financial crisis of 2008 and the subsequent wave of mortgage foreclosures brought to light certain lenders’ practices of “Robo-Signing.” Robo-Signing was a term coined to refer to bank employees’ alleged practice of “robotically” signing mortgage loan documents without reviewing them.

A recent decision from the Middle District of North Carolina explores in some depth whether the alleged robo-signing of a mortgage assignment provides a basis for a borrower to make a N.C. Gen. Stat. § 75-1.1 claim. 

In Tobias v. Nationstar Mortgage, LLC, the plaintiffs were borrowers who took out a mortgage loan. To secure the loan, the borrowers executed a deed of trust on their residence. Several years later, Bank of America purported to assign the loan to Nationstar Mortgage. A written assignment was recorded in the appropriate county register of deeds.

The borrowers then applied for a loan modification with Nationstar. Nationstar denied the loan modification. Nationstar maintained that the borrowers failed to timely submit documents to Nationstar.

After the denial of the loan modification, the borrowers filed a complaint against Nationstar and other related entities. The borrowers asserted claims for violations of federal lending regulations and section 75-1.1. As a basis for their 75-1.1 claim, the borrowers contended that the assignment was “fraudulent and/or forged” because it had been robo-signed.

Besides seeking treble damages for the 75-1.1 violation, the borrowers sought as a separate state-law remedy to void and cancel the assignment. The borrowers asserted that the defendants’ conduct harmed the borrowers’ ability to market and sell their residence.

The defendants moved to dismiss the borrowers’ cause of action to cancel the assignment and the 75-1.1 claim. The defendants argued that the borrowers could not void the assignment and maintain a 75-1.1 claim because the borrowers lacked standing to challenge the assignment. As an alternative ground, the defendants argued that the North Carolina Debt Collections Act is the exclusive remedy for debt collection actions that allege unfair and deceptive practices.

The Court dismisses the 75-1.1 claim, but on an alternative basis

The Court agreed with the defendants that the borrowers lacked standing to void the assignment. The borrowers were not a party to the assignment, did not allege that they were a third-party beneficiary of the assignment, and did not allege that they could be the subject of double liability if Nationstar enforced the assignment. The borrowers, therefore, could not show a particularized injury stemming from the alleged robo-signing.

The Court also found that the complaint failed to state a claim for unfair and deceptive trade practices, but not for the reasons the defendants advanced. Although the borrowers lacked standing to void/cancel the assignment, the Court found that they had standing to maintain the 75-1.1 claim because they alleged that the assignment clouded title to their residence.

The Court agreed with the defendants that the NCDCA is the exclusive remedy under North Carolina law for unfair debt collection practices. The court did not, however, dismiss the 75-1.1 claim on that basis because the borrowers were not challenging the defendants’ debt collection procedures.

The defendants caught a break, however, because rather than allowing the 75-1.1 claim to proceed, the Court dismissed the claim on a basis that the defendants had not briefed.

The Court found that the borrowers failed to allege sufficiently an actual injury proximately caused by the defendants’ conduct. The borrowers’ complaint affirmatively alleged that the borrowers obtained a mortgage loan memorialized by a recorded deed of trust. The borrowers also attached a copy of the deed of trust to the complaint.

The borrowers did not dispute the validity of the deed of trust. The court recognized that the undisputed terms of the deed of trust allowed the holder to assign its interest without notice to the borrowers.  After reviewing language in the assignment, the Court found that was exactly what happened—Bank of America assigned and conveyed the loan to Nationstar. 

The Court also found that the borrowers’ allegations regarding the property’s marketability and their ability to sell it were conclusory and unsupported by any other factual allegations. The Court also noted the absence of allegations of any unfair or deceptive conduct on Nationstar’s part.

The takeaway—linking conduct to injury is important

Why did the Court go out of its way to dismiss the 75-1.1 claim? Perhaps the Court was uncomfortable with imposing treble damages for possible misconduct that did not appear to cause the borrowers’ injury.

The Tobias decision thus shows that a defendant’s misconduct—standing alone—may not be a basis for 75-1.1 liability. A 75-1.1 claimant should show with particularity how the misconduct alleged to be either unfair or deceptive caused a particularized injury, or risk summary dismissal of the claim.

Special thanks to Lauren Golden, who made substantial contributions to the writing of this blog post.

Author: George Sanderson

When a Claim of Deception Turns on Promises

Businesses regularly make decisions based on forecasts of future market opportunities.

When a business makes a bad guess, however, can N.C. Gen. Stat. § 75-1.1 come to its aid? What if the guess turned on statements by a contracting partner?

Today’s post looks at a recent decision about these questions. As the decision reveals, section 75-1.1 sets a high bar for claims that appear to rest—as Naked Eyes might say—on promises, promises.

It’s Showtime

The facts in Topshelf Management v. Campbell-Ewald (a case we have covered before) concern flying simulators that the U.S. Navy uses in recruiting events.

The defendant, Campbell-Ewald, did marketing for the Navy. The Navy would issue a statement of work to Campbell-Ewald that sought specific services. Campbell-Ewald then gave pricing information to the Navy, and the Navy would issue a task order for the services. After it received a task order, Campbell-Ewald would issue a corresponding purchase order to a subcontractor.

In September 2008, Campbell-Ewald considered using Showtime Sports and Marketing as a subcontractor for the simulators. Showtime signed terms and conditions that would govern each purchase order from Campbell-Ewald. The terms said that no work by Showtime would be authorized before Campbell-Ewald issued a purchase order.

Campbell-Ewald soon issued a purchase order to Showtime to supply two simulators. Then, in mid-2010, Campbell-Ewald decided to subcontract work for a third simulator to Showtime, even though Campbell-Ewald had considered supplying the simulator itself.

Before it issued the purchase order for the third simulator, however, Campbell-Ewald received a letter from Showtime’s principal, Brian Efird. The letter said that Showtime was winding up its operations, but that Efird would soon associate with a new company, called Topshelf, which could contract with Campbell-Ewald.

This letter changed the calculus for Campbell-Ewald; it decided to do the work on the third simulator itself. Though disappointed about not getting the purchase order for the third simulator, Efird (through Topshelf) continued to supply Campbell-Ewald with the first and second simulators.

That work didn’t last. In December 2011, Campbell-Ewald told Efird that the Navy had discontinued the first two simulators, and that Topshelf’s work would end in January 2012.

Topshelf sued. Its complaint had tort and contract claims, but only its section 75-1.1 claim survived a motion to dismiss. Campbell-Ewald later moved for summary judgment.

When Misrepresentations and Contract Terms Collide

Topshelf’s 75-1.1 claim had two parts.

First, it claimed that Campbell-Ewald misled Topshelf about the third simulator. In particular, Topshelf thought that Campbell-Ewald, through its statements, had assured the issuance of a purchase order for the third simulator.

Second, Topshelf accused Campbell-Ewald of making a series of representations that led Topshelf to believe that more purchase orders were coming. Relying on these representations, Topshelf spent money updating the first two simulators—only to have its work on those simulators discontinued.

U.S. District Court Judge Thomas D. Schroeder didn’t buy either argument.

As for the third simulator, Judge Schroeder emphasized that Campbell-Ewald simply changed its mind about the purchase order when it learned of Showtime’s dissolution. He then explained that, on these facts, Campbell-Ewald’s evaluation of the pros and cons of using Topshelf did not violate section 75-1.1. Showtime’s dissolution, after all, was a significant event, and Campbell-Ewald’s change of heart reflected a rational business response.

The parties’ contract confirmed this reasoning. The terms that Showtime signed at the outset of the parties’ relationship said that no work could be assigned without Campbell-Ewald issuing a purchase order. Campbell-Ewald never issued a purchase order for the third simulator.

Topshelf’s second theory fared no better. That theory, like the first theory, clashed with the fundamental structure of the parties’ dealings: the companies worked under short-term purchase orders. Campbell-Ewald, moreover, issued purchase orders only based on the Navy’s needs. Given that the parties’ contract memorialized this structure, Topshelf could not claim to have been misled about future expectations of work.

Top Lessons from Topshelf

Topshelf serves as yet another reminder that, when two parties have a business relationship governed by a contract, the starting point to analyze their conduct under section 75-1.1 is that contract. Here, that contract made clear that a purchase order was a prerequisite to any subcontractor work on a simulator. The plaintiff here couldn’t overcome that factual hurdle.

But was the hurdle insurmountable?

Imagine, for example, if Campbell-Ewald had told Topshelf that, notwithstanding the terms of the contract, Topshelf could be guaranteed work on the third simulator. If an executive at Campbell-Ewald made that statement to an executive at Topshelf, would Topshelf have acted reasonably had it relied on that statement? One can imagine a battle of facts regarding reasonableness—including whether the contract language would defeat any “guarantee” of future work, regardless of the specific words used to make the guarantee.

In any event, the analysis would likely start with, and revolve around, the role of the parties’ contract. That contract can leave a plaintiff, like Topshelf here, with empty promises.

Author: Stephen Feldman