Author Archives: Alex Pearce

How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses

Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too.

When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial loses that can be readily identified.  

This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.

Instead, a business plaintiff must overcome a different defense: the economic-loss rule.  That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims. 

A recent decision from a federal court in Colorado involving one of my kids’ favorite mac-and-cheese spots shows how the economic-loss rule can apply when one business sues another over a data breach. This post studies that decision.

A Cyberattack Compromises Diners’ Payment Card Data

SELCO Community Credit Union v Noodles & Company concerns a cyberattack on the Noodles & Company restaurant chain that compromised customers’ credit and debit card information. The plaintiffs were not consumers, but instead credit unions whose cardholders dined at Noodles and whose information was compromised. They sued Noodles for failing to prevent the breach. 

According to the credit unions, Noodles breached a common-law duty to protect its customers’ payment card information by failing to implement industry-standard data-security measures. The credit unions alleged that this breach caused them damages, including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

The credit union brought tort claims—all based on theories of negligence—against Noodles. Noodles filed a motion to dismiss based on the economic-loss rule, pointing to agreements it and the plaintiffs had entered as participants in the payment-card-processing ecosystem.   

The Payment Card Ecosystem: A Chain of Interrelated Contracts

The court provided the following diagram to explain this ecosystem:


In its motion, Noodles observed that each actor in this ecosystem signed an agreement with at least one other actor in which it agreed to follow rules issued by the bank-card associations. Importantly, the agreements required merchants to maintain a certain level of security for payment-card data—including compliance with a set of detailed best practices for data security in the payment-card industry called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and responsibilities in the event of a cyberattack. More specifically, the agreements called for the credit unions to guarantee cardholders zero liability for fraudulent transactions. The credit unions, in turn, could partially recover their losses through a loss-shifting scheme managed by the bank-card associations.

According to Noodles, this arrangement reflected “a series of determinations by several sophisticated commercial entities about how the risk of fraudulent transactions should be allocated in the payment card networks.” Noodles accused the credit unions of trying to re-allocate that risk—and violating the economic-loss rule—by bringing tort claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, they argued that Noodles owed them a common-law duty to secure payment-card data and to prevent foreseeable harm to cardholders. This duty, they urged, was separate and distinct from any contract-based duty to comply with PCI DSS. The credit unions made this argument to try to shoehorn their claims into what’s known as the “independent duty” exception to the economic-loss rule.

Second, the credit unions argued that the economic-loss rule should not apply because the credit unions had no contract with Noodles. Thus, the credit unions argued, they never had the chance to “reliably allocate risks and costs” with Noodles.  

The Court’s Decision

The court, like my children, sided with Noodles.

On the independent-duty argument, the court concluded that each duty that Noodles allegedly breached was bound up in the agreements to comply with the bank-card association rules and PCI DSS. Even if Noodles might also have had a common law duty to protect payment card data from a cyberattack, that duty could not be considered “independent of a contract that memorialize[d] it.”

The fact that the credit unions never contracted directly with Noodles had no analytical impact. In the court’s view, the economic-loss rule does not mandate a one-to-one contract relationship. Instead, the court reasoned, the rule asks whether a plaintiff had “the opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship.” The credit unions had that chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield against attempts—including and especially by businesses—to make end-runs around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they rely imposes relevant data-security obligations. Doing so requires that the obligations be clearly defined—well before litigation arises—in any contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a recognized best practice for information-security risk management.  But as SELCO demonstrates, this type of clarity can also lay the groundwork for deploying the economic-loss rule against lawsuits arising from a successful cyberattack. 

Author: Alex Pearce

Defending Novel Theories in Data-Breach Litigation

The success of a data-breach lawsuit often turns on whether the plaintiff has standing to sue. Showing actual injury can be especially hard when the only alleged damage consists of a risk of future identity theft

Data-breach plaintiffs are therefore looking for new avenues into the courtroom. One of these avenues is an “overpayment” theory.  

This theory rests on the premise that the price of a product or service includes a payment for measures to protect the buyer’s personal information. When a data breach compromises that information, the buyer alleges that he or she has overpaid for the product or service because the seller failed to provide the agreed-upon measures. 

This theory has seen mixed success. 

Courts have rejected the theory in cases that involve the purchase of physical products, where privacy and data security factor only into the processing of the buyer’s payment, rather than the product itself. Examples include data-breach lawsuits against Chinese food restaurants, grocery stores, and brick-and-mortar bookstores for failing to protect credit- and debit-card information.  

Courts have accepted the theory, however, in cases involving the purchase of online services, such as paid subscriptions to social networks and digital magazines. The purchases of these online offerings—unlike the purchase of physical products—were governed by terms of service that included explicit privacy and data security commitments.

A federal court in Chicago recently issued a decision that straddles these two lines of cases. The case, In re VTech Data Breach Litigation, involved physical products whose features included connectivity to an online service.

A Toy Story

VTech Electronics North America sold learning toys for young children. These toys, which included tablet computers and other handheld electronics, connected to VTech’s online application store, from which customers could purchase and download games, books, music, and videos. Some toys could also connect to an online service that enabled children to exchange text, picture, and voice messages with their parents’ cellphones. 

To access these services, customers had to register for online accounts with VTech. Parents who registered provided personal information about themselves and their children to VTech. Parents also had to agree to terms and conditions that incorporated VTech’s privacy policy. In that policy, VTech promised to protect personal information through certain data-security measures.

In 2015, a hacker infiltrated VTech’s servers and downloaded the personal information of over ten million adults and children. The plaintiffs—purchasers of VTech’s toys who had also registered for the online services—sued VTech and alleged that the hack resulted from VTech’s failure to live up to its data security promises. Their complaint asserted various claims, including one for breach of contract. 

The plaintiffs alleged that their injuries consisted of an economic harm: receiving a product worth less than the one for which they paid. According to the plaintiffs, the “product” they paid for included the toys, the online service, and the promised data-security measures. 

You Only Get What You Pay For

VTech rejected that characterization of the transaction and moved to dismiss for lack of standing and for failure to state a claim. 

According to VTech, buyers participated in two transactions:

  1. a purchase transaction involving the plaintiffs’ payment for a standalone physical toy, and
  2. the plaintiffs’ registration for the online services, an optional but separate—and free—offering.

Because VTech had only made data-security promises in the second transaction, VTech argued that the plaintiffs could not establish any “overpayment” for the physical toys that would constitute an injury-in-fact for Article III purposes.

For the same reason, VTech argued, the plaintiffs could not establish a key element of their breach of contract claim, namely, that both parties understood and intended that a portion of the purchase price for the toys would be allocated to protecting personal information collected through the online service.

Overpayment for Data Security can be an Injury-in-Fact

The court denied VTech’s arguments as to standing. 

The court observed that economic injury can result “from being given a different, less valuable product than the one that was promised and paid for,” and that such an injury meets Article III’s injury-in-fact requirement. By alleging such an injury—one consisting of overpayment for VTech’s toys and the associated online services—the plaintiffs had satisfied Article III’s injury-in-fact requirement.

The court also noted, however, that whether an injury-in-fact had been sufficiently alleged was separate and distinct from whether the complaint plausibly stated a claim that would entitle the plaintiffs to recover damages. 

But the Plaintiffs Didn’t Pay for Data Security

Turning to that question, the court acknowledged the parties’ disagreement as to what the purchase contract included, but held that VTech had the better of that argument. To that end, it agreed with VTech that “there is a difference between selling a product that combines both a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” 

The court then concluded that VTech had done the latter. To support that conclusion, the court observed that the toys functioned without the online services. In addition, the online-services terms did not suggest that the plaintiffs “purchased” the online services, or that the parties intended to incorporate those terms into the purchase contract for the toys. 

The court thus held that the plaintiffs had failed to show that both parties understood a portion of the purchase price for the toys would be allocated to the protection of personal information submitted through the online services. 

The court concluded this failure was fatal to the plaintiffs’ breach of contract claim, and granted VTech’s motion to dismiss.

Implications for the Data Breach Litigants

VTech contains some important lessons for data breach litigants.

First, it suggests that overpayment theories can succeed where other injury theories have failed, provided that a plaintiff plausibly alleges some connection between a purchased product or service itself and a defendant’s data-security duties.

It also confirms, however, that claims premised on an overpayment theory of damages remain vulnerable to challenge under Rule 12(b)(6). That’s especially true if a defendant can show that terms of service that include data-security promises are not part of a purchase transaction, but rather a separate and distinct event for which it does not collect any payment at all.  

Author: Alex Pearce

61 Million Reasons to Carefully Oversee Your Third-Party Marketer?

As we’ve mentioned before, federal privacy statutes that permit lawsuits and award automatic damages can be a fertile source of consumer class action litigation.

The Telephone Consumer Protection Act (TCPA) fits this bill.  Under the TCPA, telemarketers cannot call residential phone numbers on the National Do Not Call Registry. A TCPA  violation results in statutory damages of up to $500 per unlawful call. Those damages can be trebled if the defendant knowingly or willfully violated the act. 

The consequences of willful TCPA violations were on full display in Krakauer v. Dish Network, a recent case in the Middle District of North Carolina. Krakauer is notable both because it presents a rare example of a federal civil case proceeding to a jury trial, and because it resulted in a $61 million treble damages award.

Krakauer is particularly interesting because the defendant, Dish Network, did not even make the telemarketing calls at issue. Rather, those calls were made by a third party marketer that Dish Network hired to sell its satellite television programming.

The case thus turned on a key issue: when can a defendant be responsible for “knowing and willful” TCPA violations committed by a marketer acting on the defendant’s behalf?

Hello, is it Dish you’re looking for?

Krakauer concerned telemarketing calls made by Satellite Systems Network, a marketer that Dish hired to sell Dish’s satellite television programming and related services. The class action complaint alleged that Satellite made thousands of calls to individuals who registered their numbers on the Do Not Call Registry. The plaintiffs alleged that Dish should be liable for those TCPA violations. They sought statutory damages for each call, and sought to treble those damages for willful or knowing violations. 

After surviving a Spokeo-based standing challenge, and overcoming Dish’s summary judgment motion, the case proceeded to trial, where the plaintiffs presented evidence that showed that:

  • Dish’s agreement with Satellite gave Dish broad power to oversee and control Satellite’s telemarketing activities;
  • Dish received numerous complaints about Satellite’s telemarketing practices; and
  • Dish typically instructed Satellite to put complainants on Satellite’s internal do-not-call list and not to call them again, but didn’t do anything else.

The jury ruled against Dish. It found that Satellite acted as Dish’s agent in making over 51,000 calls to numbers on the Do Not Call Registry, and awarded statutory damages of $400 per call, for a total award of over $20 million.

The Court then considered whether to treble those damages. 

Can a principal be charged with “knowing and willful” conduct for TCPA violations committed by an agent?

The Court’s opinion on that issue evaluated whether the TCPA violations were “knowing or willful.” The Court first noted that existing case law didn’t specify whose conduct should be the focus of that inquiry in a case involving calls made by an agent: the agent’s or the principal’s.

The Court avoided deciding that issue, because it found that damages could be trebled whether the court focused on Satellite’s conduct and imputed it to Dish, or looked only at Dish’s own conduct. 

As to Dish’s own conduct, the court found the following factors established Dish’s willfulness:

  • Dish’s agreement with Satellite gave it “virtually unlimited rights to monitor” Satellite and “complete control” over Satellite’s telemarketing calls;
  • Dish was aware that Satellite had a history of TCPA violations, but failed to closely monitor the telemarketing it conducted on Dish’s behalf; and
  • Dish turned a “blind eye” to complaints that came to its attention, asking only that Satellite stop calling the specific person who complained.

This evidence, the Court concluded, showed that Dish’s TCPA compliance policy was “decidedly two-faced.”  “On paper,” said the Court, Dish had “committed to monitoring its marketers’ compliance with telemarketing laws and investigating complaints.”  Its failure to do so in practice, the Court concluded, showed that Dish “knew or should have known” that Satellite was violating the TCPA, but “cared about stopping complaints, not about achieving TCPA compliance.” 

The Court thus trebled the per-call damages from $400 to $1,200, leading to a total damages award of more than $61 million.

Lessons from Krakauer

Krakauer presents a conundrum for companies that seek to manage risk presented by third-party marketers. 

Given the stakes, those companies often insist on agreements that give them a high degree of control over the marketers’ activities, and extensive rights to monitor and enforce the marketers’ compliance with the TCPA. 

But Krakauer may create an incentive for companies to avoid including these terms in their agreements with vendors, lest they lead to a finding of willfulness when a marketer fails to live up to its TCPA duties. Indeed, the potential for that outcome was recently cited as a reason not to impose punitive damages on Dish in a separate TCPA enforcement action brought against the company by the Federal Trade Commission and four state attorneys general (including North Carolina’s) in the United States District Court for the Central District of Illinois. 

However a company chooses to address prospective TCPA compliance in its agreements with marketers, Krakauer makes clear that once it becomes aware of TCPA compliance issues presented by a marketer who makes calls on its behalf, the company ignores those issues at its peril. 

Author: Alex Pearce