Author Archives: Alex Pearce

The Proposed Overhaul of North Carolina’s Data-Breach Law Could Have Big-Time Consequences

One might expect N.C. Gen. Stat. § 75-1.1 to play a big role in data-breach litigation. The statute, after all, offers the prospect of treble damages and attorney fees. 

But, historically, it hasn’t. Only three decisions—from federal courts in 2009, 2014, and 2017—appear even to have considered 75-1.1 claims in the context of a data breach.

That all could change. Last week, North Carolina Attorney General Josh Stein and Republican state representative Jason Saine announced a plan to overhaul North Carolina’s data-breach law.

We’re still waiting to see the bill, but the announcement included a Fact Sheet with the proposed legislation’s key elements. Two of those elements caught my attention. 

First, the bill would meaningfully change the notification obligations imposed by North Carolina’s Identity Theft Protection Act,  N.C. Gen. Stat. § 75-60 et seq., on businesses that suffer a security breach:

  • The definition of “security breaches” for which notification is required would now include incidents of mere “access” to information—such as ransomware attacks like the one recently suffered by Mecklenburg County—regardless of whether they pose a material risk of harm to a consumer.
  • Businesses would be held to a strict 15-day deadline for notifying consumers and the Attorney General about a security breach.

Second, the bill would require businesses to implement and maintain reasonable security measures to protect individuals’ personal information against a security breach. The Fact Sheet doesn’t define those measures, other than to say that they must be “appropriate to the nature of personal information.”  Fifteen other states have passed similar laws.  

Here’s where section 75-1.1 comes into the picture: the proposed legislation would make any violation of this new affirmative data-security duty a per se violation of section 75-1.1. As I’ll discuss below, this could be a pretty big deal for data-breach litigants.

The Current and Limited Options for 75-1.1 Claims on Data Breaches

Not many data-breach plaintiffs bring 75-1.1 claims, and for good reason. Leaving aside the failure to notify consumers of a security breach (which under section 75-65(i) is an automatic 75-1.1 violation), there’s no obvious way to bring the failure to prevent a breach within section 75-1.1’s ambit.

At first blush, a deception theory might seem like a viable option. A plaintiff could allege that the business represented that it employed safeguards to protect the plaintiff’s personal information, but that those representations were misleading, because the safeguards were insufficient. A deception-based claim, however, would require actual and reasonable reliance on those security-related representations. This would be no small task given the growing body of 75-1.1 case law striking down deception-based 75-1.1 claims on the pleadings for failing to meet that threshold.

A direct-unfairness theory likely wouldn’t fare any better. A plaintiff could allege that a business’s failure to protect personal information is by itself an “unfair” practice, but courts have struggled to decide whether particular conduct is unfair enough to violate section 75-1.1. And although the theory finds some support in the data-security “common law” developed by the Federal Trade Commission, no court appears ever to have held that failing to protect personal information is unfair under section 75-1.1.

Deficient Data Security as Per Se 75-1.1 Violation?

The proposed legislation would give plaintiffs a third—and much easier—way to make out a 75-1.1 claim: a per se theory. According to the Fact Sheet, “[a] business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act.” 

The proposed legislation would therefore allow data-breach plaintiffs to bypass the difficult question of whether a business’s data security practices can give rise to 75-1.1 liability. The inquiry would instead be whether the business’s security procedures were reasonable and “appropriate to the nature of the information” it held. And that inquiry—which could require a fact-intensive consideration of the business’s security procedures and the nature of the security breach—would often not be susceptible to a motion to dismiss under Rule 12. 

The availability of a per se 75-1.1 claim could thus give data-breach plaintiffs a substantial strategic advantage. Defendants might often be forced to confront, from the outset, the prospect that a fact-finder will determine that their information-security programs failed to satisfy the amorphous “reasonable security” standard. And if the price of losing that battle is a treble damages award under section 75-1.1, many businesses would face increased pressure to settle early.

Troubled Waters Ahead for Data-Breach Defendants?

Without the bill text, it’s hard to say whether the proposed overhaul will lead to more data-breach lawsuits under section 75-1.1. Various factors could avoid or limit that result.

First, even if the proposed data-security requirement is adopted and violations are declared per se violative of 75-1.1, the General Assembly might nonetheless preclude a private right of action to enforce that 75-1.1 violation. Other states with similar data-security statutes—such as Arkansas, Florida, and Massachusetts—have followed this approach. Those states have limited enforcement to the state’s attorney general. 

Second, the General Assembly could allow a private right of action, but preclude or limit the availability of treble damages. This approach has precedent: North Carolina’s records disposal law, section 75-64, requires businesses to take “reasonable measures” to protect personal information “in connection with or after its disposal.” The statute makes a violation of that requirement a per se violation of section 75-1.1, but it also prohibits the trebling of damages where the violation was caused by the business’s “nonmanagerial employees . . . unless the business was negligent in the training, supervision or monitoring of those employees.” 

Finally, data-breach defendants will still have other defenses, including and especially those based on lack of injury-in-fact sufficient to establish standing and/or to state a claim. As we’ve discussed before, these “lack of injury” defenses can present a substantial hurdle for data-breach plaintiffs.

But if the reward for clearing that hurdle is automatic treble damages, plus the chance to get attorney fees, more plaintiffs might attempt the leap.

Defending Data-Breach Lawsuits Brought by Employees (Part 2 of 2)

Yesterday’s post examined Sackin v. TransPerfect, Inc., where an employer suffered a data breach involving its employees’ sensitive information. After the employees sued, a federal court in New York refused to dismiss claims based on theories of negligence and breach of contract. 

Today’s post examines another federal case with similar facts. In this case, however, the employer ultimately defeated the employees’ negligence and contract claims.

How did the defendant in this case achieve the result that TransPerfect could not?

Stolen Laptops and Identities

In Enslin v. The Coca-Cola Company, a rogue Coca-Cola employee stole fifty-five company laptops that contained the sensitive personal information of some 74,000 other current and former Coca-Cola employees. After discovering the theft, Coca-Cola notified those employees and offered them a one-year subscription to a credit-monitoring service.

Shane Enslin, a former Coca-Cola employee who received a notification letter, sued the company in Pennsylvania. Enslin alleged that he experienced various incidents of identity theft because of the breach, including fraudulent charges to his credit cards and bank accounts. His complaint, like the Sackin complaint, asserted claims for negligence and breach of express and implied contracts.

Coca-Cola’s Motion to Dismiss

Like TransPerfect in Sackin, Coca-Cola moved to dismiss those claims.

Coca-Cola first argued that the economic-loss doctrine barred Enslin’s negligence claim. That doctrine prevents plaintiffs from suing in negligence to recover economic damages that are unaccompanied by physical injury or property damage. According to Coca-Cola, Enslin’s negligence claim fell squarely within that rule.

In response, Enslin argued that his claims fell within Pennsylvania’s “special relationship” exception to the doctrine. Under that exception, the doctrine does not apply when a plaintiff and defendant are in a relationship that involves confidentiality, the repose of trust, or fiduciary responsibilities. His employment relationship with Coca-Cola, said Enslin, satisfied that test.

As to the contract claims, Coca-Cola argued that Enslin had failed to allege facts sufficient to establish that Coca-Cola had promised to safeguard his personal information. Without identifying any specific terms, Enslin had alleged only that “part of his employment contract” contained a “mutual exchange of consideration” that included Coca-Cola’s promise to secure his personal information.

Coca-Cola’s Mixed Success under Rule 12(b)(6)

In its decision partially granting Coca-Cola’s motion to dismiss, the court agreed with Coca-Cola that the economic loss rule barred Enslin’s negligence claim because Enslin sought only to recover economic damages. The court also concluded that Enslin could not avail himself of the “special relationship” exception, because his employment with Coca-Cola reflected an “arms-length business contract” rather than a relationship of trust and confidence.

The court refused, however, to dismiss Enslin’s contract claims. The court concluded that his allegations—general though they might be—included the essential elements to make out a claim: the existence of a contract, its essential terms, and a breach by Coca-Cola. Those allegations were enough to state a claim. 

Summary Judgment: Coca-Cola’s Formula to Defeat Enslin’s Contract Claims

Having lost the Rule 12(b)(6) battle to defeat Enslin’s contract claims, Coca-Cola arranged for a rematch under Rule 56.

Following discovery, Coca-Cola moved for summary judgment on the contract claims. Coca-Cola argued that the evidence showed Coca-Cola never agreed—expressly or implicitly—to protect Enslin’s personal information.

In response, Enslin pointed to Coca-Cola’s code of conduct. The code included an “Employee Records” section in which Coca-Cola made certain representations about how it would collect and use employees’ information:

The Company will safeguard the confidentiality of employee records by advising employees of all personnel files maintained on them, collecting only data related to the purpose for which the files were established and allowing those authorized to use a file to do so only for legitimate Company purposes.

This provision, argued Enslin, along with the company’s information technology policies and Enslin’s employment application, established a contract that bound Coca-Cola to protect his personal information.

The court disagreed. Its decision granting Coca-Cola’s summary judgment motion found that the code of conduct was binding on the company and enforceable by Enslin. But the Court did not read the code to establish a general contractual duty to safeguard his personal information.

To that end, the court observed that the “Employee Records” provision of the code carefully limited the scope of Coca-Cola’s responsibilities to three specific duties:

  • advising employees of the personnel files maintained on them;
  • collecting only data relevant to the purpose for which the files were established; and
  • allowing use of the files only for legitimate company purposes.

The code’s recitation of those three specific duties, concluded the court, demonstrated that Coca-Cola had not expressly agreed to take on “a sweeping contractual duty” to safeguard Enslin’s information against criminal misappropriation. 

The court also concluded that Enslin could not establish an implied contract to take on that broad duty. Under Pennsylvania law, the court observed, a contract cannot be implied in fact if an express contract covers the same subject matter. 

But even if the code of conduct did not amount to an express contract, the court would still decline to imply one. That type of agreement could only be implied if the circumstances showed a common understanding that Coca-Cola intentionally took on a duty to protect Enslin’s personal information.

Unlike the Sackin court, the Enslin court refused to make that inference. 

Instead, the court concluded that, at most, employers may have an implied contractual duty not to directly disclose employees’ personal information to third parties, or to use it for non-business purposes. But the “common-sense understanding” of this duty would not include safeguarding that information against malicious third parties. That was especially true in this case, reasoned the court, where Coca-Cola’s code of conduct showed it intended to avoid taking on that broader duty.

The court therefore granted Coca-Cola’s motion for summary judgment on both of Enslin’s contract claims.

A Path to Defeating Employees’ Negligence and Contract Claims?

The Enslin decisions contain some important lessons for companies involved in employee data-breach litigation.

First, the economic loss doctrine (which we’ve previously noted can provide a potent defense in business-to-business litigation), can also provide a defense against employee data-breach claims sounding in negligence.

Second, the case confirms that defeating contract-based claims will be difficult under Rule 12(b)(6). As we saw in Sackin, allegations premised on the employment relationship—even when seemingly conclusory—can survive motions to dismiss so long as they address the essential claim elements.   

Third, however, Enslin offers a potential path for defeating breach of contract claims under Rule 56. But the foundation must be laid well before a data breach occurs. To that end, employers should carefully draft their employment agreements, codes of conduct, and internal policies to avoid making unnecessarily broad commitments to secure employees’ personal information.

When the company’s data-security duties are expressly limited in those documents, Enslin suggests they can serve as a shield against employees’ express and implied contract claims.

Author: Alex Pearce

Defending Data-Breach Lawsuits Brought by Employees (Part 1 of 2)

As we’ve previously discussed, companies are often sued by their customers and business partners after a data breach. Another increasingly common source of data-breach litigation comes from within: companies’ own employees.    

That’s because almost every business collects social security numbers, bank account information, and other sensitive personal information to administer the employment relationship. Cyber-criminals know this and choose their targets accordingly. And when their attacks succeed, affected employees are prone to sue.

Two especially common theories of liability in these cases are negligence and breach of contract.  This two-part series of posts examines two recent federal court cases—one from New York and one from Pennsylvania—that show how courts deal with these types of claims.

A Phishing Attack Exploits Imperfect Data Security

In Sackin v. TransPerfect Global, Inc., a case from the United States District Court for the Southern District of New York, TransPerfect’s human resources department fell victim to a popular scheme known as “W-2 phishing.” In this scheme, criminals posing as a company executive send an email to unwitting personnel at the company and ask for copies of all employees’ W-2 tax forms.
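The scheme described above is a form of business email compromise, and the controls that catch it are mostly header checks rather than anything exotic. The following is an added example, not code from the original post and not anything TransPerfect ran: a small triage check that flags a message asking for W-2 or payroll data when the sender displays an executive’s name from an address that is not that executive’s, uses a Reply-To that differs from the From address, comes from a lookalike domain, or claims to be internal while failing SPF/DMARC. The company domain, executive list, header layout, and the two sample messages are all constructed for the example.

```python
"""W-2 phishing (executive-impersonation) triage check.

Added example for illustration only. It assumes a mail gateway or SIEM hands us
already-parsed headers as a dict with lower-case keys; the domain, executives and
sample messages below are hypothetical.
"""
import re
from email.utils import parseaddr

# Hypothetical: the company's own domain and the executives attackers like to impersonate.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}

# Phrases typical of a W-2 / payroll data request (constructed list, not exhaustive).
W2_PATTERNS = re.compile(r"\b(w-?2s?|payroll|tax forms?|ssns?|social security)\b", re.I)


def assess_message(headers: dict, body: str) -> dict:
    """Return a triage verdict for one message.

    findings   - list of header anomalies that suggest impersonation
    w2_request - True if the subject/body asks for W-2 or payroll data
    hold       - True if the message both asks for that data and looks impersonated
    """
    display, addr = parseaddr(headers.get("from", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    display_key = re.sub(r"[^a-z ]", "", display.lower()).strip()
    findings = []

    # 1. Display name matches an executive, but the address is not that executive's.
    if display_key in EXECUTIVES and addr != EXECUTIVES[display_key]:
        findings.append("display-name impersonation of executive")

    # 2. Reply-To steers replies somewhere other than the From address.
    _, reply_to = parseaddr(headers.get("reply-to", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("reply-to mismatch")

    # 3. Claims to be internal but failed SPF or DMARC (assumes an
    #    Authentication-Results header added by our own MX).
    auth = headers.get("authentication-results", "").lower()
    if domain == INTERNAL_DOMAIN and ("spf=fail" in auth or "dmarc=fail" in auth):
        findings.append("internal sender failed SPF/DMARC")

    # 4. Lookalike domain: contains our brand label but is not our domain.
    brand = INTERNAL_DOMAIN.split(".")[0]
    if domain and domain != INTERNAL_DOMAIN and brand in domain:
        findings.append("lookalike domain")

    w2_request = bool(W2_PATTERNS.search(headers.get("subject", "") + " " + body))
    return {"findings": findings, "w2_request": w2_request,
            "hold": w2_request and bool(findings)}


# Constructed sample messages (not real mail).
PHISH_HEADERS = {
    "from": "Jane Doe <jane.doe@example.co>",
    "reply-to": "ceo.office@mail-example.net",
    "subject": "Urgent: W-2s for all employees",
    "authentication-results": "mx.example.com; spf=pass smtp.mailfrom=example.co",
}
PHISH_BODY = "Can you send me the W-2 forms for all staff as a PDF before my 2pm call?"

LEGIT_HEADERS = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "Board deck",
    "authentication-results": "mx.example.com; spf=pass dmarc=pass",
}
LEGIT_BODY = "Please send me the latest board deck when you have a minute."

if __name__ == "__main__":
    for label, h, b in (("phish", PHISH_HEADERS, PHISH_BODY),
                        ("legit", LEGIT_HEADERS, LEGIT_BODY)):
        print(label, assess_message(h, b))
```

The point of the `hold` flag is that none of the header anomalies alone should block mail; the combination of an impersonation signal and a request for payroll data is what justifies quarantining the message and routing it to a human, which is the control the employee in Sackin did not have.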

A TransPerfect employee received and complied with one of these requests. The employee sent thousands of current and former employees’ W-2 forms and other payroll data to an unidentified attacker. As a result, the criminals obtained employees’ names, addresses, social security numbers, and banking information.

A group of employees sued TransPerfect after being notified of the breach. They alleged that the release of their information was caused by TransPerfect’s failure to properly train its employees on data security and to maintain appropriate security controls. Their complaint asserted a claim for common-law negligence. It also asserted, based on the employment relationship between the employees and TransPerfect, claims for breach of express and implied contract.  

TransPerfect moved to dismiss those claims under Rule 12(b)(6). It argued that the employees’ negligence claim failed because TransPerfect had no common-law duty to protect their personal information against third-party criminals. TransPerfect also argued that the contract claims failed because employees hadn’t sufficiently alleged that TransPerfect had promised—explicitly or implicitly—to secure and protect their personal information.

A Common-Law Duty to Protect Employees’ Personal Data?

As to the negligence claim, the court first observed that under New York law, whether a defendant owes a duty to a plaintiff depends on a variety of factors:

  • the relationship of the parties,
  • which party is best positioned to avoid the harm,
  • the public policy served by the presence of a duty, and
  • the foreseeability of the harm if the duty is breached.

Those factors, the court concluded, supported imposing a common-law duty on employers to take reasonable precautions to protect employees’ personal information. 

Employees, the court observed, cannot usually choose to withhold their information from an employer. They also have no means to protect that information in the employer’s hands, and they alone suffer the harmful consequences if the employer fails to protect it. Looking to public policy, the court also observed that the prospect of liability would provide employers with an economic incentive to protect employees’ information from the threat of cyberattacks.

Having determined that TransPerfect had a duty to protect its employees’ information, the court then concluded that employees had sufficiently alleged that TransPerfect was aware of and violated that duty.  TransPerfect’s own website, the court observed, showed it recognized the risks of sending sensitive personal information by email. That website warned visitors to “never send” sensitive information by email because email is “generally not secure” and “vulnerable to hacking.” Despite that knowledge, the employees alleged, TransPerfect failed to prevent the emailing of their sensitive information to the criminals.

The court therefore denied TransPerfect’s motion to dismiss the negligence claim.

An Agreement to Secure Employees’ Personal Data?

As to the contract claims, the court first agreed with TransPerfect that the employees had failed to sufficiently allege an express contract that would bind TransPerfect to protect their personal information. 

Simply alleging that their employment contracts “involved a mutual exchange of consideration” that included TransPerfect’s promise to provide employment and secure their personal information, without more, was not sufficient. 

Nevertheless, the court found that the employees had plausibly alleged the existence and breach of an implied contract to that effect. The court observed that TransPerfect required employees to provide their personal information and was generally aware of the cybersecurity risks it faced. These factors, the court concluded, showed an implicit promise by TransPerfect to safeguard that information: 

While TransPerfect may not have explicitly promised to protect [personal information] from hackers in Plaintiffs’ employment contracts, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.

The court therefore allowed the employees’ implied-contract claim to proceed.

Smooth Sailing for Employee Negligence and Contract Claims?

Sackin suggests that, because of the nature of the employment relationship, courts may be particularly inclined to find a duty on the part of employers to protect their employees’ personal information. 

In that relationship, employees have little choice but to turn over their personal information.  And so, the logic goes, employees can expect the employer to protect that information—especially when the allegations show that an employer is aware of the risks associated with collecting and storing it.

Given that reasoning, might companies still be able to defeat these types of claims? 

Tomorrow’s post will examine a case in which a company did just that.

Author: Alex Pearce