
The Proposed Overhaul of North Carolina’s Data-Breach Law Could Have Big-Time Consequences

One might expect N.C. Gen. Stat. § 75-1.1 to play a big role in data-breach litigation. The statute, after all, offers the prospect of treble damages and attorney fees. 

But, historically, it hasn’t. Only three decisions—from federal courts in 2009, 2014, and 2017—appear even to have considered 75-1.1 claims in the context of a data breach.

That all could change. Last week, North Carolina Attorney General Josh Stein and Republican state representative Jason Saine announced a plan to overhaul North Carolina’s data-breach law.

We’re still waiting to see the bill, but the announcement included a Fact Sheet with the proposed legislation’s key elements. Two of those elements caught my attention. 

First, the bill would meaningfully change the notification obligations imposed by North Carolina’s Identity Theft Protection Act, N.C. Gen. Stat. § 75-60 et seq., on businesses that suffer a security breach:

  • The definition of “security breaches” for which notification is required would now include incidents of mere “access” to information—such as ransomware attacks like the one recently suffered by Mecklenburg County—regardless of whether they pose a material risk of harm to a consumer.
  • Businesses would be held to a strict 15-day deadline for notifying consumers and the Attorney General about a security breach.

Second, the bill would require businesses to implement and maintain reasonable security measures to protect individuals’ personal information against a security breach. The Fact Sheet doesn’t define those measures, other than to say that they must be “appropriate to the nature of personal information.” Fifteen other states have passed similar laws.

Here’s where section 75-1.1 comes into the picture: the proposed legislation would make any violation of this new affirmative data-security duty a per se violation of section 75-1.1. As I’ll discuss below, this could be a pretty big deal for data-breach litigants.

The Current and Limited Options for 75-1.1 Claims on Data Breaches

Not many data-breach plaintiffs bring 75-1.1 claims, and for good reason. Leaving aside the failure to notify consumers of a security breach (which under section 75-65(i) is an automatic 75-1.1 violation), there’s no obvious way to bring the failure to prevent a breach within section 75-1.1’s ambit.

At first blush, a deception theory might seem like a viable option. A plaintiff could allege that the business represented that it employed safeguards to protect the plaintiff’s personal information, but that those representations were misleading, because the safeguards were insufficient. A deception-based claim, however, would require actual and reasonable reliance on those security-related representations. This would be no small task given the growing body of 75-1.1 case law striking down deception-based 75-1.1 claims on the pleadings for failing to meet that threshold.

A direct-unfairness theory likely wouldn’t fare any better. A plaintiff could allege that a business’s failure to protect personal information is by itself an “unfair” practice, but courts have struggled to decide whether particular conduct is unfair enough to violate section 75-1.1. And although the theory finds some support in the data-security “common law” developed by the Federal Trade Commission, no court appears ever to have held that failing to protect personal information is unfair under section 75-1.1.

Deficient Data Security as Per Se 75-1.1 Violation?

The proposed legislation would give plaintiffs a third—and much easier—way to make out a 75-1.1 claim: a per se theory. According to the Fact Sheet, “[a] business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act.” 

The proposed legislation would therefore allow data-breach plaintiffs to bypass the difficult question of whether a business’s data security practices can give rise to 75-1.1 liability. The inquiry would instead be whether the business’s security procedures were reasonable and “appropriate to the nature of the information” it held. And that inquiry—which could require a fact-intensive consideration of the business’s security procedures and the nature of the security breach—would often not be susceptible to a motion to dismiss under Rule 12. 

The availability of a per se 75-1.1 claim could thus give data-breach plaintiffs a substantial strategic advantage. Defendants might often be forced to confront, from the outset, the prospect that a fact-finder will determine that their information-security programs failed to satisfy the amorphous “reasonable security” standard. And if the price of losing that battle is a treble damages award under section 75-1.1, many businesses would face increased pressure to settle early.

Troubled Waters Ahead for Data-Breach Defendants?

Without the bill text, it’s hard to say whether the proposed overhaul will lead to more data-breach lawsuits under section 75-1.1. Various factors could avoid or limit that result.

First, even if the proposed data-security requirement is adopted and violations are declared per se violative of 75-1.1, the General Assembly might nonetheless preclude a private right of action to enforce that 75-1.1 violation. Other states with similar data-security statutes—such as Arkansas, Florida, and Massachusetts—have followed this approach. Those states have limited enforcement to the state’s attorney general. 

Second, the General Assembly could allow a private right of action, but preclude or limit the availability of treble damages. This approach has precedent: North Carolina’s records disposal law, section 75-64, requires businesses to take “reasonable measures” to protect personal information “in connection with or after its disposal.” The statute makes a violation of that requirement a per se violation of section 75-1.1, but it also prohibits the trebling of damages where the violation was caused by the business’s “nonmanagerial employees . . . unless the business was negligent in the training, supervision or monitoring of those employees.” 

Finally, data-breach defendants will still have other defenses, including and especially those based on lack of injury-in-fact sufficient to establish standing and/or to state a claim. As we’ve discussed before, these “lack of injury” defenses can present a substantial hurdle for data-breach plaintiffs.

But if the reward for clearing that hurdle is automatic treble damages, plus the chance to get attorney fees, more plaintiffs might attempt the leap.

Does Misappropriation of Trade Secrets by a Former Employee Constitute a Per Se Violation of Section 75-1.1?

As we have explored, a party that tries to prove a violation of N.C. Gen. Stat. § 75-1.1 in connection with an employment matter faces some serious obstacles.

A recent decision from the U.S. District Court for the Western District of North Carolina analyzes one of these obstacles. In Legacy Data Access, LLC v. Mediquant, Inc., Chief Judge Frank D. Whitney examined an important issue in 75-1.1 jurisprudence that arises regularly in departing-employee matters: does the misappropriation of trade secrets constitute a per se violation of section 75-1.1?

This post studies Judge Whitney’s analysis. (His opinion also assesses another important issue on the law of section 75-1.1: the application of the statute to the conduct of a departing employee and his new employer. We will explore this aspect of the opinion in a later post.)

An Employee Joins a Competitor—at a Price of $600,000

William Rowland worked for Legacy Data Access until he resigned to join Mediquant. Legacy believed that Rowland took trade secrets and clients with him.

Legacy then sued Mediquant. The lawsuit included a claim for trade-secret misappropriation under the North Carolina Trade Secrets Protection Act, as well as an alleged violation of section 75-1.1.

After a six-day trial, Legacy largely prevailed. The jury awarded Legacy $600,000 on the trade-secret claim. Legacy also prevailed on the 75-1.1 claim, but it received only nominal damages of $1.

Legacy and Mediquant filed post-trial motions—including motions to amend the judgment on the 75-1.1 claim:

  • Legacy argued that a misappropriation of trade secrets is a per se violation of section 75-1.1. That conclusion would call for the $600,000 award to be trebled.
  • Mediquant argued that Legacy had not proven a violation of section 75-1.1. In particular, Mediquant argued that the jury’s finding that Mediquant had employed Rowland—when Mediquant knew that Rowland was violating his restrictive covenants with Legacy—did not give rise to 75-1.1 liability. We will explore this aspect of the case in a later post.

Judge Whitney considered both motions, but ultimately left the verdict untouched.

Are Per Se Violations the Exception?

The North Carolina Supreme Court has not addressed whether a violation of the Trade Secrets Act is a per se violation of section 75-1.1. In view of this void, Judge Whitney turned to other Supreme Court decisions that assessed arguments for 75-1.1 per se liability based on the violation of some statute:

  • In Winston Realty Co. v. G.H.G., Inc., the Court treated the violation of a statute designed to regulate the actions of employment agencies as a per se violation of section 75-1.1.
  • Similarly, in Pearce v. American Defender Life Insurance Co., the Court concluded that violations of a statute designed to define unfair or deceptive trade practices in the insurance industry also amounted to violations of section 75-1.1.
  • Judge Whitney also noted the Court’s recent refusal in Walker v. Fleetwood Homes of North Carolina to treat the violation of a licensing regulation under the North Carolina Administrative Code as a per se violation of section 75-1.1.

Having reviewed these cases, Judge Whitney concluded that a violation of the Trade Secrets Act does not establish a per se unfair or deceptive trade practice. He noted that the Trade Secrets Act has several features that the relevant statutes in Winston and Pearce did not have. 

First, the Trade Secrets Act contains a private right of action. The Trade Secrets Act also allows violations even where the violator has acted by mistake or in good faith. Judge Whitney further noted that the Trade Secrets Act protects property rights, while the statutes in Winston and Pearce were designed to protect consumers.

Perhaps most importantly, Judge Whitney understood Walker to reflect that the law on section 75-1.1 disfavors per se violations. Judge Whitney viewed the Walker Court’s refusal to find a per se violation as an indication that the Supreme Court “is not inclined to recognize violations of regulations or statutes as ‘unfair or deceptive trade practices’ as a matter of law.”

Finally, Judge Whitney examined decisions of the North Carolina Court of Appeals regarding the relationship between a misappropriation of trade secrets and 75-1.1 liability. In Medical Staffing Network v. Ridgway, the Court of Appeals stated that a “violation of the Trade Secrets Protection Act constitutes an unfair act or practice.” In its decision in Drouillard v. Keister Williams Newspaper Services, Inc., however, the Court of Appeals concluded that a violation of the Trade Secrets Act does not automatically violate section 75-1.1. These cases, Judge Whitney explained, suggest there is no per se rule that a violation of the Trade Secrets Act also violates section 75-1.1.

Having determined that a violation of the Trade Secrets Act does not automatically violate section 75-1.1, Judge Whitney considered whether any of the jury’s other findings nevertheless demonstrated that the misappropriation here was an unfair and deceptive trade practice. The only other finding available to Judge Whitney was the jury’s damages number of $600,000. Judge Whitney concluded that the damages alone did not suggest that the conduct fit within the intended reach of section 75-1.1. Thus, the misappropriation of trade secrets did not establish an unfair or deceptive trade practice.

The Evolution of Per Se Theories

For a litigant who seeks to impose 75-1.1 liability under a per se theory, the decision in Legacy Data reveals the types of arguments that the litigant will likely face. These arguments may rely on (1) appellate decisions on per se liability, (2) the relevant statutory language, and (3) the purpose of the statute that serves as the predicate violation.

Legacy Data also serves as a reminder of the varying law on per se liability. Matt Sawchak—this blog’s founder, and the current North Carolina Solicitor General—recently prepared an in-depth analysis of this area of 75-1.1 law in the North Carolina Law Review.

This article, and Legacy Data, are important reads for North Carolina business litigators.

Author: Jeremy Falcone

Defending Data-Breach Lawsuits Brought by Employees (Part 2 of 2)

Yesterday’s post examined Sackin v. TransPerfect, Inc., where an employer suffered a data breach involving its employees’ sensitive information. After the employees sued, a federal court in New York refused to dismiss claims based on theories of negligence and breach of contract. 

Today’s post examines another federal case with similar facts. In this case, however, the employer ultimately defeated the employees’ negligence and contract claims.

How did the defendant in this case achieve the result that TransPerfect could not?

Stolen Laptops and Identities

In Enslin v. The Coca-Cola Company, a rogue Coca-Cola employee stole fifty-five company laptops that contained the sensitive personal information of some 74,000 other current and former Coca-Cola employees. After discovering the theft, Coca-Cola notified those employees and offered them a one-year subscription to a credit-monitoring service.

Shane Enslin, a former Coca-Cola employee who received a notification letter, sued the company in Pennsylvania. Enslin alleged that he experienced various incidents of identity theft because of the breach, including fraudulent charges to his credit cards and bank accounts. His complaint, like the Sackin complaint, asserted claims for negligence and breach of express and implied contracts.

Coca-Cola’s Motion to Dismiss

Like TransPerfect in Sackin, Coca-Cola moved to dismiss those claims.

Coca-Cola first argued that the economic-loss doctrine barred Enslin’s negligence claim. That doctrine prevents plaintiffs from suing in negligence to recover economic damages that are unaccompanied by physical injury or property damage. According to Coca-Cola, Enslin’s negligence claim fell squarely within that rule.

In response, Enslin argued that his claims fell within Pennsylvania’s “special relationship” exception to the doctrine. Under that exception, the doctrine does not apply when a plaintiff and defendant are in a relationship that involves confidentiality, the repose of trust, or fiduciary responsibilities. His employment relationship with Coca-Cola, said Enslin, satisfied that test.

As to the contract claims, Coca-Cola argued that Enslin had failed to allege facts sufficient to establish that Coca-Cola had promised to safeguard his personal information. Without identifying any specific terms, Enslin had alleged only that “part of his employment contract” contained a “mutual exchange of consideration” that included Coca-Cola’s promise to secure his personal information.

Coca-Cola’s Mixed Success under Rule 12(b)(6)

In its decision partially granting Coca-Cola’s motion to dismiss, the court agreed with Coca-Cola that the economic loss rule barred Enslin’s negligence claim because Enslin sought only to recover economic damages. The court also concluded that Enslin could not avail himself of the “special relationship” exception, because his employment with Coca-Cola reflected an “arms-length business contract” rather than a relationship of trust and confidence.

The court refused, however, to dismiss Enslin’s contract claims. The court concluded that his allegations—general though they might be—included the essential elements to make out a claim: the existence of a contract, its essential terms, and a breach by Coca-Cola. Those allegations were enough to state a claim. 

Summary Judgment: Coca-Cola’s Formula to Defeat Enslin’s Contract Claims

Having lost the Rule 12(b)(6) battle to defeat Enslin’s contract claims, Coca-Cola arranged for a rematch under Rule 56.

Following discovery, Coca-Cola moved for summary judgment on the contract claims. Coca-Cola argued that the evidence showed Coca-Cola never agreed—expressly or implicitly—to protect Enslin’s personal information.

In response, Enslin pointed to Coca-Cola’s code of conduct. The code included an “Employee Records” section in which Coca-Cola made certain representations about how it would collect and use employees’ information:

The Company will safeguard the confidentiality of employee records by advising employees of all personnel files maintained on them, collecting only data related to the purpose for which the files were established and allowing those authorized to use a file to do so only for legitimate Company purposes.

This provision, argued Enslin, along with the company’s information technology policies and Enslin’s employment application, established a contract that bound Coca-Cola to protect his personal information.

The court disagreed. Its decision granting Coca-Cola’s summary judgment motion found that the code of conduct was binding on the company and enforceable by Enslin. But the court did not read the code to establish a general contractual duty to safeguard his personal information.

To that end, the court observed that the “Employee Records” provision of the code carefully limited the scope of Coca-Cola’s responsibilities to three specific duties:

  • advising employees of the personnel files maintained on them;
  • collecting only data relevant to the purpose for which the files were established; and
  • allowing use of the files only for legitimate company purposes.

The code’s recitation of those three specific duties, concluded the court, demonstrated that Coca-Cola had not expressly agreed to take on “a sweeping contractual duty” to safeguard Enslin’s information against criminal misappropriation. 

The court also concluded that Enslin could not establish an implied contract to take on that broad duty. Under Pennsylvania law, the court observed, a contract cannot be implied in fact if an express contract covers the same subject matter. 

But even if the code of conduct did not amount to an express contract, the court would still decline to imply one. That type of agreement could only be implied if the circumstances showed a common understanding that Coca-Cola intentionally took on a duty to protect Enslin’s personal information.

Unlike the Sackin court, the Enslin court refused to make that inference. 

Instead, the court concluded that, at most, employers may have an implied contractual duty not to directly disclose employees’ personal information to third parties, or to use it for non-business purposes. But the “common-sense understanding” of this duty would not include safeguarding that information against malicious third parties. That was especially true in this case, reasoned the court, where Coca-Cola’s code of conduct showed it intended to avoid taking on that broader duty.

The court therefore granted Coca-Cola’s motion for summary judgment on both of Enslin’s contract claims.

A Path to Defeating Employees’ Negligence and Contract Claims?

The Enslin decisions contain some important lessons for companies involved in employee data-breach litigation.

First, the economic loss doctrine (which we’ve previously noted can provide a potent defense in business-to-business litigation) can also provide a defense against employee data-breach claims sounding in negligence.

Second, the case confirms that defeating contract-based claims will be difficult under Rule 12(b)(6). As we saw in Sackin, allegations premised on the employment relationship—even when seemingly conclusory—can survive motions to dismiss so long as they address the essential claim elements.   

Third, however, Enslin offers a potential path for defeating breach of contract claims under Rule 56. But the foundation must be laid well before a data breach occurs. To that end, employers should carefully draft their employment agreements, codes of conduct, and internal policies to avoid making unnecessarily broad commitments to secure employees’ personal information.

When the company’s data-security duties are expressly limited in those documents, Enslin suggests they can serve as a shield against employees’ express and implied contract claims.

Author: Alex Pearce