Category Archives: Unfair Trade Practices

How a Potent Defense Can Stifle Data-Breach Lawsuits by Businesses

Consumers aren’t the only plaintiffs in data-breach litigation. Businesses sue, too.

When they do sue, businesses can be strong plaintiffs. This is because, unlike consumers, businesses usually can establish standing, since they’re more likely to have suffered direct financial loses that can be readily identified.  

This doesn’t mean, however, that a data-breach business plaintiff can waltz untouched through the Rule 12(b)(6) stage.

Instead, a business plaintiff must overcome a different defense: the economic-loss rule.  That rule prevents plaintiffs who suffer economic losses stemming from a contract from trying to recover those losses through non-contract claims. 

A recent decision from a federal court in Colorado involving one of my kids’ favorite mac-and-cheese spots shows how the economic-loss rule can apply when one business sues another over a data breach. This post studies that decision.

A Cyberattack Compromises Diners’ Payment Card Data

SELCO Community Credit Union v Noodles & Company concerns a cyberattack on the Noodles & Company restaurant chain that compromised customers’ credit and debit card information. The plaintiffs were not consumers, but instead credit unions whose cardholders dined at Noodles and whose information was compromised. They sued Noodles for failing to prevent the breach. 

According to the credit unions, Noodles breached a common-law duty to protect its customers’ payment card information by failing to implement industry-standard data-security measures. The credit unions alleged that this breach caused them damages, including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

The credit union brought tort claims—all based on theories of negligence—against Noodles. Noodles filed a motion to dismiss based on the economic-loss rule, pointing to agreements it and the plaintiffs had entered as participants in the payment-card-processing ecosystem.   

The Payment Card Ecosystem: A Chain of Interrelated Contracts

The court provided the following diagram to explain this ecosystem:


In its motion, Noodles observed that each actor in this ecosystem signed an agreement with at least one other actor in which it agreed to follow rules issued by the bank-card associations. Importantly, the agreements required merchants to maintain a certain level of security for payment-card data—including compliance with a set of detailed best practices for data security in the payment-card industry called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and responsibilities in the event of a cyberattack. More specifically, the agreements called for the credit unions to guarantee cardholders zero liability for fraudulent transactions. The credit unions, in turn, could partially recover their losses through a loss-shifting scheme managed by the bank-card associations.

According to Noodles, this arrangement reflected “a series of determinations by several sophisticated commercial entities about how the risk of fraudulent transactions should be allocated in the payment card networks.” Noodles accused the credit unions of trying to re-allocate that risk—and violating the economic-loss rule—by bringing tort claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, they argued that Noodles owed them a common-law duty to secure payment-card data and to prevent foreseeable harm to cardholders. This duty, they urged, was separate and distinct from any contract-based duty to comply with PCI DSS. The credit unions made this argument to try to shoehorn their claims into what’s known as the “independent duty” exception to the economic-loss rule.

Second, the credit unions argued that the economic-loss rule should not apply because the credit unions had no contract with Noodles. Thus, the credit unions argued, they never had the chance to “reliably allocate risks and costs” with Noodles.  

The Court’s Decision

The court, like my children, sided with Noodles.

On the independent-duty argument, the court concluded that each duty that Noodles allegedly breached was bound up in the agreements to comply with the bank-card association rules and PCI DSS. Even if Noodles might also have had a common law duty to protect payment card data from a cyberattack, that duty could not be considered “independent of a contract that memorialize[d] it.”

The fact that the credit unions never contracted directly with Noodles had no analytical impact. In the court’s view, the economic-loss rule does not mandate a one-to-one contract relationship. Instead, the court reasoned, the rule asks whether a plaintiff had “the opportunity to bargain and define their rights and remedies, or to decline to enter into the contractual relationship.” The credit unions had that chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield against attempts—including and especially by businesses—to make end-runs around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they rely imposes relevant data-security obligations. Doing so requires that the obligations be clearly defined—well before litigation arises—in any contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a recognized best practice for information-security risk management.  But as SELCO demonstrates, this type of clarity can also lay the groundwork for deploying the economic-loss rule against lawsuits arising from a successful cyberattack. 

Author: Alex Pearce

Failure to Hold Back Settlement Funds Subject to a Medical Lien Can Expose an Insurer to Treble Damages

A court’s decision to impose liability for committing an unfair or deceptive trade practice in a particular case may have wide-ranging implications—even when the amount in dispute in the matter itself is relatively minor.

Such is the case in Nash Hospitals, Inc. v. State Farm Mutual Automobile Insurance, Co., a recent decision by the North Carolina Court of Appeals.

In Nash, the Court of Appeals concluded that State Farm committed an unfair and deceptive trade practice in its handling of the disbursement of settlement proceeds subject to a medical lien. Although the matter arose over a hospital bill of only $757, the reasoning and holding in Nash could have broader implications for how insurers handle personal injury settlements.

State Farm settles without notifying the hospital

Jessica Whitaker was injured in an automobile accident caused by another driver. She incurred medical expenses with Nash Hospitals and two other healthcare providers following the accident.

State Farm insured the culpable driver. State Farm negotiated a settlement with Ms. Whitaker to pay a substantial portion of her medical expenses. Ms. Whitaker did not involve counsel in those negotiations.

State Farm sent a check to Ms. Whitaker for the negotiated settlement amount. The check was jointly payable to Ms. Whitaker, Nash Hospitals, and the other medical providers. Ms. Whitaker was unable to cash the check because it required the endorsement of the co-payees.

North Carolina law grants hospitals and medical providers with certain statutory rights to assert an interest in the personal injury recoveries of their patients. These statutory rights are commonly referred to as medical liens. Pursuant to N.C. Gen. Stat. § 44-50, Nash Hospitals possessed a medical lien on Ms. Whitaker’s settlement proceeds pro rata with the other healthcare providers. Under the statute, the lienholders’ recovery was capped at 50% of the total settlement. 

Nash Hospitals notified State Farm of its medical lien prior to the settlement. State Farm did not notify Nash Hospitals, however, that it had reached a settlement with Ms. Whitaker.

Nash Hospitals subsequently contacted State Farm to inquire about the status of the claim. Only then did State Farm disclose that it had reached a settlement with Ms. Whitaker and issued the joint check to her. State Farm took the position that the issuance of the joint check satisfied and extinguished any obligation it had to satisfy Nash Hospitals’ medical lien. State Farm told Nash Hospitals to contact Ms. Whitaker directly to resolve how the settlement proceeds should be divided.

After finding out about the settlement, Nash Hospitals advised State Farm that State Farm’s failure to retain funds sufficient to satisfy its lien violated the medical lien statutes. Nash Hospitals also pointed out that, by issuing a joint check to Ms. Whitaker that she was unable to cash, Ms. Whitaker would be forced to obtain an attorney and incur additional unnecessary expenses in order to actually recover any of the insurance proceeds.

Nash Hospitals sues for its share of the settlement proceeds

State Farm did not respond to the letter. Nash Hospitals then sued State Farm for violating North Carolina’s medical lien statutes. Nash Hospitals’ complaint also included an unfair and deceptive trade practices claim.

The trial court granted summary judgment to Nash Hospitals, finding that State Farm violated both the medical lien statutes and N.C. Gen. Stat. § 75-1.1.

State Farm appealed and the North Carolina Court of Appeals affirmed State Farm’s liability for both claims. The Court of Appeals remanded the case, however, to have the trial court recalculate the damages originally awarded.

The Court of Appeals determined that State Farm had a statutory duty to retain sufficient funds from the settlement to satisfy the lien claims and to distribute proceeds to the lienholders before disbursing to Ms. Whitaker.

With respect to the 75-1.1 claim, State Farm first challenged the hospital’s standing to bring the claim. State Farm argued that Nash Hospitals lacked privity with the insurer. The Court of Appeals rejected that argument. The court reasoned that Nash Hospitals was a third-party beneficiary of the insurance contract and came into privity with State Farm upon notifying State Farm of its asserted lien.

The court also found that State Farm’s failure to notify Nash Hospitals of the settlement with Ms. Whitaker, coupled with its direction that Nash Hospitals seek recovery from Ms. Whitaker herself, was both an unfair and a deceptive act.  The Court of Appeals appears to have viewed the insurer’s conduct as a species of direct unfairness. The court also indicated that the same conduct met the statutory definition of a deceptive act because State Farm’s handing of the lien claim possessed “the capacity or tendency to deceive.”

The court was careful, however, to indicate that State Farm’s violation of the North Carolina medical lien statutes did not make State Farm per se liable under 75-1.1. Rather, liability stemmed from State Farm’s underlying conduct and “its failure to cure the violation absent litigation.”

The Court of Appeals directed the trial court to enter summary judgment to Nash Hospitals for a mere $971.07 (treble the actual damages of $323.69 awarded) . Upon remand, it is possible that Nash Hospitals will also seek an attorney fee per N.C. Gen Stat. § 75-16.1.

Although it appears that State Farm will not incur a significant cash outlay in this matter, the case is likely to have broader implications for how the company handles claims settlement generally. State Farm’s counsel indicated at oral argument that the insurer routinely issued joint checks and told “the . . . parties [to] agree . . . who’s going to get what.” State Farm will presumably need to end the practice of issuing joint checks to head off potential future treble damages awards. Going forward, it also appears the burden of determining how personal injury settlement proceeds should be allocated will fall more on the insurer.

Author: George Sanderson

The Plaintiff or Defendant Is Not from North Carolina. Does Section 75-1.1 Apply?

N.C. Gen. Stat. § 75-1.1 regulates conduct “in or affecting commerce.” The statute doesn’t expressly differentiate based on type of commerce—intrastate versus interstate.

When conduct involves parties both inside and outside North Carolina, however, the reach of section 75-1.1 can come into question. Only a few months ago, we reviewed a federal-court decision that described the different choice-of-law tests that courts have used when considering whether section 75-1.1 applies to multistate conduct.

The North Carolina Business Court recently issued another decision on the standards that govern whether a party from outside of North Carolina can raise a section 75-1.1 claim.

In Window World of Baton Rouge, LLC v. Window World, Inc., Judge Louis A. Bledsoe, III refused to dismiss a section 75-1.1 claim that the defendant argued was barred by choice-of-law principles. More specifically, the defendant argued that section 75-1.1 did not apply to the defendant’s conduct because no plaintiff had a home office in North Carolina.

How did Judge Bledsoe reach this conclusion? This post examines the decision.

A Window into a Franchise Dispute

The plaintiffs in Window World are franchisees of Window World, Inc. Window World is based in North Carolina.

The complaint accuses Window World—as franchisor—of committing a host of wrongs. Certain plaintiffs complained to Window World about these wrongs and appeared to reach a settlement with Window World, but Window World reneged.

This lawsuit followed. The complaint contains the usual assortment of contract claims, business torts, and an alleged violation of section 75-1.1.

The plaintiffs sued multiple defendants, including Tammy Whitworth, whose family once owned all outstanding shares of Window World’s stock, and against whom the plaintiffs seek to pierce the corporate veil.

Ms. Whitworth filed a motion to dismiss.  On the section 75-1.1 claim, Ms. Whitworth argued that the plaintiffs have not stated a cognizable claim because the plaintiffs have not alleged an in-state injury.

Mapping Out the Place of the Injury

Judge Bledsoe began his analysis of Ms. Whitworth’s argument by identifying the controlling choice-of-law rule.

Under decisions of the North Carolina Supreme Court, he explained, the law of the situs of the claim determines the applicable law for matters that affect the parties’ substantial rights. For tort claims, the situs of the claim is “the state where the injury occurred.”

How does a court determine where an injury occurs?

To answer that question, Judge Bledsoe drilled down on the specific choice-of-law rule that applies to alleged violations of section 75-1.1.

Just two months ago, in a decision called Soma Tech, Inc. v. Dalamagas, Judge Bledsoe concluded that the North Carolina Supreme Court would likely apply the lex loci rule to section 75-1.1 claims. The alternative rule would be the most-significant-relationship test, but, as Judge Bledsoe noted, the state Supreme Court has rejected the modern trend toward that test.

Under lex loci, the plaintiff is considered to have sustained his injury in the state where the last act occurred that gave rise to the injury.

This rule might sound straightforward, but the parties had competing arguments about how it applies:

  • Ms. Whitworth argued that because the plaintiffs are not located in North Carolina, they could not have been injured in North Carolina.
  • In response, the plaintiffs argued that they were injured in North Carolina. More specifically, they argued that the injury occurred when Window World—located in North Carolina—received kickbacks and other information that the law compelled them to disclose to the plaintiffs.

To evaluate these arguments, Judge Bledsoe turned to a 2010 decision of the North Carolina Court of Appeals called Harco National Insurance Company v. Grant Thornton LLP. In Harco, the Court of Appeals held that the location of a plaintiff’s business may be useful in determining whether a plaintiff suffered injury—but only if, “after a rigorous analysis, the place of injury is difficult or impossible to discern.”

In most cases, the Court of Appeals emphasized, “a plaintiff has clearly suffered its pecuniary loss in a particular state, irrespective of that plaintiff’s residence or principal place of business.” In those cases, lex loci applies, and the governing law is the law of the state where the plaintiff has actually suffered harm.

Judge Bledsoe then applied these teachings to the motion to dismiss.

In her motion, Ms. Whitworth made only a bare assertion that the plaintiffs “are not located in, and did not suffer injury in, North Carolina.” As Harco makes clear, the location of a plaintiff’s business does not exclusively determine where the plaintiff suffered injury. That determination depends on the facts of each case.

Here, the plaintiffs have alleged that they suffered an injury in North Carolina, based on Window World’s conduct and its acceptance of kickbacks. These allegations, viewed in the light most favorable to the plaintiffs, could not be interpreted to establish injury somewhere other than North Carolina, as Ms. Whitworth had argued.

Judge Bledsoe therefore denied the motion.

The Place of Injury and Section 75-1.1 Claims

Because section 75-1.1 claims are ubiquitous in North Carolina business litigation, one can easily overlook the question of whether section 75-1.1 applies when the plaintiff or defendant is not from North Carolina. This is an important question to answer.

The answer, moreover, can require careful analysis of the allegations and facts of each case.  As Window World clarifies, the location of the plaintiff’s business does not automatically supply the answer.

Window World also illustrates two other tactical considerations in section 75-1.1 litigation:

  • A challenge at the pleadings stage to the application of section 75-1.1 must take into account not only the relevant choice-of-law regime, but also the Rule 12(b)(6) standard; and
  • In anticipation of a Rule 12(b)(6) fight, a plaintiff with a section 75-1.1 claim would benefit from including allegations in the complaint that concern the location of the plaintiff’s injury.

In the end, choice-of-law issues can be thorny in any type of litigation. This can be especially true—as Window World reminds us—in section 75-1.1 litigation.

Author: Stephen Feldman