Category Archives: Unfair Trade Practices

Defending Data-Breach Lawsuits Brought by Employees (Part 1 of 2)

As we’ve previously discussed, companies are often sued by their customers and business partners after a data breach. Another increasingly common source of data-breach litigation comes from within: companies’ own employees.    

That’s because almost every business collects social security numbers, bank account information, and other sensitive personal information to administer the employment relationship. Cyber-criminals know this and choose their targets accordingly. And when their attacks succeed, affected employees are prone to sue.

Two especially common theories of liability in these cases are negligence and breach of contract.  This two-part series of posts examines two recent federal court cases—one from New York and one from Pennsylvania—that show how courts deal with these types of claims.

A Phishing Attack Exploits Imperfect Data Security

In Sackin v. TransPerfect Global, Inc., a case from the United States District Court from the Southern District of New York, TransPerfect’s human resources department fell victim to a popular scheme known as “W-2 phishing.” In this scheme, criminals posing as a company executive send an email to unwitting personnel at the company and ask for copies of all employees’ W-2 tax forms. 

A TransPerfect employee received and complied with one of these requests. The employee sent thousands of current and former employees’ W-2 forms and other payroll data to an unidentified attacker. As a result, the criminals obtained employees’ names, addresses, social security numbers, and banking information.

A group of employees sued TransPerfect after being notified of the breach. They alleged that the release of their information was caused by TransPerfect’s failure to properly train its employees on data security and to maintain appropriate security controls. Their complaint asserted a claim for common-law negligence. It also asserted, based on the employment relationship between the employees and TransPerfect, claims for breach of express and implied contract.  

TransPerfect moved to dismiss those claims under Rule 12(b)(6). It argued that the employees’ negligence claim failed because TransPerfect had no common-law duty to protect their personal information against third-party criminals. TransPerfect also argued that the contract claims failed because employees hadn’t sufficiently alleged that TransPerfect had promised—explicitly or implicitly—to secure and protect their personal information.

A Common-Law Duty to Protect Employees’ Personal Data?

As to the negligence claim, the court first observed that under New York law, whether a defendant owes a duty to a plaintiff depends on a variety of factors:

  • the relationship of the parties,
  • which party is best positioned to avoid the harm,
  • the public policy served by the presence of a duty, and
  • the foreseeability of the harm if the duty is breached.

Those factors, the court concluded, supported imposing a common-law duty on employers to take reasonable precautions to protect employees’ personal information. 

Employees, the court observed, cannot usually choose to withhold their information from an employer. They also have no means to protect that information in the employer’s hands, and they alone suffer the harmful consequences if the employer fails to protect it. Looking to public policy, the court also observed that the prospect of liability would provide employers with an economic incentive to protect employees’ information from the threat of cyberattacks.

Having determined that TransPerfect had a duty to protect its employees’ information, the court then concluded that employees had sufficiently alleged that TransPerfect was aware of and violated that duty.  TransPerfect’s own website, the court observed, showed it recognized the risks of sending sensitive personal information by email. That website warned visitors to “never send” sensitive information by email because email is “generally not secure” and “vulnerable to hacking.” Despite that knowledge, the employees alleged, TransPerfect failed to prevent the emailing of their sensitive information to the criminals.

The court therefore denied TransPerfect’s motion to dismiss the negligence claim.

An Agreement to Secure Employees’ Personal Data?

As to the contract claims, the court first agreed with TransPerfect that the employees had failed to sufficiently allege an express contract that would bind TransPerfect to protect their personal information. 

Simply alleging that their employment contracts “involved a mutual exchange of consideration” that included TransPerfect’s promise to provide employment and secure their personal information, without more, was not sufficient. 

Nevertheless, the court found that the employees had plausibly alleged the existence and breach of an implied contract to that effect. The court observed that TransPerfect required employees to provide their personal information and was generally aware of the cybersecurity risks it faced. These factors, the court concluded, showed an implicit promise by TransPerfect to safeguard that information: 

While TransPerfect may not have explicitly promised to protect [personal information] from hackers in Plaintiffs’ employment contracts, it is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of Social Security numbers or other sensitive personal information would not imply the recipient’s assent to protect the information sufficiently.

The court therefore allowed the employees’ implied-contract claim to proceed.

Smooth Sailing for Employee Negligence and Contract Claims?

Sackin suggests that, because of the nature of the employment relationship, courts may be particularly inclined to find a duty on the part of employers to protect their employees’ personal information. 

In that relationship, employees have little choice but to turn over their personal information.  And so, the logic goes, employees can expect the employer to protect that information—especially when the allegations show that an employer is aware of the risks associated with collecting and storing it.

Given that reasoning, might companies still be able to defeat these types of claims? 

Tomorrow’s post will examine a case in which a company did just that.

Author: Alex Pearce

When Does a Business Dispute That Involves a Third Party Remain “Internal” for Purposes of an Unfair and Deceptive Trade Practice Claim?

The North Carolina Business Court has issued several opinions this year that examine the contours of the “internal business affairs” doctrine. As we have explained in prior posts, North Carolina courts have recognized that internal business disputes are exempt from N.C. Gen. Stat. § 75-1.1 because they are not “in or affecting commerce.”

In the latest Business Court opinion, JS Real Estate Investments, LLC v. Gee Real Estate, LLC, Judge Adam Conrad had to pick between two lines of North Carolina Supreme Court precedent to determine whether the doctrine applied.

This post examines why the Court in JS Real Estate decided that the dispute was an internal business matter, even though the defendant diverted funds to a third party.

The Parting of the Ways

The JS Real Estate case arose from the aftermath of a messy business divorce between two investors, James Shaw and Raymond Gee.

Shaw and Gee were members in multiple entities that owned and managed commercial real estate. Shaw and Gee were also members in companies that supervised the day-to-day management of those entities.

After several years, Shaw and Gee decided to end their business relationship.  Shaw and Gee executed a formal Separation Agreement in order to divide their interests.  The Separation Agreement explicitly provided that proceeds from their prior business affairs would be shared equally, but that Gee and his wholly owned company would manage the assets.

After the execution of the Separation Agreement, Gee replaced the firms that provided supervisory services with a company that Gee solely owned, GVest Capital.  GVest imposed a new management fee that it collected before any distributions were paid to Shaw and Gee.

Shaw, through his real estate company, claimed that Gee’s installation of GVest violated the terms of the Separation Agreement. Shaw alleged that the management fees GVest collected should have instead been distributed equally to Shaw and Gee.

Shaw’s real estate company sued Gee and Gee’s real estate company for breach of the Separation Agreement, breach of fiduciary duty, constructive fraud, and for committing an unfair or deceptive trade practice in violation of section 75-1.1. Shaw designated the case to the Business Court upon filing.

After discovery closed, Shaw moved for partial summary judgment as to the breach-of-contract claim. At the same time, Gee moved for partial summary judgment on the claims for breach of fiduciary duty, constructive fraud, and violation of section 75-1.1.

The Business Court issued an opinion on the cross motions for summary judgment. The only claim that the Court disposed of was the section 75-1.1 claim. The Court dismissed the section 75-1.1 claim because it viewed the matter as an internal business dispute.

The Fundamental Character of the Dispute Was Internal

In briefing summary judgment, Shaw argued that the matter was not solely an internal business matter because Gee’s conduct involved “commercial interactions” with an outside market participant, i.e. the company to which funds were allegedly diverted, GVest.  

Shaw argued that the North Carolina Supreme Court case of Sara Lee Corp. v. Carter was controlling precedent. In Sara Lee, the Supreme Court held that an employee violated section 75-1.1 by engaging in self-dealing when he sold computer parts and services to his employer from companies that the employee owned.

Gee countered that all of the alleged conduct was “encompassed within the rubric of the management and ownership” of the entities that Shaw and Gee jointly owned.

Gee argued that a different North Carolina Supreme Court case, White v. Thompson, controlled. In White, the Supreme Court held that a partner’s alleged misconduct in diverting work to a new business away from the partnership was not “in or affecting commerce” because the partner only breached his duty “as a partner in this single market participant.”

Weighing the two lines of precedent, the Court characterized the dispute between Shaw and Gee as a dispute between members over the internal management of, and right to receive distributions from, the companies of which they were members. Ultimately, the court decided that the facts at hand were more analogous to those presented in White than in Sara Lee.

The Court decided that third-party GVest’s collection of the new management fees did not change the “fundamental character” of the dispute as an internal business matter. In the Court’s estimation, GVest’s alleged involvement was more accurately classified as a “misappropriation of corporate funds within a single entity rather than commercial transactions between separate market participants.”

The Court further noted that White itself involved a partner diverting work towards his own business and away from the partnership.

How Involved are Third Parties?

The Business Court’s decision in JS Real Estate suggests that the determination of whether the internal business doctrine applies is often intensely fact-specific. Practitioners should note well, however, that the Court looked at the fundamental character of the dispute and still determined that the doctrine applied, notwithstanding the “tangential involvement” of third parties. Plaintiffs and defendants alike should assess what conduct lies at the core of the dispute when analyzing whether a section 75-1.1 claim is truly in or affecting commerce.

Author: George Sanderson

Playing Chicken with Claims for Unfair Trade Practices

The past year has seen several notable decisions concerning how choice-of-law regimes can affect the viability of a claim for violation of N.C. Gen. Stat. § 75-1.1.

Today’s post involves another case on this topic.

In Koch Foods, Inc. v. Pate Dawson Company, a federal district court assessed a claim for unfair trade practices by the seller of processed poultry against directors and officers of a distributor that bought the seller’s poultry.

This post studies the court’s meaty decision.

I’ll Buy, But Who’s Paying?

Koch sold processed poultry to Pate Dawson Company. Dawson, in turn, sold the poultry to restaurants. Its top customer was Bojangles.

When Dawson delivered the poultry to Bojangles, Bojangles would pay Dawson the cost of the poultry, plus the cost of shipping. Dawson would then pay Koch a portion of what Dawson received from Bojangles.

In September 2015, Bojangles ended its relationship with Dawson. That decision put Dawson in financial peril.

After Bojangles cut the cord, however, Dawson continued to order poultry from Koch. In the three months following the end of its relationship with Bojangles, Dawson placed 38 orders with Koch for products worth $3.6 million.

Dawson paid the first $106,000 of that amount, but no more.

Koch then sued Dawson and the company’s officers. Koch alleged that the officers never intended to pay for the $3.6 million in poultry. Koch’s claims included a claim for unfair and deceptive trade practices.

Koch settled its claims with Dawson, but not its claims with the officers. Koch and the officers each moved for summary judgment on the claim for unfair trade practices.

A Most Significant Inquiry into the Applicable Choice of Law

Koch filed the case in Mississippi federal court on diversity grounds, but no party is a Mississippi citizen. Koch has its principal place of business in Illinois. (Koch is the majority member of Koch Foods of Mississippi, LLC, which sold the poultry to Dawson.) The officers all live in North Carolina, which was also Dawson’s principal place of business.

The court’s first order of business was to discern what state’s law applies to the claim for unfair trade practices. To do that, the court turned to Mississippi’s conflict-of-law rules.

Before doing so, the court noted that an actual conflict exists between the laws of Mississippi and North Carolina on unfair trade practices. Each state has its own analogue of Section 5 of the FTC Act. Mississippi’s statute, however, applies only to consumer transactions, and not to business-to-business transactions.

For claims for unfair trade practices, Mississippi law applies the “most significant relationship” test. (Notably, two recent decisions in North Carolina—one from a federal district court, and one from the North Carolina Business Court—show that North Carolina’s choice-of-law regime is more likely to apply a different test, the lex loci test, to claims for unfair trade practices.)

Under the “most significant relationship” test, as it applies under Mississippi law, the court turned to the following four factors to discern which state’s law has the most significant relationship to the relevant conduct and the parties:

  1. the place where the injury occurred;
  1. the place where the conduct that caused the injury occurred;
  1. the domicile, residence, nationality, place of incorporation, and place of business of the parties; and
  1. the place where the relationship between the parties is centered.

The “most significant relationship” test then calls for the evaluation of these contacts in light of seven more choice-of-law considerations. These considerations include “the needs of the interstate and international systems” and “the protection of justified expectations.”

Having laid out these “guideposts”—some of which the court itself described as “nebulous”—the court placed the most weight on the second factor: the place where the conduct that caused the injury occurred. That conduct occurred in North Carolina. The court concluded that North Carolina’s interest in regulating the conduct within its borders outweighed any policy or interest of Mississippi.

Would the lex loci test have yielded the same result? It’s not clear. As the Business Court recently explained, the place that a plaintiff suffered its pecuniary loss is not necessarily where the plaintiff has its principal place of business.

A Dispute of Facts

Having concluded that the law on section 75-1.1 applies to Koch’s claims, the court reasoned that buying $3.6 million of a product without the means or intent to pay for it violates section 75-1.1.

In reaching this conclusion, the court effectively ruled that this conduct amounted to substantial aggravating circumstances. As the Business Court recently explained in Post v. Avita Drugs, deception in a contract’s formation is a “classic example of an aggravating circumstance.”

This conclusion, however, did not mean that the court granted offensive summary judgment in Koch’s favor. The parties had conflicting facts about whether Dawson actually lacked the means or intent to pay for the poultry products, and a jury must resolve that factual dispute.

Considerations for 75-1.1 Claims Concerning Multistate Conduct

Koch Foods is an instructive case for litigators and businesses involved in claims of unfair trade practices that cross state lines.

First, in litigation on unfair trade practices, the choice of forum matters. In Koch Foods, the viability of a claim for unfair trade practices required a forum in which section 75-1.1—because its reach is not limited to consumer transactions—would apply. Mississippi’s choice-of-law regime, which applies the “most significant relationship” test, led to that outcome.

Second, Koch Foods is another data point that emphasizes that the facts concerning contract formation can be a fertile area for proving “substantial aggravating circumstances.”

Finally, the court’s ultimate ruling—that a trial is needed to determine Dawson’s financial condition and intent during contract formation—underscores the role of the factfinder in section 75-1.1 litigation. Even though whether a set of facts actually violates section 75-1.1 is a legal question, each litigant must be ready to persuade a factfinder that its set of facts constitutes the truth.

Author: Stephen Feldman