Unfair and Deceptive Trade Practices Claims in Data-Breach Lawsuits

Section 5 of the Federal Trade Commission Act provides a powerful tool for the federal government to regulate companies’ data-security practices. Rather than adopt specific data-security standards, the FTC often uses Section 5’s flexible and open-ended concepts of unfairness and deception to bring enforcement actions against companies for data-security failures.    

The FTC treats these enforcement actions as a form of “common law” that tells other companies what data-security practices Section 5 requires.

While it gives the FTC broad authority, Section 5 lacks a private right of action. Does this absence preclude a plaintiff in a data-breach lawsuit from nonetheless relying on the data-security “common law” developed by the FTC under Section 5?

A recent decision from a federal court in the state of Washington explored this question. This post studies two aspects of that decision, named Veridian Credit Union v. Eddie Bauer:

  • Can the failure to employ data-security measures that the FTC says are required by Section 5 be treated as evidence of a defendant’s negligence?
  • Can a plaintiff assert an unfairness claim for treble damages under a state’s “Little FTC Act” based on a defendant’s failure to employ FTC-mandated data security measures?

A Cyberattack Compromises Point of Sale Systems

Veridian arose from a cyberattack on Eddie Bauer’s in-store point-of-sale systems. The attack compromised customers’ credit- and debit-card information. 

Veridian—a credit union whose cardholders shopped at affected stores and had their information stolen—sued Eddie Bauer for failing to prevent the breach. Eddie Bauer’s lax data security practices, Veridian alleged, caused it damages including the costs to cancel and reissue affected cards and to refund cardholders for unauthorized charges.

Veridian’s complaint asserted a common-law negligence claim. For the “duty” element of that claim, Veridian alleged that Section 5 required Eddie Bauer to use reasonable data-security measures. To that end, Veridian pointed to orders issued by the FTC against other companies for failing to secure payment-card data, and to the informal guidance contained in the FTC publication “Protecting Personal Information: A Guide for Business.”  

Veridian also asserted a claim under Washington’s Consumer Protection Act  (“CPA”). That statute, like Section 5, broadly prohibits unfair or deceptive acts and practices. It also allows courts to award treble damages to private plaintiffs. According to Veridian, Eddie Bauer’s failure to employ security measures that the FTC has said are required by Section 5 was also an “unfair” practice under the CPA.

Blaming the Victim?

Eddie Bauer moved to dismiss the claims. 

As to the negligence claim, Eddie Bauer argued that it owed Veridian no duty to secure its customers’ payment-card data. Section 5 could not be the source of any such duty, Eddie Bauer contended, because Congress didn’t intend for the statute to protect parties in Veridian’s position.

As for Veridian’s CPA claim, Eddie Bauer observed that “unfairness” requires a showing that a defendant’s conduct was “likely to cause substantial harm” that consumers could not reasonably avoid. The company then argued that being victimized by cyberattack did not satisfy this test, for two reasons: 

  1. the consumers suffered harm owing to the theft of payment-card information, not any failure by Eddie Bauer to properly secure that information; and
  1. the consumers could avoid any risks posed by the company’s data-security practices by paying with cash instead of credit cards.

The Court’s Decision

The court denied Eddie Bauer’s motion as to both claims.

The court agreed with Eddie Bauer that Veridian’s common-law negligence claim could not rest on a violation of Section 5. Under Washington law, the violation of a statute can be evidence of negligence—but only if the statute was intended to protect a class of persons that includes the plaintiff. In this case, Congress enacted Section 5 to protect a business’s consumers and competitors from unfair trade practices. Veridian was neither.

Despite this conclusion, the court allowed Veridian’s negligence claim to proceed. The reason? A different Washington state statute supplied the requisite duty. That statute requires a business to reimburse financial institutions for the cost to reissue payment cards if the business has failed to use reasonable care, and that failure causes a breach.

As to the CPA claim, the court rejected Eddie Bauer’s argument that being victimized by a data breach was not an “unfair” practice because the real harm to consumers flows from the acts of a malicious third party. 

The court first observed that the Washington legislature modeled the CPA on Section 5 and specifically intended the CPA to be interpreted in light of FTC orders.  Pointing to the FTC’s data-security cases against LabMD and Wyndham Hotels, Veridian had shown that the FTC had concluded that failing to properly secure payment-card data could be an unfair practice.

For this reason, Eddie Bauer should have foreseen that failing to secure payment-card data could substantially injure consumers. The fact that the attackers also caused the injury was immaterial: under Section 5 (and thus the CPA), an unfair practice need not be the only cause of the harm. 

The court also had sharp words for Eddie Bauer’s “the consumers could have used cash” argument. As the court pointed out, the use of credit and debit cards is “ubiquitous” in all types of commerce. And when deciding how to pay, customers would have no way of knowing that Eddie Bauer’s payment-card security measures were deficient. Because of these points, the court characterized the argument as “disingenuous.”

Avoiding Liability: Keep An Eye on the FTC

Veridian suggests that the FTC’s aggressive use of its unfairness authority under Section 5 to regulate data security may have another unexpected consequence for companies.  Private plaintiffs—including in business-to-business data-breach lawsuits—can look to the FTC’s enforcement actions to establish a claim under state laws that regulate unfair and deceptive trade practices.

The prospect of treble damages under these laws gives companies another reason to stay current on the FTC’s developing body of data security “common law.”

Author: Alex Pearce

Internal Business Disputes, Third Parties, and Section 75-1.1

The reach of N.C. Gen. Stat § 75-1.1 extends to conduct “in or affecting commerce.” Although this phrasing seems broad, courts interpreted it to exempt several types of conduct from the statute’s purview. 

One recognized exemption is for internal business disputes: that is, conduct among members of the same business.

A recent decision by the North Carolina Business Court addressed this important exemption. In Chisum v. Campagna, the plaintiff tried to sidestep the exemption by alleging that his section 75-1.1 claim involved not only owners of the same business, but also several third-party companies.

Did that allegation bring the claim within the statute’s ambit? This post examines the Court’s analysis and conclusion.

A membership dispute

Dennis Chisum was a commercial real estate developer in the Wilmington area. In the 1990s, he teamed up with fellow Wilmington developers, and father and son, Rocky and Rick Campagna. The three formed several LLCs to develop land in and around Wilmington.

Chisum alleged that, beginning in 2007, the Campagnas started a campaign to squeeze Chisum out of the LLCs. The campaign allegedly included “sham” capital calls, designed to dilute his interest in each company. According to Chisum, he never received notice of the capital calls, and the Campagnas also held member meetings without him. Through these capital calls and meetings, the Campagnas purported to cut Chisum’s ownership in each company in half.

Chisum further alleged that the Campagnas engaged in self-interested transactions, including (a) diverting opportunities to themselves or other entities they controlled, (b) selling the companies’ assets without Chisum’s knowledge or approval, and (c) failing to pay Chisum his proper share of the assets. 

Chisum’s complaint included a section 75-1.1 claim. The defendants moved to dismiss that claim.

Conduct does not become less “internal” to a business simply because the conduct benefits third parties

Judge Gregory P. McGuire granted the motion to dismiss. As his decision explains, Chisum’s section 75-1.1 claim concerned a dispute between owners of a business—and therefore fell beyond the statute’s reach.

Judge McGuire noted that the Campagnas’ allegedly wrongful conduct involved intracorporate actions. This conduct included the “sham” capital calls, a fraudulent attempt to amend an operating agreement, and the Campagnas’ conversion of Chisum’s membership interests. 

That alleged conduct, Judge McGuire explained, did not affect any other market participants; the conduct only affected the co-owners of the businesses. To confirm this conclusion, Judge McGuire cited White v. Thompson, 364 N.C. 47, 52, 691 S.E.2d 676, 679 (2010). In White, the Supreme Court held that section 75-1.1 does not regulate the “internal conduct of individuals within a single market participant,” which the court defined as a “single business.”

While the exemption clearly captured these allegations, Chisum’s other allegations required a deeper analysis. Chisum alleged that the Campagnas had diverted assets and opportunities away from the Chisum-associated LLCs and into other companies that the Campagnas controlled. Chisum argued that the exemption did not apply to these actions because the actions involved third parties—namely, companies that the Campagnas alone controlled.

Here, Judge McGuire drew a line: he reasoned that the mere involvement of a third party was not enough, and that the allegedly unfair or deceptive conduct must actually be directed toward the third party to affect commerce. 

Judge McGuire then applied that rule. Chisum alleged that the Campagnas directed the unfair conduct toward the Chisum-associated LLCs—and not toward any third-party companies. The conduct therefore constituted conduct internal to the businesses that Chisum owned with the Campagnas. Critically, the fact that third-party companies benefitted from the allegedly wrongful conduct did not, by itself, mean that the Campagnas directed their conduct toward those companies.

Overcoming the exemption

The exemption for internal business disputes often sounds the death knell for section 75-1.1 claims. The decision in Chisum adds another data point to this conclusion. As Chisum reveals, the exemption can apply even when internal conduct benefits a third party.

Author: Jeremy Falcone

The North Carolina Business Court Explores the Boundaries of “Substantial Aggravating Circumstances”

Courts have long recognized limitations on claims brought under N.C. Gen. Stat. § 75-1.1 in conjunction with alleged breaches of contract. Although the North Carolina Supreme Court has never formally recognized a restriction, state and federal courts alike have determined that a breach of contract does not give rise to an unfair or deceptive trade practice claim unless “substantial aggravating circumstances” accompany the breach.

Courts have provided little guidance on what counts as a substantial aggravating circumstance, though some cases suggest there needs to be a showing of deceptive conduct. Courts usually focus on whether the specific fact pattern at hand discloses “egregious” or “substantially aggravating” conduct.

In a recent decision, however, North Carolina Business Court Judge Adam M. Conrad surveys several 75-1.1 cases that involve an alleged breach of contract. In examining the cases, Judge Conrad makes some helpful observations about what type of conduct courts do and do not recognize to be substantially aggravating.

The depth of analysis in Judge Conrad’s opinion appears to be unique among decisions that examine the intersection of 75-1.1 and breach-of-contract claims. As such, the opinion is a critical read for all North Carolina business litigators.

Questions About the Buyer’s Post-Closing Accounting

Post v. Avita Drugs, LLC involves the sale of MedExpress. MedExpress was a successful pharmacy based in Salisbury, North Carolina. MedExpress’s shareholders sold the business to Avita Drugs.

A stock purchase agreement governed the terms of the sale. Avita paid $6 million for MedExpress at closing. The stock purchase agreement also provided for a deferred payment of up to $5.5 million.  The actual amount of the deferred payment was to be determined under a formula in the stock purchase agreement. The formula was tied to the financial performance of MedExpress during the one-year period after the sale.

After the sale of MedExpress closed, the shareholders and Avita were unable to agree on the deferred payment amount. One of the shareholders ultimately sued Avita.

In his complaint, the shareholder alleged that Avita took a series of wrongful actions after the sale closed, including: (1) improperly adjusting the earnings calculation for MedExpress; (2) making retroactive adjustments to MedExpress’s books and records; and (3) failing to operate MedExpress as a separate company in the manner that the stock purchase required. The shareholder alleged that these actions improperly depressed the earnings calculation used to set the deferred payment amount.

The shareholder brought breach-of-contract claims under the stock purchase agreement and a 75-1.1 claim.

Avita’s Alleged Post-Closing Conduct was not Substantially Aggravating

Avita moved to dismiss the 75-1.1 claim. The Court granted the motion on the basis that the shareholder failed to allege sufficient substantial aggravating circumstances. Judge Conrad’s opinion went into great detail about the policies driving the substantial aggravating circumstances doctrine.

Judge Conrad first noted the high frequency of 75-1.1 claims in North Carolina business litigation. Citing Matt Sawchak’s article in the University of North Carolina Law Review about direct-unfairness claims, Judge Conrad hypothesized that the reason for the proliferation of 75-1.1 claims is chiefly economic. He observed that a successful 75-1.1 claimant is entitled to treble damages and, in certain instance, reasonable attorneys’ fees.

Judge Conrad contrasted the “potent and credible” threat of a treble-damages recovery with the purpose of damages recoveries generally for breaches of contract. Ordinarily, punitive damages are not recoverable for a contract breach under North Carolina law. By extension, Judge Conrad proffered that 75-1.1 claims that “piggyback” on breach-of-contract claims are disfavored by North Carolina state and federal courts.

Judge Conrad theorized that the prospect of damage recoveries that are disproportionate to the amounts involved in the underlying contract may cause uncertainty for contracting parties. That uncertainty could possibly increase transaction costs incurred in contractual negotiations.

Judge Conrad examined several cases in which a 75-1.1 claim involved a contract. He  concluded that most substantial aggravating circumstances (1) are attendant to the formation of the contract, and (2) are some variety of a fraud-in-the-inducement claim. He also noted that it appears “far more difficult to allege and prove egregious circumstances after the formation of the contract.”  

Judge Conrad also cited a line of cases that indicate that a 75-1.1 violation “is unlikely to occur during the course of contractual performance.”  Based on the case law, Judge Conrad opined that “efforts to encourage” continued contractual performance while “planning to breach” do not rise to the level of aggravating circumstances.

Judge Conrad’s case review did disclose a narrow band of post-formation conduct sufficient to trigger 75-1.1 liability. He cited instances of “clear deception” such as “forging and destroying documents” and “concealment of a breach” combined with “acts to deter further investigation” as actionable conduct.

Regarding the facts at hand, Judge Conrad did not find Avita’s alleged conduct to be sufficiently egregious or aggravating for the plaintiff to maintain a 75-1.1 claim. All of Avita’s alleged wrongful conduct occurred post-closing.

The judge also emphasized that each of Avita’s wrongful acts alleged was subject to an express provision of the stock purchase agreement. As such, he determined that the stock purchase agreement, and not section 75-1.1, defined the parties’ rights and obligations.

A Guide for Future Breach of Contract Cases?

One of the main purposes of the establishment of the North Carolina Business Court was to encourage the development and definition of business law in North Carolina. In keeping with that mandate, Judge Conrad’s opinion is a commendable attempt to provide definition to the concept of substantial aggravating circumstances not previously undertaken. It will be interesting to see how other courts use this framework in subsequent 75-1.1 decisions that involve a breach of contract.

Author: George Sanderson