Defending Novel Theories in Data-Breach Litigation

The success of a data-breach lawsuit often turns on whether the plaintiff has standing to sue. Showing actual injury can be especially hard when the only alleged damage consists of a risk of future identity theft

Data-breach plaintiffs are therefore looking for new avenues into the courtroom. One of these avenues is an “overpayment” theory.  

This theory rests on the premise that the price of a product or service includes a payment for measures to protect the buyer’s personal information. When a data breach compromises that information, the buyer alleges that he or she has overpaid for the product or service because the seller failed to provide the agreed-upon measures. 

This theory has seen mixed success. 

Courts have rejected the theory in cases that involve the purchase of physical products, where privacy and data security factor only into the processing of the buyer’s payment, rather than the product itself. Examples include data-breach lawsuits against Chinese food restaurants, grocery stores, and brick-and-mortar bookstores for failing to protect credit- and debit-card information.  

Courts have accepted the theory, however, in cases involving the purchase of online services, such as paid subscriptions to social networks and digital magazines. The purchases of these online offerings—unlike the purchase of physical products—were governed by terms of service that included explicit privacy and data security commitments.

A federal court in Chicago recently issued a decision that straddles these two lines of cases. The case, In re VTech Data Breach Litigation, involved physical products whose features included connectivity to an online service.

A Toy Story

VTech Electronics North America sold learning toys for young children. These toys, which included tablet computers and other handheld electronics, connected to VTech’s online application store, from which customers could purchase and download games, books, music, and videos. Some toys could also connect to an online service that enabled children to exchange text, picture, and voice messages with their parents’ cellphones. 

To access these services, customers had to register for online accounts with VTech. Parents who registered provided personal information about themselves and their children to VTech. Parents also had to agree to terms and conditions that incorporated VTech’s privacy policy. In that policy, VTech promised to protect personal information through certain data-security measures.

In 2015, a hacker infiltrated VTech’s servers and downloaded the personal information of over ten million adults and children. The plaintiffs—purchasers of VTech’s toys who had also registered for the online services—sued VTech and alleged that the hack resulted from VTech’s failure to live up to its data security promises. Their complaint asserted various claims, including one for breach of contract. 

The plaintiffs alleged that their injuries consisted of an economic harm: receiving a product worth less than the one for which they paid. According to the plaintiffs, the “product” they paid for included the toys, the online service, and the promised data-security measures. 

You Only Get What You Pay For

VTech rejected that characterization of the transaction and moved to dismiss for lack of standing and for failure to state a claim. 

According to VTech, buyers participated in two transactions:

  1. a purchase transaction involving the plaintiffs’ payment for a standalone physical toy, and
  2. the plaintiffs’ registration for the online services, an optional but separate—and free—offering.

Because VTech had only made data-security promises in the second transaction, VTech argued that the plaintiffs could not establish any “overpayment” for the physical toys that would constitute an injury-in-fact for Article III purposes.

For the same reason, VTech argued, the plaintiffs could not establish a key element of their breach of contract claim, namely, that both parties understood and intended that a portion of the purchase price for the toys would be allocated to protecting personal information collected through the online service.

Overpayment for Data Security can be an Injury-in-Fact

The court denied VTech’s arguments as to standing. 

The court observed that economic injury can result “from being given a different, less valuable product than the one that was promised and paid for,” and that such an injury meets Article III’s injury-in-fact requirement. By alleging such an injury—one consisting of overpayment for VTech’s toys and the associated online services—the plaintiffs had satisfied Article III’s injury-in-fact requirement.

The court also noted, however, that whether an injury-in-fact had been sufficiently alleged was separate and distinct from whether the complaint plausibly stated a claim that would entitle the plaintiffs to recover damages. 

But the Plaintiffs Didn’t Pay for Data Security

Turning to that question, the court acknowledged the parties’ disagreement as to what the purchase contract included, but held that VTech had the better of that argument. To that end, it agreed with VTech that “there is a difference between selling a product that combines both a physical toy and a service, and selling a physical toy whose features may be supplemented by a separate service that VTech provided for free.” 

The court then concluded that VTech had done the latter. To support that conclusion, the court observed that the toys functioned without the online services. In addition, the online-services terms did not suggest that the plaintiffs “purchased” the online services, or that the parties intended to incorporate those terms into the purchase contract for the toys. 

The court thus held that the plaintiffs had failed to show that both parties understood a portion of the purchase price for the toys would be allocated to the protection of personal information submitted through the online services. 

The court concluded this failure was fatal to the plaintiffs’ breach of contract claim, and granted VTech’s motion to dismiss.

Implications for the Data Breach Litigants

VTech contains some important lessons for data breach litigants.

First, it suggests that overpayment theories can succeed where other injury theories have failed, provided that a plaintiff plausibly alleges some connection between a purchased product or service itself and a defendant’s data-security duties.

It also confirms, however, that claims premised on an overpayment theory of damages remain vulnerable to challenge under Rule 12(b)(6). That’s especially true if a defendant can show that terms of service that include data-security promises are not part of a purchase transaction, but rather a separate and distinct event for which it does not collect any payment at all.  

Author: Alex Pearce

Can Forcing a Company into Bankruptcy Be an Unfair or Deceptive Trade Practice? Part 2

In a recent post, we examined the bankruptcy case of In re American Ambulette & Ambulette Service, Inc.—a case in which a trustee raised a novel theory of liability under N.C. Gen. Stat. § 75-1.1. The bankruptcy trustee alleged that certain business strategies that forced the debtors into bankruptcy constituted unfair and deceptive trade practices.

The bankruptcy court dismissed the trustee’s original 75-1.1 claim for failing to plead how the defendants’ alleged conduct affected either competitors or consumers. But the court allowed the trustee to amend the complaint.

The trustee’s amended 75-1.1 claim survived dismissal. Today, we examine the court’s opinion about the amended complaint.

The Trustee’s Original Allegations

The debtors in American Ambulette were in the medical-transport business. Each of them filed for liquidation under chapter 7 of the bankruptcy code. The bankruptcy court consolidated the cases and appointed a single bankruptcy trustee to administer the debtors’ assets.

The trustee then filed an adversary proceeding against the debtors’ parent and sister corporations, as well as their officers and directors.

The trustee alleged that the debtors’ corporate parents developed a business plan to expand their operations. As part of the expansion plans, the parent entities established two new subsidiaries. The new subsidiaries allegedly competed with the debtors. According to the trustee, the corporate parents and their officers and directors caused the debtors to incur substantial expenses to further the expansion plans.

In the original complaint, the trustee accused the defendants of (1) diverting the fruits of their business-development activities to the competing subsidiaries, (2) transferring assets from the debtors to those subsidiaries, and (3) forcing the debtors into liquidation. Those activities, the trustee argued, eliminated the debtors as competition for the new subsidiaries.

The complaint included a claim against the parent companies and their officers and directors for violations of section 75-1.1.

The First Motion to Dismiss

The defendants moved to dismiss the original complaint. The motion largely relied on a recent federal district court decision since affirmed on appeal. The defendants argued that, under the recent decision, a business can pursue a 75-1.1 claim only when the business has acted as a consumer or is engaged in commercial dealings with the defendant. The defendants also stressed that the defendants on the 75-1.1 claim did not include the competing subsidiaries themselves.

The bankruptcy court granted the motion to dismiss. The court identified three categories of cases in which a business plaintiff may assert a 75-1.1 claim:

  • The plaintiff has acted as a consumer or has otherwise engaged in commercial dealings with the defendant.
  • The plaintiff and the defendant were competitors.
  • The conduct that gives rise to the claim has had a negative effect on the consuming public.

In the original complaint, the trustee did not allege that the debtors were engaged in commercial dealings with—or were competitors of—the defendants. The complaint also lacked any allegations on how the defendants’ conduct affected consumers. 

After the court dismissed the original 75-1.1 claim, the trustee filed an amended complaint. The amended complaint added the competing subsidiaries as parties to the 75-1.1 claim. It also asserted that the defendants’ actions benefited the competing subsidiaries.

The amended complaint also contained detailed allegations about how the defendants affected the marketplace and the consuming public.  The trustee’s amended complaint specifically alleged that the defendants’ conduct did not merely cause the replacement of one competitor with another, but actually removed a competitor from the relevant market altogether.  The trustee further alleged that the removal forced the county in which the debtors previously operated to declare a state of emergency. The county was also allegedly forced to obtain an injunction to compel the debtors to continue to provide the 911 emergency services that the debtors contracted to provide to the county.

The Second Motion to Dismiss

The defendants moved to dismiss the amended complaint, but the court refused to dismiss the amended 75-1.1 claim. The court used the same analytical framework, and categories for when a business may assert a 75-1.1 claim, as in the prior opinion.  This time around, however, the trustee convinced the court that the debtor’s alleged removal from the relevant market, and the alleged interruption of emergency medical service to citizens that was a result, made a sufficient impact on the consuming public to violate section 75-1.1.

The factual scenario in which the possible 75-1.1 violation in American Ambulette arose is relatively unique.  But the caselaw concerning when a business may assert a 75-1.1 claim is developing quickly.  Going forward, we may see other “theft of corporate opportunity” claims—both in and out of bankruptcy.

Author: George Sanderson

An Important New Decision on Substantial Aggravating Circumstances

North Carolina courts regularly dismiss claims for violation of N.C. Gen. Stat. § 75-1.1 where the allegations amount to nothing more than a breach of contract. 

A recent decision by Judge Adam M. Conrad of the North Carolina Business Court, however, provides a potential pathway around that doctrine. In LendingTree v. Intercontinental, Judge Conrad denied a motion to dismiss a section 75-1.1 claim even though the parties’ contract created the duties that gave rise to the action.

This post examines how Judge Conrad reached that result.

Intercontinental Hires LendingTree’s Key Employees

LendingTree describes itself as an online loan marketplace. It allows mortgage seekers to have potential lenders compete to provide a loan.

Intercontinental is a lender that has a contract with LendingTree. Intercontinental does business across the country under the trade name eQualify.

Intercontinental’s contract with LendingTree forbids Intercontinental from hiring LendingTree employees. LendingTree had no contract with eQualify.

LendingTree alleged that Intercontinental breached the contract by recruiting and hiring LendingTree’s employees. Daniel Wilson, former Chief Architect of Technology at LendingTree, and Laura Ashley Brooks, LendingTree’s Senior Director of Product Management, were among the targeted employees. Both Mr. Wilson and Ms. Brooks joined Intercontinental, and LendingTree alleged that these employees were tasked with building a system to compete directly with LendingTree.

After learning about the departures, LendingTree accused Intercontinental of a contract breach. Ron Fountain, Intercontinental’s President and General Counsel, responded and denied a breach. Mr. Fountain specifically noted that the employees were employed by eQualify, not Intercontinental.

LendingTree then sued Intercontinental, eQualify, and the two former employees. The complaint included both contract and tort theories. Against Intercontinental, LendingTree also included a section 75-1.1 claim. 

Intercontinental moved to dismiss the section 75-1.1 claim on two grounds. 

First, Intercontinental argued the tried-and-true defense that a mere breach of contract cannot give rise to a section 75-1.1 claim. 

In its second—and more novel argument—Intercontinental attempted to take advantage of the learned-profession exemption to section 75-1.1 liability. 

Judge Conrad rejected both of these arguments.

You Can Breach, But You Better Not Enjoy It

Intercontinental argued that LendingTree’s claim was nothing more than a breach of contract: its contract with LendingTree, Intercontinental contended, spelled out the obligations that gave rise to the conduct at issue.

Judge Conrad, however, identified potential aggravating circumstances that could elevate a breach of contract to a section 75-1.1 claim. He focused in particular on two actions by Intercontinental:

  1. Intercontinental’s attempt to circumvent the non-solicitation provision by having its alter ego, eQualify, hire the employees—even though the employees were providing services to Intercontinental; and
  1. Intercontinental’s denial that it had breached the agreement. That denial, Judge Conrad explained, was “akin to concealment of a breach.”

These actions by Intercontinental, Judge Conrad explained, reflected deception in connection with the breach. As we have noted before, the “substantial aggravating circumstances” doctrine evolved from decisions that involved deceptive conduct. Judge Conrad’s ruling confirms the vitality of this doctrine.

Notably, in reaching this ruling, Judge Conrad noted that the amended complaint alleged that Intercontinental enjoyed “both the benefit of its bargain and the benefit of its breach.” This statement, if read in isolation, might imply that an intentional breach of contract is a 75-1.1 violation. Judge Conrad, however, explained that—in this case—Intercontinental had stated a cognizable 75-1.1 claim because of its deceptive conduct. He then cited to two decisions—Sparrow Systems v. Private Diagnostic Clinic, and Interstate Narrow Fabrics v. Century USA—to emphasize the point. In both Sparrow Systems and Interstate Narrow Fabrics, a 75-1.1 claim survived a dispositive motion because of deceptive conduct related to a contract.

It’s Not Always the Lawyer’s Fault

Intercontinental also tried to blaze a new legal path with its second argument to avoid liability.

In raising a section 75-1.1 claim, LendingTree had focused on Intercontinental’s deceit in hiding its breach of contract through the letter that professed that the employees were actually eQualify’s employees. Because its lawyer wrote that letter, Intercontinental argued that the learned-profession exemption to section 75-1.1 liability barred the claim.

Judge Conrad made quick work of this theory: he pointed out that LendingTree’s claim concerned Intercontinental’s actions in hiring LendingTree’s employees. Thus, the 75-1.1 claim did not rest solely on the actions of an attorney.

In addition, Intercontinental’s attorney sent the letter to LendingTree in his capacity as the company’s general counsel and president. The acts of a company officer do not enjoy the protection of the learned-profession exemption. 

Pleading Around a Mere Breach of Contract

Judge Conrad’s decision shows that a plaintiff may be able to construct a contract-based section 75-1.1 claim by focusing on the defendant’s deceptive conduct after the breach.  If the defendant took steps to avoid the plaintiff discovering the breach, those steps may constitute sufficient substantial aggravating circumstances to allow a section 75-1.1 claim.

Author: Jeremy Falcone