
Litigation News

Litigation News | 2024

Data Breach Pleading Based on Industry Standards Insufficient

Kelso Lorne St. Jacques Anderson

Summary

  • Parties must plead with specificity to withstand dismissal in a data breach case.
  • This is true even where an implied contract exists between a consumer and a business.
  • Businesses affected by data breaches are encouraged to immediately retain counsel familiar with data breach laws in various states and internationally.

A federal court has ruled that, even where an implied contract exists between a consumer and a business, the consumer must plead facts beyond the defendant’s mere failure to meet industry standards in a data breach case to survive a motion to dismiss pursuant to Federal Rule of Civil Procedure 12(b)(6). ABA Litigation Section leaders agree with the court’s decision and encourage businesses affected by data breaches to immediately retain counsel familiar with data breach laws in various states and internationally. Businesses should also review their own policies and notices to their customers to ensure consistency.

Data Breach Schema

In Troy v. American Bar Association, the plaintiffs were residents of New York and Texas who were registered members of the defendant and purchased goods, services, or both from the defendant during the relevant time period of the lawsuit. In 2023, a hacker gained unapproved access to the defendant’s network and obtained the defendant’s members’ personal information. The plaintiffs alleged that they had to spend money to handle identity theft issues that resulted from the data breach, including alleged credit card fraud, spam emails, and telephone calls.

Fraudsters attempted to make purchases from one of the plaintiffs’ credit cards, and that plaintiff immediately purchased identity theft protection. The other plaintiff received several spam emails that were advertising false offers. Based on these incidents, the plaintiffs alleged that the defendant denied them privacy and that the plaintiffs suffered monetary damages since they had to “overpay” for the defendant’s services, monitor their financial accounts, and pay for identity theft services.

The plaintiffs filed a putative class action lawsuit against the defendant in the U.S. District Court for the Eastern District of New York alleging, among other state law claims, breach of implied contract. The plaintiffs’ lawsuit proposed two classes of plaintiffs: those who resided in the U.S. and suffered breach of contract and were registered as members with the defendant, and those who suffered consumer fraud in any of the thirty-two states with active membership in the defendant’s organization. In the alternative, the plaintiffs also proposed a subclass of plaintiffs who specifically reside in New York and Texas, respectively, and have registered accounts with the defendant.

Breach of Contract Claim Pleaded Without Specificity

In considering the defendant’s Rule 12(b)(6) motion to dismiss, the court cited Supreme Court precedent for the principle that a plaintiff must plead sufficient facts in their complaint to show that a claim to relief is “plausible on its face.” Such “facial plausibility” in a pleading allows the court to make inferences in the plaintiffs’ favor, so that the complaint survives a defendant’s motion to dismiss, said the court. If a plaintiff’s complaint fails to state a claim upon which relief can be granted, then dismissal of such a claim is appropriate. Further, the court reasoned, when a plaintiff brings a claim on behalf of themselves and a putative class, a court cannot exercise jurisdiction over the matter if the plaintiff’s complaint fails to state a claim in the first instance.

With the procedural framework established, the court then held that New York law applied to the implied contract claims because the elements of an implied contract claim are the same in the plaintiffs’ and defendant’s home states. An implied contract requires the elements of a contract, including a valid agreement and facts and circumstances evidencing breach of a contractual duty. The court then rejected the plaintiffs’ argument that the defendant breached industry standards when it used hashed and salted passwords, a method of protecting the stored passwords that are used to verify a person’s identity, to store its members’ private data. According to the court, “absent allegations identifying the security measures [the] ABA purportedly failed to implement, plaintiffs cannot sustain their breach of implied contract claims.”

Data Breach Guidance

Litigation Section leaders agree that specificity must be pleaded to withstand a motion to dismiss under Rule 12(b)(6). Section leaders also recommend that companies immediately find qualified counsel and take steps to mitigate the effects of a data breach. “Companies and their outside counsel should retain the services of a qualified data protection professional when a breach occurs,” says Brian Esler, Seattle, WA, Co-Chair of the Section’s Business Torts & Unfair Competition Committee.

Given the potentially global impact of a data breach, counsel handling data breach cases must ensure “their response [to such breach] complies with all applicable state, federal and perhaps even foreign law governing data breach reporting and remediation,” adds Brian A. Hill, Washington, D.C., another Co-Chair of the Section’s Business Torts & Unfair Competition Committee. Hill also urges companies that have experienced a data breach to “carefully review the language of their own policies and notices to ensure that they are acting consistently with what they have previously told their customers.”
