“Private Cybersecurity Lawsuits (Part 2)”
Question: What liability do we have to individuals in a private lawsuit if there is a data breach?
In last month’s installment I covered the basic elements that constitute a negligence case in cybersecurity, as well as some very general guidelines on what outcomes can be expected. For this month’s installment, I will be covering the following causes of action that may also be brought in an individual private civil action. These include:
- Negligent misrepresentation or omission (A company failed to exercise reasonable care and supplied false information that caused damages to an individual)
- Breach of contract (A company breached a bargained-for promise or promises in a contract)
- Breach of implied warranty (A company’s product or services failed to satisfy basic expectations of fitness)
- Invasion of privacy (A company published private facts about an individual that are offensive and not of public concern)
- Unjust enrichment (A company knowingly benefitted from an individual in a manner that was so unfair that basic principles of equity require the company to pay the individual the fair value of that benefit)
- State Consumer Protection Laws (Varies depending on the statute. Generally, either a company engages in unfair competition, unconscionable acts, or unfair or deceptive acts of trade or commerce)
Negligent Misrepresentation or Omission claims can arise when a company misrepresents its cybersecurity habits or omits critical details about insufficiencies in its cybersecurity system. Now, many if not most states require the same elements for this cause of action as they do in general negligence cases (discussed last month); however, some states allow cases to proceed even if all that is alleged is economic losses, thus getting around the “Economic Loss Doctrine” I described last month, which is often fatal to negligence cases.
The elements of the claim, drawn and simplified from the Restatement (Second) of Torts, are as follows:
One is liable for negligent misrepresentation IF:
1. In the course of ANY transaction in which he or she has a pecuniary interest,
2. Supplies false information (whether intentionally, knowingly, recklessly or negligently obtained or communicated) for the guidance of another in their business transactions, and
3. The other person justifiably relied on that information.
Breach of Contract claims usually arise when a contract guarantees a specific level of data security, but fails to deliver on it. The law of contracts is not entirely unified and there are differences in how goods are treated as opposed to services. However, typically the following elements are required for a breach of contract claim:
One is liable for breach of contract IF:
1. There exists a contract between one person or entity and another person or entity,
2. The one person or entity has breached that contract, and
3. Damage was caused by that breach.
However, that is not all. One may still be able to bring a breach of contract claim against some person or entity that he/she/it did not even sign a contract with if one is a “3rd Party Beneficiary” of a contract between two other people or entities. In those cases, what is needed is that the contract either explicitly states that a 3rd party is a beneficiary or a court finds that the contract intended to have a 3rd party beneficiary. Furthermore, and more interestingly, subject to the various state laws on the matter, one may bring a claim for a breach of an “implied contract” if it is shown that a particular security promise was indispensable to effectuate the intention of the parties. For example, a 2017 case in New York appears to have held that an employer impliedly contracted with their employees to secure their private information simply by taking the information as part of their normal employment process!
Breach of Implied Warranty claims often involve goods as opposed to services and arise when a merchant sells a customer an item that is unfit for its intended purpose. Generally speaking, for cybersecurity purposes an implied warranty to protect private information will be sought to be read into a service contract. Typically such a claim will fail because these warranties can be expressly disclaimed in service contracts.
Invasion of Privacy claims can be brought when private information of one person is published by another person or entity. The elements to this cause are as follows:
One is liable for invasion of privacy IF:
1. They publish
2. Another person’s private facts
3. That are offensive, and
4. Are not of public concern.
This may seem like a strong weapon to use in cases involving data breaches, but it is not. Why? Because a court will likely require that the publication was affirmatively carried out by the breached party and that the information was published to the public at large or so many people that the information is certain to become common knowledge. This claim will, in all likelihood, fail in a data breach case because it is quite unlikely that any hacked party would somehow affirmatively publish private information or that such information will become common knowledge.
Unjust Enrichment claims allow a cybersecurity suit to collect “ill-gotten gains” in cases where one person or entity has wrongly obtained an undue advantage from another. The law varies a bit from state to state, but the Florida law below is instructive:
One is liable for unjust enrichment IF:
1. The plaintiff has conferred a benefit on the defendant,
2. The defendant has knowledge of the benefit,
3. The defendant has accepted or retained the benefit conferred; and
4. The circumstances are such that it would be inequitable for the defendant to retain the value without paying fair value for it.
As you can tell, that 4th element is extremely hazy and open to a wide range of interpretations. But that shouldn’t dissuade anyone from bringing an unjust enrichment action. Indeed, the 11th Circuit appeared to hold that premiums one may pay to a company constitute unjust enrichment if they are not used by the company to provide adequate data security! And that is not all: a Minnesota district court held that if a party can establish that they bought goods from a company at a time when that company knew or should have known that they were breached, and the party would not have shopped there if they knew of the breach, then a jury could find that it is not equitable for such a company to keep the money the party spent. Note, however, that unjust enrichment is typically not available to a party if another cause of action covers the same claim.
State Consumer Protection Laws are very similar to the laws which underpin the FTC’s jurisdiction to prosecute companies for wrongful trade practices. However, most state statutes allow private parties to bring claims under their causes of action. While it largely depends on the specific state statutes at hand, these cases are also usually not easy to win for a plaintiff in a cybersecurity case due primarily to three reasons: 1) courts are reluctant (so far) to allow private suits under these statutes when there are other more traditional legal remedies such as negligence, 2) these statutes usually require proof of actual or monetary damages for the claim to succeed, and 3) the plaintiff typically must show that they overpaid because of a company’s false representation. Not easy in a security breach case.
Well, that concludes my modest two-part dive into the deep and treacherous waters of cybersecurity laws pertaining to individual civil suits. I hope you found it enjoyable and edifying. As I usually end all of my blog postings, I again recommend that if you need any assistance with your cybersecurity management system, you contact us and we will be happy to assist you in setting up or maintaining a great solution that fits your needs and budget.