by Dennis Crouch
The decision here is simple, the plaintiffs sued WM for a data breach, but failed to allege that any of WM’s actions were unreasonable. The court dismissed the case, holding that “the law does not impose strict liability for harms arising out of the storage of personal information.”
In re Waste Management Data Breach Litigation, 21CV6147 (DLC), 2022 WL 561734, at *6 (S.D.N.Y. Feb. 24, 2022) [WasteManagementDismissal].
Waste Management detected some suspicious activity on its servers in January 2021, but did not discover that there was a real breach until May 2021. By that time, hackers had obtained personally identifiable information (PII) for the company’s 40,000 employees, and tens-of-thousands of former employees. This includes name, SSN, DOB, Driver’s License, etc. 4-weeks after discovering the breach, Waste Management disclosed the breach to individuals as well as to the California Attorney General (required by statute). WM offered to pay for 1-year identity monitoring.
The current/former employees sued in a nationwide class action alleging negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. In addition, the California plaintiffs alleged breach of various California state laws, including the CCPA. In her recent decision, S.D.N.Y. Judge Denise Cote has dismissed the case for failure to state a claim upon which relief could be granted. Fed. R. Civ. Pro. R. 12(b)(6).
Negligence: “When an employer requires an employee to submit their sensitive personal information, the employee … has a reasonable expectation that the employer will take reasonable care not to place their personal data at unnecessary risk of exposure.” However, negligence does not sound in strict liability for all hacked disclosures. Rather, negligence always requires some unreasonable action (or inaction) in breach of the duty of care. Here, the complaint did not spin-out any such story. The court provides potential examples: non-encrypted files; failure to delete old data; failure to adhere to industry security guidelines; etc. However, none of these facts were pled. Thus, the negligence claim was dismissed.
Implied Contract: The court found that the plaintiffs might be able to prove that WM entered into an implied contract regarding data security. However, the complaint alleges that the implied contract was that WM “act reasonably.” But, as in the negligence claim, the complaint failed to plead plausible facts telling the story of any unreasonable action. The court notes that the plaintiffs might have pled (but did not actually plead) an implied contract to “insure employees against any data loss.”
Fiduciary Duty: No case here because “employers are not fiduciaries of their employees.”
Unjust Enrichment: Again, an unjust enrichment claim here would require some unreasonable act by WM. Plaintiffs failed to allege such an act.
California Consumer Privacy Act (CCPA): The complaint failed here again on reasonableness grounds. In particular, the complaint failed to allege that WM had in place “reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.150(a)(1). The CCPA also creates an action for unreasonable delay, but the court found that the 24-day delay “is insufficient on its own to plausibly allege unreasonable delay.”
Dismissed on the pleadings.