by Dennis Crouch
The decision here is simple, the plaintiffs sued WM for a data breach, but failed to allege that any of WM’s actions were unreasonable. The court dismissed the case, holding that “the law does not impose strict liability for harms arising out of the storage of personal information.”
In re Waste Management Data Breach Litigation, 21CV6147 (DLC), 2022 WL 561734, at *6 (S.D.N.Y. Feb. 24, 2022) [WasteManagementDismissal].
Waste Management detected some suspicious activity on its servers in January 2021, but did not discover that there was a real breach until May 2021. By that time, hackers had obtained personally identifiable information (PII) for the company’s 40,000 employees, and tens-of-thousands of former employees. This includes name, SSN, DOB, Driver’s License, etc. 4-weeks after discovering the breach, Waste Management disclosed the breach to individuals as well as to the California Attorney General (required by statute). WM offered to pay for 1-year identity monitoring.
The current/former employees sued in a nationwide class action alleging negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. In addition, the California plaintiffs alleged breach of various California state laws, including the CCPA. In her recent decision, S.D.N.Y. Judge Denise Cote has dismissed the case for failure to state a claim upon which relief could be granted. Fed. R. Civ. Pro. R. 12(b)(6).
Negligence: “When an employer requires an employee to submit their sensitive personal information, the employee … has a reasonable expectation that the employer will take reasonable care not to place their personal data at unnecessary risk of exposure.” However, negligence does not sound in strict liability for all hacked disclosures. Rather, negligence always requires some unreasonable action (or inaction) in breach of the duty of care. Here, the complaint did not spin-out any such story. The court provides potential examples: non-encrypted files; failure to delete old data; failure to adhere to industry security guidelines; etc. However, none of these facts were pled. Thus, the negligence claim was dismissed.
Implied Contract: The court found that the plaintiffs might be able to prove that WM entered into an implied contract regarding data security. However, the complaint alleges that the implied contract was that WM “act reasonably.” But, as in the negligence claim, the complaint failed to plead plausible facts telling the story of any unreasonable action. The court notes that the plaintiffs might have pled (but did not actually plead) an implied contract to “insure employees against any data loss.”
Fiduciary Duty: No case here because “employers are not fiduciaries of their employees.”
Unjust Enrichment: Again, an unjust enrichment claim here would require some unreasonable act by WM. Plaintiffs failed to allege such an act.
California Consumer Privacy Act (CCPA): The complaint failed here again on reasonableness grounds. In particular, the complaint failed to allege that WM had in place “reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.150(a)(1). The CCPA also creates an action for unreasonable delay, but the court found that the 24-day delay “is insufficient on its own to plausibly allege unreasonable delay.”
Dismissed on the pleadings.
“the law does not impose strict liability for harms arising out of the storage of personal information.”
1. It Should.
2. Did WM’s customers’ data get hacked, too?
3. Does this doctrine apply to Hospitals with your medical records?
Yes, I know about HIPPA. I also know from personal experience there’s no teeth in it.
Protecting patients’ medical records wasn’t the real purpose of HIPAA anyway.
The real purpose was to require doctors and other health care professionals to report patients whom they felt were a threat to the President or Vice-President. (It’s buried in there somewhere.) It turned all doctors into Government goons.
HIPAA also gave law enforcement (at all levels) the right to get your medical information without a warrant. (It used to require a warrant.)
Can this be correct No One? So HIPAA was a government Trojan Horse?
Thanks for the info and insight.
You sure about that…?
The biggest problem is resolving the case on a motion to dismiss. There is a certain res ipsa loquitur aspect to data breaches e.g., if the data were actually encrypted, then it shouldn’t be “hackable.” Similarly, fi the company used 2FA, user passwords shouldn’t be “hackable.”
At the very least, plaintiffs should have some discovery wrt how the breach occurred, whether it was really a business necessity to store this info on the network, etc.
>failure to adhere to industry security guidelines
OTOH, there is no particular incentive for those guidelines to meaningfully protect SPI if the industry’s worse-case scenario is only having to buy “one year of [generally useless] identity monitoring and protection services [from some low cost provider who will impose their own onerous TOS]” (commentary added).
Two-factor can be defeated, esp. via SMS. Phishing has gotten more sophisticated.
link to slate.com
Appropriate encryption is a tougher nut, but the keys have to live somewhere and the stack can be compromised below the encryption level.
Strict liability for data breach is not appropriate: we all depend without alternative on systems that are in large part out of our control. Zero day exploits cannot be foreseen and no reasonable level of care can prevent exposure.
Breach incidents are highly fact dependent.
IDK. There is a perfect defense: don’t collect SPI unless you absolutely need it right now. Stronger liability will shift the burden back to the entity that asserts that necessity (though I’d probably pick something like statutory damages of $1000/person affected)
Way too many organizations collect and store way too much info for flimsy reasons e.g., “it might be useful someday”
This reflects a far deeper CULTURAL view of “who owns what.”
One may compare and contrast how Europe views personal data (including the Right to be forgotten) and the US view that “business comes first” with a STRONG view that ANY ‘personal right’ is minor (if at all there).
Just curious, in law school curricula, where does “privacy law” fall in the spectrum of types of law. Personally, I don’t view it as a subset of IP law. I think it either falls under tort law or under its own branch of law.
Really depends.
Lots of torts. Defendants would often like this to be analyzed under tort law because of various limits on damages and the requirement for unreasonable acts by the defendant.
In general, there are big IP questions about who ‘owns’ the data and name-image-likeness rights. In the business context we have trade secrets that the Supreme Court gave property-like status, and there is a question about whether personal data should also be given parallel rights. Because this is information and typically involves some communication, then we also have First Amendment implications.
There are also lots of employment and contract questions. Unlike ordinary torts, there is usually an underlying contract between the party that holds the data and the person who is the subject of the data.
But, the biggest area here is really outside of the traditional law school curriculum — it is about management and regulation.
I have to wonder whether the (Supreme Court created) “penumbra” of personal privacy rights are also implicated.
Thanks, Dennis.
This is a handy, current guide to the 50 state requirements, including safe-harbor provisions (if any) where notification of a breach may not be required.
link to foley.com
Thanks!
Comments are closed.