Surviving a Motion to Dismiss in a Data Breach Case

by Dennis Crouch

Coffey v. OK Foods, 2:21-CV-02200, 2022 WL 738072 (W.D. Ark. Mar. 10, 2022)

Coffey applied for a job with large poultry producer OK Foods (owned by Bachoco). The online application required her to provide substantial personally identifiable information (PII), including her name, SSN, birthdate, etc.  She got the job.  At some point a few years later OK Foods computer system was hacked and Coffey’s information was exposed (along with that of thousands of other employees).   Coffey found out after being provided notice of the breach (as required by law).

Coffey sued OK Foods, bringing a class action for negligence, breach of implied contract, breach of confidence, invasion of privacy, breach of fiduciary duty, and breach of the covenant of good faith and fair dealing.

Concrete Injury for Data Breach: Coffey’s action suffers from the same problems seen in most large PII hacking cases — concrete harm.  Here, Coffey argues that she now suffers from an increased risk of future identity theft.   The defendant pointed the district court toward the 2021 decision in TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021).  In TransUnion, the Supreme Court held that “mere risk of future harm” regarding a credit alert was not sufficiently concrete to satisfy the Constitutional standing requirements.

OK Foods requested dismissal for lack of standing, but the district court found that the allegations future risk in this case was substantial and concrete enough to survive a motion to dismiss. the district court particularly distinguished TransUnion. In that case, there was no evidence that the information had been disseminated to any third-parties.   On the other hand, in Coffee’s case everyone agrees that Coffee’s PII was obtained by a third party.  Coffee also provided evidence of recent unknown requests for credit on her credit report.   For the district court, this setup was enough to demonstrate standing.  The decision here is on the cusp and other courts would have dismissed.  Cases are more likely to proceed when the breach includes financial  or account login information such as user_IDs and passwords.

Arbitration Agreement in Job Application: When Coffee applied for the job, she also clicked “I agree” to a set of terms that included an arbitration agreement.  She argued, however, that the agreement is not binding because she was not provided a copy of the agreement to review and she does not recall ever actually signing the agreement.  The district court noted two problems with OK Foods’ evidence thus far presented: (1) OK Foods did not present the “exact materials” as they appeared on here screen during the 2016 application process; and (2) the download link provided does not show the arbitration package.  In addition, the evidence from OK Foods shows that a digitally signed arbitration agreement dated May 3, 2016, while Plaintiff alleges that she completed her online application in April 2016.

All these competing allegations and proofs create an issue of material fact and so the district court refused compel arbitration at this point.

Next steps in the case:

  • Jury Trial on whether the parties entered into a binding arbitration agreement. 9 U.S.C. § 4.  Note here that jury trials on arbitrability are rarely granted. Rather, the usual approach is for the district court to decide arbitrability based upon a summary judgment standard. Here, however, the court determined that the competing evidence created a sufficient dispute.
  • If no arb, then a trial on Plaintiff’s claims (although D’s will likely attempt to preempt this via summary judgment).

7 thoughts on “Surviving a Motion to Dismiss in a Data Breach Case

  1. 3

    > The decision here is on the cusp and other courts would have dismissed.

    Hence, the caviler attitude most firms take toward data collection / retention. Apparently, including this one:

    >At some point a few years later OK Foods computer system was hacked

  2. 2

    While not really a case for IP, there are some interesting procedural wrinkles, as well as a lower court distinguishing a Supreme Court case that does pique the interest.

  3. 1

    Since this is an individual suit rather than a class action suit, how likely is it that this plaintiff can collect enough damages to pay for this lawsuit unless significant punitive damages can also awarded for employer gross negligence in protecting employee personal data? [Which seems to be rampant, even in government agencies, but rarely compensated.] [Even less so, commercial sellers of the of easily hacked software with no data encryption.]

    1. 1.1


      Sometimes people file lawsuits without regard as to a profit angle on the results.

      I know – tough to believe.

      1. 1.1.1

        Re: those engaging in money-losing-lawsuits: Indeed, especially eccentric lawyers who can afford it, and poorly counseled patent owners, especially as to cert petitions. But not many chicken company employees, as here.


          You quite missed the point there Paul.

          Here’s a hint: some really do fight for principle.

Comments are closed.