Lost in the Clouds: Liability for Personal Information Breaches

This article summarizes several U.S. Court decisions regarding liability in breaches of personal information collected by third-party service providers on the behalf of other organizations. This is just one aspect of a study of information management-related cases that was solicited by the ARMA International Educational Foundation and underwritten by the ARMA Metro New York City Chapter; it is available at armaedfoundation.org.

Organizations have a penchant for capturing increasingly large amounts of information and storing it in distributed systems (i.e., computer networks), but this practice continues to outpace the ability to place adequate and up-to-date controls on the information’s capture and use.

An increasingly important example of this is the capture and use of personal information to process transactions, such as credit card information for a purchase, personal financial data for a mortgage loan application, personal health information for fitness tracking, and a great many other things.

An increasingly important example of this is the capture and use of personal information to process transactions…

In each of these, the consumer uses some sort of web interface (i.e., a browser or an application), which solicits personal information and uploads it to a database someplace. The app and database may be owned by the organization that’s obtaining the data, but often the information collection is done by and through a third party. The volume and variety of information captured in this manner are vast and growing – as are their associated legal issues.

Court Decisions on Data Custody

Often, a key aspect of these legal issues is who has ownership and legal custody of the information. Consider, for example, a data breach involving the theft of consumers’ credit card and financial information, which exposes the consumers to a substantial risk of harm from identity theft and fraudulent credit card use. It might appear as though a lawsuit against the merchant that collected the data would be a slam-dunk, but that is often not the case.

Third Party Owes No Duty of Care

Consider Leibovic v. United Shore Mortg. (2016 U.S. Dist. LEXIS 149584), a class-action case involving a data breach in which personal information provided to a mortgage broker for the purposes of obtaining a mortgage was stolen. The information was collected and stored electronically by a third-party service provider on behalf of the mortgage company.

The service provider moved to dismiss the complaint, arguing that it owed no duty of care to the plaintiffs. The arguments made by the parties required the court to consider the nature and legal status of the service provider’s custody of the data to determine if the service provider could survive a motion to dismiss for the plaintiffs’ failure to state a claim upon which relief could be granted.

The plaintiffs proffered several legal theories to support their claims, including breach of contract, bailment (the transfer of property to another for safekeeping), and unjust enrichment. Prior to ruling, the court considered the applicable precedent and concluded as follows.

The plaintiffs were not in a contractual relationship with the service provider. The service provider had contracted with the mortgage broker, and the plaintiffs were, if anything, third-party beneficiaries, a subject on which the contract was silent and prior cases were conflicting. Although the court let the breach of contract claim proceed, the plaintiffs nonetheless faced an uphill battle. Before prevailing on the merits, they would first have to demonstrate that a contract that contained no such provisions nonetheless contemplated granting them rights as third-party beneficiaries.

The court rejected the bailment claim and with it the assertion that the contractor owed them a duty of care that required returning or accounting for the information it had obtained. In the court’s view, there was no basis for a reasonable expectation of these things based on the relationship between the parties.

The court observed that to prevail on a claim of unjust enrichment, the plaintiffs must show two things:

  1. The receipt of a benefit by the contractor from them
  2. An inequity resulting to them because of the retention of the benefit by the contractor

Citing prior cases, the court concluded there must be prior contact between the plaintiffs and the contractor. The court rejected the unjust enrichment claim on this last basis alone. But, given the lack of any kind of contractual relationship between the parties, proving the first two points would have been very difficult as well.

Plaintiff’s Location Matters

An equally problematic situation arose in In re Target Corp. Customer Data Breach Litig. (66 F. Supp. 3d 1154 (D. Minn, 2014)), a case also involving a data breach. Target sought to have the plaintiff’s claims dismissed, and as in Leibovic v. United Shore Mortg., the court’s ruling was dependent upon the specifics of state law from a number of states and the precise facts alleged.

…the plaintiffs found themselves in a situation where some had potential remedies in the class action and others did not, based upon their state of residence.

For one, suit could be brought as a class action only for some states because class actions are precluded by consumer protection statutes in many states. Additionally, claims that Target failed to notify consumers of the data breach were likewise precluded in many states because breach notification statutes in those states vested enforcement authority exclusively in a state official.

In analyzing these and many other claims, arguments, and counter-arguments, the court analyzed dozens of state statutes, often without the benefit of much prior case law to guide it. And given the variability of state laws, the plaintiffs found themselves in a situation where some had potential remedies in the class action and others did not, based upon their state of residence.

Another case that illustrates the unsettled state of the law, and with it the lack of remedies for consumers, is In re Hannaford Bros. Co. Customer Data Sec. Breach Litig. (613 F. Supp. 2d 108, 2009 U.S. Dist. LEXIS 41300). Here, there court concluded that under Maine law there is no implied warranty of fitness for a credit card payment system, and there is no duty to notify consumers of a data breach.

This rather surprising ruling effectively means that in the absence of some other remedy, a merchant or contractor processing credit card transactions has no duties at all to the consumers respecting data security for the transaction or any duty of care to mitigate the harm to them in the event of a breach. (In this case, the court allowed the plaintiffs to proceed with a theory that the contract of which the credit card transaction was a part contained an implied data security clause.)

Injury in Breach Is Presumed

The landscape is not uniform, however. In Remijas v. Neiman Marcus Grp. LLC (794 F.3d 688, 693 (7th Cir. 2015)), the court took a much different approach, concluding that consumers did not have to “wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”

Breach Gives No Legal Standing

Still other courts have concluded that a data breach does not give rise to standing in any circumstance. In In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig. (45 F. Supp. 3d 14, 2014 U.S. Dist. LEXIS 64125), the court concluded that neither prospective future damages from theft of personally identifiable information nor actual costs, such as the costs of remediation measures (e.g., credit monitoring), were sufficient to give standing.

U.S.’s Unsettled Legal Environment

These cases illustrate the legal vacuum within which parties often operate in this kind of scenario: consumers hand off sensitive personal information to what they believe is a merchant they are in a business arrangement with. In fact, the information may be going to an anonymous third party for processing, and when there is an issue, it turns out that the lack of a relationship with that third party may well preclude any meaningful remedy against that third party.

Even when there is a direct contractual relationship between the parties, vagaries and variations in state law create an uneven and unsettled landscape in which outcomes are uncertain, and rights and responsibilities are uncertain or undetermined. The potential for this sort of scenario is widespread – personal information of all sorts is commonly collected and processed in transactions like those above.

EU’s Comprehensive Protection

This situation stands in stark contrast to that in the European Union (EU). The recently enacted General Data Privacy Regulation (GDPR) sets forth a comprehensive set of duties for every party involved in the collection of personal information, and it clearly allocates liability for breaches and other data mishandling.

Had the above cases taken place within the jurisdiction of the EU, in every case the merchant and any third-party processor would unquestionably have been jointly liable for all consumer damages, and they likely would have been hit with hefty regulatory penalties.

EU’s Comprehensive Protection

This situation stands in stark contrast to that in the European Union (EU). The recently enacted General Data Privacy Regulation (GDPR) sets forth a comprehensive set of duties for every party involved in the collection of personal information, and it clearly allocates liability for breaches and other data mishandling.

Had the above cases taken place within the jurisdiction of the EU, in every case the merchant and any third-party processor would unquestionably have been jointly liable for all consumer damages, and they likely would have been hit with hefty regulatory penalties.

U.S. Landscape Slowly Changing

At present, no U.S. laws go to the extent that the GDPR does in protecting personal information.

The landscape in the United States is changing, albeit slowly. Earlier this year, California passed the California Consumer Privacy Act of 2018, which grants consumers a series of rights very similar to those in the GDPR, including disclosure rights, opt-out rights, and the right to prevent continued retention and re-use of their information. This act, and other new ones like it, also obligate businesses to destroy personal information in secure ways to minimize the risk of theft.

At present, no U.S. laws go to the extent that the GDPR does in protecting personal information. These state laws are merely the first step in what will undoubtedly be much more comprehensive governance of personal information. There is likely to be much more comprehensive and clear assignment of responsibility and liability in cases of data breach or loss, as well as many more readily available remedies for consumers when an issue arises.

A Contractual Remedy

In the meantime, what can be done to deal with this uncertain landscape? A remedy is surprisingly simple: clearly state the rights and responsibilities of all parties to the contract. Many of the cases cited here involved contracts that were silent on the questions of data ownership, data responsibilities, and data rights.

A contract is essentially private law, and in the absence of statutes and case decisions, it operates perfectly well to adjudicate rights and responsibilities among the contracting parties. In all cases referenced in this article, clear contract language and transparent disclosure of that language would have gone a long way toward eliminating the uncertainty the parties faced. As with so many things, clarity and disclosure can prevent many problems.

See the Full Report

The full, 40-page report “Information Management and the Courts: An Update” discusses U.S. court decisions related to these topics: “Custody, Ownership and Control,” Data Breaches and Liability,” “Discovery and Spoliation,” and “Records and Information Policies.” Issued in August 2018, it is available for download free of charge from ARMA International Educational Foundation.

[ls_content_block id=”430″]

Author

  • John C. Montaña, J.D., FAI, is founder and principal of Montaña and Associates, a full service records and information management and information governance consulting firm. In addition to writing How to Develop a Retention Schedule, Montaña has co-authored several other books and written dozens of articles. Montaña is a Fellow of ARMA International and a member of the group that developed the Generally Accepted Recordkeeping Principles®. He holds a juris doctor degree from the University of Denver. Montaña can be contacted at jcmontana@montana-associates.com.

(Visited 834 times, 1 visits today)

About the Author

John Montaña, J.D., FAI
John Montaña, J.D., FAI
John C. Montaña, J.D., FAI, is founder and principal of Montaña and Associates, a full service records and information management and information governance consulting firm. In addition to writing How to Develop a Retention Schedule, Montaña has co-authored several other books and written dozens of articles. Montaña is a Fellow of ARMA International and a member of the group that developed the Generally Accepted Recordkeeping Principles®. He holds a juris doctor degree from the University of Denver. Montaña can be contacted at jcmontana@montana-associates.com.

John Montaña, J.D., FAI

John C. Montaña, J.D., FAI, is founder and principal of Montaña and Associates, a full service records and information management and information governance consulting firm. In addition to writing How to Develop a Retention Schedule, Montaña has co-authored several other books and written dozens of articles. Montaña is a Fellow of ARMA International and a member of the group that developed the Generally Accepted Recordkeeping Principles®. He holds a juris doctor degree from the University of Denver. Montaña can be contacted at jcmontana@montana-associates.com.