US Privacy & Breach Litigation Monitor
Welcome to the US Privacy & Breach Litigation Monitor
We are pleased to share the latest edition of Kennedys US Privacy & Breach Litigation Monitor. This mailing was created with our clients in mind - to bring you up to speed on the latest topics and trends in data privacy and breach litigation.
Nevada Court Addresses Breach of Implied-Contract Claim in Data Breach Consumer Class Action
“It is difficult to imagine how, in our day and age of data and identity theft, the mandatory receipt of sensitive personal information would not imply the recipient's assent to protect the information sufficiently.” Those words, which have become more and more common in data breach case decisions involving breach of implied contract claims stemming from consumer transactions, were recently echoed by a Nevada federal district court in the matter of Smallman v. MGM Resorts Int'l (D. Nev. Nov. 2, 2022). The decision is wide-ranging and worthy of a read, but it is the foregoing language which is particularly noteworthy. The matter arose from a 2019 data breach of MGM's network in which hackers downloaded the personally identifiable information (“PII”) of Defendant MGM's guests worldwide. Plaintiffs alleged that the stolen PII had been posted on the dark web for purchase on at least three separate occasions, and that cybersecurity journalists observed that the PII of at least 10.6 million MGM guests was available on a dark web hacking forum. Plaintiffs claimed they subsequently faced a long-term heightened risk that their PII would be sold or disseminated on the dark web. The court found that Plaintiffs adequately stated a claim for breach of implied contract where they alleged that they “were required to” provide their PII to Defendant MGM as a condition of staying at its hotels, and that they had the understanding that Defendant MGM, while it held the information, would take adequate measures to protect it. In terms of consideration, the court noted that it was undisputed that Plaintiffs paid for their hotel rooms. Accordingly, although there were no allegations that MGM made any explicit promises as to the ongoing protection of PII, the court found that Plaintiffs had adequately pled their implied contract claims. While this is not the first time a court has reached such a conclusion, this reasoning has picked up traction recently.
Wisconsin Court Addresses Breach of Implied-Contract Claim in Data Breach Employee Class Action
It is important to recognize that the Smallman case described immediately above involved a consumer transaction, which perhaps should have been made clear by the court, because in the context of an employer-employee relationship, the mandatory receipt of PII does not always imply the employer’s implied contractual assent to protect that information. This proposition was recently illustrated by the Court of Appeals of Wisconsin in a November 22, 2022 decision in Janet Reetz v. Advocate Aurora Health, Inc. In Reetz, after a data breach at Aurora in which a phishing scheme compromised employees’ Social Security numbers, bank accounts, birth dates and home addresses, the lead Plaintiff filed a class action complaint. The trial court dismissed the complaint in its entirety, finding not only that Plaintiff lacked standing, but also that her negligence and contract-based claims were deficient. On appeal, the appellate court reversed with respect to standing and negligence, but affirmed dismissal of the breach of implied contract claim. With respect to that claim, as in Smallman, the Plaintiff argued that she had an implied contract with Aurora and that when she provided her PII, Aurora implicitly agreed to safeguard it. Aurora, for its part, argued that it was legally required to collect Plaintiff’s PII, and that Plaintiff’s working at Aurora was not separate consideration that could establish that an implied contract existed. In Wisconsin, the elements of an implied contract are: (1) a benefit conferred upon the defendant by the plaintiff; (2) knowledge or appreciation of the benefit by the defendant; and (3) acceptance and retention by the defendant of such benefit under such circumstances that it would be unfair to retain it without paying the value thereof.
Based on that standard, the court concluded that an implied contract would be an awkward application to the facts because to find that a benefit was conferred upon Aurora by Plaintiff would mean that it was to Aurora’s benefit for Plaintiff to provide her PII. Thus, in the absence of allegations supporting such a conclusion, the court found that it could reasonably be inferred that Aurora needed Plaintiff’s PII to comply with federal and state regulations of employers. This case is easily contrasted with Smallman, where the plaintiff clearly conferred a benefit (money) upon the defendant in connection with the provision of PII.
Illinois Court Rejects Multiple Arguments for Dismissal and Allows BIPA Suit to Proceed
A federal judge denied in part the motion to dismiss filed by cosmetics giant Estée Lauder in a proposed class action Illinois Biometric Information Privacy Act (“BIPA”) suit brought against it in the US District Court for the Northern District of Illinois. The plaintiff alleged that Estée Lauder violated BIPA in the collection of facial-geometry data when users visiting one of the company’s websites engaged a makeup overlay try-on tool that utilized their web cameras. Estée Lauder sought dismissal of the claim on the bases of the presence of an arbitration agreement on its website, failure to state a claim on the merits, lack of personal jurisdiction, and partial lack of Article III standing. To determine whether the plaintiff assented to the arbitration agreement, the court analyzed whether the website adequately communicated all the terms and conditions of the agreement and whether the circumstances supported that the users received actual or constructive knowledge of the terms. As the plaintiff did not claim actual knowledge, constructive knowledge hinged on whether the terms and conditions were presented in clickwrap (which requires a customer to check a box to affirm assent) or browsewrap (simply continuing to use the website implies assent) form. The subject website used browsewrap, which is subject to a fact-intensive review, and the court found the plaintiff sufficiently alleged that the terms were inconspicuous. The court also rejected Estée Lauder’s argument that the plaintiff had constructive notice because of similar BIPA suits against TikTok and L’Oréal, holding that a user is not automatically on notice that any website visited likely has terms and conditions, or of the contents of such terms, just because the user has visited other websites that had them.
Regarding personal jurisdiction, the court had to determine whether Estée Lauder was subject to general jurisdiction (continuous and systematic contact with the state) or specific jurisdiction (when a defendant purposefully directs its activities to or purposefully avails itself of the privilege of conducting business in the state, and the alleged injuries involved in a suit arise from or relate to those contacts). As the plaintiff did not argue for general jurisdiction, the court analyzed whether specific jurisdiction applied. Ultimately, the court held that while operating an interactive website by itself is insufficient to confer specific jurisdiction, Estée Lauder was using the website to purposefully avail itself of the Illinois cosmetics market, which was enough to demonstrate a substantial connection and, therefore, make the company subject to Illinois jurisdiction. On standing, Estée Lauder argued that as the plaintiff only used one website, they lacked the standing to sue on behalf of other users using other websites, as a plaintiff’s individual claim cannot reach beyond their own injuries. The court rejected this argument, holding that it does not decide the scope of a potential class or the plaintiff’s suitability as a class representative at the motion to dismiss stage. Further, the court held that the plaintiff’s injury as alleged was traceable to Estée Lauder and could be redressed by a favorable decision. As such, the court found that the plaintiff had standing. Finally, on the failure to state a claim argument, the court held that the plaintiff sufficiently pled allegations of negligence but failed to sufficiently allege recklessness or intent. Therefore, the court partially dismissed the plaintiff’s claims.
Minnesota Federal Court Rules Cyber Business Interruption and Extra Expense Clause Provides Coverage For Money Lost In Fraudulent Wire Transfer Incident
On November 3, 2022, the federal district court for Minnesota, applying Minnesota substantive law, granted summary judgment to Fishbowl Solutions, Inc. (Fishbowl) in an insurance coverage dispute between Fishbowl and The Hanover Insurance Company (Hanover), finding that a Technology Professional Liability (TPL) policy’s Data Breach Coverage Form, which included a Cyber Business Interruption and Extra Expense clause, provided coverage for losses Fishbowl sustained after a bad actor gained unauthorized access to the email account of Fishbowl’s in-house accountant, impersonated her, and, in so doing, fraudulently caused one of Fishbowl’s clients to send approximately $177,000 in payments intended for Fishbowl to an account controlled by the bad actor. Fishbowl Sols., Inc. v. The Hanover Ins. Co. (D. Minn. Nov. 3, 2022). In doing so, notably, the court rejected Hanover’s argument that a finding of coverage would contradict the overall purpose of the Hanover TPL policy and of business interruption insurance. Looking at the specific language of the Cyber Business Interruption and Extra Expense clause—which, in part, stated that the policy afforded coverage for “actual loss of ‘business income’ . . . incurred by [Fishbowl] . . . directly resulting from a ‘data breach’ . . . which result[ed] in an actual impairment or denial of service of ‘business operations’ during the ‘policy period’”—the court distinguished that language from policies insuring against losses from an “interruption” of the insured’s business. The court concluded that the use of “impairment” rather than “interruption” in the Cyber Business Interruption and Extra Expense clause demonstrated that the policy “specifically grant[ed] coverage when a business suffer[ed] something less than a total suspension of operations.” For that and other reasons, the court concluded that a finding of coverage “conform[ed] to the type of business interruption contemplated by the explicit terms of the TPL Policy . . . .”
Reminder that in the Absence of the Substantial Possibility of Data Theft, Plaintiffs Cannot Inflict Harm on Themselves to Confer Article III Standing
There is no shortage of decisions addressing Article III standing in the context of data breach class actions. (Article III of the federal US Constitution limits the judicial power of the federal courts to actual cases and controversies, and to establish that a case or controversy exists, the party asserting federal jurisdiction must show that they have suffered an injury-in-fact that is fairly traceable to the challenged action. In other words, the plaintiff must establish that they personally suffered an injury, or that a (concrete) injury is (substantially) likely to occur.) What has become abundantly clear in these Article III decisions is that when plaintiffs fail to allege that their (or other class members’) PII has been stolen or misused, they cannot assert standing because they have not suffered any injury. Plaintiffs have tried (and almost universally failed) to cure this type of pleading deficiency by alleging that they spent time and money to monitor their credit accounts due to alleged breaches. However, as the court in Webb v. Injured Workers Pharmacy, LLC (D. Mass. Oct. 17, 2022) recently reiterated, a plaintiff cannot manufacture standing merely by inflicting hypothetical future harm on themselves. When allegations rest entirely on the future possibility that an unauthorized third party will, at some undetermined time, misuse an individual’s PII, that potential harm is not sufficiently threatening to establish an injury in fact sufficient to confer on the individual standing to sue in federal court.
To view our full newsletter, click here: Privacy & Breach Litigation Monitor - November 29, 2022