Lost in the Clouds: Liability for Personal Information Breaches
This article summarizes several U.S. court decisions regarding liability for breaches of personal information collected by third-party service providers on behalf of other organizations. This is just one aspect of a study of information management-related cases that was solicited by the ARMA International Educational Foundation and underwritten by the ARMA Metro New York City Chapter; it is available at armaedfoundation.org.
Organizations have a penchant for capturing increasingly large amounts of information and storing it in distributed systems (i.e., computer networks), but this practice continues to outpace the ability to place adequate and up-to-date controls on the information’s capture and use.
An increasingly important example of this is the capture and use of personal information to process transactions, such as credit card information for a purchase, personal financial data for a mortgage loan application, personal health information for fitness tracking, and a great many other things.
In each of these, the consumer uses some sort of web interface (i.e., a browser or an application), which solicits personal information and uploads it to a database someplace. The app and database may be owned by the organization that’s obtaining the data, but often the information collection is done by and through a third party. The volume and variety of information captured in this manner are vast and growing – as are their associated legal issues.
Court Decisions on Data Custody
Often, a key aspect of these legal issues is who has ownership and legal custody of the information. Consider, for example, a data breach involving the theft of consumers’ credit card and financial information, which exposes the consumers to a substantial risk of harm from identity theft and fraudulent credit card use. It might appear as though a lawsuit against the merchant that collected the data would be a slam-dunk, but that is often not the case.
Third Party Owes No Duty of Care
Consider Leibovic v. United Shore Mortg. (2016 U.S. Dist. LEXIS 149584), a class-action case involving a data breach in which personal information provided to a mortgage broker for the purposes of obtaining a mortgage was stolen. The information was collected and stored electronically by a third-party service provider on behalf of the mortgage company.
The service provider moved to dismiss the complaint, arguing that it owed no duty of care to the plaintiffs. The parties’ arguments required the court to consider the nature and legal status of the service provider’s custody of the data in order to decide whether the plaintiffs’ claims could survive the motion to dismiss for failure to state a claim upon which relief could be granted.
The plaintiffs proffered several legal theories to support their claims, including breach of contract, bailment (the transfer of property to another for safekeeping), and unjust enrichment. Prior to
The plaintiffs were not in a contractual relationship with the service provider. The service provider had contracted with the mortgage broker, and the plaintiffs were, if anything, third-party beneficiaries, a subject on which the contract was silent and prior cases were conflicting. Although the court let the breach of contract claim proceed, the plaintiffs nonetheless faced an uphill battle. Before prevailing on the merits, they would first have to demonstrate that a contract that contained no such provisions nonetheless contemplated granting them rights as third-party beneficiaries.
The court rejected the bailment claim and with it the assertion that the contractor owed them a duty of care that required returning or accounting for the information it had obtained. In the court’s view, there was no basis for a reasonable expectation of these things based on the relationship between the parties.
The court observed that to prevail on a claim of unjust enrichment, the plaintiffs must show two things:
- The receipt of a benefit by the contractor from them
- An inequity resulting to them because of the retention of the benefit by the contractor
Citing prior cases, the court concluded there must be prior contact between the plaintiffs and the contractor. The court rejected the unjust enrichment claim on this last basis alone. But, given the lack of any kind of contractual relationship between the parties, proving the first two points would have been very difficult as well.
Plaintiff’s Location Matters
An equally problematic situation arose in In re Target Corp. Customer Data Breach Litig. (66 F. Supp. 3d 1154 (D. Minn. 2014)), a case also involving a data breach. Target sought to have the plaintiffs’ claims dismissed, and as in Leibovic v. United Shore Mortg., the court’s ruling depended on the specifics of the laws of a number of states and on the precise facts alleged.
For one,
In analyzing these and many other claims, arguments, and counter-arguments, the court analyzed dozens of state statutes, often without the benefit of much prior case law to guide it. And given the variability of state laws, the plaintiffs found themselves in a situation where some had potential remedies in the class action and others did
Another case that illustrates the unsettled state of the law, and with it the lack of remedies for consumers, is In re Hannaford Bros. Co. Customer Data Sec. Breach Litig. (613 F. Supp. 2d 108, 2009 U.S. Dist. LEXIS 41300). Here,
This rather surprising ruling effectively means that in the absence of some other remedy, a merchant or contractor processing credit card transactions has no duties at all to the consumers respecting data security for the transaction or any duty of care to mitigate the harm to them in the event of a breach. (In this case, the court allowed the plaintiffs to proceed with a theory that the contract of which the credit card transaction was a part contained an implied data security clause.)
Injury in Breach Is Presumed
The landscape is not uniform, however. In Remijas v. Neiman Marcus Grp. LLC (794 F.3d 688, 693 (7th Cir. 2015)), the court took a much different approach, concluding that consumers did not have to “wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
Breach Gives No Legal Standing
U.S.’s Unsettled Legal Environment
These cases illustrate the legal vacuum within which parties often operate in this kind of scenario: consumers
Even when there is a direct contractual relationship between the parties, vagaries and variations in state law create an uneven and unsettled landscape in which outcomes are uncertain and rights and responsibilities are often undetermined. The potential for this sort of scenario is widespread – personal information of all sorts is routinely collected and processed in transactions like those described above.
EU’s Comprehensive Protection
This situation stands in stark contrast to that in the European Union (EU). The recently enacted General Data Protection Regulation (GDPR) sets forth a comprehensive set of duties for every party involved in the collection and processing of personal information, distinguishing the controller (the organization that decides why and how data is processed) from the processor (a third party that processes it on the controller’s behalf), and it clearly allocates liability for breaches and other data mishandling.
Had the above cases taken place within the jurisdiction of the EU, the question of who owed the consumers a duty would not have been open: the GDPR makes both the controller and its processor answerable for damage caused by noncompliant processing, so the merchant and any third-party processor could have been held liable for consumer damages, and they likely would also have faced substantial regulatory penalties.
U.S. Landscape Slowly Changing
The landscape in the United States is changing, albeit slowly. Earlier this year, California passed the California Consumer Privacy Act of 2018, which grants consumers a series of rights very similar to those in the GDPR, including disclosure rights, opt-out rights, and the right to prevent continued retention and re-use of their information. This act, and other new ones like it, also obligate businesses to destroy personal information in secure ways to minimize the risk of theft.
At present, no U.S. laws go to the extent that the GDPR does in protecting personal information. These state laws are merely the first step in what will undoubtedly be much more comprehensive governance of personal information. There is likely to be much more comprehensive and clear assignment of responsibility and liability in cases of data breach or loss, as well as many more readily available remedies for consumers when an issue arises.
A Contractual Remedy
In the meantime, what can be done to deal with this uncertain landscape? A remedy is surprisingly simple:
A contract is essentially private law, and in the absence of statutes and case decisions, it operates perfectly well to adjudicate rights and responsibilities among the contracting parties. In all cases referenced in this article, clear contract language and transparent disclosure of that language would have gone a long way toward eliminating the uncertainty the parties faced. As with so many things, clarity and disclosure can prevent many problems.
See the Full Report
The full, 40-page report “Information Management and the Courts: An Update” discusses U.S. court decisions related to these topics: “Custody, Ownership
About the Author
- John C. Montaña, J.D., FAI, is founder and principal of Montaña and Associates, a full service records and information management and information governance consulting firm. In addition to writing How to Develop a Retention Schedule, Montaña has co-authored several other books and written dozens of articles. Montaña is a Fellow of ARMA International and a member of the group that developed the Generally Accepted Recordkeeping Principles®. He holds a juris doctor degree from the University of Denver. Montaña can be contacted at jcmontana@montana-associates.com.