Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

The Southern District of Florida Weighs In On Data Breach Lawsuits

Posted in Data Breach, Data Security, Lawsuits

Late last week, another Federal District Court (the Southern District of Florida) weighed in on the circumstances under which a plaintiff may sue a breached entity civilly for damages when the plaintiff’s personally identifiable information (PII) is inappropriately accessed or acquired.  The Court allowed the case to proceed with counts for violation of Florida’s Unfair and Deceptive Trade Practices Act and negligence (assuming Plaintiff can clarify the damages he is seeking).

In Burrows v. Purchasing Power, LLC, No. 1:12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), the court denied a motion to dismiss a class action lawsuit arising from a data breach.  According to the allegations of the lawsuit, Defendant Winn-Dixie shared Plaintiff’s PII (without his consent) with Defendant Purchasing Power to help Purchasing Power implement a program that allowed Winn-Dixie’s employees to purchase merchandise via automatic payroll deductions.  In January 2012, Winn-Dixie notified Plaintiff that a Purchasing Power employee had inappropriately accessed Winn-Dixie employees’ PII.  Plaintiff alleges that Winn-Dixie and Purchasing Power knew of this access three months earlier.  Plaintiff claims that his PII was used to file a fraudulent federal income tax return in his name, causing him to incur credit monitoring costs to protect against identity theft and leaving him continually exposed to further identity theft because his PII has been accessed.

Defendants moved to dismiss the lawsuit on several grounds, which are discussed in turn below:

I. Standing

The Court held that Plaintiff had standing to proceed.  Defendants argued that Plaintiff lacked standing because he has not suffered an injury in fact and because his injury is not “fairly traceable” to Defendants.  The Court rejected this argument, citing the U.S. Court of Appeals for the Eleventh Circuit’s recent decision in Resnick v. AvMed as support for the proposition that the alleged misuse of an individual’s PII amounts to an injury in fact.  The Southern District Court determined that Plaintiff suffered a monetary loss when he failed to obtain his tax refund due to fraud.  Defendants argued that Plaintiff’s injury was speculative because Plaintiff has not yet even challenged the denial of his tax refund with the IRS.  The Court rejected the argument, ruling that the allegation of actual identity theft alone gave Plaintiff standing, independent of any economic damages he claimed to have suffered.  The Court also ruled that Plaintiff’s injury was “fairly traceable” to Defendants’ actions, relying in part on the allegation that Plaintiff’s PII was misused within months of the breach.

II. Negligence (Count I)

The Court dismissed Plaintiff’s negligence count without prejudice, so that Plaintiff can clarify some of the damages he is seeking.  Plaintiff alleged that Defendants were negligent in storing his personal data, causing him to suffer monetary loss from the use of his PII and identity theft, loss of privacy, lost monetary value of his PII, and out-of-pocket expenses.  The Court held that Plaintiff “sufficiently alleged facts to support his claims for damages resulting from the monetary loss from the use of this PII and identity theft.”  The Court did not, however, allow Plaintiff to recover damages for the “monetary value of his PII” (perhaps in contrast to the RockYou decision, the Court held that “[p]ersonal data does not have an apparent monetary value that fluctuates like the price of goods or services”).  The Court also required Plaintiff to clarify what “other economic damages” he suffered.  Finally, the Court rejected Plaintiff’s claim for loss-of-privacy damages because invasion of privacy is an intentional tort that cannot be pleaded as part of a negligence claim.

III. Violation of the Federal Stored Communications Act (FSCA) (Count II)

The Court dismissed the FSCA count with prejudice.  Plaintiff claimed that Defendants violated the FSCA, which makes it unlawful for an entity providing an electronic communications service or a remote computing service to the public to knowingly divulge to any person or entity the contents of any communication that is carried or maintained on that service.  Defendants argued successfully that the count should be dismissed because they do not provide an electronic communications service or a remote computing service to the public.

IV. Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) (Count III)

The Court denied Defendants’ motion to dismiss Plaintiff’s FDUTPA claim.  Plaintiff alleged that Defendants violated FDUTPA by:  (1) failing to implement adequate, commercially reasonable security measures to protect Plaintiff’s PII; (2) failing to immediately notify Plaintiff of the nature and extent of the data breach; and (3) representing their services to be of a particular standard and quality to which they failed to adhere.

The Court held that Defendants’ alleged failure to adequately secure Plaintiff’s PII was an unfair practice under FDUTPA because Winn-Dixie allegedly transferred to Purchasing Power the personal data of Winn-Dixie’s employees regardless of whether those employees had participated in the Purchasing Power program.

On Plaintiff’s second theory—Defendants’ alleged failure to immediately notify Plaintiff of the breach—the Court again agreed with Plaintiff that this was unfair.  The Court stated that by not “immediately” notifying Plaintiff that his PII had been compromised, Defendants did not afford Plaintiff the chance to take remedial measures such as credit monitoring or filing his federal tax return earlier.  As I read this portion of the opinion, I question whether the Court’s use of the term “immediately” unintentionally creates an obligation to notify affected individuals of a breach sooner than the “without unreasonable delay” standard currently set forth in section 817.5681(1)(a), Florida Statutes (2012) (Florida’s data breach notification law).

The Court did not appear to address Plaintiff’s third theory of FDUTPA violation—Defendants’ representation that their services were of a particular standard and quality that they failed to meet.

V. Invasion of Right to Privacy (Count IV)

The Court dismissed Plaintiff’s count for invasion of the right to privacy.  Plaintiff had relied on Florida’s constitutional right to privacy, which the Court dismissed with prejudice because Defendants were not acting on behalf of the government.  Plaintiff also relied on the common law right to privacy, which the Court likewise dismissed (though without prejudice) because any release of Plaintiff’s PII, as alleged, was not intentional.

Plaintiff must file an Amended Complaint no later than October 26th.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

  • Lee

    Helpful summary

  • http://twitter.com/scheidell SecurityPrivateers

    /* not a lawyer, just playing on the internet */
    I think the real momentum is in this: “Defendants argued that Plaintiff lacked standing because he has not suffered an injury in fact and because his injury is not “fairly traceable” to Defendants. The Court rejected this argument, citing to the Eleventh U.S. Circuit Court’s recent decision in Resnick v. AvMed as support for the proposition that the alleged misuse of an individual’s PII amounts to an injury in fact. ”
    As we continue to move forward with privacy breach claims, the potentially injured party is considered injured in fact of law due to the breach. Without the necessity of actually providing any additional damage beyond the breach of the PII. I believe this was also the case of avmed, google ‘hard disk breach avmed’. They lost two hard drives, that contained 1.2MM names, PII

    More specifically, two of the plaintiffs have alleged harm due to AvMed’s carelessness when it comes to mobile data protection:

    Ms. Jauna Curry, whose information was used 10 months after the incident to open a Bank of America account and credit cards (that were used).

    Mr. William Moore, whose information was used 14 months after the incident to open an E-Trade account that was overdrawn.

    /* on soap box */

    Between these two rulings, no longer can we ‘hope and pray’ when a tape, or disk, or laptop goes missing.

    The injury happened IMMEDIATELY, when the unencrypted PII was lost. I contend that the POTENTIAL injury happened as soon as the unencrypted PII was stored.

    With built-in whole disk encryption on today’s laptops, and easy-to-use encryption on CD-ROMs and thumb drives, there is no excuse not to encrypt all mobile data. Let alone all data at rest.

    (ps, did you store your company’s PII in the cloud? did YOU encrypt it? is it stored in the US or offshore?)