Litigation risk in data breach increasing as courts inch ever closer to private rights of action
by Stephen E. Meltzer, Esq., CIPP
The case of McLoughlin v. People’s United Bank, 2009 WL 2843269 (D. Conn.) (August 31, 2009) (“PUB” Case), illustrates a trend toward granting private rights of action in data breach cases. The tipping point is nearing as more and more jurisdictions analyze the issues. In the PUB Case, backup tapes containing bank customer personal information were lost by The Bank of New York Mellon Corporation, Inc., a third-party data processor of the banking information for PUB. The tapes were unencrypted and were stolen out of an unattended truck with a broken lock.
Standing
PUB first argued that the plaintiffs lacked standing, that they had no “injury in fact.” Noting a growing trend among other jurisdictions, the McLoughlin Court (the District Court for the District of Connecticut) considered the data loss “an increasingly common scenario in this nation: one where . . . personal information is missing, has not yet been misused, but where the plaintiff’s fear [sic] that it will be used improperly and to their financial detriment.” The test for standing, for an “injury in fact,” according to the Court, is fairly easily satisfied. The plaintiffs need only show “simply . . . the fear or anxiety of future harm.”
Unfair Trade Practices
The commonly pursued state-law allegations of unfair and deceptive business practices were analyzed in the PUB Case under the Connecticut Unfair Trade Practices Act (“CUTPA”). CUTPA, like many state deceptive practices statutes, requires that a plaintiff suffer “ascertainable loss of money or property.” The plaintiffs argued that their ascertainable loss was the “increased risk of identity theft.” Citing a Maine decision under the Maine Unfair Practices Act, the Court concluded that “only the risk of injury and no actual misuse of the stolen . . . data,” does not rise to the level of an ascertainable loss. Practitioners and entity counsel should be wary, however, of the many jurisdictions that do allow actions for unfair trade practices without injury (Massachusetts for one) and those jurisdictions that interpret the unfair trade practice legislation broadly in favor of consumers (again, Massachusetts and many others). This is particularly important to note in light of the new and strict Massachusetts data security legislation which goes into effect on March 1, 2010.
Negligence
The Court’s decision on this issue turned on the difference between “speculation as to a possible risk of injury,” which is not actionable under a negligence theory, and a situation where there is proof of a “rational basis for the fear that the data would be misused.” This distinction creates a fine factual line of inquiry which may turn on subtle differences in the actual circumstances of the loss of the data, and on the Courts that are analyzing the issue. As a litigator and a risk manager, this is not a distinction to leave up to chance.
Breach of Fiduciary Duty
The plaintiff in the PUB Case also claimed that the bank had a fiduciary duty to protect the data, and that it breached that duty. Again, similar to the negligence analysis, actual harm is necessary (in the applicable jurisdiction) for the plaintiffs to sustain this cause of action. The decision is, however, instructive to plaintiffs, and it is easy to imagine a way to plead, and to show, some actual and immediate damages based upon the loss of the data.
Private rights of action will only increase the litigation risk: they increase the tools for bringing action against data-challenged entities, and they lower plaintiffs’ barriers to bringing the actions. They also increase the potential awards to classes of plaintiffs, which may attract more attention from the plaintiffs’ bar.