Plaintiffs in data breach cases have tried many theories of recovery, including negligence, negligence per se, violations of state data protection statutes, violations of the Fair Credit Reporting Act, breach of fiduciary duty, and violations of the constitutional right to privacy, with mixed results.
Courts have rejected many of these claims, but plaintiffs and regulators are increasingly having success with allegations of unfair business practices. At the federal level, the Federal Trade Commission (“FTC”) has used this approach to obtain some of the largest breach settlements, including a $1.6 million settlement with Ashley Madison. We are now seeing a rise in state-law consumer protection cyber cases, which are attractive to plaintiffs because these laws exist in every state and are interpreted liberally by courts.
The Massachusetts Attorney General filed a complaint against Equifax in September alleging violations of the Massachusetts Consumer Protection Act (“CPA”), and numerous individuals and entities nationwide are also bringing CPA claims against Equifax in other actions. For instance, Montana residents and consumers have filed a class action claiming that Equifax violated Montana’s CPA and engaged in unfair or deceptive practices when it continued to accept credit card information before it purged its systems of the hackers’ malware. Plaintiffs in an ongoing suit against Yahoo! alleged, among other things, violations of California’s CPA. The class action brought by banks against Target, which settled for $39 million, alleged violations of multiple states’ CPAs. The Home Depot data breach settlement also included claims for violation of eight CPAs.
Earlier this year, an action was brought by a purported class of financial institutions against Eddie Bauer in the wake of a 2016 data breach that is alleged to have compromised credit and debit card information at approximately 350 Eddie Bauer stores. Recently, the court in that case dismissed the plaintiffs’ common law negligence claim (finding no legal duty), but allowed the unfair and deceptive business practices claim to proceed. Washington’s CPA provides that “unfair or deceptive acts or practices in the conduct of any trade or commerce are . . . unlawful,” and similar language is found in most other state CPAs. The court in Eddie Bauer found that the alleged failure to take proper measures to protect credit card information could constitute an unfair act under the statute. Eddie Bauer had argued that the CPA claims should not proceed because the harm was caused by a criminal third party, but the court rejected that argument and applied a but-for proximate causation standard. The survival of these unfair business practices claims means that we are likely to see more state law CPA cyber cases in the future, and we will be sure to provide updates on interesting developments in this area.