August 17, 2011
Ikon Office Solutions Had no Duty to Disclose That Office Equipment Retained Data -- Putnam Bank v. Ikon Office Solutions
[Post by Venkat Balasubramani]
Putnam Bank v. Ikon Office Solutions, Inc., 10-cv-1067 (WWE) (D. Conn.; July 5, 2011)
Putnam Bank filed a putative class action on behalf of those who purchased and leased office equipment from Ikon, alleging that Ikon improperly failed to disclose that this type of equipment automatically saved images of documents that had been printed, faxed, scanned, or copied. The complaint alleged that not only did Ikon fail to disclose this, but Ikon also failed to destroy the data when such equipment was returned. The complaint further alleged that Ikon knew or should have known that the equipment would be used to fax, print, scan and copy documents which contained sensitive information (e.g., social security numbers, birthdates, medical records, and business data). Putnam sued under Connecticut's unfair trade practices statute, under general negligence and breach of contract theories, and under Connecticut's data breach statute.
Did Ikon Have a Duty to Disclose? A key question relevant to the negligence, unfair trade practice and data breach statute claims: did Ikon have a duty to disclose in the first place? Negative, says the court. According to the court, the data breach statute "is directed to businesses that collect or keep personal information." Ikon does neither by incidentally coming into contact with personal information that its customers have placed on office equipment that Ikon leased out. Additionally, the data breach statute only kicks in where there has been a breach, and Putnam failed to allege that "a breach of security [had] occurred."
The allegations regarding identity theft were, as usual, too speculative:
The amended complaint does not allege facts establishing a reasonable belief that an unauthorized person has accessed personal information from the office equipment used by Putnam. The allegations are confined to an undetermined degree of risk of identity theft.
Was Ikon bound to disclose by its implied duty to act in good faith? Putnam pointed to the implied duty of good faith and fair dealing as a basis for Ikon's duty to disclose. This duty requires a party to not take action that "would injure the other party's right to receive the benefits of the contract." The court found that the complaint did not include allegations of bad faith on Ikon's part. Putnam argued that the lease agreement did not address "the storage devices in office equipment," but the court says that this is not indicative of bad faith.
Was there a common law duty to disclose? Putnam also argued that Ikon had a common law duty to disclose. The key question on this issue was whether it was foreseeable to Ikon that leasing equipment would create a risk of its customers having to incur expenses associated with credit monitoring and ID-theft prevention. This turned on whether reasonable business persons in Ikon's position would expect disclosure of the risk in question. The court says no. The "essence of the transactions between Putnam and Ikon was the lease of office equipment, not the protection of data that would be saved on the equipment." There was no allegation that Ikon knew that Putnam was unfamiliar with the data storage aspect of the equipment or that Putnam expected digital storage to be covered by the lease.
Did Ikon have a contractual obligation to disclose? Finally, the court dismisses Putnam's contract-based argument. The agreement was silent on the issue of data security. Putnam tried to argue that "common trade practice" was to imply a term as to data security but the court is unswayed.
It's become entirely predictable that data breach plaintiffs will be rebuffed if they don't assert any out-of-pocket losses. Courts have said time and time again that data breach plaintiffs who don't suffer out-of-pocket costs cannot maintain a claim, and that the cost of monitoring is not damage that the law typically provides compensation for. Here, the plaintiff tried to argue that the data breach statute required disclosure. Not only was there no breach to speak of, the court questioned whether the statute applied to Ikon at all, since it did not collect any information.
Users of office equipment should obviously have some control over whether data is stored and erased when this equipment is returned to vendors such as Ikon. In some instances, the users may not want their data to be stored at all. But for some reason, many machines are manufactured to store such data. I wondered about whether manufacturers provide a mechanism and instructions on how to wipe hard drives on office equipment. A quick Google search unearthed this LifeHacker post which advised on erasing a copy machine's hard drive ("Erase Your Copy Machine’s Hard Drive to Wipe Important Documents"):
most manufacturers provide exact instructions on how to clear this data, so check your machine's manual before you get rid of it.
It looks like many manufacturers or vendors provide some instructions and a mechanism for making sure data is wiped from the equipment. But the court did not place responsibility on the vendor in this case to make sure this issue was addressed. It would have been nice to see some details around manufacturer/vendor practices and whether information on how to wipe the particular pieces of equipment in question was readily available (i.e., in the equipment manuals) but the court did not delve into this issue. Obviously individual employees may not have much control over storage and deletion of digital images, so they may want to avoid using office equipment to copy highly personal documents.
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit -- Krottner v. Starbucks
9th Circuit Affirms Rejection of Data Breach Claims Against Gap -- Ruiz v. Gap
The [Non]enforceability of Privacy Promises--Pinero v. Jackson Hewitt
Acxiom Not Liable for Security Breach--Bell v. Acxiom
Posted by Venkat at August 17, 2011 11:14 AM | Privacy/Security