Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

October 31, 2012 · by Venkat Balasubramani · in E-Commerce, Privacy/Security

Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012) [pdf]

This is another data breach lawsuit. Some of the claims survive defendants’ motion to dismiss.

Purchasing Power runs a preferred purchasing (or discount purchasing) program for Winn-Dixie employees. It offers Winn-Dixie employees the ability to pay for items purchased via automatic payroll deductions. In October 2011, Purchasing Power and Winn-Dixie learned that a Purchasing Power employee had obtained the personal information of Burrows (the named plaintiff) and other Winn-Dixie employees. data breach.jpg Burrows alleged that when he went to file his 2012 tax return, he was advised that a return had already been filed in his name, and therefore Burrows could not get the refund that he was owed. He sued Winn-Dixie and Purchasing Power, alleging negligence, violations of the Stored Communications Act and the Florida Deceptive Trade Practices Statute, and invasion of privacy.

Standing: Defendants argued that Burrows did not suffer any actual monetary loss, and Burrows had not taken up with the IRS the issue of whether he could obtain his refund–i.e., he hadn’t exhausted his remedies with the IRS. The court disagrees and says that by alleging “actual identity theft,” Burrows satisfies standing, regardless of any monetary loss. The court notes that even in Reilly v. Ceridian, an Eleventh Circuit data breach case that took a narrow view of standing, the court intimated that risk of future identity theft is not sufficient but found that actual misuse of information would be sufficient.

Negligence: The court says that Burrows’ allegation “for monetary loss for the use of his PII and identity theft” sufficiently alleges a claim for negligence. However, it also says that his allegation as to the “lost monetary value of his PII” is insufficient. The court grants the motion and denies it in part with respect to the negligence claim. I found the ruling on the negligence issue somewhat confusing, but the big takeaway is that his allegation of identity theft sufficiently states a claim for negligence.

Stored Communications Act: The court dismisses the Stored Communications Act because Burrows doesn’t allege that defendants either offer Electronic Communications Services or Remote Computing Services as defined under the SCA.

FDUTPA: The court denies the motion with respect to the deceptive trade practices statute based on several allegations: (1) defendants failed to adequately secure the PII, (2) defendants allegedly transferred the personal data of employees regardless of their participation in the purchase program; and (3) defendants failed to notify Burrows promptly of the data breach.

Invasion of Privacy: The court dismisses the invasion of privacy claim on the basis that it’s an intentional tort and there was no allegation that defendants intended to compromise the employees’ personal information.

Data breach plaintiffs have historically gotten blasted in court, but this marks the second or third ruling where the court finds standing and allows claims to move forward. What accounts for the different results? One way to explain it is that if there’s actual evidence that your personal data has been misused, and this misuse is not obviously financially covered elsewhere (e.g., by a bank refund or reversal of charges), then you have enough damages to bring a claim. The risk of identity theft is still not sufficient for most courts. The claims themselves are still all across the board. In a recent California case, the court applied the rule barring economic damages without physical injury or an exception to the rule in the form of a special relationship. The court in this case doesn’t discuss this issue at all; perhaps under Florida law, plaintiff could have easily alleged a special relationship (e.g., employer / employee). It’s tough to know whether this is part of a larger trend, or a few outlier rulings. Either way, this ruling is broad in some respects (in allowing negligence and finding that the mere transfer of information for all employees or failure to notify affected parties quickly enough could constitute a deceptive trade practice).

Resolution of the Stored Communications Act was worth noting; it’s an affirmation that entities who do not provide computing services to the public do not fall under the statute. I would have thought that plaintiff may have had an argument with respect to Purchasing Power, who was in the business of facilitating the purchases and would presumably deal with a fairly large segment of the public in situations involving the transfer of information between its client/employers and employees.

Most data breach rulings highlight the importance of the relationship between a company that takes in personal information and its service providers, but this ruling does more so. What looked like a perk for employees that any employer would be eager to offer its employees has now turned into a litigation nightmare (and has resulted in loss or hassle for some employees). I would hope the agreement between Winn-Dixie and Purchasing Power spells out what protections are put in place and who bears the responsibility for any data breach and related litigation. It’s a fair bet that this agreement offers a less than definitive resolution of the issues, and it’s likely we’ll see another round of litigation between these two parties and/or their insurers.

(h/t: PogoWasRIght)

Other coverage:

Data Security Law Journal: The Southern District of Florida Weighs in on Data Breach Lawsuits

InsidePrivacy: Florida Data Security Claims Survive Motion to Dismiss

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark