Confidentiality has become critically important in the operation of security companies. Although the following case does not involve an alarm company, it is worth noting. In the case, the plaintiff brought a class action against a law firm alleging that it failed to safeguard their data properly, leading to a data breach that exposed their personally identifiable information (PII) and protected health information (PHI).

The plaintiffs sought injunctive relief and monetary damages arising from the firm’s alleged negligence, breach of confidence, breach of implied contract and breach of implied covenant of good faith and fair dealing.

The claim arose from a data breach that purportedly exposed the PII and the PHI of one of the plaintiffs to criminal cyber hackers. The complaint alleged that the defendant law firm failed to safeguard plaintiffs’ data properly. The defendant filed a motion to dismiss.

The plaintiff alleged that she and the other class members provided their PHI and PII to defendant law firm in order to establish attorney-client relationships. On an unspecified date, a cyberattack targeting the defendant’s network servers was purportedly launched by hackers. The attack enabled hackers to gain access to the PII and PHI of plaintiff and approximately 12,000 other individuals.

In discussing the matter, the court indicated that, with respect to the injunction to prevent future harm, the plaintiff failed to allege an imminent injury sufficient to confer standing for the injunctive remedies sought. As for monetary relief, the court found that the allegations concerning the existence of actual misuse of plaintiff’s PII, or that of other victims of the data breach, were tenuous.

The court pointed out, however, that while the plaintiff provided little detail as to the nature of the “actual identity theft,” it would accept the facts as pled and accordingly concluded that the complaint did set forth a sufficient basis for standing with respect to plaintiff’s claims for monetary relief.

As to the claim for negligence, the court indicated that to state a claim for negligence, the plaintiff must demonstrate that the defendant owed the plaintiff a duty of reasonable care, that the defendant breached this duty, that damage resulted, and that there was a causal relation between the breach of the duty and the damage.

The court pointed out that while plaintiff’s theory of breach is quite vague, allegations that defendant failed to encrypt plaintiff’s data effectively, failed to store it properly, failed to learn of the breach, and then waited more than one month to notify plaintiff of the data breach are sufficient to satisfy the plausibility standard.

The court further pointed out that the defendant did not substantially address the existence of a duty in its motion to dismiss; the motion instead turned on whether the plaintiff had alleged a breach and cognizable damages. The court therefore did not elaborate on the question of duty, but noted that other sessions of the court have found a duty to protect PII from foreseeable cyberattacks in the data breach context.

The court therefore allowed the defendant’s motion to dismiss with respect to the injunctive remedies, but otherwise denied the motion. Consequently, the matter will proceed to trial.