(Article from Insurance Law Alert, June 2019)
For more information, please visit the Insurance Law Alert Resource Center.
Litigation arising out of data breaches, hacking activities, and other incidents of computer fraud continues to proliferate. As a result, a body of case law is developing that addresses the scope of (1) actionable claims by consumers or other claimants arising out of cyber-related incidents; and (2) insurance coverage for such cyber-related losses. Prior Alerts have reported on the latter issue. See April and May 2019 Alerts; April, May and July/August 2018 Alerts; March, July/August and September 2017 Alerts; June 2016 Alert; March and July/August 2015 Alerts; and March 2014 Alert. Several recent noteworthy developments relating to the former issue—the viability of data breach claims against insured entities—are discussed below.
The Eighth Circuit dismissed a putative class action based on a data breach, finding that the plaintiff failed to allege actionable claims. In re: SuperValu, Inc., 2019 WL 2306267 (8th Cir. May 31, 2019).
SuperValu, an operator of retail grocery stores, suffered two cyberattacks that compromised customers’ credit and debit card information. Customers brought putative class action suits, alleging negligence, breach of implied contract and unjust enrichment, among other claims. The suits were consolidated and dismissed by a Minnesota district court based on a lack of standing. The Eighth Circuit affirmed in part, ruling that with one exception, “no plaintiff had alleged a prospective injury in fact because, as pleaded, the likelihood of future identity theft was purely speculative.” However, the Eighth Circuit ruled that named plaintiff David Holmes had standing because he adequately pled actual present injury based on an allegation of a single fraudulent charge on his credit card. In re: SupreValu, Inc., 870 F.3d 763 (8th Cir. 2017)
On remand, the district court dismissed Holmes’ suit for failure to state a claim. The Eighth Circuit affirmed, ruling that Holmes failed to allege negligence because Illinois law does not impose a common law or statutory duty on retailers to safeguard customers’ credit or debit card information. The court also held that Holmes failed to allege consumer protection claims, noting the absence of alleged “actual damage.” In this context, the court held that the expenditure of time monitoring a credit account and effort spent replacing a credit card do not constitute actual damage. Finally, the court dismissed the unjust enrichment and breach of implied contract claims, finding no factual support for such claims. The Eighth Circuit’s dismissal of all class action claims alleging both present and future damage is significant in limiting the scope of actionable consumer-based data breach claims. The decision suggests that hacking-related claims must allege more than inconvenience or speculation about future pecuniary loss in order to survive dismissal motions.
Several other data breach suits have been filed in recent weeks, setting the stage for future rulings that define the scope of viable claims against insured entities.
The first of what may be a growing number of suits was also filed last month against First American Title Company. The suit comes in the wake of an announcement that a security flaw exposed approximately 885 million mortgage records containing customers’ personal information. The putative class action alleges that the company ignored warnings from federal authorities relating to cybersecurity and failed to allocate adequate resources to ensuring data security. See Gritz v. First Am. Fin. Corp., No. 8:19-cv-01009 (C.D. Cal. Compl. filed May 27, 2019).
In addition, two suits were filed this month against laboratory companies and a third party billing vendor, alleging harm incurred as the result of data breaches. In Villarreal v. Am. Medical Collection Agency, Inc., No. 7:19-cv-05340 (S.D.N.Y. Compl. filed June 6, 2019), a putative class of patients alleged that LabCorp, a medical diagnostic testing facility, and its bill collection vendor failed to protect financial, medical and personal information even after being put on notice that hackers’ had gained access to those records. A similar suit was filed in New Jersey against Quest Diagnostics and the same bill collection vendor after the company revealed that it was the victim of a data breach that compromised the banking information and medical data of nearly 12 million patients. The putative class action complaint in Carbonneau v. Quest Diagnostics Inc., No. 2:19-cv-13472 (D.N.J. Compl. filed June 6, 2019) alleges breach of implied contract, negligence and violation of state consumer laws.
The viability of the claims alleged in these and other similar suits will likely be addressed in preliminary motion practice. Given that these suits allege harm based, in part, on the risk of future injury of identity theft and pecuniary loss it remains to be seen whether courts will reject such claims on standing grounds as the Eighth Circuit did in In re: SuperValu, Inc.