Court Dismisses Data Privacy Litigation Alleging Defendant Failed to Maintain Reasonable Security Procedures in Wake of Data Breach
CPW has been covering data breach litigations, including instances in which meritless claims are kicked by courts at the pleading stage. A recent decision from an Ohio district court is yet another example of this trend. Newman v. Total Quality Logistics, 2021 U.S. Dist. LEXIS 60651 (S.D. Ohio Mar. 30, 2021). Read on to learn more.
First, some background. Plaintiffs (various trucking companies) sued Total Quality Logistics (a freight brokerage firm that connects its customers to freight carriers) in the wake of a data event. In the course of providing its brokerage services, Defendant acquired personal and financial information on many of the carriers, such as social security numbers, tax identification numbers, bank account numbers, and invoice information. Plaintiffs brought a class action alleging negligence, breach of implied contract, and negligence per se. At issue here is Plaintiffs’ claim that Defendant failed to implement and maintain reasonable security measures to protect and secure Plaintiffs’ and other carriers’ personal and financial information from unauthorized access. Plaintiffs alleged that unauthorized individuals gained access to this private information and planned to use it for criminal or nefarious purposes, including identity theft and identity fraud.
Defendant filed a motion to compel one of the Plaintiffs to arbitrate its claims. The Court denied Defendant’s motion based on the plain language of the parties’ Brokerage/Carrier Agreement (“BCA”). The BCA contained an arbitration clause, but expressly limited the availability of arbitration: “for disputes whose amount in controversy exceeds $10,000 the parties will seek litigation.” The Court found that Plaintiffs’ claims are not subject to arbitration since Plaintiffs alleged $5,000,000 as the amount in controversy in their Complaint, which exceeds the $10,000 ceiling the parties agreed to in the BCA.
Defendant further argued that the remainder of Plaintiffs’ claims should be dismissed because Plaintiffs do not have standing and they failed to state claims upon which relief can be granted. Defendant argued that Plaintiffs lack standing to sue because they did not allege a plausible injury in fact or that Plaintiffs’ alleged injuries are traceable to Defendant. Specifically, Plaintiffs alleged that they spent a substantial amount of time closing bank accounts, opening new bank accounts, updating payment associations, and/or monitoring their bank statements for fraudulent activity.
However, the Court concluded that at this early stage of the litigation, Plaintiffs met their initial burden to establish standing for their negligence, breach of implied contract, and negligence per se claims. This was in reliance on Sixth Circuit precedent finding that “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.” [Note: although recall the current federal court split on this issue, and the majority position that such allegations are inadequate for standing.]
Defendant also moved to dismiss Plaintiffs’ claims under Rule 12(b)(6), arguing that Plaintiffs failed to allege sufficient facts to maintain their breach of implied contract, negligence, and negligence per se claims. The Court agreed.
First, the Court dismissed the breach of implied contract claim because Plaintiffs cannot maintain a claim for a breach of an implied contract where there is an agreement between the parties.
Next, the Court dismissed the negligence claim based on the economic loss doctrine. Generally speaking, a “plaintiff who has suffered only economic loss due to another’s negligence has not been injured in a manner which is legally cognizable or compensable.” Floor Craft Floor Covering, Inc. v. Parma Community General Hosp. Ass’n, 54 Ohio St.3d 1 (1990). Therefore, the Court rejected Plaintiffs’ negligence claim because it was impermissibly premised on the same allegations and same claims for economic damages which would arise from a claim based on a breach of the BCA.
Similarly, the Court rejected Plaintiffs’ negligence per se claim because it was barred by the economic loss rule.
As such, the Court dismissed all three of Plaintiffs’ claims for failure to state a claim upon which relief can be granted.
Ultimately, the Court’s ruling granting Defendant’s Motion to Dismiss serves as an important reminder that notwithstanding the deluge of data privacy litigation, a plaintiff remains obligated at the pleadings stage to sufficiently allege a claim upon which relief can be granted. Additionally, expect companies going forward to continue to use arbitration agreements to try to kick data privacy claims. For more on this area of the law, stay tuned. CPW will be there.