Negligence Actions Hit UCLA, Sony, and Home Depot Boards
In the most recent of a string of cases highlighting the trend of negligence claims against boards and officers in the wake of security breaches, a class action complaint was filed on July 20, 2015, against the UCLA Health Systems Auxiliary and the Regents of the University of California. The plaintiff alleges, among other claims, a “failure to adequately secure the private, personal financial information of Plaintiff and all other persons similarly situated.” The complaint was filed in the Central District (Los Angeles) of the United States District Court. In his negligence claim, the plaintiff alleges:
“Defendants had a foreseeable duty to Plaintiff and Class members to exercise reasonable care to secure Plaintiff’s and Class members’ nonpublic personal and financial health information from being accessed by unauthorized persons. This duty included creating, maintaining, testing, and securing any databases containing Defendants’ customers’ nonpublic personal and financial information, to ensure that Plaintiff’s and Class members’ nonpublic personal and financial information was secured from cyber attack, and other things. This duty also included, at the minimum, that Plaintiff’s and Class members’ nonpublic personal, financial and health information be encrypted.”
On June 15, 2015, in a class action lawsuit arising out of Sony Pictures’ 2014 data breach, the Federal District Court for the Central District of California ruled on Sony’s motion to dismiss the complaint filed by Sony employees, allowing certain of the plaintiffs’ claims for damages to proceed, including a claim that Sony’s failure to maintain adequate data security measures was negligent. The court also held that the plaintiffs had established standing by alleging that their personally identifiable information had been made available to potential identity thieves and that the information had been used to send emails threatening physical harm. The court determined that the allegations demonstrated “a credible threat of real and immediate harm, or certainly impending injury.”
Sony argued that plaintiffs’ negligence claim should be dismissed because the plaintiffs suffered only purely economic losses, and such losses were not recoverable under the economic loss doctrine. Though decisions have been mixed in barring negligence claims arising out of data breaches, here, the court noted that even if the plaintiffs had only suffered purely economic losses, a negligence claim could still proceed in California if a special relationship existed between the parties. The court determined that plaintiffs’ employment with Sony was sufficient to establish such a special relationship, and thus the plaintiffs’ negligence claim could proceed despite having suffered only purely economic losses.
Also in June, a complaint was filed in the Delaware Court of Chancery arising out of Home Depot’s 2014 data breach, which had resulted in the widespread exposure of consumer information.
The complaint was filed by a Home Depot stockholder pursuant to 8 Del. C. § 220 to compel the production of records at Home Depot related to the data breach. The court noted that the allegations of “lax cyber security at the company, the pending government investigations, together with numerous lawsuits claiming misconduct at Home Depot, provide a credible basis from which mismanagement at the Company can be inferred,” and that the inspection of records was necessary to “take appropriate action in the event the members of the Company’s management and certain directors did not properly discharge their fiduciary duties.”
The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an appropriate role in establishing the correct policies and procedures to address data security in their organizations and ensuring the policies and procedures are followed.