A Court Recognizes a Duty in Data Breach Litigation

According to many plaintiffs in recently filed data breach litigations, credit and debit card fraud is a growing problem.  It’s great if this sounds familiar to readers of CPW, because it should:  last year, we discussed a class action lawsuit filed by a group of credit unions against a Pennsylvania-based convenience store chain alleging a data breach disclosed sensitive consumer information.  That case was In Re: Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.).  While an opinion in Wawa’s motion to dismiss remains pending, a sister Pennsylvania court recently issued an opinion that may offer a preview of how some courts recognize a duty upon acceptance of a consumer’s electronic payment information.  In In re Rutter’s Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 761 (M.D. Pa. Jan. 2021), the court addressed a motion to dismiss in the context of litigation regarding an alleged data breach at another Pennsylvania-based convenience store chain.  Rutter’s presents a number of takeaways for emerging case law, especially for its interpretation of Pennsylvania tort law, which was a key issue in Wawa.

Let’s take a look at the underlying factual allegations at issue.  Rutter’s, in contrast to Wawa, was not a lawsuit filed by a credit union.  Instead, the plaintiffs were four consumers who alleged they used their debit or credit cards to purchase items from the defendant around or during the time of an alleged data breach.  The plaintiffs filed a class action lawsuit against Rutter’s, a central Pennsylvania convenience store chain.  According to the complaint, in early 2020, the defendant disclosed a possible data breach that concerned payment cards used at the various point-of-sale devices installed throughout some of its locations.

The four plaintiffs can be separated into two different groups, each of which is discussed below.  The first group alleged they experienced fraudulent charges and unauthorized withdrawals from their accounts because of the alleged data breach.  They also alleged expenses incurred from securing their accounts against further fraudulent activities.  The second group, however, did not allege unauthorized access to their accounts.  Instead, they alleged merely a “continuing interest” in protecting their accounts from fraud and argued this “interest” was heightened or otherwise more legitimate than a passing concern because the first group of plaintiffs alleged fraudulent activity.

On January 6, 2021, the court issued its decision denying in part and granting in part defendant’s motion to dismiss.

First, the court rejected the second group of plaintiffs’ “continuing interest” argument and found those plaintiffs did not have standing.  The court examined relevant case law and concluded, “[t]he Third Circuit was unequivocal—where a plaintiff suffers no actual injury in a data breach, that plaintiff cannot rely on the mere possibility of future injury to establish standing.”  Additionally, the court rejected the second group’s argument that the injuries alleged by the first group should be transmitted to the second group for standing purposes.  Specifically, the court stated, “Plaintiffs’ argument would require us to grant standing to a plaintiff who is entirely without an injury based solely on the injuries allegedly suffered by a separate plaintiff.  That we cannot do.”

Second, the court upheld claims for negligence, implied breach of contract, and unjust enrichment.

For the negligence claim, the court found the defendant created a legal duty when it retained the credit and debit card information of its consumers that used such payment methods, because this retention created a risk of foreseeable harm from unscrupulous third parties.  This ruling expands the context where a duty might lie beyond that previously recognized in recent Pennsylvania state court decisions: an employer’s duty to its employees to “use reasonable means” to protect sensitive information that employees are required to disclose as a condition of employment.

As we discussed in our 2020 Year in Review, in response to the absence of uniform causes of action in data breach litigation, one strategy frequently utilized by plaintiffs in data breach litigations has been to allege negligence claims.

The Rutter’s court stated, “a more general principle … has significant applicability here—that in new factual scenarios, a court need not undertake the burdensome task of carving out new legal duties, but, instead, courts can and should apply longstanding duties where possible.”  The court stated, “in other words, affirmative conduct associated with an increased risk of harm can yield a special relationship for tort purposes.”  The court then stated this defendant’s “affirmative act of retaining credit and debit card information” was sufficient to recognize a legal duty when it created a “risk of foreseeable harm from unscrupulous third parties”.

While it upheld the breach of implied contract claim, the court clarified the claim “may not ultimately succeed”.  According to the opinion, the plaintiffs alleged they entered into an implied contract with the defendant when they provided their payment card information in exchange for the defendant’s goods and services.  Through those transactions, the defendant allegedly “impliedly promised to safeguard their card information,” as evidenced in part by the representations in the defendant’s privacy policy.

The court agreed with the plaintiffs, going so far as to state, “the context in which a consumer entrusts data to a merchant may be more suggestive of a promise to secure that data than in an employer-employee relationship.”  The court based its reasoning on the limited nature of the merchant and consumer relationship, clarifying:

The merchant and consumer are engaged in a momentary transaction that features all sorts of unspoken assurances between the parties—that the goods sold are as advertised and that the tender paid is valid, for example . . . When a customer provides financial information to a merchant, however, the customer could fairly assume that the data is for a single, limited purpose and thus the information will not be unreasonably exposed to third-parties; in other words, that the data will be used to complete a transaction and nothing more.

Finally, the court upheld the unjust enrichment claim on the theory that the plaintiffs conferred a material benefit to the defendant by paying funds for merchandise, a part of which was supposed to be used to employ adequate data privacy infrastructure.

Rutter’s puts another piece into the puzzle of standing in data breach litigation and offers a look into how a duty may be created upon acceptance of a consumer’s electronic payments.  As we await a decision from its peer case, Wawa, Rutter’s offers a potential look at developing case law trends.