Negligence might finally be actionable for breach of duty to protect customer data

Business relationships are often strained when a third party successfully breaches the data security of a target, creating profound negative consequences not only to the target but also to that company’s vendors, business associates, and customers. These damages are often costly but sometimes hard to identify or quantify.

In the majority of security breaches, the customers who have had their identity exposed have suffered no actual economic harm. The courts, therefore, are appropriately reluctant to give monetary damages to those injured customers and generally refuse to compensate for the time lost checking credit scores or otherwise dealing with the problems associated with the data breach.

The vendors and business associates, however, may incur substantially greater economic losses and more direct financial injury. Because this injury is exclusively economic loss, a question remains whether such loss is compensable under tort law or whether all remedies are limited entirely to contract claims.

In Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013), the Fifth Circuit reversed a dismissal of a tort claim based on the plaintiff bank’s assertion it suffered financial harm when it had to replace consumers’ compromised credit cards and to refund fraudulent charges as a result of the negligence of the defendant in securing against data breach. The case arose from a 2008 data breach of the defendant’s payment processor’s systems, exposing 130 million credit card numbers.

The Fifth Circuit focused on the law of New Jersey after establishing the jurisdictional basis for the claim. The court explained, “the economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies.” Economic losses are generally covered exclusively by contract remedies, unlike tort principles which “are better suited for resolving claims involving unanticipated physical injury, particularly those arising out of an accident.”

Contract may be better than tort, but such a limitation oversimplifies the scope of tort law. Tort injuries occur in inchoate interests such as defamation and assault. Not all tortious harms are physical.

The New Jersey Supreme Court had earlier held the tort remedy applied when a duty was breach. It explained that when “a defendant owes a duty of care to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct. . . .” People Express Airlines, Inc. v. Consolidated Rail Corp., 495 A.2d 107 (N.J. 1985).

Based on this line of reasoning, the Fifth Circuit reinstated the claim. It acknowledged that New Jersey law generally did not permit the tort claim if there was a contract between the parties, since the terms of their express agreement should govern the allocation of risk. But third party beneficiary law often provides that parties not directly negotiating the agreement may still be affected by it, and so to might a group of readily identifiable tort victims who are not party to the contract but affected by the duties created.

Since the defendant, Heartland “would not be exposed to ‘boundless liability,’ but rather to the reasonable amount of loss from a limited number of entities [then] even absent physical harm, Heartland may owe the Issuer Banks a duty of care and may be liable for their purely economic losses.” The decision merely allows the case to proceed and a great many additional defenses will be addressed. Nonetheless, the decision is an important reminder on the creation of contracts and the scope of those contracts as they affect third parties contemplated but not direct parties to the agreements.

Advertisements