Additionally, the plaintiffs alleged that they have received increased spam and targeted marketing after the data breach occurred and that the increase in spam was caused by the data breach. The trial court dismissed the claim for lack of standing and failure to state a claim, and the plaintiffs appealed. The Appellate Court reversed and found the plaintiffs successfully pled damages for: (1) negligence; (2) negligence per se; (3) breached of implied contract; (4) unjust enrichment; (5) the Illinois Consumer Fraud Act; (6) the Florida Deceptive and Unfair Trade Practices Act; (7) invasion of privacy under Illinois Law; and (8) the Moorman doctrine (the Moorman doctrine, also known as the economic loss doctrine, states that there can be no recovery in tort for purely economic losses.) Id. at 11-22. The key finding in the last ruling regarding the Moorman doctrine depended upon the court finding that there is a common law duty to protect the information. Without finding a common law duty under the initial claim of negligence, the Moorman doctrine would apply and a claim for economic loss may not be allowed. In determining whether the claim for negligence could prevail, the Appellate Court noted that the plaintiffs “have alleged that they carefully safeguard their personal information and that after the data breach they began to be targeted more frequently by spam messages and targeted marketing, as well as two fraudulent charges. They have also alleged that the data breach is the cause of these injuries because personal information stolen in data breaches is used to cross-reference other available information … These allegations of proximate cause and injury are sufficient at the pleading stage.” Id. at 11. In sum, the Appellate Court determined that being subjected to more “spam messages” and “target marketing” can be used for damage allegations in a claim under a common law negligence theory. In a recent decision on a pending motion to dismiss in Thai, et al. v. Molecular Pathology Laboratory Network, Inc. , Case No. 2-CV-315 (E.D. Tenn. Sep. 29, 2023), the court granted defendant ’ s motion to dismiss all but one claim in this pathology lab data breach class action. In December 2021, plaintiffs alleged that Molecular Pathology Laboratory Network, Inc. discovered that hackers had infiltrated its network servers and accessed protected health information (PHI) and personal identifiable information (PII) of over 300,000 patients. The accessed data allegedly included, among other things, name and date of birth, diagnosis information, medical treatment information, health insurance information, and financial information belonging to both adults and children. The complaint contended that the defendant failed to take adequate and reasonable measures to safeguard patient data. It also asserted that the defendant failed to timely report the incident as required under HIPAA, delayed investigation of ascertaining who was impacted by the data breach, and delayed informing the plaintiff of the data breach. The court concluded that the plaintiff could move forward with his negligence claim, and rejected the lab ’ s argument that plaintiff had not alleged “a present injury” and instead only “injuries that may occur at some point in the future.” Id. at 5. The court found sufficient that the plaintiff alleged that he and the class members already incurred “out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of its PHI/PII and financial information.” Id. However, all other claims were dismissed. The court rejected the negligence per se claim and the TCPA claim because the plaintiff failed to sufficiently allege how the defendant violated the TCPA. The court also dismissed the plaintiff ’ s invasion of privacy and breach of confidence claims because the complaint lacked allegations that the defendant intruded on the plaintiff ’ s “private affairs or concerns” or used the plaintiff ’ s confidences “to obtain some benefit from, or advantage over” the plaintiff. Id. Finally, the court concluded that the complaint failed to sufficiently allege a “meeting of the minds occurred” as to the formation of an implied contract for the defendant to implement data security features to protect the plaintiff ’ s data, which was fatal to the plaintiff ’ s breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment claims. Id. 3. Data Breach Class Certification Rulings Courts issued a mixed bag of results in adjudicating class certification motions in data breach cases this past year. In Frechette, et al. v. Health Recovery Services, Inc ., 2023 U.S. Dist. LEXIS 153015 (S.D. Ohio Aug. 29, 2023), the plaintiffs filed a class action alleging that the defendant, a non-profit providing mental health and
16
© Duane Morris LLP 2024
Duane Morris Data Breach Class Action Review – 2024
Made with FlippingBook - professional solution for displaying marketing and sales documents online