A federal judge in the Southern District of New York recently issued an opinion providing guidance concerning the viability of data breach claims, particularly in the context of a breach of employee information. Sackin v. Transperfect Global, Inc. involves a purported class action filed on behalf of Transperfect employees whose personally identifiable information (PII) was disclosed as a result of a cyber attack. In January 2017, a targeted phishing email was sent to a Transperfect employee, designed to look like it had come from the company’s CEO and requesting payroll information regarding Transperfect employees. The Transperfect employee fell for the scheme and sent unencrypted PII to the attacker, including names, addresses, Social Security Numbers, and bank account numbers for Transperfect employees. According to the complaint, the disclosure involved thousands of employees.
As a result of this data breach, a purported class action was filed asserting claims of negligence, breach of an express contract, breach of an implied contract, unjust enrichment, and violations of the New York Labor Law. Transperfect sought to dismiss all of the claims. The court largely denied the request, finding that all of the Plaintiffs’ claims were viable except for the breach of express contract claim, which was dismissed. In doing so, the court offered a useful discussion, particularly on the standing analysis as to who can sue in the event of a data breach claim and on the duty element of the negligence claim.
Transperfect’s initial argument was that the Plaintiffs did not have standing to assert a claim because they had not suffered an “injury in fact.” This aspect of standing requires that a plaintiff have suffered a concrete injury which is actual or imminent, not merely hypothetical. Transperfect suggested the Plaintiffs had not met this standard because they did not allege they had actually suffered identity theft as a result of the breach, only that they had a future risk of identity theft and had expended time and money to reduce the threat of theft. The court rejected that argument, stating that the “obvious motivation” for the scam was to commit identity theft, particularly where the information taken included especially sensitive information such as Social Security Numbers and bank account numbers. As a result, the risk of identity theft was held sufficiently imminent to constitute an injury in fact, and the time and money expended to mitigate that risk was also a sufficient injury.
The court also analyzed whether Transperfect owed its employees a duty under either common law or statute to protect its employees’ PII. The court found that both existed. Finding a common law duty, the court noted that employees typically have no choice but to provide PII to an employer, and also have no means within their own power to protect that information once given to the employer. Therefore, looking at the societal factors relevant to imposing a duty, the court held that imposing a duty was appropriate to provide an incentive to employers to protect their employees’ PII. Additionally, the court found that the New York Labor Law also creates a statutory duty allowing for a finding of negligence per se when violated. A provision of the law makes it illegal for an employer to “communicate an employee’s personal identifying information to the general public.” The court held that this provision, along with other aspects of the statute, creates a duty for employers to protect their employees’ information and imposes liability when an employer fails to take steps to do so.
In light of these holdings and other discussion in the court’s opinion, the Plaintiffs will be permitted to proceed with their negligence, breach of implied contract, unjust enrichment, and violation of New York Labor Law claims. The Plaintiffs filed this case as a purported class action, and therefore the next step in the litigation will be to determine whether the Plaintiffs can indeed proceed on a class-wide basis. This is an issue likely to be vigorously resisted by Transperfect, and it will be worth watching as the case moves forward. Regardless of the outcome of that issue, the court’s ruling joins the trend away from requiring data breach plaintiffs to show they have suffered a specific injury, such as actual identity theft or theft of funds from a bank account. Rather, where the breach discloses information sufficiently sensitive to make the risk of such an injury particularly probable, courts will likely find the plaintiffs suffered an “injury in fact.” The case also indicates that a duty to protect information exists not only when the information has been obtained from a customer as part of a commercial transaction, but also when it has been obtained from employees as part of the employment process.