Data Breach Class Action Defense – Contractual and Quasi-Contractual Claims
Reading Time: 4 minutes
Modern Florida businesses are often targeted by nefarious actors who seek to compromise confidential information to commit identity fraud and to sell the information on the black market. While businesses often work tirelessly to protect consumer data, the reality is, sometimes confidential information is compromised. For Florida businesses to minimize their trailing legal liability and exposure, they should ensure they adequately respond to any data breach. Understanding the contractual and quasi-contractual claims data breach class action plaintiffs assert will help prudent businesses effectively respond to data breaches.
Contract Implied in Fact
A contract implied in fact “is based on a tacit promise, one that is inferred in whole or in part from the parties’ conduct, not solely from their words.” Commerce Partnership 8098 L.P. v. Equity Contracting Co., 695 So. 2d 383, 385 (Fla. 4th DCA 1997). “Express contracts and contracts implied in fact require the assent of the parties”. Tipper v. Great Lakes Chemical Co., 281 So. 2d 10, 13 (Fla. 1973). Accordingly, the viability of data breach claims predicated on a contract implied in fact often turn on the representation made concerning the data in question.
Many federal courts have held that an implied contract to safeguard customers’ sensitive data could reasonably be found to exist in transactions where consumers are solicited or invited to provide personal information in exchange for a good or service. See, e.g. In re Brinker, 2020 WL 691848, at *5 (holding plaintiffs’ allegations that defendant “solicited and invited” them to “eat at its restaurants and make purchases using their credit or debit cards” sufficient to allege an implicit agreement that defendant “would utilize [p]laintiffs’ confidential information for the agreed payment and nothing else, thereby creating an obligation that [defendant] use reasonable measures to safeguard and protect [c]ustomer data”) (quotation omitted); Torres v. Wendy’s Int’l, LLC, 2017 WL 8780453, at *3 (M.D. Fla. 2017) (plaintiff’s allegations that “defendant invited its customers to pay for their purchases with credit cards containing confidential information” were sufficient allegations to support an implicit agreement that Defendant would “protect its customers’ confidential information as a reasonable and prudent merchant would”).
It is important to note, in the healthcare context, where a privacy notice informs patients of their rights under HIPAA, and entities are “required by law to adhere to HIPAA without receiving any consideration from . . . patient[s], these provisions cannot create contractual obligations.” Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1367 (S.D. Fla. 2017). Accordingly, where healthcare providers do not indicate an implicit assent to secure plaintiffs’ PHI and PII in exchange for payment, breach of contract implied in fact claims tend to fail. See In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1210 (S.D. Fla. 2022); see also Brush, 238 F. Supp. 3d at 1369.
Unjust Enrichment
Under Florida law, “[t]o prove that a quasi-contract exists, the Plaintiff must establish that: (1) the plaintiff conferred a benefit on the defendant; (2) the defendant knew of the benefit; (3) the defendant accepted or retained the benefit; and (4) it would be inequitable for the defendant to retain the benefit without paying for it.” Brush, 238 F. Supp. 3d at 1369. However, “[b]ecause unjust enrichment damages are economic damages, the amount of damages must be measurable and quantifiable: it has long been accepted in Florida that a party claiming economic losses must produce evidence justifying a definite amount.” Alvarez v. All Star Boxing, Inc., 258 So. 3d 508, 512 (Fla. 3d DCA 2018) (quotations omitted). In Brush, an unjust enrichment claim was rejected in the data breach contact as the plaintiff failed to “establish that: (1) she conferred payment–above and beyond the money owed for her medical treatment; (2) the Defendant knew Plaintiff paid additional remuneration for data security; and (3) Defendants accepted more money than was owed for their healthcare services.” Brush, 238 F. Supp.3d at 1369. Accordingly, Florida businesses should ensure they evaluate their quasi-contractual liability in the event of a data breach should they accept compensation for or represent that they will secure consumer data from nefarious actors.
Conclusion
Prudent Florida businesses understand they are constantly being targeted by nefarious actors that seek to compromise sensitive data. Accordingly, Florida businesses should ensure that their standard operating procedures minimize their liability in the event of a data breach. Businesses should ensure they are not entering into contractual or quasi-contractual agreements to ensure the data is protected without considering the impact of such agreements in the event of a data breach. Businesses should retain legal counsel to review their data protection processes, procedures, contracts, and representations to ensure that they are adequately protected in the event of a data breach.