Data Breach Class Action Defense – Understanding and Minimizing Tort Liability

Florida businesses that collect substantial amounts of consumer data are often targeted by nefarious actors who seek to compromise confidential information that may be valuable for sale to those who aim to commit identity fraud. The resulting data breaches often lead to class action lawsuits. Data breaches and privacy litigation are increasing as businesses leverage technology and collect big data on their customers, clients, and patients. The law is constantly changing as courts grapple with changes in technology, and the Plaintiff’s bar becomes increasingly creative in theories of liability against these businesses. This article addresses some of those theories of liability under tort law and how courts view those theories. For Florida businesses to minimize their legal liability and exposure, understanding the theories of relief Plaintiffs pursue is critical.

Understanding Data Breach Tort Theories

Plaintiffs who have their sensitive data compromised typically pursue the associated businesses under a variety of tort-based causes of action, including:

1. Breach of Fiduciary Duty

Under Florida law, “[a] fiduciary relationship which is implied in law is based on the specific factual circumstances surrounding the transaction and the relationship of the parties.” Weinberg, 147 F. Supp. 3d 1367 (quoting First Nat’l Bank & Trust Co. of Treasurer Coast v. Pack, 789 So. 2d 411, 415 (Fla. 4th DCA 2001)). “To establish a fiduciary relationship, a party must allege some degree of dependency on one side and some degree of undertaking on the other side to advise, counsel, and protect the weaker party.” Id. (quoting Jaffe v. Bank of Am., N.A., 667 F. Supp. 2d 1299, 1319 (S.D. Fla. 2009)). Accordingly, liability for breach of fiduciary duty will turn on the facts concerning the relationship between the consumer and the associated business.

Generally, “in an arms-length transaction, however, there is no duty imposed on either party to act for the benefit or protection of the other party.” Id. “[T]he mere receipt of confidential information is insufficient by itself to transform an arm’s-length transaction into a fiduciary relationship.” In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1227 (S.D. Fla. 2022). Accordingly, for data breach Plaintiffs to assert viable claims for breach of fiduciary duty, Plaintiffs must allege and prove something more than the mere transfer of confidential information to the associated business. Id.

2. Breach of Confidence

“A common law breach of confidence lies where a person offers private information to a third party in confidence and the third party reveals that information.” Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175, 1190–91 (11th Cir. 2019). A breach-of-confidence claim requires a “disclosure.” Id. Disclosure is “[t]he act or process of making known something that was previously unknown.” In re Brinker Data Incident Litig., 2020 WL 691848, at *22 (quoting Disclosure, Black’s Law Dictionary (11th ed. 2019)). In data breach class actions, breach of confidence claims typically turn on whether a “disclosure” was made and the facts surrounding the breach.

A breach-of-confidence claim does not lie where a defendant’s “inadequate security facilitated the theft” of information by “third-parties.” Id. Conversely, allegations that employees “affirmatively shared” information or performed some “act that made [the plaintiff’s] information known” likely sustain a claim. Id.; In re Ambry Genetics Data Breach Litig., 567 F.Supp.3d 1130, 1146–47 (C.D. Cal. 2021). Accordingly, effective management of employee access and controls to limit potential affirmative disclosure of sensitive data can allow businesses to minimize prospective breach of confidence liability.

3. Invasion of Privacy

Finally, many data breach plaintiffs have pursued invasion of privacy claims but Florida courts have not been receptive to these claims. For an invasion of privacy claim to exist, there must be “(1) the publication, (2) of private facts, (3) that are offensive, and (4) are not of public concern.” Woodard v. Sunbeam Television Corp., 616 So. 2d 501, 503 (Fla. 3d DCA 1993). Like in the Breach of Confidence context, “Florida courts routinely dismiss invasion-of-privacy claims where a plaintiff fails to allege that a defendant ‘intentionally divulged his PII’ and instead asserts that ‘an unknown [person] stole the PII from [the defendant’s] computer system.’” Burrows v. Purchasing Power, LLC, 2012 WL 9391827, at *6 (S.D. Fla. Oct. 18, 2012) (emphasis added); see also Farmer, 582 F.Supp.3d at 1187–89; Carlisi v. Sprintcom, Inc., 2006 WL 8432613, at *2 (S.D. Fla. Sept. 6, 2006). Accordingly, Invasion of Privacy claims are typically not viable unless there is an intentional disclosure of protected information.

Conclusion

Prudent Florida businesses that seek to minimize their prospective liability must fully understand what theories of liability Plaintiffs use to pursue data breach victims. Understanding these causes of action allow prudent businesses to minimize their prospective liability by ensuring that effective safeguards are in place to minimize affirmative disclosure of protected information. Prudent businesses will also review their policies regarding the information they collect to ensure they do not establish a fiduciary relationship with consumers as it pertains to the data collection activities specifically. Prudent Florida businesses engage legal counsel to ensure they adequately protect themselves from prospective data breach liability.