Data Breach Class Action Defense – Understanding Negligence Claims

April 11, 2024 Healthcare Industry Legal Blog


Modern Florida businesses often collect significant amounts of personal information in the ordinary course of their business. This information is attractive to threat actors who regularly use confidential information to commit identity fraud and to sell such information to other nefarious persons or entities. Accordingly, motivated and sophisticated hacker collectives often target healthcare providers and Florida businesses in an attempt to compromise this valuable, sensitive information. Where there’s a data breach, a threatened class action lawsuit is likely not far behind. Most of the resulting data breach class actions include some form of negligence claim. Negligence claims often turn on whether the business acted in an objectively reasonable manner under the circumstances in safeguarding the confidential and personal information of its customers, clients, and patients. Prudent Florida businesses proactively mitigate their potential negligence exposure and seek to limit their prospective liability in the event of a breach.

Effective Training and Supervision Can Help Limit Potential Exposure

Generally, to maintain a claim for negligence, Plaintiffs must allege four elements: (1) a duty; (2) breach of that duty; (3) causation; and (4) damages. Williams v. Davis, 974 So. 2d 1052, 1056 (Fla. 2007) (citing Clay Elec. Coop., Inc. v. Johnson, 873 So. 2d 1182, 1185 (Fla. 2003)). In the data breach context, plaintiffs often allege general negligence claims and argue that when a business “collect[s] sensitive, private data from consumers,” it has “a duty to protect that information.” Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1365 (S.D. Fla. 2017); see also In re Brinker Data Incident Litig., 2020 WL 691848, at *8 (M.D. Fla. 2020).

1. Negligent Training or Supervision Claims
Under Florida law, “[n]egligent supervision ‘occurs when, during the course of employment, the employer becomes aware or should have become aware of problems with an employee that indicated [their] unfitness, and the employer fails to take further actions such as investigating, discharge, or reassignment.’” Diaz v. Carnival Corp., 555 F. Supp. 3d 1302, 1310 (S.D. Fla. 2021) (quoting Cruz v. Advance Stores Co., 842 F. Supp. 2d 1356, 1359 (S.D. Fla. 2012)). Where plaintiffs provide no factual support for a finding that any defendant was aware or should have been aware of any problem with an employee and where plaintiffs don’t identify any specific employee or employees who were unfit, a negligent supervision claim likely cannot survive. See In re Mednax Servs., Inc., Customer Data Sec. Breach Litig., 603 F. Supp. 3d 1183, 1227 (S.D. Fla. 2022). Accordingly, prudent Florida businesses ensure all employees and their data management systems are effectively supervised. Prudent Florida businesses maintain logs and supporting documentation evidencing compliance with adequate supervision processes and procedures to minimize any associated liability in the event of a breach.

“[N]egligent training occurs when an employer ‘was negligent in the implementation or operation of the training program’ and the negligence causes a plaintiff’s injury.” See Gutman v. Quest Diagnostics Clinical Labs., Inc., 707 F. Supp. 2d 1327, 1332 (S.D. Fla. 2010); Wynn v. City of Lakeland, 727 F. Supp. 2d 1309, 1317 (M.D. Fla. 2010). If a Plaintiff cannot allege or prove that a Defendant has a training program and that it is deficient in its implementation or operation, a negligent training claim may not exist. See In re Mednax Servs., 603 F. Supp. 3d at 1227. Accordingly, prudent Florida businesses ensure all employees regularly receive adequate data protection training. Prudent businesses ensure their data protection training meets or exceeds the industry standard. Id.

2. Prudent Businesses Act in Accordance with Industry Standard
“Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute that does not provide for a private right of action.” Stevens v. Danek Medical, Inc., 1999 U.S. Dist. LEXIS 22397, 1999 WL 33217282, at *5-6 (S.D. Fla. 1999) (citing Jupiter Inlet Corp. v. Brocard, 546 So. 2d 1, 2-3 (Fla. 4th DCA 1998)). In healthcare, HIPAA generally describes a medical provider’s obligation to protect patient data. Florida courts have generally found that alleged HIPAA violations cannot form the basis for a private cause of action against a healthcare provider. See Sneed v. Pan Am. Hosp., 370 F. App’x 47, 50 (11th Cir. 2010). As healthcare providers “are required by law to adhere to HIPAA without receiving any consideration,” HIPAA also “cannot create contractual obligations” between patients and healthcare providers. Brush v. Miami Beach Healthcare Grp. Ltd., 238 F. Supp. 3d 1359, 1367 (S.D. Fla. 2017).

Although allegations of HIPAA compliance cannot form the basis of a private cause of action, HIPAA non-compliance and non-compliance with other data protection statutes may still be relevant to a data breach negligence class action. A defendant’s “failure to follow industry standards is probative of the standard of care” applied to a Defendant in a negligence action. Francis v. MSC Cruises, S.A., 546 F. Supp. 3d 1258, 1262 (S.D. Fla. 2021), aff’d, No. 21-12513, 2022 WL 4393188 (11th Cir. Sept. 23, 2022). “Case law is clear that evidence of violation of industry standards is admissible as non-conclusive evidence of negligence.” Dean Witter Reynolds, Inc. v. Hammock, 489 So. 2d 761, 767 (Fla. 1st DCA 1986).

Conclusion

Prudent Florida businesses implement processes and procedures that minimize their prospective negligence liability in the event of a data breach. Data breach class action complaints often include allegations of negligent supervision and/or hiring and are often predicated on violation of the applicable standard of care. Accordingly, prudent Florida businesses often ensure they meet or exceed the industry’s standard data protection policies. While compliance with industry standards is non-conclusive, evidence of compliance with industry standards will likely help businesses limit their legal liability and present a strong defense to data breach negligence claims.

Jimerson Birr