[BreachExchange] Defending The Business-To-Business Data Breach Lawsuit

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 20 19:57:43 EST 2017


https://www.jdsupra.com/legalnews/defending-the-business-to-business-data-70251/

This article originally appeared in the DRI The Voice Newsletter, Volume
16, Issue 44, November 8, 2017.

Hardly a day goes by without a headline announcing that a prominent company
has fallen victim to a data breach. These headlines are followed, almost
inevitably, by reports of class action lawsuits filed by consumers whose
data was compromised.

In the typical data-breach case, these consumers sue the breached company
before thieves have misused their data. The alleged injury, then, is
usually an increased risk of future fraud or identity theft.

Future harm, however, is often not enough to establish Article III standing
in federal court. Thus consumers have had only limited success in these
data-breach lawsuits.

When a data breach impacts a company’s business partners, on the other
hand, those partners are much more likely to suffer direct financial losses
that can be readily identified. Business plaintiffs in data-breach lawsuits
thus have little trouble alleging an “injury in fact” sufficient to
establish standing.

With standing-based arguments foreclosed, how else can a company defend
against data-breach lawsuits brought by its business partners?

According to a recent decision from a federal court in Colorado, one
potentially powerful defense is the economic-loss rule, which prevents
plaintiffs who suffer economic losses stemming from a contract from trying
to recover those losses through non-contract claims.

This article examines that decision and its implications for defendants in
business-to-business data-breach lawsuits.

A Cyberattack Compromises Diners’ Payment-Card Data

SELCO Community Credit Union v Noodles & Company, No. 16-CV-02247-RBJ, 2017
WL 3116335 (D. Colo. Jul. 21, 2017), concerned a cyberattack on the Noodles
& Company restaurant chain that compromised customers’ credit and debit
card information. The plaintiffs were credit unions whose cardholders dined
at Noodles and whose information was compromised.

According to the credit unions, Noodles breached a common law duty to
protect its customers’ payment-card information by failing to implement
industry-standard data-security measures. The credit unions alleged that
this breach caused them damages, including the costs to cancel and reissue
affected cards and to refund cardholders for unauthorized charges.

The credit unions brought tort claims—all based on theories of
negligence—against Noodles. Noodles filed a motion to dismiss based on the
economic-loss rule, pointing to agreements that it and the credit unions
had entered as participants in the payment-card-processing ecosystem.

The Payment-Card Ecosystem: A Chain of Interrelated Contracts

In its motion, Noodles observed that each actor in this ecosystem signed an
agreement with at least one other actor in which it agreed to follow rules
issued by bank-card associations such as Visa and Mastercard. Importantly,
the agreements required merchants such as Noodles to maintain a certain
level of security for payment-card data—including compliance with a set of
detailed best practices for data security in the payment-card industry
called the Payment Card Industry Data Security Standard (PCI DSS).

Noodles argued that these agreements also allocated the parties’ rights and
responsibilities in the event of a cyberattack. Specifically, the
agreements called for the credit unions to guarantee cardholders zero
liability for fraudulent transactions. The credit unions, in turn, could
partially recover their losses from breached merchants through a
loss-shifting scheme managed by the bank-card associations.

Noodles accused the credit unions of trying to undermine this risk
allocation scheme—and violating the economic-loss rule—by bringing tort
claims.

An Independent Duty?

The credit unions had two main arguments in response.

First, seeking to avail themselves of the “independent-duty” exception to
the economic-loss rule, they argued that Noodles owed them a common law
duty to secure payment-card data and to prevent foreseeable harm to
cardholders. This duty, they urged, was separate and distinct from any
contract-based duty to comply with PCI DSS and could support their tort
claim.

Second, the credit unions argued that the economic-loss rule should not
apply because the credit unions had no direct contract with Noodles. Thus,
the credit unions argued, they never had the chance to “reliably allocate
risks and costs” with Noodles.

The Court’s Decision

The court sided with Noodles.

On the independent-duty argument, the court concluded that each duty that
Noodles allegedly breached was bound up in the agreements to comply with
the bank-card association rules and PCI DSS. Even if Noodles might also
have had a common law duty to protect payment-card data from a cyberattack,
that duty could not be considered “independent of a contract that
memorialize[d] it.” SELCO, 2017 WL 3116335, at *4.

The fact that the credit unions never contracted directly with Noodles had
no analytical impact. In the court’s view, the economic-loss rule does not
mandate a one-to-one contract relationship. Instead, the court reasoned,
the rule asks whether plaintiffs had “the opportunity to bargain and define
their rights and remedies, or to decline to enter into the contractual
relationship.” Id. at *5. The credit unions, concluded the court, had that
chance here.

Lessons for Litigants

SELCO confirms that the economic-loss rule can provide a powerful shield
against attempts—including and especially by businesses—to make end-runs
around negotiated limitations and allocations of liability for cyberattacks.

Defendants, however, must be ready to show that the contract on which they
rely imposes relevant data-security obligations. Doing so requires that the
obligations be clearly defined—well before litigation arises—in any
contracts that involve the receipt or handling of sensitive information.

Clearly defining data-security obligations in contracts is already a
recognized best practice for information-security risk management. But as
SELCO demonstrates, this type of clarity can also lay the groundwork for
deploying the economic-loss rule against business-to-business lawsuits
arising from a successful cyberattack.