Every day there are new stories about data breaches involving the disclosure of thousands–and in some cases, millions–of customer records. But even smaller-scale data breaches can have a significant impact on the parties involved. And courts throughout the country continue to develop new case law in response to the threat represented by the unauthorized copying and disclosure of sensitive information.
For example, a federal judge in Alabama recently issued a decision in connection with a civil lawsuit, Standifer v. Best Buy Stores, LP, arising from an incident involving computer retailer Best Buy's “Geek Squad.” The plaintiff in this case, a self-employed accountant and business consultant, took her computer to Best Buy after a “blue screen appeared” (presumably, the Windows Blue Screen of Death). Once at the store, the plaintiff decided to purchase a new computer rather than having her existing machine repaired. She then asked the Geek Squad if it could “transfer all of the date from the original computer” to the new machine. Five days later, the plaintiff contacted Best Buy and told the Geek Squad to cancel the transfer, as she decided to purchase her new computer from a different supplier. Best Buy returned the original damaged computer and gave the plaintiff a full refund.
That should have been the end of the story. But approximately three months later, the plaintiff received a call from a captain at the local police department. It seemed the captain's father recently purchased a computer from the same Best Buy the plaintiff visited earlier. According to the captain, some of the data stored on the plaintiff's computer was now on his father's machine (which I'll refer to as the “third-party computer” for the sake of clarity.)
A forensic examination later determined that the data was copied from the plaintiff's computer to the third-party computer during a time when both machines were in the Geek Squad's possession. However, the expert could not determine exactly how this happened or who exactly transferred the data. And Best Buy's own records indicated that no data transfer was ever performed on the plaintiff's computer.
According to the plaintiff, the data on her old computer “included files containing sensitive information about [the plaintiff] and her clients,” such as tax returns. Although there was no evidence that anyone aside from the police captain and members of his immediate family saw this data, the plaintiff nevertheless claimed this breach had a direct impact on her and her business. For instance, the plaintiff said “she has worked many unbilled hours to protect her client's information by setting up new logins and changing passwords.” And at least one of the plaintiff's clients “expressed concerns that some suspicious activity on his credit report may have been related to the data transfer.”
The plaintiff subsequently sued Best Buy on a number of grounds, including breach of contract, breach of fiduciary duty, and fraud. The case is currently pending before U.S. District Judge L. Scott Coogler of Tuscaloosa, Alabama, who has scheduled a jury trial for this coming April. On January 30, Judge Coogler ruled on summary judgment motions filed by each side.
While summary judgment can be used to terminate a case without the need for a jury trial, here Judge Coogler only granted summary judgment on certain specific issues. Here is a brief rundown of some of the key points in the judge's decision.
1. The Plaintiff's Failure to Password Protect Key Files May Qualify as “Contributory Negligence” Under Alabama Law.
The plaintiff's summary judgment motion focused on a single issue–Best Buy's claim of contributory negligence. This is a legal rule that states a plaintiff may not recover any damages in a personal injury lawsuit if he or she is found even 1 percent responsible for the underlying accident or event. Alabama is in a group of just four states (and the District of Columbia) that still follows the contributory negligence rule. Most states now apply the comparative fault rule, which requires a judge or jury to apportion liability between a plaintiff and a defendant. While a plaintiff may be barred from recovering damages if his or her fault exceeds a certain threshold–such as 50 percent liability–in most cases the damage award is simply reduced to account for the plaintiff's comparative fault.
In this case, Judge Coogler said Best Buy presented sufficient evidence to present the issue of contributory negligence to a jury. Best Buy's argument rested on a number of purported mistakes made by the plaintiff that contributed to her situation. Of relevance here, the judge noted the plaintiff's admission that she did not “password protect the individual, confidential files” later viewed by the police captain and his family. Although the plaintiff did maintain a password to login to her computer, the judge said not taking the extra step of password protecting critical files could be deemed a failure “to take reasonable precautions for the safety and protection of her own person and property.”
2. Best Buy's Service Agreement Preempts a Breach of Contract Claim.
When the plaintiff brought her old computer to the Geek Squad, she signed a “Data Services Agreement” prepared by Best Buy. The plaintiff's lawsuit alleges Best Buy breached this agreement by transferring her data to the third-party computer. Best Buy, however, pointed to a number of waivers in the agreement, including a waiver of “any consequential or incidental damages against Geek Squad as a result of this service.” Under the strict terms of the contract, Best Buy maintained, the plaintiff was entitled to nothing more than a refund of her original purchase, which she already received.
Judge Coogler agreed with Best Buy that the waiver prevented the plaintiff from seeking damages strictly for breach of contract. But he also said there was some “ambiguity” as to whether the waivers covered “all aspects of Geek Squad's relationship with its customers,” or just the services contemplated by the agreement itself. For that reason, the judge held the plaintiff could proceed with several other claims against Best Buy.
3. “Conversion” Includes Depriving Someone of the Right to Control Access to Their Data.
One of those claims was for conversion. This is a type of personal injury that occurs when a defendant wrongfully takes the plaintiff's property. Typically, this involves a defendant converting property for their personal use. But under Alabama law, the judge noted, it also covers situations where the defendant has “destroyed or exercised dominion over property to which … the plaintiff had a general or specific title.” Here, the plaintiff alleged conversion occurred when Best Buy employees “misused her data.”
Judge Coogler agreed that a jury could determine “that the unauthorized data transfer seriously interfered with [the plaintiff's] possessory interest in the computer files.” Although the data breach did not prevent the plaintiff from accessing the files herself, it nevertheless took away her ability to decide “who else could access her information.” In other words, Best Buy's actions “deprived” the plaintiff of “her full ownership interest” in her data.
4. Alabama Law Likely Limits Damages for “Anticipated” Harms Caused by a Data Breach.
Even if a jury agrees with the plaintiff that Best Buy's actions legally injured her, Judge Coogler said there are limits on the type of damages the plaintiff can receive. A number of courts around the country have previously addressed the question of whether damages arising from a data breach can include “speculative” or “anticipated” harms, as opposed to actual injuries. Alabama's state courts have apparently not directly addressed this subject, Judge Coogler noted, but in other personal injury cases, the Alabama Supreme Court has stated that the “mere fear of a future injury or disease, without more, does not constitute a compensable mental or emotional injury.”
Judge Coogler therefore ruled out some of the damages claimed by the plaintiff here, including compensation for “working unbilled hours for fear that her existing clients were going to leave her and updating her business practices to ensure the confidentiality of client information.” In reality, the judge noted the plaintiff has not actually lost any clients or suffered any measurable damage to her business. Indeed, the evidence presented thus far indicates the only “unauthorized” parties to view the plaintiff's data were the police captain and his family–and they were the ones who notified the plaintiff of the breach in the first place.
That said, the judge ruled the plaintiff could ask the jury to award damages for more concrete injuries, such as the costs of retaining the one client mentioned above who suspected a link between the data breach and “suspicious activity” on his credit report. And the plaintiff can seek damages for her own “emotional distress” to the extent it is “unrelated to her fear of potential future harm.” This is because Alabama law permits damages for “mental anguish,” including professional “embarrassment,” arising from conversion and similar personal injury claims.