Surviving a motion to dismiss in a data breach case

0

by Dennis Crouch

Coffey vs. OK Foods2:21-CV-02200, 2022 WL 738072 (WD Ark. Mar. 10, 2022)

Coffey applied for a job at major poultry producer OK Foods (owned by Bachoco). The online application required him to provide substantial personally identifiable information (PII), including his name, SSN, date of birth, etc. She got the job. At some point a few years later, OK Foods’ computer system was hacked and Coffey’s information was exposed (along with that of thousands of other employees). Coffey discovered this after being notified of the violation (as required by law).

Coffey sued OK Foods, filing a class action for negligence, breach of implied contract, breach of trust, invasion of privacy, breach of fiduciary duty, and breach of covenant of good faith and fair use.

Concrete injury for data breach: Coffey’s stock suffers from the same problems seen in most cases of hacking of important personal information – concrete damages. Here, Coffey maintains that she is now suffering from a increased risk of future identity theft. The defendant pointed the district court to the 2021 decision in TransUnion LLC vs. Ramirez, 141 S.Ct. 2190 (2021). In Trans Unionthe Supreme Court held that the “mere risk of future harm” regarding a credit alert was not sufficiently concrete to meet constitutional requirements.

OK Foods sought dismissal for lack of standing, but the district court found that the future risk of the allegations in this case was substantial and concrete enough to survive a motion to dismiss. the tribunal de grande instance has particularly distinguished itself Trans Union. In this case, there was no evidence that the information had been disseminated to third parties. On the other hand, in the case of Coffee, everyone agrees that Coffee’s PII was obtained by a third party. Coffee also provided evidence of recent unknown credit inquiries on its credit report. For the district court, this configuration was sufficient to demonstrate standing. The decision here is at dawn and other courts would have rejected it. Cases are more likely to proceed when the breach includes financial or account login information such as user IDs and passwords.

Arbitration Agreement in Job Application: When Coffee applied for the job, she also clicked “I accept” for a set of terms that included an arbitration agreement. She argued, however, that the agreement is not enforceable because she was not provided with a copy of the agreement to review and she does not recall ever signing the agreement. The District Court noted two issues with OK Foods’ evidence presented thus far: (1) OK Foods did not present the “exact materials” as they appeared on the screen here during the process of 2016 request; and (2) the download link provided does not show the arbitration package. Additionally, evidence from OK Foods shows that a digitally signed arbitration agreement is dated May 3, 2016, while the plaintiff alleges that she completed her application online in April 2016.

All of these competing allegations and evidence create a question of material fact and therefore the District Court declined to force arbitration at this stage.

Next steps if:

  • Jury Trial on whether the parties have entered into a binding arbitration agreement. 9 USC § 4. Note here that jury trials on arbitrability are rarely granted. Rather, the usual approach is for the district court to decide arbitrability based on a standard of summary judgment. Here, however, the court determined that the competing evidence created a sufficient dispute.
  • If there is no arb, then a trial on plaintiff’s claims (although D will likely try to pre-empt this via summary judgment).


Source link

Share.

Comments are closed.