In a recent federal case from New York, the court dealt a blow to plaintiffs suing over data breaches. The plaintiffs had filed a putative class action suit, alleging that they (and others like them) had been harmed by the alleged exposure of their personal and financial information due to a March 2023 data breach of the American Bar Association (ABA).1
Ultimately, the court ruled in favor of the ABA, dismissing the complaint. We discuss the details below.
The American Bar Association Was Hacked in March 2023.
On March 6, 2023, an unknown hacker accessed the ABA’s data. On March 17, 2023, the ABA discovered unusual activity on its network and initiated containment and remedial actions.2 The ABA also sent email notices of the data breach to its members, which allegedly number around 1.5 million.
Two Plaintiffs Attempt to Bring a Class Action Suit.
Two ABA members filed a class action suit in the United States District Court for the Eastern District of New York on April 21, 2023, and later amended the complaint on September 1, 2023. The claims in the amended complaint included one count for breach of implied contract and multiple counts for violations of various consumer fraud statutes, including those of New York and Texas.
The Court Grants the ABA’s Motion to Dismiss.
In November 2023, the ABA moved to dismiss the complaint for failure to state a claim on any of the counts. On April 30, 2024, Judge Nicholas Garaufis granted the motion in full, disposing of both the implied contract and statutory violation counts.
As to the implied contract claim, the plaintiffs faced at least two hurdles: (1) sufficiently alleging that an implied contract existed with the ABA; and (2) sufficiently alleging that the ABA breached such a contract. The plaintiffs cleared the first hurdle, but not the second.
Notably, the court did not base the finding of an implied contract on the language of the ABA’s privacy policy. Indeed, the court found that the policy’s express disclaimer of any guarantee or warranty of data security reflected the lack of an agreement to “adopt any particular security measures or take any particular action.”
Nonetheless, the court found that an implied contract existed (for purposes of the motion to dismiss) because the ABA “allegedly failed to comply with reasonable security standards by requiring Plaintiffs to provide [names, emails, and/or credit card information] when making purchases[.]” In other words, by requiring customers to provide personal and financial information in order to make a purchase, the ABA entered into an “implied contract based on industry custom” to protect the information.
But the plaintiffs then failed to allege “how ABA has breached said contract.” Granted, the plaintiffs had averred that the ABA’s use of hashed and salted passwords, together with mismanagement of the department implementing data security measures, was commercially unreasonable.3 The court, though, required the plaintiffs to identify the particular security measures that the ABA should have implemented, rather than simply criticize the (purportedly inadequate) steps that were taken.
The court then applied similar reasoning in dismissing the statutory claims. If the plaintiffs had sufficiently alleged that the use of hashed and salted passwords fell below industry standards, then perhaps such a practice would have been materially misleading under the statutes. But the plaintiffs had failed to allege specifically whether, and how, the ABA’s practices were commercially unreasonable and misleading.
The plaintiffs also alleged that the passage of 11 days between the breach and the ABA’s responsive action was actionable. However, the court found that the ABA had not promised within its data policy to respond to a data breach within a certain time.
Finally, as the coup de grâce, the court observed that the plaintiffs had not even alleged that they had read the privacy policy, which means they could not have been misled by it.
Lessons for Companies.
Companies will be held to their privacy policies. One key lesson is that companies should review their privacy policies (or analogous documents) to determine whether the company is promising to take certain actions in response to data breaches. In the same vein, companies might be promising to take such actions within certain timeframes. Companies do not necessarily need to promise to take certain actions by certain deadlines. But if companies do make such promises, and plaintiffs can allege and prove that plaintiffs actually read and relied on those broken promises, courts will likely enforce them.
Companies must protect data regardless of what their policies say. Another lesson is that, regardless of what a privacy policy says (or does not say), a company will be required to protect personal and financial information if the company compels consumers to turn over such information to process a transaction. Courts are likely to impose such a duty on a company as a matter of law—even if the company attempts to draft around that duty in a privacy policy.
Companies will be held to an “industry custom” standard. A final lesson is that a company will be held to “industry custom,” i.e., “commercially reasonable” standards in protecting consumer data. Like any other legal standard based on “custom” or “reasonableness,” there is no automatic black-and-white test to determine whether a company’s practices are legally sufficient. Certain state legislatures have even attempted—and failed—to codify the “reasonableness” standard. Still, a company would be well-served to consult with someone who can advise on what other companies in the industry are doing. Depending on the type of data a company collects, stores and processes, and its risk tolerance, the company might not need to adopt the most cutting-edge data protection practices to avoid liability. The company might need simply to ensure that it does not fall behind its peers in adopting security measures. Unless and until there is a unified regulatory scheme in this area of the law, these decisions will remain ad hoc, and the outcome of lawsuits will depend largely on the unique factual circumstances and allegations presented.
1 Troy v. Am. Bar Ass’n, No. 23-CV-03053 (NGG) (VMS), 2024 BL 146954, 2024 WL 1886753 (E.D.N.Y. Apr. 30, 2024)
2 https://www.abajournal.com/news/article/aba-notifies-members-of-stolen-data
3 Password “hashing” and “salting” are methods of password management. A “hashed” password is run through a computer algorithm that turns plain text into an unintelligible series of numbers and letters. A “salted” password is one to which a random string of characters, or “salt,” is added before being hashed. Each method is intended to make passwords more secure, but neither offers maximum protection.
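As an added illustration of footnote 3 (example code written for this page, not part of the original article or of the ABA's systems), the following Python contrasts an unsalted hash, a salted hash, and a salted, deliberately slow key derivation. It shows why a salt defeats precomputed lookup tables yet does not by itself make a stored password hard to guess; the password, salts and iteration counts are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample: two accounts that happen to share the same weak password.
SAMPLE_PASSWORD = "password123"


def hash_plain(password: str) -> str:
    """Unsalted SHA-256. Identical passwords give identical digests, so a
    single precomputed table of common passwords reveals every reuse."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-256. A per-user random salt makes each stored digest
    unique, defeating shared precomputed tables. SHA-256 is still very
    fast, so each individual digest remains cheap to guess against."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_kdf(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library. The iteration
    count makes every guess deliberately expensive, which is the property
    that salting alone does not provide."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_kdf(password: str, salt: bytes, stored: bytes,
               iterations: int = 600_000) -> bool:
    """Recompute the derivation and compare in constant time."""
    return hmac.compare_digest(hash_kdf(password, salt, iterations), stored)


def demo() -> dict:
    """Return the three observations a reviewer would want to see."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored = hash_kdf(SAMPLE_PASSWORD, salt_a, 1_000)  # low count keeps demo quick
    return {
        # Same password, no salt: digests collide across accounts.
        "plain_collides": hash_plain(SAMPLE_PASSWORD) == hash_plain(SAMPLE_PASSWORD),
        # Same password, different salts: digests differ.
        "salted_differs": hash_salted(SAMPLE_PASSWORD, salt_a)
        != hash_salted(SAMPLE_PASSWORD, salt_b),
        # Correct password verifies; a wrong one does not.
        "kdf_verifies": verify_kdf(SAMPLE_PASSWORD, salt_a, stored, 1_000),
        "kdf_rejects_wrong": not verify_kdf("Password123", salt_a, stored, 1_000),
    }
```

Running `demo()` returns all four flags as `True`; a deployment would store the salt, iteration count and derived key per user and never the plain or unsalted digest.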