One of the most appealing causes of action you can bring for data breach is negligence because it allows you to recoup damages for not just the actual financial damages that the breach has caused you to incur but also, possibly for the emotional damages the breach has caused you to incur. A claim of negligence generally has multiple elements, or things that you must prove in court. In the case of Est. of Rotell ex rel. Rotell v. Kuehnle, 38 So. 3d 783, 788 (Fla. Dist. Ct. App. 2010), the Second District Court of Appeals in Florida defined the elements of a negligence claim as follows: “The elements of a cause of action in . . . [negligence] are: (1) a legal duty owed by defendant to plaintiff, (2) breach of that duty by defendant, (3) injury to plaintiff legally caused by defendant's breach, and (4) damages as a result of that injury.”
In its simplest form, a duty is a legal obligation that one person owes to another, often referred to as a duty of care. For example, you owe a general duty to those around you to operate your car in a safe manner, and similarly, you owe a duty to guests that you invite to your home to ensure that your home is safe and free from hazards that could injure them. Whether or not a duty exists is a question of law that typically must be decided by a judge. McCain v. Fla. Power Corp., 593 So. 2d 500, 502 (Fla. 1992). Moreover, a lack of duty or claiming that a defendant doesn’t owe you a duty is common defense to both negligence claims generally and to claims of negligence due to a data breach specifically.
The case of Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018) out of Pennsylvania provides a good illustration. In that case, a group of employees brought a class action data breach lawsuit against their employer, the University of Pittsburgh Medical Center (“UPMC”), alleging that the employer had negligently stored their personal information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information, without maintaining proper security protocols to protect it. Id. at 1038. This, the employees alleged, led to a data breach that resulted in 62,000 employees having their personal information stolen and in some cases, used to file fraudulent tax returns. Id. Moreover, the employees alleged that they were required to disclose this information to the employer in order to gain employment. Id. at 1039.
Initially, the trial court had determined that UPMC did not owe a duty to the employees to keep their personal information secure, and dismissed the employees negligence claim. Id. at 1040-41. The case was appealed, and the Pennsylvania Superior Court (the second highest appeals court in Pennsylvania) came to the same conclusion and held that UPMC did not owe a duty to its employees to keep their data safe from data thiefs. Id. at 1042. The Pennsylvania Supreme Court however concluded that the employer did owe a duty to the employees. Id. at 1048. The court reasoned that because the employer required the employees to disclose their personal information as a condition of or a prerequisite for employment, the employer engaged in an affirmative act that created a potential risk that a data breach could occur. Id. at 1047. As a result, the court concluded that “[i]n scenarios involving an actor's affirmative conduct, he is generally under a duty to others to exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act.” Id. (internal quotations omitted).
Dittman v. UPMC demonstrates a lot of things. First, the disagreement among the courts is not uncommon. The case was decided in Pennsylvania, and courts in other states might come to a different conclusion. Second, the case demonstrates how fact-intensive the determination of whether a duty exists can be. The state supreme court held that a duty existed because the employer required the employees to disclose the information to it, but if the disclosure was voluntary, such as disclosing information to a company in order to purchase a product or service, the outcome may have been different. Finally, Dittman v. UPMC demonstrates why it is highly advisable for you to consult with a data breach attorney after learning that a breach has occurred. The case had to go before 3 separate state courts before the issue was favorably decided. Undoubtedly, this would have been difficult to accomplish if the litigants were not represented by a data breach lawyer.
The second element of a data breach lawsuit for negligence, i.e. that the defendant breached its duty, is relatively straightforward to prove because you would merely have to show what security measures the company responsible for the breach should have implemented to avoid it. The more challenging elements to prove are that the defendant’s conduct caused your injury and that you actually suffered damages. As the Florida Bar Journal put it, “we are perilously close to reaching a causation ‘tipping point’ where it is virtually impossible to determine whether a particular data breach was the proximate cause of subsequent related harm if the claimant's PII [(Personally Identifiable Information)] was previously disclosed in one or more other data breaches.” This statement pretty much sums up the uphill legal battle that victims of a data breach face. Because data breaches are happening more often on a massive scale, it has become difficult to prove that a particular data breach is responsible for the damages you have incurred. Moreover, the damages themself can be difficult to prove because they can be difficult to quantify.
As a general matter, you cannot bring a claim for negligence if you have not suffered or incurred any damages. See State, Dep't of Transp. v. Rosario, 782 So. 2d 927, 928 (Fla. Dist. Ct. App. 2001) (upholding jury verdict for defendant based on lack of damages). But the question becomes, have you incurred any damages and when did you incur them? Merely having your information exposed does not constitute damages. Rather, it is what data thieves can do with your data that can cause you to incur damages. For example, if a data thief stole your data, stole your identity, and then used your identity to purchase a house, you now have incurred damages, but if the data thief merely stole your data and sold it to someone for them to use at a later time, you have not incurred damages yet because you haven’t sustained any financial losses. As such, it’s important for you to consider speaking with a legal specialist who can evaluate the merits of your potential claim in order to determine whether it is even possible for you to even bring a negligence action.
If you have fallen victim to a data breach and had your private information compromised, don't hesitate to reach out to the experienced data breach attorney at The Peck Law Firm, P.A. Our team has been dedicated to assisting clients with their legal needs for years and is prepared to discuss your case today. Contact us now to explore how our data breach attorney can support you in seeking justice and compensation for your data breach lawsuit.