Friday, September 17, 2021
Steven Fowler was a GE employee. GE requires its employees to share personally identifiable information (PII) about themselves and their family members. GE made various pledges that it would protect employees' PII and notify employees of any data breaches. GE contracted with Canon Business Protection Services (Canon) to protect employees' PII against data breaches. Nonetheless, in March 2020, GE disclosed that a breach had occurred in February 2020.
Fowler alleges that he was subject to multiple phishing attacks after the data breach. Other members of the proposed class claim that they suffer from an increased risk of identity theft, all the attendant fraud that might accompany such theft, and the hassle and inconvenience of having to mitigate that risk, including changing passwords, getting new credit and debit cards, etc. GE offered free credit monitoring and identity theft protection for two years but no damages beyond that.
Fowler brought claims against GE and CBPS (collectively "defendants") sounding in negligence, breach of contract, violation of statutory protections against deceptive business practices, and breach of fiduciary duty. Defendants moved to compel arbitration and to dismiss on various grounds. Last month, in In re GE/CBPS Data Breach, the District Court for the Southern District of New York granted that motion in part, denied it in part, and gave Defendants about three weeks to file a responsive pleading.
In light of the Supreme Court's decision this summer in TransUnion v. Ramirez, one might have thought plaintiff would have serious standing problems. The court accepted supplemental letter briefs on TransUnion but ruled that the plaintiff had standing without referencing TransUnion. Those of you who want an account of the court's reasoning on that subject can read about it on the CivProProfs Blog or the StandingProfs Blog. If you can't find a discussion of it there, I guess you'll just have to read the case.
The court granted the defendants' motion to dismiss with regard to the negligence per se claim but denied it as to Fowler's negligence claim. We'll leave that part of the opinion for the TortsProf Blog to cover. The court granted defendants' motion with respect to Fowler's statutory and breach of fiduciary duty claims. And now on to the main event.
Fowler alleged a breach of contract based on a GE guidance document with the inviting name "The Spirit and the Letter." The document contains GE's code of conduct and includes its data protection policy. In the alternative, Fowler alleged a breach of an implied contract arising out of GE's representations that it would safeguard employees' PII and provide timely notice of data breaches.
The court quickly concluded that "The Spirit and the Letter," like most employee manuals, "lacks the trappings of" and therefore does not constitute an express contract. Nonetheless, the representations of the manual, coupled with GE's other representations that it would protect employees' PII, suffice to establish an implied contract. The court found that Fowler had adequately alleged all elements of breach of an implied contract claim, and so it granted defendants' motion with respect to Fowler's breach of contract claim but denied it with respect to his breach of an implied contract claim.