Defending Data-Breach Lawsuits Brought by Employees (Part 2 of 2)
Ellis & Winters
Yesterday’s post examined Sackin v. TransPerfect, Inc., where an employer suffered a data breach involving its employees’ sensitive information. After the employees sued, a federal court in New York refused to dismiss claims based on theories of negligence and breach of contract.
Today’s post examines another federal case with similar facts. In this case, however, the employer ultimately defeated the employees’ negligence and contract claims.
How did the defendant in this case achieve the result that TransPerfect could not?
Stolen Laptops and Identities
In Enslin v. The Coca-Cola Company, a rogue Coca-Cola employee stole fifty-five company laptops that contained the sensitive personal information of some 74,000 other current and former Coca-Cola employees. After discovering the theft, Coca-Cola notified those employees and offered them a one-year subscription to a credit-monitoring service.
Shane Enslin, a former Coca-Cola employee who received a notification letter, sued the company in Pennsylvania. Enslin alleged that he experienced various incidents of identity theft because of the breach, including fraudulent charges to his credit cards and bank accounts. His complaint, like the Sackin complaint, asserted claims for negligence and breach of express and implied contracts.
Coca-Cola’s Motion to Dismiss
Like TransPerfect in Sackin, Coca-Cola moved to dismiss those claims.
Coca-Cola first argued that the economic-loss doctrine barred Enslin’s negligence claim. That doctrine prevents plaintiffs from suing in negligence to recover economic damages that are unaccompanied by physical injury or property damage. According to Coca-Cola, Enslin’s negligence claim fell squarely within that rule.
In response, Enslin argued that his claims fell within Pennsylvania’s “special relationship” exception to the doctrine. Under that exception, the doctrine does not apply when a plaintiff and defendant are in a relationship that involves confidentiality, the repose of trust, or fiduciary responsibilities. His employment relationship with Coca-Cola, said Enslin, satisfied that test.
As to the contract claims, Coca-Cola argued that Enslin had failed to allege facts sufficient to establish that Coca-Cola had promised to safeguard his personal information. Without identifying any specific terms, Enslin had alleged only that “part of his employment contract” contained a “mutual exchange of consideration” that included Coca-Cola’s promise to secure his personal information.
Coca-Cola’s Mixed Success under Rule 12(b)(6)
In its decision partially granting Coca-Cola’s motion to dismiss, the court agreed with Coca-Cola that the economic loss rule barred Enslin’s negligence claim because Enslin sought only to recover economic damages. The court also concluded that Enslin could not avail himself of the “special relationship” exception, because his employment with Coca-Cola reflected an “arms-length business contract” rather than a relationship of trust and confidence.
The court refused, however, to dismiss Enslin’s contract claims. The court concluded that his allegations—general though they might be—included the essential elements to make out a claim: the existence of a contract, its essential terms, and a breach by Coca-Cola. Those allegations were enough to state a claim.
Summary Judgment: Coca-Cola’s Formula to Defeat Enslin’s Contract Claims
Having lost the Rule 12(b)(6) battle to defeat Enslin’s contract claims, Coca-Cola arranged for a rematch under Rule 56.
Following discovery, Coca-Cola moved for summary judgment on the contract claims. Coca-Cola argued that the evidence showed Coca-Cola never agreed—expressly or implicitly—to protect Enslin’s personal information.
In response, Enslin pointed to Coca-Cola’s code of conduct. The code included an “Employee Records” section in which Coca-Cola made certain representations about how it would collect and use employees’ information:
The Company will safeguard the confidentiality of employee records by advising employees of all personnel files maintained on them, collecting only data related to the purpose for which the files were established and allowing those authorized to use a file to do so only for legitimate Company purposes.
This provision, argued Enslin, along with the company’s information technology policies and Enslin’s employment application, established a contract that bound Coca-Cola to protect his personal information.
The court disagreed. Its decision granting Coca-Cola’s summary judgment motion found that the code of conduct was binding on the company and enforceable by Enslin. But the court did not read the code to establish a general contractual duty to safeguard his personal information.
To that end, the court observed that the “Employee Records” provision of the code carefully limited the scope of Coca-Cola’s responsibilities to three specific duties:
- advising employees of the personnel files maintained on them;
- collecting only data relevant to the purpose for which the files were established; and
- allowing use of the files only for legitimate company purposes.
The code’s recitation of those three specific duties, concluded the court, demonstrated that Coca-Cola had not expressly agreed to take on “a sweeping contractual duty” to safeguard Enslin’s information against criminal misappropriation.
The court also concluded that Enslin could not establish an implied contract to take on that broad duty. Under Pennsylvania law, the court observed, a contract cannot be implied in fact if an express contract covers the same subject matter.
But even if the code of conduct did not amount to an express contract, the court would still decline to imply one. That type of agreement could only be implied if the circumstances showed a common understanding that Coca-Cola intentionally took on a duty to protect Enslin’s personal information.
Unlike the Sackin court, the Enslin court refused to make that inference.
Instead, the court concluded that, at most, employers may have an implied contractual duty not to directly disclose employees’ personal information to third parties, or to use it for non-business purposes. But the “common-sense understanding” of this duty would not include safeguarding that information against malicious third parties. That was especially true in this case, reasoned the court, where Coca-Cola’s code of conduct showed it intended to avoid taking on that broader duty.
The court therefore granted Coca-Cola’s motion for summary judgment on both of Enslin’s contract claims.
A Path to Defeating Employees’ Negligence and Contract Claims?
The Enslin decisions contain some important lessons for companies involved in employee data-breach litigation.
First, the economic-loss doctrine (which we’ve previously noted can provide a potent defense in business-to-business litigation) can also provide a defense against employee data-breach claims sounding in negligence.
Second, the case confirms that defeating contract-based claims will be difficult under Rule 12(b)(6). As we saw in Sackin, allegations premised on the employment relationship—even when seemingly conclusory—can survive motions to dismiss so long as they address the essential claim elements.
Third, however, Enslin offers a potential path for defeating breach of contract claims under Rule 56. But the foundation must be laid well before a data breach occurs. To that end, employers should carefully draft their employment agreements, codes of conduct, and internal policies to avoid making unnecessarily broad commitments to secure employees’ personal information.
When the company’s data-security duties are expressly limited in those documents, Enslin suggests they can serve as a shield against employees’ express and implied contract claims.
Author: Alex Pearce