.png)
Lawyers working in almost every other area of law enjoy years, decades, and sometimes centuries of legal precedent to guide their decisions. With cybersecurity law, practitioners have only months, maybe a year of precedent. For most attorneys, this frontier-type of practice is terrifying; for the minority, it is seductive. However, every cyber law case and its dicta (language) must be carefully analyzed. Here is a snapshot of what is happening now – (HINT: look at McFarlane):
1. Greg Shepherd v. Costco Wholesale Corporation, Supreme Court of Arizona, No. CV-19-0144-PR.
Greg Shepherd visited his physician for a refill of his usual prescription. He also received a sample of erectile dysfunction ("E.D.") medication. Shepherd then went to Costco to pick up his regular prescription and was notified that a full prescription of the E.D. medication was also ready. Shepherd declined the E.D. prescription and instructed the Costco employee to cancel it. The following month, Shepherd called Costco for a refill and was again told that E.D. meds were available. Shepherd again said that he did not want the E.D. medication. The next day, Shepherd’s ex-wife, with whom Shepherd wanted to reunite, went to pick up his medications from Costco and was inadvertently given the E.D. medication in addition to desired refilled prescriptions. Shepherd’s reconciliation efforts with his ex-wife failed and he was deeply embarrassed. Shepherd eventually complained to Costco’s management and received a written response acknowledging a violation of HIPAA and Costco's privacy policy. Shepherd then sued Costco, alleging negligence, breach of fiduciary duty, fraud, negligent misrepresentation, intentional infliction of emotional distress, intrusion upon seclusion, and public disclosure of private facts based on Costco's "public disclosure of an embarrassing medication that [he] twice rejected."
Skipping the Arizona-only law claims, the Arizona high-court determined that while HIPAA does not permit a private right of action, “it is equally clear that it does not prohibit a state law claim for negligent disclosure of medical information and thus does not preclude Shepherd's [state law based] negligence claim.” Thus, the Arizona Supreme Court authorized state courts to rely upon HIPAA standards in evaluating state negligence claims. Arizona healthcare entities should prepare for a fleet of negligence claims following HIPAA violations.
2. McFarlane v. Altice United States, United States District Court for the Southern District of NY, 20-CV-1297.
This is an interesting decision on a class action’s standing to pursue claims following a November 2019 data breach. Plaintiffs are former employees of telecom provider, Altice USA, Inc. (“Altice), whose personal identifying information was stolen during a breach of Altice’s systems. Plaintiffs argue that Altice failed to institute adequate measures to protect their data, asserting claims for negligence, negligence per se, breach of implied contract, violation of the New York Labor Law, and violation of the Cable Communications Act of 1984.
Altice filed several motions to dismiss. The Court first denied Altice’s motion to dismiss for lack of subject-matter jurisdiction since all nine Plaintiffs demonstrated an injury (identity theft or substantial risk thereof) and that such injuries were traceable to Altice. Next, the Court denied Altice’s motion to dismiss for failure to state a claim, in part, by finding potential merit as to Plaintiffs’ claims of breach of implied contract (very creative on the part of the Plaintiffs’ counsel). According to the court, the Plaintiffs were required to provide personal identifying information in exchange for employment, and therefore, Altice was required to protect that information as their employer. By failing to properly safeguard that information, the Court found it possible that Altice may have allegedly breached an implied employment agreement. EMPLOYERS – you should be reading this….
Lastly, the McFarlane court deferred judgment on Altice's motion to compel arbitration as the arbitration clause was incredibly extensive and was referred to as an "infinite arbitration clause" by requiring “arbitration of any dispute between a subscriber and Altice, as well Altice's parents, subsidiaries, affiliates, …, and without regard for whether it arises from or relates to the cable services agreement of which it is part.” Therefore, the Court found “as a matter of either contract formation or unconscionability, the arbitration clause at issue does not require arbitration of claims that lack a nexus to the cable services agreement.” In short, the Court refused to enforce an over-extensive arbitration provision that was seemingly designed to wholly prevent all victims access to the courts.