IL Appellate Court: No Duty Exists to Safeguard SSNs for Purposes of a Negligence Claim

In one of InfoLawGroup’s first blogposts to kick off 2011 we surveyed a handful of privacy lawsuits that are in the process of potentially altering the privacy and security legal risk landscape. ILG recently discovered another case (through an excellent service we use called Nymity), one of the first that we are aware of in the United States, that dives deep into the issue of whether a common law duty exists to safeguard personal information. In Cooney, et al. v. Chicago Public Schools, et al., an Illinois appellate court upheld a lower court’s dismissal of a lawsuit involving the unauthorized disclosure of sensitive personal information, including names, addresses, social security numbers, marital status, dates of birth, medical and dental insurers and health insurance plan information. While we have seen plenty of courts dismissing data breach cases on motion to dismiss, most of those have focused on the lack of alleged damages. In Cooney, however, the court actually rendered a decision on whether any common law duty exists to safeguard personal information for purposes of a negligence claim. The Cooney court’s ultimate answer was that no such duty exists. In this blogpost we take a closer look at the court’s rationale for dismissing the plaintiffs’ negligence claim, as well as the other interesting holdings of the court.

Background

In Cooney, the main defendants were the Chicago Public Schools and its Board (“CPS”), and a printing and mailing company known as All Printing & Graphics, Inc. (“All Printing”). All Printing was retained by CPS to print, package and mail a COBRA Open Enrollment List to approximately 1,750 former CPS employees. Unfortunately, each of the 1,750 employees was sent a list containing the personal information of all the other 1,749 former employees, including names, addresses, social security numbers, marital status, medical and dental insurers and health insurance plan information. CPS notified the employees of the breach and offered one year of free credit protection insurance. Several of the employees filed individual and class action lawsuits, which were consolidated at the trial court level. The complaints alleged several causes of action (including common law negligence), all of which were dismissed by the lower court. The appellate court set out to determine whether the dismissal was in error, and ultimately held that it was proper. One of the appellate judges, however, dissented. The following is a summary of the court’s opinion for the main causes of action alleged.

Common Law Negligence

In addressing the plaintiffs’ common law negligence claim, the court laid out the traditional elements necessary to allege negligence, and first set out to determine whether CPS was under a duty to safeguard the plaintiffs’ personal information.

First, under Illinois law, a violation of a statute designed to protect human life and property may be used as prima facie evidence of negligence (i.e., it can be used to allege a “duty” for purposes of negligence, and a violation of that duty). In this case, the plaintiffs argued that HIPAA and Illinois’ breach notice law (815 ILCS 530) created a duty for negligence purposes. The court, however, rejected both arguments.

On HIPAA, the court indicated that 45 CFR § 160.103 excludes “employment records held by a covered entity in its role as employer” from HIPAA coverage. According to the reasoning of the majority, since CPS “held” the plaintiffs’ health insurance elections in its role as employer, the disclosure of such records was not a HIPAA violation. Notably, however, the dissenting judge disagreed with this assessment. He indicated that the exception only applied to employment records actually “held” by the covered entity, as opposed to those disclosed (and therefore no longer held by CPS) to unauthorized third parties. In the dissent’s view, then, the plaintiffs did properly plead a negligence claim based on allegations that HIPAA had been violated. If this case is appealed to the Illinois Supreme Court, this will likely be a key issue. One important item to note here is that both the majority and the dissent appear to have agreed that a data security statute can be used to establish a duty for negligence purposes even if the underlying statute does not itself provide a private right of action.

The plaintiffs also claimed that Illinois’ breach notice law was violated because a “breach of the security of the system data,” as defined in that law, had occurred. The court rejected this argument as well, noting that Illinois’ breach notice law already provides a specific and exclusive remedy for a breach of the security of the system data: notice to the data subjects (which was properly provided in this case).

Second, the court considered whether a “new” duty to safeguard personal information exists in general for negligence purposes (i.e., without having to rely on a specific statute). On this issue, the court rejected the plaintiffs’ argument that the sensitivity of personal information such as birth dates and social security numbers justified the recognition of a duty. Notably, the court did not consider any “foreseeability” arguments or analyze whether a duty should have existed based on something like Judge Learned Hand’s risk formula. Based on the foregoing, the court found that the lack of an alleged duty justified dismissal of the common law negligence claim against both CPS and All Printing.

IL Consumer Fraud and Deceptive Business Practices Act

Section 2QQ of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1, et seq.) prohibits a “person” from publicly posting or displaying an individual’s social security number. In this case the court held that the CPS Board was a “body politic” and therefore not a “person” under the Act. In addition, while All Printing does qualify as a “person” covered under the Act, the plaintiffs failed to allege actual damages as required under the Act. Relying on the large body of case law on the damages issue, the court specifically rejected the plaintiffs’ contention that an increased risk of identity theft, and the cost of paying for credit monitoring, constitute actual damages.

Traditional Privacy Torts

The plaintiffs also alleged “intrusion upon seclusion” and “public disclosure of private facts.” In considering these theories, the court indicated that both torts require disclosure of “private” matters or facts. The court held that the privacy element was not satisfied because no Illinois law defines social security numbers as private information. In addition, names and dates of birth did not qualify as private facts because they are matters of public record. Finally, while Illinois law has defined social security numbers as “personal information,” the court held that personal information does not equate to “private” information. Private information, in the court’s view, means private facts that would be facially embarrassing and highly offensive if disclosed. As such, the court ruled that these claims were properly dismissed by the trial court.

Other Miscellaneous Causes of Action

The appellate court, sometimes in a very cursory fashion, affirmed the dismissal of other causes of action the plaintiffs attempted to allege, including:

  • Negligent infliction of emotional distress (dismissed because traditional negligence elements had not been alleged, as required)
  • Breach of fiduciary duty (dismissed because no authority found to indicate that a fiduciary duty exists based on the plaintiffs providing their personal information “in confidence” to the CPS)
  • HIPAA violations (dismissed because the plaintiffs did not allege that they had been deprived of a constitutionally protected right caused by a “municipal policy”; and because HIPAA does not provide a private right of action against non-state actors like All Printing)
  • 4th Amendment privacy violation (dismissed because the plaintiffs failed to properly raise the issue before the trial court)

Conclusion

This case is very interesting because it is one of the first (if not the first) to squarely rule on whether a common law duty exists to safeguard personal data. It will be very interesting to see whether this case is appealed to the Illinois Supreme Court. Based on the strong dissent, it appears the majority opinion may be at risk of being overturned. What is somewhat disappointing, however, is the lack of deep analysis by the appellate court (especially on the issue of whether a common law negligence duty existed). It may be that key issues were not raised or briefed by the plaintiffs, but it would have been nice to see a full-throated analysis of “law school 101” issues like foreseeability, reasonableness and risk reduction. InfoLawGroup will try to get hold of the appellate briefs and other underlying documents to see if they provide additional insight into how the court reached its decisions (and we will post them here once we have them). We look forward to your thoughts, comments and questions on this case.