Questions About Tort and Contract Claims in the Cybersecurity Context Left Unsettled
Supreme Court of Virginia Declines Certified Questions from Federal Court in In re: Capital One Consumer Data Security Breach Litigation
The lawsuit In re: Capital One Consumer Data Security Breach Litigation, has already spawned new precedence related to engaging forensic experts in the cyber incident response space. But a lesser-known offshoot of this ongoing litigation is that it prompted new questions about how plaintiffs pursue claims for loss of personal information under Virginia law.
[clear]While Capital One was brought in a federal court in the Eastern District of Virginia, it prompted certified questions to the Supreme Court of Virginia regarding nuances of duties surrounding the loss of data in a cyber incident under Virginia law. This article examines these key legal questions and charts a potential practical path ahead for the cyber law savvy.
Procedural History of Capital One: Federal Court Denies Motion to Dismiss Based on Economic Loss Doctrine
The Capital One case arose out of a cyberattack that allegedly resulted in the theft of millions of consumers’ personally identifiable information. Following the attack, a putative class of plaintiffs asserted several claims against Capital One, including common law negligence under Virginia law. Capital One moved to dismiss this claim, arguing it was barred by the economic loss doctrine because the source of any duty breached arose from contractual promises, rather than a common law duty of reasonable care. In other words, because the plaintiffs asserted several contract claims, Capital One contended any duty to protect their data arose out of a contract. This would be in contrast to a duty that would arise absent a contract under a theory of simple negligence.
Under the economic loss doctrine, claims for damages that are within the contemplation of the parties when framing an agreement, “such as economic losses and damage to property that is the subject of the agreement” are the “province of the law of contracts.” Tingler v. Graystone Homes, Inc., 298 Va. 63, 98–99 (2019). “A party may not use tort claims of negligence to seek such damages.” Id.
The United States District Court for the Eastern District of Virginia denied the motion to dismiss the negligence claim under Virginia law, holding that, based on the allegations in the complaint, Capital One had voluntarily assumed a duty to safeguard the plaintiffs’ personally identifiable information. In re Capital One Consumer Data Sec. Breach Litig., 488 F. Supp. 3d 374, 400 (E.D. Va. 2020). Citing allegations regarding Capital One’s statements in its privacy notices, the court found that Capital One had affirmatively represented it is responsible for providing its customers with adequate data protection services, thereby assuming a duty to do so. Id.
Capital One moved for reconsideration or, in the alternative, to certify questions raised by its motion to the Supreme Court of Virginia. The court denied the motion but agreed to certify questions.
Procedural History of Capital One: Supreme Court of Virginia Declines Certified Questions
The District Court certified the following questions to the Supreme Court of Virginia:
- Whether the economic loss rule precludes Plaintiffs’ negligence claims under the facts and circumstances alleged?
- If not barred by the economic loss rule, does there exist under the circumstances alleged, a cause of action for negligence against Capital One based on either an extra-contractual, independent tort duty to use reasonable care to protect consumers’ personal information from disclosure or the voluntary assumption of such a duty?
The Supreme Court of Virginia has discretion to answer questions of law certified by federal district courts when “a question of Virginia law is determinative in any proceeding pending before the certifying court and it appears there is no controlling precedent on point in the decisions of this Court or the Court of Appeals of Virginia.” Va. Sup. Ct. R. 5:40. The Supreme Court of Virginia declined to answer the certified questions by order without providing reasons for its decision. Because the court is not required to provide a basis for its decision to accept or reject such questions, however, the court’s decision does not indicate it agrees with the District Court’s ruling regarding assumption of duty.
Implications of Federal Court’s Holding and Unsettled Questions
Despite the decision to decline the certified questions, there are key takeaways from the decisions of the Virginia Supreme Court and District Court:
- Be careful about promises on websites and in privacy notices.
Promises made in privacy statements or on a company’s website can be used in litigation as evidence of assuming a duty to safeguard personally identifiable information. For example, in reaching its holding on the motion to dismiss, the District Court cited allegations in the complaint about Capital One’s privacy notices, including the statement that:
At Capital One, we make your safety and security a top priority and are committed to protecting your personal and financial information. If we collect identifying information from you, we will protect that information with controls based upon internationally recognized security standards, regulations, and industry-based best practices.
Thus, businesses should take care to carefully craft statements in privacy notices to customers because their representations can be construed as an assumption of duty. Woods Rogers Cybersecurity and Data Privacy group recommends taking these statements out if they are not required by law.
- Both contract and tort damages are presently available in actions stemming from cybersecurity attacks.
The primary benefit of a negligence claim is that, unlike claims sounding in contract, punitive damages are available. In light of the District Court’s holding, plaintiffs can pursue contract and tort damages arising from a cyberattack. Whether the District Court’s holding was a proper interpretation of Virginia law remains unsettled, but due to the prevalence of cyberattacks, the Supreme Court of Virginia will likely be presented with this question again.
In summary, the United States District Court for the Eastern District of Virginia has held that under Virginia law, businesses can assume a tort duty to protect personally identifiable information by representing to customers that they carefully safeguard this information. The Supreme Court of Virginia declined to determine whether this holding is correct but may need to revisit this question. In the meantime, businesses should carefully craft statements in privacy notices to avoid assuming a tort duty to protect personally identifiable information.
Team
- Principal
- Principal | Cybersecurity & Data Privacy Practice Chair