A federal court recently refused to apply the economic loss rule to limit claims brought against a fast-food chain in the wake of a massive data breach. This case serves as a useful reminder of the variety of claims (and defenses) that can come up in data privacy litigation. In re Sonic Corp. Customer Data Sec. Breach Litig., No. 1:17-md-2807, 2021 U.S. Dist. LEXIS 9516 (N.D. Ohio Jan. 19, 2021). Read on below.
In 2017, unidentified third parties accessed Sonic customers’ payment card data. The hackers purportedly obtained customer payment card information from more than three-hundred Sonic Drive-Ins. Litigation followed, which was consolidated into multidistrict litigation (“MDL”).
In the consolidated complaint filed in the MDL, Sonic customers alleged that their personal information had been exposed to criminals and was at risk of future misuse. Some of the customers alleged that they had been victims of identity theft and fraudulent charges had been placed on their accounts—which they attributed to the data breach. Additionally, claims were also filed against Sonic on behalf of various financial institutions. This class of plaintiffs alleged they were damaged replacing debit cards and reimbursing consumers for amounts fraudulently charged to their accounts. Following settlement of the customer claims, Sonic moved to dismiss the claims of the financial institutions, arguing in part that their negligence claim was barred by the economic loss rule.
What is the economic loss rule? Good question.
The economic loss rule “provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical or property damage.” This doctrine has come up recently in the context of data breach litigations involving common law tort theories. See, e.g., In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489, 498 (1st Cir. 2009) (explaining in context of data breach claims that the economic loss rule “cabins what could otherwise be open-ended negligence liability to anyone affected by a negligent act.”). Sonic argued that the financial institutions did not allege any property damage or any other type of compensable injury aside from economic harm. Thus, the economic loss rule barred their request for relief under a theory of negligence.
The court disagreed, declined to dismiss the claim, and then refused to reconsider this ruling. Why? Notably, this case involved application of Oklahoma law. Oklahoma is among the minority of states that does not follow the economic loss rule. In Oklahoma, a plaintiff may seek recovery for purely economic losses under common law tort theories even when unaccompanied by allegations of physical injury or property damages.
In requesting that the court reconsider its ruling, Sonic highlighted factual dissimilarities between the parties’ dispute and the case law cited by the court in its ruling (which were product liability, not data breach cases). The court rejected this argument. In doing so, it also declined to certify to the Oklahoma Supreme Court the question of “[w]hether, in data breach cases, the economic loss rule bars a financial institution plaintiff from recovering in tort, from a party with which it is not in contractual privity and with whom it does not have a “special relationship”, for purely financial losses unaccompanied by physical harm or property damage.” This was because, the court explained, Sonic should have requested certification before receiving the ruling refusing to dismiss Plaintiffs’ claims (not after the fact).
Claims raised in data breach litigations typically involve application of state law. As such, this case is a reminder that identical claims are not treated uniformly by courts (which defendants often highlight to defeat motions for class certification). For an optimal case strategy, counsel must be mindful of such jurisdictional nuances at the onset of litigation. For more on this area of the law and emerging developments in data privacy litigation, stay tuned. CPW will be there to keep you informed.