Consumers are not the only ones suing retailers for payment card data breaches. The U.S. District Court for the Western District of Washington recently denied, in large part, a motion to dismiss a data breach class action brought by Veridian Credit Union, on behalf of itself and other financial institutions, against Eddie Bauer, LLC. The class action relates to a January 2016 payment card data breach that allegedly impacted “every Eddie Bauer store in the United States and Canada.”

The court dismissed Veridian’s negligence per se claim, but allowed Veridian’s negligence and state statutory claims to proceed. The court’s analysis of choice of law and negligence issues is worth a read.

Choice of Law

The court first had to decide whether to apply Washington law (where Eddie Bauer is headquartered) or Iowa law (where Veridian is based), after it concluded that an “actual conflict” exists between the negligence and statutory laws of those States. Iowa, but not Washington, recognizes a negligence per se action. Washington does not recognize the economic loss doctrine, which has been used to defeat negligence claims in a number of data breach class actions. Washington instead applies the “independent duty doctrine,” which allows negligence claims growing out of a contractual relationship, where a duty of care arises independent of the contract. Washington’s Consumer Protection Act and RCW 19.255.020 also permitted private causes of action here, where Iowa’s statutory law did not.

The court applied Washington law after concluding that Washington had “the most significant relationship” to the action. Eddie Bauer was headquartered in Washington, and that was where the alleged conduct (“its management’s decisions concerning [ ] internal data security and the Data Breach” and “its failure to employ adequate data security measures emanated from [its] headquarters”) occurred. Washington also had enacted a specific law (RCW 19.255.020) to provide relief to financial institutions suffering losses due to cyber-theft of payment card data.

Negligence

The court’s negligence analysis centered on whether Eddie Bauer owed a legal duty to Veridian. As in most states, Washington law generally imposes no duty to protect a plaintiff from the criminal actions of a third party. A duty may nonetheless arise: (1) from the existence of a “special relationship” between the parties; (2) if a defendant’s actions constituted malfeasance, or affirmative acts; or (3) from a statute.

The court quickly dismissed the first two grounds. First, there was no special relationship between these two sophisticated business entities, which had no contractual relationship. Second, Eddie Bauer’s alleged cybersecurity failures constituted nonfeasance, or omissions, not malfeasance.

While breach of a statute does not provide a basis for negligence per se under Washington law, it can be used as evidence of negligence. Under the Second Restatement of Torts (applied in Washington), a regulation or law can be used to determine negligence liability where it is enacted “‘(a) to protect a class of persons that includes the person whose interest is invaded, and (b) to protect the particular interest which is invaded, and (c) to protect their interest against the kind of harm which has resulted, and (d) to protect that interest against the particular hazard from which the harm results.’”

The court agreed with Eddie Bauer that Section 5 of the FTC Act did not satisfy this test because Section 5 “is not designed to protect either the class of persons that includes Veridian or the interest . . . invaded.”

The court concluded, though, that Washington statute RCW 19.255.020 imposes a duty of reasonable care upon businesses to protect against unauthorized access to payment card information in their possession. It imposes liability for businesses and processors who “fail to take reasonable care to guard against unauthorized access to account information” in their possession or control. This statute satisfies the Second Restatement test because: (1) financial institutions are within the statute’s protected class; (2) the security of cardholder data is the interest to be protected; and (3) the data breach resulting in monetary losses to financial institutions is the particular harm of concern and resulted in the invasion of the protected interest.

Statutory and Consumer Protection Claims

The court also rejected Eddie Bauer’s attack on Veridian’s claim for violation of RCW 19.255.020, finding that Veridian sufficiently alleged facts “to infer” the reissuance of payment cards – a statutory element.

Veridian’s Consumer Protection Act claim was viable. Eddie Bauer’s alleged failure to reasonably secure customer financial information could constitute an “unfair act,” “because it knowingly and foreseeably put Eddie Bauer’s customers and payment card financial institutions at a risk of harm from data theft and fraudulent payment card activity . . . .” The court reasoned that customers would have been unable to know that the cybersecurity measures taken by the retail store were “allegedly deficient,” and would have been unable to avoid the harms due to these security failures.

Conclusion

This decision is another in a line of federal court decisions allowing data breach class actions to proceed beyond initial motions to dismiss. It illustrates the importance of the choice of law analysis and how differences in state statutory and common law are critical in assessing potential liability for data breaches. It also follows a growing pattern of B2B litigation – as opposed to customer privacy class actions – arising out of cyber incidents that have a ripple effect on different organizations.