To date, the key question in data breach litigation has been whether plaintiffs can demonstrate that they suffered damages and, therefore, have standing to bring suit. In just the last two weeks courts have rendered decisions on whether data breach victims have standing to bring suit (See Dugas v. Starwood Hotels & Resorts Worldwide, Inc., where the victim had standing to bring suit related to hotel data breach, and Welborn v. Internal Revenue Service, et al.). While standing is still important, data breach litigation is getting beyond these basic procedural issues.

For example, data breach litigation is evolving to allow victims to name not only the breaching entity, but vendors to the breaching entity that contracted to assist in data security and storage. In Leibovic v. United Shore Mortgage, LLC, Plaintiff, Al Leibovic, applied for a mortgage through Defendant, United Shore Mortgage (United Shore). During the mortgage process, Leibovic provided personally identifiable information (PII). United Shore used a system, referred to as BlitzDocs, developed by Defendant, Xerox Mortgage Services (Xerox) to store and process Leibovic’s information on his loan application.

As part of his lawsuit, Leibovic claims his PII was compromised when “a Mexico-based criminal enterprise gained unauthorized access to United Shore’s files.” In particular, Leibovic claims the criminals hacked directly into the BlitzDocs system and took his information. Ultimately, Leibovic claims his information was used to create fraudulent credit cards and checks and to liquidate his brokerage accounts.

Xerox filed a motion to dismiss Leibovic’s claims against it and the U.S. District Court for the Eastern District of Michigan denied, in part, Xerox’s motion on the following basis:

Leibovic Has a “Plausible” Breach of Contract Claim and Survives Xerox’s Motion to Dismiss

Leibovic’s first cause of action, breach of contract as a third party beneficiary, was based on the contract that United Shore and Xerox entered into for use of the BlitzDocs system. Specifically, this contract provided that Xerox would “use commercially reasonable means to implement appropriate administrative, technical and physical safeguards to meet the requirements of the Gramm-Leach-Bliley Act” to in relevant part “protect against unauthorized access to or use of Customer Confidential Information that could result in substantial harm or inconvenience to any customer of client.” To survive Xerox’s motion to dismiss, Leibovic was required to show the contract was intended to benefit third parties and that “the benefit to the third party is ‘sufficiently immediate.,’ indicating the contracting parties assumed a duty to compensate the third party if the benefit is lost.”

Xerox took the position that Leibovic could not show the contract was intended to benefit him while Leibovic argued that the contract’s reference to “customers of the client” confers an intent to benefit third parties. Yielding to New York law on this issue, the Michigan court found a split in New York State appellate courts where some courts found “any benefit to a third party must be apparent from the face of the contract,” while other courts would look at the “surrounding circumstances” to determine the parties’ intent. Based on this split in New York law, the court held Leibovic had a “plausible claim” and, therefore, had standing to bring his breach of contract claim against Xerox.

Leibovic Has a “Plausible” Negligence Claim and Survives Xerox’s Motion to Dismiss

Xerox also argued Leibovic’s negligence claim fails because he cannot establish Xerox owed him a duty. Specifically, Leibovic asserted a duty was created when Xerox accepted his PII and Xerox breached this duty when Xerox failed to safeguard this information and failed to notify him of the breach. The court held Leibovic’s claims, which he furthered claimed to result in damages, including banking fees, “costs associated with identity protection,” and costs related to the theft of his funds, survived Xerox’s motion to dismiss.

Leibovic Has a Plausible Negligent Performance of an Undertaking Claim and Survives Xerox’s Motion to Dismiss

In applying Michigan law, the court found that a valid negligent performance of an undertaking claim must include the following three “means:”

One who undertakes, gratuitously or for consideration, to render services to another, which he should recognize as necessary for the protection of a third person or his things, is subject to liability to the third person for physical harm resulting from his failure to exercise reasonable care to protect his undertaking, if:

(a) his failure to exercise reasonable care increases the risk of such harm;
(b) he has undertaken to perform a duty owed by the other to the third person; or,
(c) the harm is suffered because of reliance of the other or the third person upon the undertaking.

Here, the court found Leibovic met this standard when he: alleged that Xerox failed to exercise reasonable care in providing data storage and security to protect his PII; alleged United Shore owed him a duty to protect his information and Xerox assumed that duty; and has been harmed because his PII has “diminished in value, since [he] no longer [has] the ability to control the information.”

Based on the above, the court held Xerox’s motion to dismiss was denied on these counts thereby requiring Xerox to argue the merits of Leibovic’s claims against it and United Shore.

The Leibovic decision may signal that data breach litigation is moving into a new phase where questions over whether a litigant has standing may not be primarily at issue. Further, this decision serves as an important reminder for data breach victims to carefully review any contracts and agreements the breaching entity had with third parties for storage and protection of the victims information. Even though Xerox and Leibovic were not contractually bound and Leibovic may not have even known Xerox handled his personal information, we see that the court left open the question of whether Leibovic’s litigation can proceed against Xerox.