The Wisconsin Court of Appeals allows negligence claims against businesses for cybersecurity attacks to move forward but holds that invasion of privacy claims require intentional conduct.
In the age of technology, more businesses are choosing to store their records in electronic databases for a variety of reasons, such as reducing paper files or to centrally locate information. It is likely that those electronically stored records contain personally identifiable information (PII) such as bank account records, social security numbers, driver’s license numbers, and dates of birth.
A recent court of appeals decision demonstrates why businesses need to ensure that they are safeguarding their employees’ and customers’ PII in a safe and secure manner. Although a business may not be criminally charged for a data breach, victims of the data breach may bring a civil claim against a business. Civil claims for negligence in data breach cases are becoming more common across the country.
In Reetz v. Advocate Aurora Health, Inc., 2022 WI App 59, Reetz, a former employee sued Aurora for negligence, invasion of privacy, breach of contract, breach of implied covenant of good faith and fair dealing, and declaratory relief related to a data breach of Aurora’s human resources system.
In January 2020, an unauthorized person gained temporary access to an Aurora human resources system through a phishing scheme. The human resources system contained the PII of current and former employees of Aurora, such as social security numbers, bank accounts used for direct deposits, birth dates, and home addresses. Aurora discovered that 63 employees had their direct deposit information changed to deposit paychecks into the intruder’s account(s). Plaintiff Reetz’s direct deposit information was not among the 63 accounts discovered as compromised.
In March 2020, Reetz filed a class action suit (for herself and those similarly situated) against Aurora. Reetz’s suit was dismissed with prejudice at the circuit court for failure to state a claim.
On appeal, the court of appeals found that Reetz had standing to sue and sufficiently alleged a claim for negligence. The court noted that Reetz had alleged that Aurora had a duty of care to safeguard her PII within its control because it was foreseeable that cybercriminals would attempt to access the PII; that Aurora breached that duty; and that as a result of Aurora’s negligence, Reetz suffered damages including monetary damages and increased risk of future harm from identity theft. Aurora argued that Reetz failed to allege actual damages; however, the court, accepting the allegations in the complaint as true, accepted that Reetz incurred fraudulent charges and overdraft fees. The pleading of those specific amounts were adequate actual damages. Further, Reetz’s damages did not only arise from overdraft fees; the court noted that the allegation of “time spent dealing with fraud attempts [and] the threat of future identity theft” was a sufficient imminent injury. 2022 WI App 59, ¶ 13 (citation omitted). The court of appeals reversed the circuit court’s order dismissing the negligence claim and remanded for further proceedings on the negligence claim and its class action ramifications.
As for Reetz’s other claims of invasion of privacy, breach of contract, breach of implied covenant of good faith and fair dealing, and declaratory relief, the court of appeals concluded that Reetz failed to state a claim for those claims and affirmed the circuit court. Importantly, in a matter of first impression, the court of appeals concluded that the publicity of private facts cause of action requires intentional conduct in Wisconsin. Id. at ¶ 19.
Although Reetz’s case was remanded back to the circuit court for the negligence claim and continues to be litigated, it is a prime example of why businesses need to implement the appropriate cybersecurity measures to protect the PII of customers and employees.
For further information on strengthening your protective safeguards against a cybersecurity attack and proactively protecting your private data, steps to take in response to a cybersecurity attack, and all other information on cybersecurity law, contact members of Stafford Rosenbaum’s Cybersecurity Practice Group: Attorney John Shanahan (firstname.lastname@example.org; 414.982.2878) and Attorney Pahoua Thao (email@example.com; 608.210.6313).
Stafford Rosenbaum LLP is a full-service law firm with two convenient office locations in Madison and Milwaukee, Wisconsin. Over 140 years of dedication to businesses, governments, nonprofits, and individuals has proven that effective client communication continues to be the heart of our practice.