In In re GE/CBPS Data Breach Litig., 2021 U.S. Dist. LEXIS 146020, at *16-18 (S.D.N.Y. Aug. 4, 2021), Judge Polk Failla found that the plaintiff had Article III standing and had adequately pleaded a negligence claim arising out of a data breach. The facts were as follows:
GE contracts with Canon to process documents relating to current and former GE employees and their beneficiaries. (Compl. ¶ 41). On March 20, 2020, GE issued a data breach notice stating that in February 2020, one of Canon’s employee email accounts had been breached by an unauthorized party. (Id. at ¶ 43). The notice states: “We were notified on February 28, 2020 that Canon had determined that, between approximately February 3-14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems…. Canon has indicated that the affected documents, which contained certain personal information, were uploaded by or for GE employees, former employees and beneficiaries entitled to benefits in connection with Canon’s workflow routing service. The relevant personal information, which was contained in documents such as direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.” (Id. at ¶ 44). Analysis by members of the public suggested that the Data Breach was the result of a “standard credential phishing attack or due to credential reuse on another site.” (Id. at ¶ 46). Canon determined that, as a result of the Data Breach, unauthorized persons may have obtained Fowler’s name, employee identification number, home address, phone number, and email address. (Allen Decl. ¶ 6). 
After the Data Breach, Fowler received phishing and scam emails to his personal email address, and phishing and scam phone calls to his personal phone number. (Fowler Decl. ¶¶ 2-3). Other proposed class members allegedly suffered increased risk of identity theft and fraud; the time and expense necessary to remediate and mitigate the increased risk of identity theft and fraud; the inability to use debit [*7] cards because those cards had been canceled, suspended, or otherwise rendered unusable; fraudulent debit charges; and loss of confidentiality and value of their personal and financial information. (Compl. ¶¶ 79, 88(l), 104, 112, 119, 125, 182).
The Court found Article III standing, reasoning in relevant part as follows:
Plaintiff responds that the information about him that was compromised “is not publicly available all in one place,” so far as he knows (Pl. Opp. 8 n.5), and that the exposure of his email address, phone number, employee identification number, and home address “provides hackers the means to commit fraud or identity theft by way of a social engineering attack” (id. at 9). In support, he cites several out-of-circuit decisions finding standing based on theft of this type of information, among others. See In re Zappos.com, Inc., 888 F.3d 1020, 1023-28 (9th Cir. 2018) (finding standing where “names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information” was stolen by hackers); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1033-35 (N.D. Cal. 2019) (finding standing where the plaintiff’s “name, email address, telephone number, date of birth, locations, work and education history, hometown, relationship status, and photographs now reside with criminals” as a result of a Facebook data breach, and the plaintiff had been “bombarded” with phishing emails and text messages); In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447, 454, 457-66 (D. Md. 2020) (finding injury in fact where hackers obtained “names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, payment card numbers, payment card expiration dates, and tools needed to decrypt cardholder data”). 
While it is indisputable that the PII concerning Plaintiff that Canon claims was accessed is not as sensitive as social security numbers, account passwords, or bank account information, the Court agrees with its colleague in Bass that “information taken … need not be sensitive to weaponize hackers in their quest to commit further fraud or identity theft,” and that even an individual’s email address, mailing address, telephone number, and employment information can “provide further ammo” to nefarious actors. 394 F. Supp. 3d at 1034. Thus, while the third factor does not support Plaintiff’s claim to standing as strongly as do the first two, it also does not undermine it. In sum, the Court concludes that Plaintiff has made a sufficient showing at this stage of the litigation to establish his standing under Article III, based on the circumstances of the Data Breach, the allegations regarding misuse of PII exposed in the Data Breach, and the potential uses of the PII to target Plaintiff and other class members for identity theft or fraud. Accordingly, the Court denies Defendants’ motion to dismiss the Complaint under Rule 12(b)(1).
The Court also found that the plaintiff had adequately stated a negligence claim:
Plaintiff adequately alleges that Defendants owed him and proposed class members a duty to exercise reasonable care in safeguarding their PII, which duty arose out of the “special relationship that existed between GE and its employees,” GE’s requirement that employees “submit non-public, sensitive personal and financial information for purposes of employment with GE[,]” and Defendants’ exclusive ability to implement security measures within their computer systems. (Compl. ¶¶ 95-97; see also id. at ¶¶ 56-57). New York courts have found a duty of care in such situations because of the asymmetries of power and capabilities between employees and employers. See, e.g., Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 748 (S.D.N.Y. 2017) (“[E]mployers have a duty to take reasonable precautions to protect the PII that they require from employees. Employees ordinarily have no means to protect that information in the hands of the employer, nor is withholding their PII a realistic option.”). Employers are “best positioned to avoid the harm in question,” and thus may be expected to bear the burden of doing so. Id. (quoting In re N.Y.C. Asbestos Litig., 27 N.Y.3d 765, 788 (2016)); cf. Wallace v. Health Quest Sys., Inc., No. 20 Civ. 545 (VB), 2021 WL 1109727, at *9 (S.D.N.Y. Mar. 23, 2021) (finding that plaintiffs plausibly pleaded that an operator of hospitals and healthcare providers owed a duty of care to safeguard customers’ and patients’ sensitive personal information). . . 
[T]he Complaint alleges that Defendants breached this duty by “failing to design, adopt, implement, control, direct, oversee, manage, monitor, and audit appropriate data security processes, controls, policies, procedures, protocols, and software and hardware systems to safeguard and protect the personal and financial information entrusted to [them],” despite a reasonably foreseeable risk that such failure “would result in the unauthorized release, disclosure, and dissemination of [Plaintiff’s] and Class members’ personal and financial information.” (Compl. ¶ 98; see also id. at ¶¶ 59, 99-100). Again, this Court agrees with others that have found such allegations sufficient to sustain a negligence claim. See Wallace, 2021 WL 1109727, at *9; Sackin, 278 F. Supp. 3d at 748 (finding negligence allegations to be adequate where plaintiffs alleged that defendant “was aware of the sensitivity of PII and the need to protect it,” but despite this knowledge “failed to take reasonable steps to prevent the wrongful dissemination of Plaintiffs’ PII — including erecting a digital firewall, conducting data security training and adopting retention and destruction policies”).