Routine Collection of Employee Private Information May Open Door to Costly Litigation if Data Breach Occurs

Emily Keimig & Carissa Davis

In McFarlane v. Altice USA, Inc., a recent decision out of the Southern District of New York, a class of plaintiffs successfully established standing and stated a plausible claim for breach of implied contract based on a data breach caused by a cybercriminal phishing attack.

The cable company Altice was the target of a phishing scam in which employees unwittingly gave cybercriminals access to unencrypted customer and employee personal identifying information, including social security numbers.  Plaintiffs in McFarlane are former employees whose social security numbers were compromised.  Plaintiffs brought a variety of claims, including breach of implied contract.  Altice moved to dismiss the lawsuit for lack of standing and to dismiss the implied contract claim for failure to state a plausible claim.  Altice lost on both arguments.

Standing, a necessary component of any lawsuit, requires plaintiffs to show they have suffered an injury caused by the defendant’s conduct and that the injury may be redressed by court intervention.  While speculative injury is insufficient, future injury may suffice so long as it is “certainly impending.”  Historically, class counsel has faced difficulty connecting a defendant’s conduct to alleged harm when a data breach occurs, especially given the frequency of data breaches and the challenge in identifying which breach caused data to be compromised.  In McFarlane, class counsel alleged that the former employees’ harm arising from the breach was traceable to Altice. The Court held that Plaintiffs had standing because three of the nine Plaintiffs were victims of identity theft and the impending prospect of the unlawful use of their misappropriated social security numbers was fairly traceable to Altice’s failure to safeguard its data.

Because they have standing, Plaintiffs may now pursue a myriad of claims, including their claim for breach of implied contract.  Relying in part on a decision from the District of Colorado involving consumer (rather than employee) claims, the Court held the Plaintiffs sufficiently alleged they had provided their personal identifying information as a condition of employment, thereby creating an implied contract.  That implied contract conferred upon Altice the obligation to take reasonable steps to safeguard the employees’ personal information.  Altice allegedly breached that contract by failing to utilize adequate email filtering software, not requiring cybersecurity training, and not encrypting sensitive documents.

The lesson?  Employers, virtually all of whom collect personal information from their employees, risk significant legal exposure if they fail to acknowledge the real likelihood of a cyber-attack in today’s digital world. Employers must implement effective data protection policies and procedures to limit the risk of inadvertent disclosure or criminal activity that could compromise sensitive data. If a breach occurs and litigation ensues, class counsel may employ counterintuitive arguments to demonstrate standing and nudge unexpected claims from conceivable to plausible.