4 LESSONS FROM THE IN RE SOLARA MED. SUPPLIES CASE AND DATA BREACH
A United States District Court again allows a lawsuit seeking to hold a commercial data breach victim accountable for its potential role in a mass data breach under the theories of negligence, breach of contract, and unfair trade practices.
Below are 4 lessons for potential defendants facing similar situations:
1. Do NOT over-promise cybersecurity functions and features.
2. Patient Bills of Rights and Privacy Policies may be found to be implied or actual contracts.
3. 5 months is too long to notify customers of a data breach in California.
4. Encrypt sensitive data and accounts.
See this In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., C.A. No.: 3:19-cv-2284-H-KSC (S.D.C.A. 2020) synopsis for more information and context:
Diabetes medical device supplier Solara faces a class action data privacy suit in California after six plaintiffs alleged their personal and medical information was exposed when Solara's computer systems were compromised by cyber criminals in 2019. Solara learned of the breach on June 14, 2019 and publicly announced that “an unknown actor gained access to a limited number of employee Office 365 accounts[.]” The Office 365 accounts were not encrypted. Five months later, Plaintiffs received a letter from Solara regarding the breach. Plaintiffs claim stress and anxiety from fraudulent billing issues, an increase in spam calls, an increase in phishing attempts, and loss of time/productivity as a result of the breach.
Following a Motion to Dismiss, the Southern District of California maintained the following claims, while granting the Plaintiffs leave to amend and refile those claims that the Court dismissed:
1. Negligence
Defendant argued that Plaintiffs cannot maintain a cause of action for negligence because the economic loss doctrine bars their claims. However, Plaintiffs argued exceptions to the economic loss doctrine; specifically, that: (1) Plaintiffs pled non-economic harm, (2) Solara owed them an independent duty to safeguard their information, and (3) a special relationship existed between the parties. The Court agreed: because Plaintiffs pled anxiety and other non-general damages, the economic loss rule did not apply.
2. Breach of Contract
Defendant argued that it did not have a contract with Plaintiffs. However, the Court found Solara’s “Notice of Privacy Practices” and “Patient Bill of Rights” constituted contracts. Specifically, the Notice of Privacy Practices stated as follows:
“Solara Medical Supplies . . . is committed to protecting your privacy and understands the importance of safeguarding your personal health information. We are required by federal law to maintain the privacy of health information that identifies you or that could be used to identify you[.]”
And, Solara's Patient Bill of Rights enumerates the following rights:
“The Client Bill of Rights is designed to recognize, promote, and protect, an individual's right to be treated with dignity and respect within the health care system. . . . As our client you have the right to . . . Confidentiality of your records and Solara Medical Supplies, LLC policy for accessing and disclosure of records.”
Plaintiffs allegedly suffered a diminution in value of their personal information resulting from the breach of these contracts, which, according to In re Facebook Privacy Litigation, 572 Fed. Appx. 494 (9th Cir. 2014), creates a recoverable element of damages.
3. Breach of Implied Covenant of Good Faith and Fair Dealing
Defendant argued for the dismissal of this claim due to the absence of a conscious and deliberate act. Plaintiffs argued that Solara knowingly violated its own policies and HIPAA requirements without remedial action, and the Court agreed to maintain the claim. However, the Court hinted that this allegation may not survive summary judgment following discovery.
4. Unjust Enrichment
California law permits independent claims for unjust enrichment.
5. California Confidentiality of Medical Information Act Claim
The California Confidentiality of Medical Information Act ("CMIA") requires health care providers to maintain medical information "in a manner that preserves [its] confidentiality" and creates a private right of action for patients whose health care provider "negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information." Cal. Civ. Code § 56.101(a). A plaintiff may recover nominal damages at $1000.00 per violation without proving actual damages, provided that he/she can demonstrate that an unauthorized third party viewed or accessed the confidential information. Cal. Civ. Code § 56.36(b)(1).
6. California Consumer Records Act
Plaintiffs asserted claims under the California Consumer Records Act ("CRA"), which "regulates businesses with regard to treatment and notification procedures relating to their customers' personal information." Corona v. Sony Pictures Ent'mt, 2015 U.S. Dist. LEXIS 85865, 2015 WL 3916744, at *6 (C.D. Cal. June 15, 2015). Specifically, a company is required to "disclose a breach … in the most expedient time possible and without unreasonable delay." Cal. Civ. Code § 1798.82(a). The Court concluded that waiting five months to notify victims was too long.
7. California Unfair Competition Law
California's Unfair Competition Law ("UCL") provides a cause of action for business practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Prof. Code § 17200, et seq. The Southern District of California maintained these claims, noting that Solara’s alleged knowledge of its insufficient cybersecurity and failure to disclose was a potential fraudulent omission.
Claims under the Connecticut Unfair Trade Practices Act, Michigan Identity Theft Protection Act, and Pennsylvania Unfair Trade Practices Act also survived Solara’s Motion to Dismiss.