Just before the holidays we provided an end of year update on the intersection between cybersecurity and the law. See here. In the first month of 2017, the Eleventh Circuit has already ruled on a related issue when it upheld a lower court’s decision dismissing a negligence claim that arose following a data breach. The case is particularly instructive on two points: (1) the type of evidence courts are likely to require to prove duty in data breach actions; and (2) how the economic loss doctrine may become a key shield for defendants in the age of growing cybersecurity threats.
In Silverpop Sys., Inc. v. Leading Mkt. Techs., Inc., plaintiff (“Silverpop”) provided digital marketing services to businesses, including the defendant Leading Market Technologies, Inc. (“LMT”). 641 F. App’x 849, 850 (11th Cir. 2016). Under the terms of the service agreement between Silverpop and LMT, LMT would upload digital advertising content and recipient e-mail addresses to Silverpop’s web-based e-mail marketing management system. In November 2010, Silverpop’s network experienced a data breach permitting unauthorized access to LMT and other customer information. Silverpop initially brought suit against LMT seeking declaratory judgment on two issues: (1) LMT was not damaged by the data breach or that such damage was not consequential; and (2) LMT owed Silverpop payment for LMTs continued use of Silverpop’s services following disclosure of the breach. LMT counterclaimed, alleging—among other claims—that Silverpop negligently failed to keep LMT’s information secure under Georgia law. Id. at 850-51.
To prevail on a claim for negligence, it is fundamental that a plaintiff must establish the existence of a legal duty. The Eleventh Circuit held that in the context of this privacy breach, even if Silverpop had a duty to conform its conduct to a particular standard of care, LMT failed to present evidence to establish “standards that are ordinarily employed in Silverpop’s industry” were breached. Id.at 852. Although the Court does not offer a robust discussion, it makes clear that LMT needed to develop a body of evidence regarding the custom within Silverpop’s particular industry to establish that a standard of care was breached. This ruling is particularly significant in the context of cybersecurity where there remains great disparity in how companies defend against cybersecurity threats. In addition, it raises a question about whether a “standard” will truly develop within any particular industry when it comes to defending against an ever-changing threat.
The economic loss doctrine prevents recovery for claims sounding in tort where the loss suffered is purely economic in nature. Georgia law, specifically, restricts recovery in tort where a party to a contract suffers damage to property that is not the subject of the contract itself. Id. at 853. The rationale behind the doctrine—and Georgia law—is that contract law is designed to remedy economic losses and frustrated economic expectations between two contracting parties. Thus, the law forbids allowing a party to recover losses under a tort theory such as negligence where the same party could have protected itself from such losses through negotiated protections in the contract.
In Silverpop, LMT argued that its list of confidential e-mail addresses was not the subject of the service agreement between the parties, but instead was property damaged outside the terms of the contract. Accordingly, its recovery should not be constrained to claims sounding in contract rather than tort. The Court disagreed. The Eleventh Circuit concluded that LMT could not “circumvent” the economic loss doctrine because the duty—if it existed—was one that would have arisen under the contract, namely Silverpop’s duty to protect against disclosure of proprietary information. Id.at 853. The Court also noted that the contract was one for services, and not products. This holding is notable as more companies move towards web-based products and away from traditional manufacturing of products. Ultimately, the Eleventh Circuit granted Silverpop summary judgment on LMT’s negligence claim because LMT “failed to establish the applicable standard of care and the breach of that standard and, alternatively, because the economic loss rule applies to bar LMT’s recovery in tort.” Id. at 854.
Silverpop helps clarify the type of evidence a party must offer to prove that a duty existed in the context of a cybersecurity breach by an unauthorized party. Moreover, the Court’s opinion is instructive of how the economic loss doctrine can provide a shield against actions brought pursuant to tort law in the context of online web services and cybersecurity attacks. We will continue to monitor whether other courts follow the Eleventh Circuit’s example in Silverpop.