Recently, negligence claims in a putative class action brought against a cloud software provider survived a motion to dismiss in the U.S. District Court for the District of South Carolina because the judge held that the consumers pled they were owed a duty of protection. The Plaintiffs asserted claims for a putative class of third party consumers whose information was allegedly exposed in a ransomware attack in 2020.
The cloud provider offers software solutions to a variety of organizations, including institutions in the health and education sectors. In turn, these organizations collect and store their customers’ information, which is maintained by the cloud provider. The Plaintiffs alleged the company implemented a deficient security program leading to the exposure and ransom of third party consumer data, including social security numbers and account access credentials. The Plaintiffs brought claims of negligence, negligence per se, gross negligence, and unjust enrichment under South Carolina law.
The company moved to dismiss the Plaintiffs’ claims on the basis that the company owed no duty to the consumers and because the Plaintiffs failed to establish that the relevant privacy statutes provided a right of action. The judge dismissed the claims for negligence per se and unjust enrichment, but found the negligence and gross negligence claims were adequately pled. The judge held the negligence per se claim failed because the Plaintiffs’ allegations did not demonstrate that the relevant privacy statutes were enacted to protect the class of consumers to which the Plaintiffs belonged. The unjust enrichment claim failed because the Plaintiffs did not adequately plead that the company directly received a benefit from the third party consumers.
However, the negligence and gross negligence claims survived. The company argued it did not owe a duty of care to third party consumers because they were not parties to the service contract. But the judge applied South Carolina precedent to find that because the cloud provider marketed software solutions to customers who used its services to collect and protect third party information, while the cloud provider maintained control over the data, the Plaintiffs adequately stated a special circumstance to justify a duty under common law. The fact the company maintained, secured, and retained the “greatest amount of control over the security of the data” supported the Plaintiffs’ allegations that the company’s contracts imposed a duty to prevent harm associated with a data breach. The judge also rejected the company’s argument that it owed no duty to the Plaintiffs from the conduct of a third party, finding that the Plaintiffs properly alleged that the company’s negligence, not the third party’s conduct, created the risk of injury from third parties. Because the Plaintiffs adequately pled a duty and because the company only challenged Plaintiffs’ gross negligence claims based on a lack of duty, the judge declined to dismiss the gross negligence claims.
The judge also held that the Plaintiffs adequately pled damages, injuries, and causation for their negligence claim. The Plaintiffs alleged a variety of injuries: (i) risk of extortion, (ii) unauthorized disclosure to third-party criminals, (iii) loss of value, (iv) risk of future identify theft or fraud, and (v) mitigation expenses. The Plaintiffs’ allegations plausibly alleged damages caused by the Ransomware attack, satisfying the injuries and causation requirements to allege negligence under South Carolina tort law.