Third Circuit Court of Appeals Upholds Dismissal of Federal Complaint Against Post & Schell Client Alleging Data Breach
The U.S. Court of Appeals for the Third Circuit upheld on April 30, 2015 the dismissal of a federal complaint filed by a large banking and financial institution (the Bank) against a defendant medical billing company, represented by Post & Schell, arising out of alleged data theft by a former employee of the medical billing company. The plaintiff Bank had alleged the data obtained in the theft was used by a third-party fraud ring to make fraudulent withdrawals from accounts held by customers of the Bank, for which the Bank repaid its customers. The case illustrates the potential limits of data breach liability.
Throughout various versions of its amended complaints, the Bank alleged violations the federal Stored Communications Act, 18 U.S.C. § 2701 (“SCA”), the federal Computer Fraud and Abuse Act of 1984, 18 U.S.C. § 1030, and several state law claims, including negligence, fraud, equitable subrogation, and unjust enrichment. On June 16, 2014, the U.S. District Court for the Eastern District of Pennsylvania dismissed the Bank’s Second Amended Complaint and rejected its attempt to file a Third Amended Complaint. Post & Schell argued in part, and the district court agreed, that the medical billing company did not owe a legal duty of care to the Bank and that the equitable subrogation claim was not valid because the Bank’s tellers “failed to prevent the fraudulent withdrawals which led to the loss to its own customers.” The district court dismissed the federal SCA claim in part because the Bank had failed to allege any facts suggesting that it was an “aggrieved person” protected under the Act and because the Bank failed to allege any access to a stored electronic communication within the meaning of the Act.
The U.S. Court of Appeals for the Third Circuit upheld the district court's dismissal of the entire case. After dispensing with the Bank’s new claim regarding federal jurisdiction, the Third Circuit turned to the merits. The appeal focused on the claim of negligence under Pennsylvania law because the Bank had abandoned its federal law claims by the time of appeal. Ultimately, the Third Circuit found that there was no duty of care owed to the Bank because “the public has very little overall interest” in creating liability that “would effectively excuse the Bank’s own failure to ensure that withdrawals from its branches are legitimate.” The Bank was an unrelated third party that was “only derivatively connected to the company suffering the breach through their clients’ clients separate business relationships.”
As for the claim of negligence per se alleged by the Bank, which rested on an alleged violation of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Third Circuit observed that “HIPAA was in no way intended to protect medical patients’ banks from possible financial fraud.” Further, the court declined to address an argument by the Bank regarding an alleged violation of the federal Gramm-Leach-Biley Act of 1999, which had not been sufficiently pled in the complaint.
The prevailing company in the matter was represented by attorneys in Post & Schell's Information Privacy & Security and Internal Investigations & White Collar Defense Practice Groups.