CPW has been tracking since last year the Capital One data breach multidistrict litigation (remember that privilege ruling?).  Well, today the federal judge overseeing the litigation granted Capital One’s motion to certify to the Virginia Supreme Court a question of whether there exists under Virginia state law a duty to use reasonable care to protect consumers’ personal information from disclosure.  Read on to learn more.

Recall that Capital One is a litigation involving consolidated cases transferred by the Judicial Panel on Multidistrict Litigation (“JPML”).  In all of the pending matters, Plaintiffs’ claims arise out of a cyber-attack that purportedly resulted in the theft of Plaintiffs’ personally identifiable information (“PII”) being held by Capital One (over 106 million individuals were impacted by the data event).

As relevant for purposes of the development today, Plaintiff’s claims include the assertion that Capital One was negligent with respect to the security measures it employed to protect Plaintiffs’ PII.  As a result, Plaintiffs assert they suffered certain economic harms, including the time and money spent to address actual fraud and to mitigate the risk of future fraud.  However (as with other data breach litigations), they do not allege that they suffered any physical harms or damages to their person or property.

In the Capital One litigation, the Court and parties agreed that Plaintiffs’ negligence claims are governed by Virginia law.  As such, as summarized by the Court, “[t]he viability of Plaintiffs’ negligence claim therefore depends on whether under the circumstances alleged Virginia law imposes an extra-contractual, tort duty to use reasonable care to protect consumers’ personal information from disclosure, either as an independent duty imposed by law or as one voluntarily assumed.”  However, the Court found that on this issue Virginia law is unsettled as “[t]here are no Supreme Court of Virginia or the Court of Appeals of Virginia decisions which have considered whether a tort duty of care exists with respect to the accumulation of PH under the circumstances of this case.”

Accordingly, the Court granted Capital One’s Motion to certify the following two questions of law to the Virginia Supreme Court:

  1. Whether the economic loss rule precludes Plaintiffs’ negligence claims under the facts and circumstances alleged?
  2. If not barred by the economic loss rule, does there exist under the circumstances alleged, a cause of action for negligence against Capital One based on either an extra-contractual, independent tort duty to use reasonable care to protect consumers’ personal information from disclosure or the voluntary assumption of such a duty?

Negligence claims are frequently litigated in data breach cases, making this an important issue to watch going forward.  Not to worry, CPW will be there!  Stay tuned.