Nov. 29, 2022 – A former employee who sued a company in negligence for damages related to a data breach stated a legally sufficient claim, the Wisconsin Court of Appeals has ruled.
But in Reetz v. Advocate Aurora Health Inc., 2021AP520 (Nov. 22, 2022), the Court of Appeals District I also held that the employee failed to state legally sufficient claims for invasion of privacy, contract damages, and declaratory relief.
Phishing Leads to Data Breach
In January 2020, someone gained unauthorized access to the human resources computer system of Advocate Aurora Health, Inc. (Aurora).
Jeff M. Brown is a legal writer for the State Bar of Wisconsin, Madison. He can be reached by
email or by phone at (608) 250-6126.
The system contains personal information on current and former employees of Aurora, including bank account numbers used for direct deposits.
As soon as Aurora learned of the intrusion, it locked the intruder out. But for 63 employees, the intruder had changed the direct deposit information so that their paychecks would be deposited into the intruder’s bank account.
Janet Reetz was one of the people whose information was stored in the Aurora human resources computer system. Her account was not one of the 63 whose direct deposit instructions were altered by the intruder.
Class Action Lawsuit
In March 2020, Reetz filed a class action lawsuit against Aurora in Milwaukee County Circuit Court. In the lawsuit, Reetz sought declaratory relief and made the following claims related to the data breach:
Aurora moved to dismiss the lawsuit for failure to state a claim. In December 2020, the circuit court dismissed Reetz’s lawsuit with prejudice. Reetz appealed.
Reetz had Standing
On appeal, Aurora argued the circuit court erred by concluding that Reetz had standing to bring lawsuit to begin with.
The company argued that Reetz had not shown a causal link between the data breach and the $2,700 in fraudulent charges against her bank account, as well as the $600 in insufficient funds and overdraft fees that resulted.
In particular, Aurora argued that the timing of the theft from Reetz’s account did not prove that it occurred because of the data breach.
Writing for a three-judge panel, Judge Maxine White reasoned that that argument missed the mark, given the posture of the lawsuit.
“Aurora has not offered any evidence that Reetz’s data was stolen a different way,” White wrote. “Ultimately, Aurora may be correct that Reetz’s information was exposed in another way that caused the alleged monetary losses, but that is an issue of causation to be resolved at trial or summary judgment.”
Negligence Claim Improperly Dismissed
Aurora argued that Reetz failed to state a claim for negligence because she failed to allege actual damages, and because the economic loss doctrine barred her claim.
Judge White pointed out that the standard of review required the court of appeals to accept the allegations in Reetz’s complaint as true.
As a result, she concluded, because Reetz had included specific amounts that she claimed she lost because of the data breach, she had pled actual damages sufficient to repel Aurora’s motion to dismiss.
Aurora argued that the economic loss doctrine bars negligence claims for cases involving data breaches and cited cases interpreting the laws of Colorado, Illinois, and Pennsylvania.
But, Judge White explained, those cases were not persuasive. Furthermore, she wrote, “Aurora failed to refute Reetz’s argument that the economic loss doctrine is inapplicable to services.”
Aurora also argued that because Reetz’s claims arose out of her employment contract, tort law was not applicable.
Judge White acknowledged that the Wisconsin Supreme Court, in 2001, declined to recognize a new tort of fraudulent representation in an at-will employment situation. But the holding of that case only went so far, she concluded.
“Without a clear directive that the economic loss doctrine applies to employment law and given our supreme court’s clear directive that it is not applicable to service contracts, we decline to extend a blanket application of the economic loss doctrine in the employment law context,” White wrote.
Invasion of Privacy Requires Intentional Conduct
Judge White concluded that the circuit court had properly dismissed the other four claims pressed by Reetz.
With the regard to the invasion of privacy claim, White reasoned that dismissal was proper because Reetz had failed to allege that Aurora had acted intentionally related to the data breach.
Judge White pointed out that neither Wis. Stat. section 995.50(2)(am)3 nor case law require an invasion of privacy plaintiff to allege that the defendant acted intentionally.
But she noted that invasion of privacy is classified as an intentional tort under section 893.56, the statute of limitations statute, and is grouped with intentional torts in the standard jury instructions.
Additionally, White pointed to a Wisconsin Court of Appeals case in which the court held that 1) it was impossible to accidentally commit an invasion of privacy; and 2) the tort involves intentional acts.
In her complaint, Reetz alleged that Aurora exhibited a “willful and conscious disregard for employee privacy” and had failed to prevent the data breach. But that wasn’t enough, Judge White explained.
“An allegation of failing to prevent a data breach is not an allegation that Aurora intended the disclosure or publicity of private facts,” White wrote.
Contract Claims Fail
Reetz claimed that under her employment contract with Aurora, the company was obligated to protect personally identifiable information (PII).
But White concluded that Reetz had not identified an express term in the contract related to the protection of PII and had failed to separately plead a breach of an implied contract.
The absence of any provision in the employment contract regarding the protection of PII also doomed Reetz’s claim regarding a breach of the implied covenant of good faith and fair dealing, Judge White explained.
“The good faith and fair dealing obligations must relate to the performance of the contract,” White wrote.
Reetz’s claims for declaratory relief failed, Judge White reasoned, because she didn’t specify how declaratory relief would remedy the ongoing damages she claimed she was suffering because of the data breach.