Like most healthcare entities, Indiana’s Trinity Health collects, stores, maintains and uses a large volume of particularly sensitive information about patients and others, including Personally Identifiable Information (PII) and Protected Health Information (PHI), both of which Trinity has a legal obligation to protect. In 2017, Trinity contracted with on online data storage and processing entity, Blackbaud to provide certain application services (like software and support services) and related professional services, and agreed via contract to keep Trinity’s data “in strictest confidence” and to use “reasonable care” to protect the confidential data, and warranted under the Business Associate Agreement (BAA) with Trinity that Blackbaud had reasonable physical, logical and administrative controls to protect the confidentiality of Trinity’s data and the data of its patients.
Data Breach Incident
Unfortunately, Blackbaud was hit by ransomware hackers who, while unable to “lock” the data for ransom, was able to steal data on more than 3.2 million Trinity patients from Blackbaud. Trinity sued Blackbaud (and its cyber-insurer) not only for breaches of contract and other claims, but for common law negligence. The question for the federal court in Indiana – applying Indiana law – was whether a third party has a common law duty to protect the confidentiality of data entrusted to them.
Court Ruling
On May 31, 2023, Chief Judge Jon DeGuilio of the United States District Court for the Northern District of Indiana in South Bend ruled that there was no such duty. In support of his finding of no duty to prevent or respond to data breaches, the Judge cites Indiana’s data breach notification law, which creates a duty to notify victims of a data breach. Since the law only requires notification, the court ruled there is no actual duty to prevent such a breach.
In fact, a breach of the duty to notify can only be enforced by the Indiana Attorney General, and provides no “private right of action.” As a result, the Court, following two cases in the federal Seventh Circuit found that, in order to make out a claim of a duty to protect data at common law, a victim of a data breach would have to show that they had some kind of relationship with the data holder that imposed a “special duty” to prevent the disclosure of the customers’ information (e.g., the relationship between a bank and its customer recognized as special under Indiana law). In one of these previous cases, the court specifically rejected the claim that medical monitoring damages were the kind of injury that a victim of a data breach could expect to be compensated.
Why it Matters
Of course, Trinity’s lawsuit for breach of contract continues. But “tort” damages for negligence are much broader than the mere economic damages available for breach of contract. Under tort damages, if an entity breaches a duty of due care and that breach causes harm, the impacted party can be reimbursed for the harm caused, including for lost income, inconvenience, pain and suffering, and if the breach is willful or reckless, in some circumstances for exemplary or punitive damages. By ruling that there is no cognizable duty of due care and no duty to protect privacy of health records, these damages are likely not available to victims of data breaches. The court also rejected findings by the courts considering both the Home Depot data breach and the Target data breach that held that there was, in fact, a duty to protect the privacy of consumer data. The federal court in Indiana also did not consider whether other laws, like HIPAA or other privacy laws impose a duty to prevent breaches of particular categories of data. Instead the Court noted that:
“The Indiana Supreme Court would hold there is no common law duty to safeguard the public from the risk of data exposure. Plaintiffs raise no other potential duty. Accordingly, because Plaintiff’s complaint does not plausibly allege duty, the claim for Negligence (Count IV) and Gross Negligence (Count V) must be dismissed.”
Considerations and Implications
Entities which seek to impose a duty on someone else to protect the data they entrust to them cannot rely on the common law to do so. As a result, they must either point to a statutory duty to prevent data breaches, or they must impose such a duty through a contract. The language of data protection agreements must be clear and precise, as must the remedy available for breach of contracts. However, consumers are rarely the beneficiaries of such contract language, unless they are published in an entity’s Terms of Service or Privacy Policy, and individual consumers are unlikely to sue for damages from a data breach. While business to business suits are common after data breaches (as are class action suits), in the absence of a duty to prevent breaches, suits for negligence, gross negligence, or even reckless conduct may be difficult to maintain.
