Published in Cybersecurity Law & Strategy

By Josh Hummel

Data breach lawsuits have often struggled to match up the unique realities of data breaches with traditional theories of legal liability. A recent decision from the Southern District of Indiana, however, cut through these issues by allowing a class action claim to proceed on a theory of liability often proposed by commentators as a solution to the data breach liability conundrum but until recently almost uniformly rejected by courts: the common law theory of bailment.

For as long as there have been data breaches that expose consumer data to hackers, there have been lawsuits by consumers seeking to hold companies liable for failing to protect the data collected by or entrusted to them. These lawsuits have often struggled to match up the unique realities of data breaches with traditional theories of legal liability, and courts have often dismissed data breach claims by consumers for reasons relating to lack of standing, unclear causation, nebulous harm, and speculative damages. This problem has been especially acute for plaintiffs hoping to bring claims on behalf of a class of all consumers whose personal data was compromised in a security breach.

A recent decision from the Southern District of Indiana, however, cut through these issues by allowing a class action claim to proceed on a theory of liability often proposed by commentators as a solution to the data breach liability conundrum but until recently almost uniformly rejected by courts: the common law theory of bailment. See, Krupa v. TIC International Corp., 2023 WL 143140 (S.D. Ind. Jan. 10, 2023). If other courts around the country follow Krupa’s lead, it could represent a major shift in how data breach claims are litigated, and companies that maintain Personally Identifiable Information (PII) belonging to consumers or employees should be watching closely.

Bailment-Based Liability for Data Breach: Attractive In Theory, But Mostly Rejected by Courts

The elements of a bailment action, and even the question of whether the claim sounds in contract or tort, vary from state to state. The underlying concept is a simple one, however; as the court in Krupa recognized, “[e]ntrusting your stuff to others is a bailment.” Krupa, 2023 WL 143140, at *3. More formally, a bailment relationship is “created by the delivery of personal property by one person to another in trust for a specific purpose, pursuant to an express or implied contract to fulfill that trust.” 8A Am. Jur. 2d Bailments §1 (2018). When one who holds property on behalf of another fails to take appropriate care to protect it and the property is “damaged, lost or stolen, the bailor may bring an action for recovery of damages from the bailee” based on that harm. 46 Am. Jur. Proof of Facts 3d 361.

Some commentators have long proposed that a situation in which one possesses electronic data belonging to another, which is then compromised in a security breach, “is a perfect fit for a bailment analysis.” William LaRosa, New Legal Problems, Old Legal Solutions: Bailment Theory as the Baseline Data Security Standard of Care Owed to an Opponent’s Data in E-Discovery, 167 Univ. of Penn. Law Rev. 775, 806 (2019); see also, Miles Christian Skedvold, A Duty to Safeguard: Data Breach Litigation Through a Quasi-Bailment Lens, 25 J. INTELL. PROP. L. 201, 225 (2018) (proposing that “modern usage of PII and common law bailment principles lead one to conclude that commercial holders of PII may have a duty of reasonable care to protect that information against third-party criminal theft.”).

The courts, however, have mostly disagreed. Numerous courts have addressed bailment claims brought following a data breach, and nearly all have dismissed those claims. The reasons for dismissal have varied, and include rejection of plaintiff arguments that: social security numbers and other personal information constitute “personal property” under a bailment theory; the act of providing access to (or copies of) one’s personal information sufficiently constitutes a “transfer” or “delivery” of control or custody of that information; the property was not or cannot be returned to the plaintiff; or the mere exposure of one’s data (without concrete allegations of its improper use) is sufficient to establish an injury or damages. See, e.g., Savidge v. Pharm-Save, Inc., 2020 WL 265206, at *7 (W.D. Ky. Jan. 17, 2020) (rejecting claim that plaintiffs’ PII constituted “personal property,” and noting that both parties continued to maintain separate but complete possession of it); Galaria v. Nationwide Mut. Ins. Co., 2017 WL 4918634, at *2 (S.D. Ohio Oct. 31, 2017), report and recommendation adopted, 2017 WL 6375803 (S.D. Ohio Dec. 13, 2017) (rejecting bailment claim based on insufficient allegations regarding transfer of control or custody of plaintiffs’ PII to the defendant); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 974 (S.D. Cal. 2012) (rejecting argument that plaintiff’s PII was “delivered” to Sony and expected to be returned); In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1177 (D. Minn. 2014) (questioning whether personal financial information constitutes “property” subject to bailment principles, and whether an agreement existed to return it to plaintiffs); Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1127 (N.D. Cal. 2008) (same). It seemed that it was time to bail out on a bailment theory of data breach liability.

The Krupa Court Bucks the Trend, Giving Bailment Theory a Boost

In Krupa, the plaintiff brought a putative class action on behalf of himself and other individuals whose social security numbers were exposed in a hacking of the computer systems of the defendant, a benefits administration company. Krupa’s data breach claim was based on the common law theory of bailment, which the defendant moved to dismiss on the grounds that the plaintiff lacked standing to sue and that the complaint did not sufficiently allege damages to assert a cause of action. The court held that both arguments essentially hinged on the same issue, i.e., whether the plaintiff was actually injured by the theft of his personal data, and whether his risk of future injury provided an adequate basis for recovery.

The court noted that Indiana law has recognized claims for bailment for more than two hundred years, under which “a bailment may be implied, delivery may be constructive, and acceptance may be made other than by express contract.” Krupa, 2023 WL 143140, at *3, quoting Kroger Co. v. Hammond, 877 N.E.2d 228 (Ind. Ct. App. 2007). The Krupa court initially held that bailment is not reserved solely for physical goods, as Indiana courts have recognized electronic data as a form of property in other contexts under both bailment and other civil and criminal theories such as conversion. The Krupa court found that the complaint alleged that the defendant held the plaintiff’s personal data under a “shared understanding that it would remain confidential.” Because the plaintiff also asserted that the defendant was negligent in exposing his data to hackers, the Krupa court found the complaint sufficient to establish a bailment claim.

Notably, in allowing the plaintiff’s claim to proceed, the Krupa court distinguished an Indiana case decided less than two years earlier which had dismissed a bailment claim due to the defendant’s lack of “exclusive possession” over the plaintiff’s data. See, Albanese Confectionery Grp., Inc. v. Cwik, 165 N.E.3d 139 (Ind. Ct. App. 2021), transfer denied, 169 N.E.3d 1117 (Ind. 2021). In Albanese, the plaintiff filed a bailment claim after her former employer terminated her and remotely wiped her personal smartphone, resulting in the loss of her personal data. In dismissing the claim, the court in Albanese noted that the defendant’s end user agreement allowed the plaintiff to access the company’s email server through her iPhone, but also allowed the defendant to remotely erase the phone “without warning” for security purposes. Thus, the court held that the agreement provided both parties with some degree of control over the plaintiff’s phone and its contents and, as a result, the defendant never had “exclusive possession” over that property. In Krupa, by contrast, the court observed that the plaintiff “was unable to manipulate his personal data on TIC’s servers” and the defendant “was in full control.” Krupa, 2023 WL 143140, at *5. This, in the Krupa court’s view, was sufficient to satisfy the “exclusive possession” requirement for a claim of bailment.

Significantly, in interpreting “exclusive possession” under bailment in a modern context where data can be copied or transferred many times and exist in multiple places, the Krupa court focused more on the “possession” part than the “exclusive” part. The court likewise focused more on the extent of the defendant’s control over the data in its possession, rather than on the plaintiff’s ongoing ability to possess or access the same information elsewhere.

Finally, with respect to the plaintiff’s alleged injury or damages, the Krupa court held that the “invasion of a common law right (i.e., the existence of a common law cause of action) satisfies the ‘injury’ prong” to establish standing, and that nominal damages are available for breach of bailment. As a result, the court rejected without much additional analysis the defendant’s argument that the plaintiff’s claim could not proceed because he failed to allege a specific injury arising from the data breach. Having denied the defendant’s motion to dismiss, the court directed the plaintiff to initiate class certification proceedings.

An Outlier or a Sign of Things to Come?

The approximately five-page Krupa opinion is neither detailed nor exhaustive and is based on that federal court’s interpretation of bailment principles under Indiana state law. Thus, it is not binding upon most other courts, and may simply be a one-off success story for a theory that, as noted above, an overwhelming majority of courts have consistently dismissed around the country.

But Krupa is not entirely on an island by itself. Two years ago, a federal court in New York similarly allowed a bailment claim to proceed in a data breach action. See, Wallace v. Health Quest Systems, Inc., 2021 WL 1109727, at *13-14 (S.D.N.Y. Mar. 23, 2021) (denying motion to dismiss a constructive bailment claim for data breach, holding that “the Court is persuaded New York’s courts would extend a claim for breach of bailment to … intangible information.”). Similarly, although not specifically addressed in the context of a data breach action, the court in Bessemer System Federal Credit Union v. Fiserv Solutions, LLC, 472 F. Supp. 3d 142 (W.D. Pa. July 14, 2020), allowed a bailment claim to proceed where the defendant was unable to return and otherwise damaged the plaintiff’s electronic financial records due to bugs, defects, and insufficient security functions in defendant’s account processing system.

Rather than an aberration, Krupa and Wallace may instead signal the start of a new trend in which courts, after years in which the theory failed to gain traction, are beginning to accept bailment as a cognizable theory of relief — at least at the pleading stage — in the increasing number of legal actions arising from data breach or data loss.

Josh Hummel is Counsel at Redgrave LLP and is based in the Firm’s Washington, DC office. He has extensive e-discovery experience and focuses his practice on the evolving intersection of law and technology. Josh advises clients on many substantive legal issues and procedural issues, often concerning high-stakes litigation matters. He is also skilled at developing efficient corporate e-discovery and information governance policies and launching new programs to improve compliance, efficiency, cost control, and risk management.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.