The Third Circuit recently affirmed a District Court's dismissal of a data breach class action against Benecard Services Inc. ("Benecard").

Benecard is a prescription benefit administrative services company that provides mail and specialty drug dispensing, managed vision services, and contact lens mail order services to public and private sector organizations.  The instant case arose from the 2015 data breach of Benecard's computer system.  Plaintiffs are former employees and customers of Benecard who provided their names, dates of birth, addresses, and Social Security numbers as a prerequisite to employment or use of Benecard's services.  Plaintiffs' personal information was compromised during the breach.  Specifically, Plaintiffs' personal information was used by unknown third parties to file fraudulent tax returns, and the IRS subsequently issued tax refunds to the unknown third parties rather than to Plaintiffs.  Plaintiffs brought claims against Benecard for negligence and breach of implied contract under Pennsylvania law.

The District Court held that Pennsylvania's economic loss doctrine barred Plaintiffs' negligence claim, and that Plaintiffs' breach of contract claim failed to state a claim for relief.  The Third Circuit affirmed the District Court's decision. 

First, Pennsylvania's economic loss doctrine provides that "no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage."  Because Plaintiffs' negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim, affirmed the Third Circuit.

The Third Circuit also shot down Plaintiffs' alternative theory that Benecard breached an implied contract by failing to adequately safeguard Plaintiffs' confidential information that Plaintiffs entrusted to Benecard as a condition of employment or doing business with the company.  "This requirement alone did not create a contractual promise to safeguard that information, especially from third party hackers," held the Third Circuit.  Plaintiffs did not offer evidence of "any company-specific documents or policies from which one could infer an implied contractual duty to protect Plaintiffs' information."  In other words, "[m]erely claiming that an implied contract arose 'from the course of conduct' between Plaintiffs and Benecard is insufficient to defeat a motion to dismiss."

The class action is now dismissed in its entirety. 

The Troutman Sanders' Consumer Financial Services Law Monitor blog offers timely updates regarding the financial services industry to inform you of recent changes in the law, upcoming regulatory deadlines and significant judicial opinions that may impact your business. To view the blog, click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.