
InfoBytes Blog

Financial Services Law Insights and Observations

District Court: Employees are not “customers” under California Customer Records Act in breach lawsuit

Privacy/Cyber Risk & Data Security Courts California CCPA CCRA State Issues Data Breach Class Action New York

Privacy, Cyber Risk & Data Security

On February 24, the U.S. District Court for the Southern District of New York granted a waste management company’s motion to dismiss putative class action data breach claims after determining, in part, that the plaintiffs failed to allege how the company breached any duty of care. The plaintiffs, current and former employees, sued the company, claiming a 2021 data breach exposed their personally identifiable information (PII) to an unauthorized actor. According to the complaint, several plaintiffs were victims of apparent identity theft. The complaint alleged negligence, breach of contract and implied contract, breach of confidence, breach of fiduciary duty, unjust enrichment, and violations of the California Consumer Privacy Act, the state’s Unfair Competition Law, and the California Customer Records Act (CCRA).

In dismissing the case, the court concluded, among other things, that the plaintiffs failed to plead facts showing specific measures that the company did or did not take, such as data encryption, to protect employee data. Additionally, the complaint did not “contain any allegations regarding the manner in which their systems were breached.”

Moreover, the court determined that the complaint did not plausibly allege that the employees qualify as “customers” under the CCRA. The law defines a “customer” as “an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business,” but the court stated that the plaintiffs did not allege that they provided their PII to the company in exchange for a product or service; rather, they were required to give their PII as part of their employment. The court also ruled that the plaintiffs did not plausibly allege that the company unreasonably delayed notifying them of the data breach by waiting 24 days after the breach to provide notice.