Claims made by employees victimized when W-2s exposed in phishing attack tossed by court

By Brandi O. Brown, J.D.

The employees sought to add a handful of new claims to their breach-related lawsuit, including trade secret misappropriation and conversion, but were left with only their original negligence and breach claims after the employer’s motion to dismiss.

A federal district court in Kentucky, faced with an amended complaint adding novel claims of trade secret misappropriation, conversion, trespass to chattels, and bailment, in a case related to a data breach that had affected many of an employer’s employees including the plaintiffs, granted the employer’s motion to dismiss the new claims. The employees failed to sufficiently allege how their personally identifiable information (PII), W-2s that included their social security numbers, constituted trade secrets or how the employer exercised “dominion” over the information to its own use and benefit. The “bare assertions” and “bare recitations” made in support of the novel claims were insufficient for them to survive dismissal (Savidge v. Pharm-Save, Inc., January 17, 2020, Boom, C.).

Criminals went phishing. In 2016 the employer fell victim to a phishing scheme in which cybercriminals, posing as company executives, received access to W-2 forms that included information about the affected employees, including social security numbers, salary information, and addresses. Affected employees were notified and the plaintiffs, who were no longer employed by the employer at the time of the breach but were affected by it, filed suit. After a partial motion to dismiss had done away with all but negligence and breach of implied contract claims, the employees filed an amended complaint that added four new legal theories. The employer moved to dismiss those newly added claims.

Trade secret misappropriation. Claiming that their personally identifiable information constituted trade secrets, the employees sought relief for misappropriation of that information under the Kentucky Uniform Trade Secrets Act. The court agreed that certain PII, such as social security numbers, could meet some of the prongs of the trade secret definition contained in that Act. For example, it is “information” that is not “generally known to” or “readily ascertainable by” others and in the hands of cybercriminals it could acquire “economic value.”

However, the full definition of a trade secret under the Act required not only a lack of general knowledge but also that independent economic value be derived from that secrecy. The employees’ allegations in that regard were “slim” and speculative in nature. The complaint stated that the criminals “may continue” to exploit or sell the data. It did not state how the employees derived economic value from their PII or how criminals’ possession of it had diminished its economic value.

Moreover, the employees failed to plausibly allege how transmission of their PII constituted misappropriation. The court noted that the parties involved in trade secret litigation are usually business competitors, whereas this case involved employees suing their former employer. “A misappropriation claim, however,” the court explained, “‘is based on the improper use of a trade secret to gain an advantage over the plaintiff.’” In this case, the court asked, what advantage was there to be gained by the employer in exposing the personal information of employees? The employees’ allegations did not answer that question.

Conversion. In the amended complaint the employees also claimed that the employer committed the tort of conversion, but the court concluded that the claim “does not fit within the framework of a conversion tort.” The court noted that the elements of a conversion claim “remain unsettled under Kentucky law,” but under either of the two standards the court identified, the claim as alleged was insufficient in multiple aspects. The employees did not indicate how the employer exercised “dominion” over the data to its own use and benefit. Instead, the court noted, the employer had been a victim of a phishing scheme and the court struggled to understand how being the victim of such a crime benefitted the employer.

The only benefit identified by the employees, which the court found insufficient, was that the employer was able to verify employee identity and maintain required tax records. More importantly, perhaps, the court noted that the employees completely failed to allege that the employer intended to exercise control over their PII. The employees retained their names and social security numbers and were not precluded from using the compromised information.

Trespass to chattels and bailment. The two remaining claims, trespass to chattels and bailment, were likewise subject to dismissal because of “bare assertions” and “shortcomings.” With regard to the trespass claim, the court was able to at least draw a reasonable inference that the employer intended to use the PII, but it remained deficient in other respects. The employees failed to allege anywhere that their PII was personal property, which also doomed their bailment claim. Moreover, the trespass claim was insufficiently alleged because the data acquisition had not required “physical invasion or confiscation of actual property” that was in the possession of the employees. Any interference that occurred was with the employer’s computer systems.