By David Kessler and Sue Ross
Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another way, disclosure is an affirmative act, and, absent an affirmative duty to protect information from unauthorized access, theft of information is not a violation of a duty not to disclose.
This question, however, was at the heart of the decision in Gerber v. Twitter, Inc., case no. 4:23-cv-00186-KAW (N.D. Cal. Dec. 18, 2024) (2024 WL 5173313). Judge Kandis Westmore ruled that a social media platform’s duty not to disclose personal information is not the same as a duty to protect that information against theft. Further, the duty not to disclose does not mean the social media platform has a duty to notify individuals if the platform is breached. As a result, the court granted in part and denied in part the defendant’s motion to dismiss the plaintiffs’ complaint. (Id.)
Background
The incidents leading to the complaint occurred from June 2021 through January 2022, when, the plaintiffs alleged, “a defect in Twitter’s application programming interface (“API”) allowed threat actors to access and obtain PII associated with an estimated 200 million Twitter users.” The stolen data was subsequently offered for sale on the dark web. Plaintiffs alleged that Twitter had “taken no remedial action to recover the data or mitigate the damage,” and that the breach was not an isolated incident but, rather, “the foreseeable result of the reckless way that Twitter has chosen to operate its business.” The plaintiffs filed a class action complaint alleging breach of contract, breach of implied contract, negligence, gross negligence, unjust enrichment, violation of the California Unfair Competition Law, and declaratory judgment. The defendant moved to dismiss the complaint.
Court Ruling
This post focuses on the court’s ruling on the contract claims and the request for declaratory judgment. The plaintiffs alleged that the Terms of Service and Privacy Policy contained promises about security that the defendant breached. The court granted the defendant’s motion on the breach of express contract claim, ruling:
Moreover, Plaintiffs conflate the Privacy Policy’s promise of not disclosing users’ information to third parties without their consent with a promise to maintain adequate data security measures. (See Pls.’ Opp’n at 12 (citing CCAC ¶¶ 184-185.)) This is simply not the same, as “disclosure” is tantamount to selling user information. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038 (N.D. Cal. 2019) (Using social media is not “cost-free,” because “[t]he user incurs the cost of having his information mined and shared.”) Thus, there are no express promises made in the User Agreement regarding data security.
Slip op. at *9. In other words, the court ruled that the contractual obligation not to disclose personal information was not a contractual obligation to keep the data secure. Nor does this appear to be an obligation to inform plaintiffs of the incident.
On the other hand, the court denied the motion to dismiss with respect to the breach of implied contract claim, citing Twitter’s representations on its site that the company was
“committed to protecting the information you share with us” on its Security and Privacy Webpage; representing that its “security procedures strictly limit access to and use of users’ personal information and require that each of us take measures to protect user data from unauthorized access” in its Code of Business Conduct and Ethics; and representing that “[p]rotecting and defending user privacy is at the heart of our work.”
Id. Those representations were sufficient for the court to find that the plaintiffs could proceed with a breach of implied contract claim.
The plaintiffs also asked the court for a declaratory judgment that “Twitter owes a legal duty to secure consumers’ PII and to timely notify them of a data breach, and that it continues to breach that duty by failing to employ reasonable measures to secure consumers’ PII.” Slip op. at *11. At this stage in the proceedings, the plaintiffs had to demonstrate that they had successfully pled a predicate claim, which the court ruled they had, so the court refused to dismiss this request.
Our Take
As a practical matter, many privacy policies include non-disclosure requirements (or conditions on disclosure) but make no guarantees about security. Nevertheless, statements regarding security, frequently not written by attorneys, can expose a company to a breach of implied contract claim if there is a security incident. Of course, if the company suffers a security incident, legal requirements (statutes and regulations) can require notice regardless of the wording of any privacy policy, but those obligations often apply only to personal data.
If a party has a duty not to disclose commercial data but no obligation to secure it, then there likely will be no contractual violation if the commercial data is exfiltrated. And even if the party does have a duty to secure the data (e.g., “a party must take reasonable precautions to protect the information”), that does not necessarily obligate the party to notify the other side of the theft, which means the data owner may never learn of it. If you are concerned about the data you are providing to a third party, you should include language covering all three issues: (a) a duty not to disclose; (b) a duty to secure and protect; and (c) an obligation to inform the data owner of a potential violation of either (a) or (b). You cannot enforce your rights regarding (a) or (b) if you are unaware of the issue.