Although repeatedly asserted in cases of stolen personal data, bailment claims have been given generally short shrift by the courts. But the reasons provided for rejecting these claims do not hold up to scrutiny in light of the way in which bailment principles have traditionally been interpreted and applied. On its face, a claim for bailment would seem to be a very good fit for the situation where an individual (the bailor) provides valuable personal data to a corporate entity such as an online merchant (the bailee). The bailor allows that entity to store that information for future transactions between the parties, often subject to reassurances from the entity that the information will be kept safe and secure. The courts that have addressed bailment claims in the context of data breaches have rejected the claim for a variety of reasons, but they have provided little analysis or reasoning to their decisions, often citing to no authority for their holdings.
Bailment Theories in Data Breach Cases
In one of the first data breach cases to address the claim, the Northern District of Illinois defined a bailment as “the delivery of property for some purpose upon a contract, express or implied, that after the purpose has been fulfilled, the property shall be redelivered to the bailor, or otherwise dealt with according to his directions, or kept until he reclaims it.” Richardson v. DSW, Inc., No. 05-C-4599, 2005 WL 2978755, at *4 (N.D. Ill. Nov. 3 2005). Initially, the Richardson court accepted that intangible property can be the subject of a bailment claim. The sole reason provided by the court for rejecting the bailment claim in Richardson was that there was no agreement by the bailee to return the information to the bailor. The court cited to no authority to support that this was even an element of a bailment claim. Indeed, the definition provided by the Richardson court for a bailment included situations where the property is not returned, but “dealt with according to [the bailor’s] directions, or kept until he reclaims it.” Id. Either of these results could be expressly or impliedly part of providing personal data to a store or other corporate entity. There would appear to be no basis for rejecting a bailment claim on the basis of a lack of agreement to “return” the property, especially where the claim is based on intangible data, which would never need to be “returned.”
Bailment Theories Rejected by Courts
Subsequent to Richardson, the Southern District of California rejected a bailment claim in the Sony Network cases for similarly unsupportable reasons. First, the Sony court held that there were no allegations of “intentional conduct” by Sony to retain the information. See In re Sony Gaming Networks and Customer Data Security Breach Litigation, 903 F. Supp. 2d 942, 974 (S.D. Cal. 2012). But that is not the standard for bailments. Rather, where a bailment is for mutual benefit of the bailee and bailor, the bailee must exercise “ordinary care” or “reasonable care and diligence” with respect to handling and use of the subject matter. See C.J.S. Bailments § 65. If the bailment were interpreted as for the benefit of Sony, Sony was obligated to exercise “great care” or “extraordinary diligence” in protecting the property. Id. at § 82. In either case, Sony would be liable for failing to exercise the proper care, it need not “intend” to steal or misuse the data. Finally, the Sony court also reasoned that the damages sought by the bailment claim were duplicative of other claims, such as negligence or consumer protection statutes. Sony Gaming Networks, 903 F. Supp. 2d at 974-75. But the court had largely dismissed those other claims, so the fact that the damages may have been “duplicative” of dismissed claims seems hardly a reason to dismiss the bailment claim. Again, the court cited no authority for the proposition that a separate cause of action can be dismissed merely because it seeks the same damages of another cause of action.
More recently, the District of Minnesota dismissed bailment claims in the Target data breach case. In re Target Corp. Customer Data Security Breach Litigation, 2014 WL 7192478, at *21 (D. Minn. Dec. 18 2014). Relying on Richardson and Sony, the court found that the bailment claims could not stand because (1) the data was not “to be returned” to the bailor and (2) there was no allegation that Target “wrongfully retained that information” (i.e., the no “intent” argument from Sony). Id. For the reasons above, neither of these bases stands up in light of the law surrounding bailment. Again, the court provided essentially no analysis of bailment claims, the standard of care applicable, or the issue of whether “return” of the property is an element at all, let alone where the property is intangible.
Bailment Claims Should be Viable in Data Breach Litigation
No court to date has given sufficient thought or analysis to bailment claims in the context of data breaches. The claim is a natural fit for a situation where an individual provides valuable and private information to a third party for safekeeping, and the remedy, based on the value of the property lost or damaged, would provide a distinct injury and an ascertainable measure of damages. The one distinction that has some merit – the fact that data is an intangible good that cannot be “delivered” in the traditional sense – has not been the issue, nor should it be. See Thyroff v. Nationwide Mutual Ins., 864 N.E.2d 1272, 832 N.Y.S.2d 873, 8 N.Y.3d 283 (2007) (explanation and analysis on why, in today’s world of commerce, traditional torts such as conversion should be read to apply to intangible “data”). Bailment is a long-standing, well-developed, and relevant cause of action that deserves better analysis and evaluation in data breach cases than it has received from courts to date.
In future litigation, data breach victims should place a greater focus on the bailment claim both in pleading the cause of action and at the motion to dismiss stage to ensure that this claim is forcefully alleged.