Brooks v. Peoples Bank: Court Weighs Liability for Cyber Breach

The case of Brooks v. Peoples Bank involved a class-action lawsuit against Peoples Bank, which had merged with Limestone Bank, following a data breach that compromised sensitive customer information. The plaintiffs alleged that the bank failed to adequately protect their personally identifiable information (PII) and sought damages for negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment. The United States District Court for the Southern District of Ohio ruled on the defendant’s motion to dismiss, granting it in part and denying it in part.

Background and Legal Issues

Between November 2022 and March 2023, Limestone Bank suffered a data breach that resulted in the theft of customers’ PII, including social security numbers, names, dates of birth, and financial account details. In April 2023, Limestone merged with Peoples Bank, which then became responsible for handling the aftermath of the breach.

The plaintiffs claimed they suffered significant harm, including:

• Time spent mitigating the effects of the breach (monitoring accounts, signing up for credit monitoring, changing passwords and financial details, etc.).
• Increased risk of identity theft and fraud.
• Emotional distress due to privacy concerns and an influx of spam calls and fraudulent attempts to access financial accounts.

The plaintiffs filed suit against Peoples Bank, asserting claims for:

1. Negligence – Alleging that the bank failed to implement reasonable security measures.
2. Negligence Per Se – Based on alleged violations of federal regulations regarding consumer data protection.
3. Breach of Implied Contract – Contending that the bank implicitly agreed to safeguard customers' data.
4. Breach of Fiduciary Duty – Asserting that the bank owed a special duty of care to its customers.
5. Unjust Enrichment – Claiming the bank retained benefits without providing adequate data protection.

Court’s Analysis and Findings

The court analyzed whether the plaintiffs had standing to sue and whether their claims were legally sufficient. It found:

• The plaintiffs sufficiently alleged an injury-in-fact by demonstrating actual harm, including time and money spent mitigating potential fraud.
• The injuries were fairly traceable to the data breach and the bank’s alleged failure to implement proper security measures.
• The plaintiffs adequately pleaded redressability, meaning their claims could be addressed through damages or other relief.

Regarding the specific claims:

• Negligence: The court upheld the claim, finding that the plaintiffs sufficiently alleged that the bank had a duty to protect their data and breached that duty.
• Negligence Per Se: The court dismissed this claim, ruling that violations of federal consumer protection statutes (such as the Federal Trade Commission Act) do not create a private right of action.
• Breach of Implied Contract: The court allowed this claim to proceed, reasoning that an agreement between the bank and customers to protect PII could be inferred from their banking relationship.
• Breach of Fiduciary Duty: The court dismissed this claim, ruling that a typical banking relationship does not inherently establish a fiduciary duty unless special circumstances exist.
• Unjust Enrichment: The court dismissed this claim, finding that the plaintiffs failed to show that the bank unjustly retained a benefit directly tied to the breach.

Conclusion and Ruling

The court granted in part and denied in part the bank’s motion to dismiss. The claims for negligence and breach of implied contract survived, while the claims for negligence per se, breach of fiduciary duty, and unjust enrichment were dismissed. This case highlights the importance of data security for financial institutions and the potential legal consequences of failing to protect customer information.

Legal Guidance for Businesses

Businesses handling sensitive customer data must implement strong security measures to minimize legal risk. Our team at Whitcomb, Selinsky, PC provides expert legal counsel on data privacy, compliance, and litigation matters.