American Bar Association successfully defends against data breach class action

In a recent legal development, the American Bar Association (ABA) triumphed in a proposed class action alleging its failure to safeguard the personal information of 1.5 million individuals compromised in a March 2023 data breach.

 

Judge Nicholas G. Garaufis of the US District Court for the Eastern District of New York dismissed the case, ruling that plaintiffs Tiffany Troy and Eric J. Mata did not sufficiently identify reasonable security measures the ABA neglected to implement for data protection.

 

While Garaufis granted the ABA’s motion to dismiss, he allowed the plaintiffs to file an amended complaint.

 

The lawsuit contended that the breach resulted from the ABA’s mismanagement of its IT department and failure to adhere to adequate security standards. However, Judge Garaufis found that the plaintiffs failed to specify how the ABA breached an implied contract or violated consumer protection statutes.

 

Although the plaintiffs alleged the existence of an implied contract with the ABA, they did not demonstrate how it was breached. Garaufis also noted that the plaintiffs’ assertion regarding the ABA’s use of "hashed and salted passwords" was insufficient to establish a claim of non-compliance with industry practices.

 

Furthermore, the judge deemed allegations of deceptive business practices inadequate due to insufficient substantiation. Additionally, the plaintiff’s failure to identify specific security measures or deceptive practices under relevant state statutes led to dismissing those claims.

 

Dismissal of the remaining state law claims followed the rejection of the named plaintiff’s claims under New York and Texas laws.