Sackin v. TransPerfect Global, Inc.
278 F. Supp. 3d 739
S.D.N.Y.2017Background
- TransPerfect experienced a January 2017 phishing breach in which employee W-2/payroll data (names, addresses, DOBs, Social Security numbers, direct-deposit account and routing numbers) were sent to hackers.
- Plaintiffs are current/former employees whose sensitive PII was exposed; they purchased identity-theft monitoring/mitigation services after the breach.
- TransPerfect maintained a privacy policy and security manual but allegedly failed to implement key protections (employee security training, firewalls, retention/destruction protocols).
- Plaintiffs sued in a putative class action asserting negligence (common-law and per se), breach of express and implied contract, unjust enrichment, and violation of N.Y. Labor Law § 203-d.
- TransPerfect moved to dismiss under Fed. R. Civ. P. 12(b)(1) (lack of standing) and 12(b)(6) (failure to state claims).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing (Article III injury) | Exposure of sensitive PII to hackers creates a certainly impending risk of identity theft; mitigation costs are concrete injuries | No concrete injury; speculative risk and mitigation expenditures insufficient | Standing exists: imminent risk of identity theft and reasonable mitigation costs suffice for injury-in-fact; 12(b)(1) denied |
| Negligence (duty/breach/injury) | Employer owed duty to safeguard employee PII; failed to implement reasonable protections; mitigation costs are recoverable damages | No cognizable injury; economic-loss rule bars claim | Negligence claims (common law and negligence per se) survive; duty and breach plausibly pleaded; mitigation costs are recoverable |
| Breach of express contract | Plaintiffs allege employment agreements promised secure PII | No specific contractual provision alleged; complaint lacks express terms or contract text | Express contract claim dismissed for failure to identify contractual terms |
| Breach of implied contract / Unjust enrichment | Employer implicitly promised to protect PII by collecting it and by company privacy/security statements; TransPerfect unjustly enriched by cost-savings from inadequate security | Argues no enforceable implied contract; may challenge existence of contract | Implied contract and unjust enrichment claims survive; plausible implied promise and bona fide dispute allows quasi-contract claim to proceed |
| N.Y. Labor Law § 203-d (private right of action) | Statute protects employees’ PII; private right of action fairly implied to effectuate statutory purpose | No express private cause of action in text | Court finds a private right of action implied: plaintiffs are within protected class, remedy promotes legislative purpose, and scheme supports private enforcement |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (injury-in-fact/standing framework)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (concrete-and-particularized-injury requirement)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (distinguishing speculative future harm from certainly impending risk)
- Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) (data-breach plaintiffs sufficiently alleged imminent risk of identity theft)
- Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (same)
- Carter v. HealthPort Techs., LLC, 822 F.3d 47 (2d Cir. 2016) (pleading standard for standing at motion-to-dismiss stage)
- Katz v. Donna Karan Co., 872 F.3d 114 (2d Cir. 2017) (material risk analysis for data-exposure standing)