Shymikka Griggs v. NHS Management, LLC
SC-2023-0784
SUPREME COURT OF ALABAMA
November 15, 2024
OCTOBER TERM, 2024-2025
Notice: This opinion is subject to formal revision before publication in the advance sheets of Southern Reporter. Readers are requested to notify the Reporter of Decisions, Alabama Appellate Courts, 300 Dexter Avenue, Montgomery, Alabama 36104-3741 ((334) 229-0650), of any typographical or other errors, in order that corrections may be made before the opinion is printed in Southern Reporter.
Appeal from Jefferson Circuit Court (CV-23-902261)
PARKER, Chief Justice.
This appeal arises from the Jefferson Circuit Court‘s dismissal of Shymikka Griggs‘s data-breach action against NHS Management, LLC (“NHS“), a consulting firm that provides management services for
I. Facts
The relevant facts are set forth in Griggs‘s complaint. NHS provides administrative services for nursing homes and physical-rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri. In providing those services, NHS collects sensitive personal-identification information and personal-health information from employees, patients, and vendors at each of the facilities that it services. The information that NHS collects includes the following:
- Name, address, phone number, and email address;
- Date of birth;
- Demographic information;
- Social Security number;
- Driver‘s license number;
- Information relating to individual medical history;
- Insurance information and coverage;
- Health information;
Information concerning a patient/resident‘s doctor, nurse, or other medical providers; - Photo identification;
- Employer information;
- Payment information; and
- Similar information for patient/residents’ family members or guardians.
In May 2021, NHS discovered what it described as a “sophisticated cyberattack” on its computer network (hereinafter “the data breach“). An investigation revealed that cybercriminals had had unfettered access to NHS‘s network for 80 days between February and May 2021. In October 2021, NHS notified the United States Department of Health and Human Services of the data breach.
In March 2022, NHS notified the individuals whose data was potentially accessed of the data breach, including Griggs, a former employee of NHS. In its notice, NHS notified the potential victims that the breached information included their names, dates of birth, Social Security numbers, medical information, and health-insurance information.
In her class-action complaint, Griggs asserted claims of negligence, negligence per se, breach of contract, invasion of privacy, unjust enrichment, breach of confidence, breach of fiduciary duty, and violation of the Alabama Deceptive Trade Practices Act,
In August 2023, NHS moved to dismiss Griggs‘s complaint. In its motion, NHS argued that Griggs could not establish “standing” because the injuries she alleged were not injuries in fact. NHS also argued that Griggs had failed to state a claim on which relief could be granted. On October 10, 2023, the circuit court dismissed Griggs‘s complaint “pursuant to Rule 12(b),”
II. Standard of Review
Although the circuit court did not expressly indicate which of the grounds for dismissal listed in
When reviewing an order of dismissal under
“On appeal, a dismissal is not entitled to a presumption of correctness. Jones v. Lee County Commission, 394 So. 2d 928, 930 (Ala. 1981); Allen v. Johnny Baker Hauling, Inc., 545 So. 2d 771, 772 (Ala. Civ. App. 1989). The appropriate standard of review under Rule 12(b)(6) is whether, when the allegations of the complaint are viewed most strongly in the pleader‘s favor, it appears that the pleader could prove any set of circumstances that would entitle her to relief. Raley v. Citibanc of Alabama/Andalusia, 474 So. 2d 640, 641 (Ala. 1985); Hill v. Falletta, 589 So. 2d 746 (Ala. Civ. App. 1991). In making this determination, this Court does not consider whether the plaintiff will ultimately prevail, but only whether she may possibly prevail. Fontenot v. Bramlett, 470 So. 2d 669, 671 (Ala. 1985); Rice v. United Ins. Co. of America, 465 So. 2d 1100, 1101 (Ala. 1984). We note that a Rule 12(b)(6) dismissal is proper only when it appears beyond doubt that the plaintiff can prove no set of facts in support of the claim that would entitle the plaintiff to relief. Garrett v. Hadden, 495 So. 2d 616, 617 (Ala. 1986); Hill v. Kraft, Inc., 496 So. 2d 768, 769 (Ala. 1986).”
Nance v. Matthews, 622 So. 2d 297, 299 (Ala. 1993).
III. Analysis
Griggs contends that she sufficiently pleaded each of her claims. As noted above, Griggs asserted claims of negligence, negligence per se, breach of contract, invasion of privacy, unjust enrichment, breach of confidence, breach of fiduciary duty, and violation of the Alabama Deceptive Trade Practices Act. In her response to NHS‘s motion to dismiss, Griggs conceded that her claim alleging violation of the Alabama
A. Negligence
To sufficiently plead a negligence claim, Griggs had to allege (1) that NHS owed her a duty, (2) that NHS breached that duty, (3) that NHS‘s breach of duty caused her damage, and (4) that she incurred damages. See Prill v. Marrone, 23 So. 3d 1, 6 (Ala. 2009) (“‘The elements of a negligence claim are a duty, a breach of that duty, causation, and damage.‘” (citation omitted)).
First, Griggs contends that she sufficiently alleged that NHS owed her a duty. She points to the following allegations in her complaint:
- “[NHS] had clearly-defined and mandatory obligations created by HIPAA, [i.e., the Health Insurance Portability and Accountability Act] contract, industry standards, common law, and representations made to [Griggs] and Class Members, to keep their
Personal Information confidential and to protect it from unauthorized access and disclosure.” - “[NHS] has obligations created by HIPAA, industry standards[,] and common law to keep Class Members’ Personal Information confidential and to protect it from unauthorized access and disclosure.”
- “NHS is a business associate of a ‘covered entity’ under HIPAA. Business associates of covered entities must implement safeguards to ensure the confidentiality, integrity, and availability of [Personal Health Information]. Safeguards must include physical, technical and administrative components.”
- “NHS‘s duty included a responsibility to implement processes by which [it] could detect a breach of its security systems in a reasonably expeditious period of time and to give prompt notice to those affected in the case of a cyberattack.”
- “[NHS‘s] duty of care to use reasonable security measures arose due to the special relationship that existed between it and the Class, which is recognized by laws and regulations including but not limited to HIPAA, as well as common law. [NHS] was in a position
to ensure that its systems were sufficient to protect against the foreseeable risk of harm to Class Members from a cyberattack and data breach.”
Griggs fails to demonstrate that those allegations were sufficient to allege that NHS owed her a duty under Alabama law. The only authority that Griggs cites in this section of her principal brief is Martin v. Arnold, 643 So. 2d 564 (Ala. 1994), which she cites for the elements of a negligence claim. However, as this Court has repeatedly held, citing authority merely for the elements of a cause of action is generally not sufficient to argue in an appellate brief that the allegations in a complaint met the pleading standard regarding each element. See Davis v. Sterne, Agee & Leach, Inc., 965 So. 2d 1076 (Ala. 2007), and S.B. v. Saint James Sch., 959 So. 2d 72 (Ala. 2006) (overruled on other grounds, as recognized in Flickinger v. King, 385 So. 3d 504, 517 (Ala. 2023)). In Davis, a widow sued her sons and the family‘s financial-management firm, asserting claims of negligence, wantonness, and conspiracy (among other claims), after the sons allegedly stole the funds from their deceased father‘s IRA and the firm failed to prevent the theft. The trial court entered a summary judgment for the defendants. On appeal, the widow
Similarly, in S.B., this Court reviewed a summary judgment in favor of a private school and its administrator on certain negligence claims asserted against them by the parents of certain students. In particular, the plaintiffs claimed that the school was negligent in failing to prevent students from uploading pornographic images onto the
computers in the school‘s computer lab. In their brief on appeal
Like the appellants’ arguments in Davis and S.B., Griggs‘s argument before this Court is deficient. Davis and S.B., like this case, presented legal theories in which the existence of a duty was not necessarily obvious. Under such circumstances, citation to the traditional negligence test alone constitutes citation to only a general proposition of law. Aside from her lone citation to Martin, Griggs merely quotes the allegations in her complaint. Griggs‘s argument that NHS owed her a duty to safeguard her personal information or to timely notify her after
Griggs also relied on the ADBNA at oral argument, but because Griggs, in effect, failed to timely cite the ADBNA in her briefs, her reliance on the ADBNA at oral argument was the equivalent of raising the issue for the first time at oral argument. But an issue cannot be raised for the first time at oral argument. Hutchins v. Shepard, 370 So. 2d 275, 276-77 (Ala. 1979) (refusing to consider an argument raised for the first time during oral argument).
Because Griggs fails to demonstrate that she sufficiently pleaded an essential element of her negligence claim, we need not consider that claim any further. Nevertheless, we note that Griggs‘s arguments that she sufficiently alleged the elements of breach and causation fail for the same reason -- she cited no authority demonstrating that her allegations regarding those elements were sufficient. Again, she simply restates the allegations of her complaint and baldly asserts that those allegations were sufficient.
Although we recognize that the issue of the sufficiency of pleadings alleging negligence in the specific context of a data breach is a question of first impression in Alabama, that fact alone does not relieve an appellant from his obligation to cite some authority in support of his
For these reasons, we conclude that Griggs fails to demonstrate that the circuit court erred in dismissing her negligence claim as insufficiently pleaded.
B. Negligence Per Se
Next, Griggs contends that she sufficiently alleged the elements of her claim of negligence per se. Griggs contends that, in that claim, she sufficiently alleged the elements of duty and breach by alleging that NHS violated various provisions of the Health Insurance Portability and Accountability Act (“HIPAA“), Pub. L. No. 104-191, 110 Stat. 1936 (1996),
Although Griggs recognizes that neither of those statutes creates a private right of action, she contends that even a statute that creates no private right of action can serve as the basis for a negligence per se claim. In support of that argument, Griggs relies on Allen v. Delchamps, Inc., 624 So. 2d 1065 (Ala. 1993), in which this Court allowed a negligence per se claim to proceed under the Food, Drug, and Cosmetic Act (“the FDCA“),
Here, Griggs contends only that she alleged that “HIPAA and the FTCA established a duty or standard of care in support of her negligence per se claim.” She makes no argument that she pleaded that NHS‘s
C. Invasion of Privacy
Next, Griggs contends that she sufficiently pleaded her invasion-of-privacy claim because the personal information that was accessed -- Social Security numbers, names, and birth dates -- was highly sensitive and because failure to secure such information would be highly offensive to a reasonable person. Griggs relies on federal cases for the proposition that a third party‘s procurement of personal data can give rise to a claim of invasion of privacy.
“‘This Court defines the tort of invasion of privacy as the intentional wrongful intrusion into one‘s private activities in such a manner as to outrage or cause mental suffering, shame, or humiliation to a person of ordinary sensibilities.‘” Rosen v. Montgomery Surgical Ctr., 825 So. 2d 735, 737 (Ala. 2001) (emphasis added; citation omitted).
“invasion of privacy consists of four limited and distinct wrongs: (1) intruding into the plaintiff‘s physical solitude or seclusion; (2) giving publicity to private information about the plaintiff that violates ordinary decency; (3) putting the plaintiff in a false, but not necessarily defamatory, position in the public eye; or (4) appropriating some element of the plaintiff‘s personality for a commercial use.”
Johnston v. Fuller, 706 So. 2d 700, 701 (Ala. 1997). Regardless of the type of invasion of privacy Griggs alleges occurred as a result of the data breach, Griggs makes no effort to demonstrate that she alleged that NHS‘s conduct was intentional. This omission is fatal to her claim.
D. Unjust Enrichment
Next, Griggs contends that she sufficiently pleaded her unjust-enrichment claim by alleging that she conferred a benefit on NHS. Specifically, Griggs points to her allegation that “[p]art of the wages or pay terms that these Class Members negotiated with [“NHS“] was intended to be used by [“NHS“] to fund adequate security of [“NHS‘s“] computer property and [Griggs‘s] and Class Members’ Personal Information.” She also points to her allegation that NHS “retained the benefits of its unlawful conduct including the amounts received for data
“To establish a cause of action for unjust enrichment/restitution, a Plaintiff must show that ‘1) the plaintiff has conferred a benefit on the defendant; 2) the defendant has knowledge of the benefit; 3) the defendant has accepted or retained the benefit conferred; and 4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.‘”
693 F.3d at 1328 (quoting Della Ratta v. Della Ratta, 927 So. 2d 1055, 1059 (Fla. Dist. Ct. App. 2006)).
Griggs‘s allegation that she somehow conferred a benefit on NHS in exchange for data protection is insufficient. As the United States District Court for the Central District of Illinois noted when dismissing an unjust-enrichment claim in a data-breach action, the plaintiff “paid for food products. She did not pay for a side order of data security and protection.” Irwin v. Jimmy John‘s Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016). Further, as NHS notes, Resnick is distinguishable because there the plaintiffs alleged that they had paid a monthly
E. Breach of Confidence
Next, Griggs contends that she sufficiently pleaded her claim of breach of confidence. In support, Griggs relies on Muransky v. Godiva Chocolatier, Inc., 979 F.3d 917 (11th Cir. 2020), for the proposition that “[a] breach of confidence ‘is rooted in the concept that the law should recognize some relationships as confidential to encourage uninhibited discussions between the parties involved.‘” 979 F.3d at 932 (quoting Young v. United States Department of Justice, 882 F.2d 633, 640 (2d Cir. 1989)). Griggs further cites Muransky for the proposition that “[a] breach of confidence ... involves ‘the unconsented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship.‘” Id. (quoting Alan B. Vickery, Note, Breach of Confidence: An Emerging Tort, 82 Colum. L. Rev. 1426, 1455 (1982)). Based on that authority, Griggs contends that she sufficiently alleged a breach-of-confidence claim by alleging that she provided NHS her personal information with the expectation and understanding that
NHS would protect it from unauthorized access and disclosure, but that NHS breached that confidence by failing to secure her personal information.
However, Griggs does not identify any Alabama authority recognizing breach of confidence as a cause of action under Alabama law. Further, as NHS points out, even if breach of confidence were a cognizable claim under Alabama law, Griggs does not demonstrate that she alleged that NHS affirmatively disclosed her information. Affirmative disclosure is a necessary element of breach of confidence; theft by a third party is not sufficient. Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360, 1378 (N.D. Ga. 2021) (holding that plaintiffs failed to plead breach-of-confidence claim because they did not allege facts suggesting that the defendants had disclosed the plaintiffs’ information; they alleged only that their information had been stolen by third parties). For these reasons, Griggs fails to demonstrate that breach of confidence is a recognized cause of action in Alabama, let alone that she sufficiently pleaded it.
F. Breach of Fiduciary Duty
Finally, Griggs contends that she sufficiently pleaded her breach-of-fiduciary-duty claim. She cites various cases from this Court holding that, under Alabama law, a fiduciary relationship exists when one person has influence or dominion over another person. She also contends that Alabama does not have a rule that there can never be a fiduciary relationship between employees and employers. She contends that a fiduciary relationship can be inferred from her allegations that NHS collects and stores sensitive personal information as a precondition to employment. She contends that, as a result, NHS has influence and dominion over her and the class members and that NHS has obligations to keep that information confidential.
Griggs alleged that she was an employee of NHS. Generally, in Alabama, “‘a principal or employer is not the fiduciary of the agent or employee.‘” Miller v. SCI Sys., Inc., 479 So. 2d 718, 720 (Ala. 1985) (quoting and adopting the trial court‘s order). Griggs seeks to undermine that rule by arguing that “Alabama does not have a hard and fast rule that there can never be a fiduciary relationship between employees and employers.” The only case that Griggs cites for that proposition is Lanfear v. Home Depot, Inc., 536 F.3d 1217, 1224 (11th Cir. 2008). Griggs also
In short, Griggs cites no authority supporting her contention that the relationship between her and NHS was an exception to Miller‘s general rule that an employer is not a fiduciary of an employee, and she does not respond to NHS‘s reliance on Miller in her reply brief. Griggs contends that she alleged that there is a fiduciary relationship between her and NHS because NHS voluntarily collected and stored her personal information, thereby exercising influence and dominion over her. Griggs contends that, as a result, NHS had a duty to keep her personal
IV. Conclusion
Based on the foregoing, Griggs fails to demonstrate that she sufficiently pleaded her claims against NHS. Accordingly, Griggs does not demonstrate that the circuit court erred in dismissing her claims under
AFFIRMED.
Wise, Bryan, Sellers, Mendheim, and Mitchell, JJ., concur.
Cook, J., concurs specially, with opinion.
Shaw, J., concurs in the result, with opinion.
Stewart, J., concurs in the result.
COOK, Justice (concurring specially).
I concur with our Court‘s decision to affirm the Jefferson Circuit Court‘s dismissal of Shymikka Griggs‘s data-breach action against NHS Management, LLC (“NHS“). However, because data-breach actions are likely to become more frequent in the future, I write specially to provide additional guidance to the bench and bar on the types of claims that may be alleged in such actions and to note issues that counsel may wish to address in a future appropriate case.
I. Initial Observations
I start with a few initial observations about what this case concerns and what it does not concern. First, although this is a class action, the only claims before this Court today are the claims raised by the named class representative -- Griggs -- against her former employer, NHS, a consulting firm that provides management services for nursing homes and physical-rehabilitation facilities in Alabama, Arkansas, Florida, and Missouri.3 In other words, at this point, this is a case involving the theft
Second, this is a case in which no express contract governing the protection or use of the data at issue exists. Again, if there were such a contract, the outcome here might (or might not) have been different.
Third, the parties agree that Alabama law controls in this case. If Griggs were attempting to state a claim under the law of a different state
Although Griggs raised several claims in her complaint below,4 I believe that, at its core, this is a negligence case because the bulk of Griggs‘s claims against NHS rest on a duty that she contends it owed her to keep her personal information safe from a cyberattack. While I agree with the main opinion that Griggs failed to sufficiently argue that she had adequately pleaded this element of both her negligence and negligence per se claims, this does not mean that there will never be a situation in which a defendant may owe a duty to a plaintiff to safeguard such data from a criminal engaging in a cyberattack. And, even when such a duty does exist, as I also explain below, a plaintiff may still have to sufficiently allege that he or she has been damaged as a result of the breach of that duty.
II. To Recover for Negligence, a Plaintiff Must Establish That a Legal Duty Exists to Protect Personal Information from a Cyberattack by Criminals
As explained in the main opinion, a negligence claim under
In her brief on appeal, Griggs argues, among other things, that she sufficiently alleged in her complaint that NHS owed her a duty to protect her personal information from a cyberattack. Specifically, she notes that, in her complaint, she alleged (1) that NHS had “‘clearly-defined and mandatory obligations created by HIPAA [i.e., the Health Insurance Portability and Accountability Act], contract, industry standards, common law, and representations made to [her] and class members, to keep their Personal Information confidential and to protect it from unauthorized access and disclosure,‘” Griggs‘s brief at 43, and (2) that “NHS had obligations created by HIPAA, contract, industry standards, common law and representations made to class members, to keep class members’ [personal information] confidential and to protect it from
A. Griggs‘s Failure to Comply with Rule 28(a)(10), Ala. R. App. P.
In making these assertions in her brief, however, Griggs fails to cite any relevant legal authority -- from this State or from another jurisdiction -- that supports her assertion that her employer, NHS, had a duty to prevent a third-party criminal from stealing her personal information off of its network. See Griggs‘s brief at 43-47. Our Court has repeatedly stated that
”
Rule 28(a)(10), Ala. R. App. P. , requires that arguments in an appellant‘s brief contain ‘citations to the cases, statutes, other authorities, and parts of the record relied on.’ Further, ‘it is well settled that a failure to comply with the requirements ofRule 28(a)(10) requiring citation of authority in support of the arguments presented provides this Court with a basis for disregarding those arguments.’ State Farm Mut. Auto. Ins. Co. v. Motley, 909 So. 2d 806, 822 (Ala. 2005)(citing Ex parte Showers, 812 So. 2d 277, 281 (Ala. 2001)). This is so, because ‘“it is not the function of this Court to do a party‘s legal research or to make and address legal arguments for a party based on undelineated general propositions not supported by sufficient authority or argument.“’ Butler v. Town of Argo, 871 So. 2d 1, 20 (Ala. 2003) (quoting Dykes v. Lane Trucking, Inc., 652 So. 2d 248, 251 (Ala. 1994)).”
Jimmy Day Plumbing & Heating, Inc. v. Smith, 964 So. 2d 1, 9 (Ala. 2007).
Given that this lawsuit concerns claims arising out of an area of the law that our Court has not yet had a chance to address -- a data breach involving the alleged theft of an employee‘s personal information -- I agree with the main opinion that Griggs‘s failure to provide such legal authority is fatal to the question of whether a duty exists here and therefore whether a negligence claim can be maintained in this case.
B. Under Alabama Law, Does an Employer Have a Legal Duty to Protect an Employee from Third-Party Criminal Activity?
In the event that we were to reach this question in a future appropriate case, I note that the general rule in Alabama is that “an employer is not liable to its employees for criminal acts committed by third persons against an employee.” Carroll v. Shoney‘s, Inc., 775 So. 2d 753, 755 (Ala. 2000). However, our Court has recognized that an exception to that general rule exists “when a special relationship or
In her complaint, Griggs pleaded that she had been an employee of NHS and that it was this relationship that created a duty for NHS to protect her data from the cyberattack at issue here. However, other than generally alleging that NHS had a duty to protect her against a general
Given that our caselaw discussed above has not been overruled and given that it would clearly apply to Griggs‘s allegation concerning the duty that she believes NHS owed to her, it was essential for Griggs to plead facts demonstrating that those circumstances existed here.
In making this observation, however, I do not wish to be understood as reaching or deciding what should be pleaded or what is necessary to prove the duty element for a negligence claim in a future data-breach case concerning a nonemployee in a sensitive context or when a special relationship exists or sensitive data is involved.6
C. The Alabama Data Breach Notification Act Does Not Establish a Legal Duty Actionable by a Private Plaintiff
Rather than addressing the caselaw discussed above, Griggs instead argues on appeal that NHS -- regardless of its status as her employer -- owed her a duty under the Alabama Data Breach Notification Act of 2018, (“the ADBNA“),
This argument is mistaken, at least as to private litigants.
By recently passing the ADBNA in 2018, the Legislature made clear that it was concerned with cybersecurity and cybercrime. In doing so, the Legislature made an important policy choice -- expressed in the text of the statute -- that the State of Alabama through the Attorney General‘s office has the authority and discretion regarding when and how
D. Is There an Actionable Legal Duty Requiring Timely Notification of a Data Breach?
In addition to arguing that she sufficiently pleaded that NHS had breached its duty to her by failing to prevent the cyberattack in this case, Griggs also contends that she sufficiently plead that NHS had breached its duty by failing to timely notify her of the data breach itself. It appears undisputed by the parties that NHS did not notify Griggs as well as others impacted by the data breach until 10 months after it discovered that the breach had occurred. This 10-month period is troubling to me.
In my view, it might be possible to argue that a duty exists once an employer like NHS becomes aware of the data breach. In other words,
III. Does an Alleged Violation of Federal Regulations Create a Legal Duty for a Negligence Per Se Claim?
Griggs also argues on appeal that she sufficiently alleged the elements of her negligence per se claim. However, as the main opinion correctly notes, Griggs contends only that she alleged that the Health
However, in the event that we were to reach this question in a future appropriate case, I note that in Allen v. Delchamps, Inc., 624 So. 2d 1065, 1067 (Ala. 1993) (quoting Fox v. Bartholf, 374 So. 2d 294, 295-96 (Ala. 1979)), our Court explained that a plaintiff must allege the following in order to establish a claim of negligence per se:
“(1) The statute must have been ‘enacted to protect a class of persons which includes the litigant seeking to assert the statute‘;
“(2) The injury complained of must be ‘of a type contemplated by the statute‘;
“(3) ‘The party charged with negligent conduct must have violated the statute‘; and
“(4) ‘The jury must find [that] the statutory violation proximately caused the injury.‘”
(Emphasis added.)
Here, although Griggs relies on Delchamps in support of her assertions related to her negligence per se claim, she does not point to a violation of any specific statutory provisions in either HIPAA or the FTCA in arguing that those statues created a duty for her employer, NHS. Instead, all of her allegations in her complaint concern HIPAA violations based upon violations of HIPAA regulations.10
Moreover, I would be especially concerned with extending the words of Delchamps when a broader rule would cause significant constitutional and prudential concerns. For instance, allowing regulations issued by an agency (not a legislature) to create private legal liability would cause serious separation-of-powers concerns. These concerns are heightened because the legislative branch made a deliberate decision to vest
Such an extension would also create federalism concerns. These regulations were issued by an entirely different sovereign -- the federal government. Because of this federalism concern, there would be other practical problems that such an expansion of liability standards would bring. Defendants in future cases could (and I am sure would) attack such regulations as improper under federal law -- that is, as being inconsistent with the federal legislation authorizing the regulation or otherwise arbitrary and capricious. Courts in our State would then need to determine the validity of federal regulations under federal law. See Loper Bright Enters. v. Raimondo, 603 U.S. ___, 144 S. Ct. 2244 (2024) (explaining that courts should not defer to agency interpretation of an ambiguity in a law that the agency enforces). In sum, if Alabama wishes to subcontract its decision to create tort claims to federal agencies, our Legislature rather than our Court needs to make such a significant decision.
Finally, the text of the Delchamps decision is ambiguous as to whether it is ruling on the “duty” question or the “standard of care” question. Delchamps, 624 So. 2d at 1068. The question before our Court today is a question of duty, and I do not reach the question whether a federal regulation might (or might not) constitute evidence of a standard of care for a state-law tort claim in particular situations.
The only other case that Griggs cites on this point is Smith v. Triad of Alabama LLC (Case No. 1:14-CV-324-WKW, Sept. 29, 2015) (M.D. Ala. 2015) (not reported in Federal Supplement). Smith was a medical-data-breach case that involved allegations invoking HIPAA. In that case, the United States District Court for the Middle District of Alabama cited our Court‘s decision in Delchamps for its negligence per se analysis, and it is therefore distinguishable for the same reasons that Delchamps is distinguishable. Smith is also distinguishable because the plaintiffs in that case were medical patients. In other words, unlike in this case, in Smith there were allegations showing that the plaintiffs were part of the “class of persons” protected by HIPAA.
Additionally, Griggs‘s argument that NHS owed her a duty under the FTCA is even weaker. In support of this assertion, Griggs, in her complaint, relied on (1) a nonbinding “publication” (Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016)), and (2) an administrative decision (citing In the Matter of LabMD, Inc., 2016-2 Trade Cas. (CCH), ¶ 79708 (July 28, 2016)).
If a plaintiff in a future data-breach case were to raise a negligence per se claim similar to the one that Griggs alleges here, he or she would have to plead (at least) that he or she was part of the actual “class of persons” that the statute he or she is relying on was enacted to protect and that the injury complained of -- the theft of personal information as a result of a cyberattack -- was “contemplated by the statute.” He or she would also have to plead (at least) that the defendant not only violated the statute but that the injury complained of proximately caused the injury. Without such allegations, a plaintiff may not be able to proceed with his or her negligence per se claim.
IV. Even If a Duty Exists in a Data-Breach Case, a Plaintiff Must Still Plead That He or She Suffered Damages As a Result of Any Alleged Breach of a Duty to Protect Personal Information
With all of this said, this case is at the pleading stage and not yet at the summary-judgment stage. Alabama is a notice-pleading state. Extensive caselaw (including cases that I have authored) states that a dismissal on the pleadings is not allowed if “‘“it appears that the pleader could prove any set of circumstances that would entitle her to relief.“‘” Flickinger v. King, 385 So. 3d 504, 511 (Ala. 2023) (emphasis altered;
At oral argument, counsel for NHS could not deny that there were “any set of circumstances” that would constitute damage. Thus, the problem with my conclusion and the acknowledgement by NHS‘s counsel during oral argument is that plausibility is not the pleading standard today in Alabama. Because of this, I cannot rely upon the lack of actual damages to affirm the dismissal on the pleadings and must instead base my concurrence on the other issues discussed above.
In contrast to Alabama‘s pleading standard, I note that federal courts do consider whether a plausible claim has been pleaded. See, generally, Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009) (requiring that the complaint state a “plausible claim“). Notably, the substance of the relevant Alabama rules of civil procedure are identical to the relevant federal rules of civil procedure. Compare Rules 8 and 12, Ala. R. Civ. P., with Rules 8 and 12, Fed. R. Civ. P.
I have previously noted this inconsistency between the Alabama
Yet, NHS has not asked us to reconsider our current pleading standard and adopt the federal pleading standard as discussed in Iqbal and Twombly, supra. Absent extraordinary circumstances, our Court will not reach out and overrule past precedent without an express request to do so. See, e.g., American Bankers Ins. Co. of Florida v. Tellis, 192 So. 3d 386, 392 n.3 (Ala. 2015) (noting that the Court follows “‘controlling precedent‘” unless “‘invited to‘” overrule it (citation omitted)). However, I raise this issue here to once again invite parties in a future appropriate case to argue whether we should reconsider our pleading standard in light of the federal pleading standard.
V. Conclusion
It is for all of these reasons that I agree that the circuit court‘s dismissal of Griggs‘s data-breach action against NHS is due to be affirmed.
I concur in the result. Additionally, I note the following.
I agree that the plaintiff below, Shymikka Griggs, has not demonstrated on appeal that the dismissal of her negligence claim is due to be reversed. In its motion to dismiss, the defendant below, NHS Management, LLC (“NHS“), acknowledged the elements of a negligence action, which, generally stated, require a plaintiff to show a duty, a breach of that duty, causation, and damages. But NHS argued that no legal duty existed in this case. Specifically, NHS cited caselaw and provided a discussion of the various factors and considerations used to determine when the law imposes a duty and argued that, under that authority and analysis, no duty existed in this case. See, e.g., DiBiasi v. Joe Wheeler Elec. Membership Corp., 988 So. 2d 454, 461-63 (Ala. 2008) (discussing “a number of factors [used] to determine whether a duty exists” and noting that the foreseeability of a risk of harm alone can be insufficient to create such a duty), and New Addition Club, Inc. v. Vaughn, 903 So. 2d 68, 73-76 (Ala. 2004) (discussing when one has a duty to protect another from the criminal acts of a third person). Whether a duty exists is a question of law. Bryan v. Alabama Power Co., 20 So. 3d 108,
Thus, it was incumbent upon Griggs, in her initial brief on appeal, to present a legal argument as to whether the law imposes a duty in this case, or the issue is deemed waived. Soutullo v. Mobile Cnty., 58 So. 3d 733, 739 (Ala. 2010), and Fogarty v. Southworth, 953 So. 2d 1225, 1232 (Ala. 2006). While Griggs argues on appeal that her complaint alleged that a duty existed and alleged that there was a foreseeable risk, this does not address the issue, presented to the trial court, that, despite those allegations, no duty existed. Although I am not wholly convinced that, in a case like this, the law will not impose a duty for purposes of a negligence action, the issue has been waived.
Notes
However, as NHS points out in its motion to strike portions of Griggs‘s reply brief, Griggs did not rely on that statute in her response to NHS‘s motion to dismiss or in her opening brief on appeal. Although Griggs cited the ADBNA once in a footnote in the facts section of her opening brief, she did so only to note that NHS‘s notice of the data breach was untimely. Because Griggs cited the ADBNA in support of her duty argument for the first time in her reply brief, Griggs has waived the issue whether the ADBNA imposed a duty on NHS.
In her response to the motion to strike, Griggs contends that she merely cited the ADBNA as additional authority to refute NHS‘s arguments, which she says opened the door to her to cite statutes that impose a duty on NHS to safeguard personal information. That argument might be plausible if Griggs had cited some authority in her opening brief. But without any authority cited in the first place, any authority cited in the reply brief cannot be additional. Authority cited for the first time in a reply brief cannot cure a complete failure to cite authority in
