Opinion
# 2015-018-657 Claim No. 126333 Motion No. M-87177
11-10-2015
No Appearance ERIC T. SCHNEIDERMAN Attorney General of the State of New York By: Ray A. Kyles, Esquire Assistant Attorney General
Synopsis
Defendant brings an unopposed pre-answer motion to dismiss the claim. Based upon the facts alleged, Claimant has not stated a private cause of action for money damages. Claim is dismissed.
Case information
UID: | 2015-018-657 |
Claimant(s): | RICHARD H. LIVINGSTON |
Claimant short name: | LIVINGSTON |
Footnote (claimant name) : | |
Defendant(s): | STATE OF NEW YORK |
Footnote (defendant name) : | The Court has sua sponte amended the caption to reflect the State of New York as the only proper defendant. |
Third-party claimant(s): | |
Third-party defendant(s): | |
Claim number(s): | 126333 |
Motion number(s): | M-87177 |
Cross-motion number(s): | |
Judge: | DIANE L. FITZPATRICK |
Claimant's attorney: | No Appearance |
Defendant's attorney: | ERIC T. SCHNEIDERMAN Attorney General of the State of New York By: Ray A. Kyles, Esquire Assistant Attorney General |
Third-party defendant's attorney: | |
Signature date: | November 10, 2015 |
City: | Syracuse |
Comments: | |
Official citation: | |
Appellate results: | |
See also (multicaptioned case) |
Decision
Defendant brings an unopposed pre-answer motion to dismiss the claim for failure to state a cause of action.
On June 22, 2015, Claimant filed a claim against the State of New York and United Parcel Service seeking damages for exposure to identity theft and the late notice of this exposure. Claimant alleges the State is responsible for the loss or theft of his personal information, including his name, social security number, and NYSID number, and that the State failed to give him timely notice of the loss or theft. As a result, Claimant asserts that he has been exposed to identity theft causing him economic and personal hardship. The claim states that the negligent acts began in July 2014, and have continued to date. Claimant alleges that he has been damaged by the State's failure to follow the standards and rules in violation of General Business Law section 899-aa because the Department of Corrections and Community Supervision (DOCCS) waited almost 12 months to notify Claimant of his stolen or lost personal information. Attached to the claim is a copy of a letter dated April 30, 2015, Claimant received from DOCCS notifying him that in June 2014, it sent a computer out for service that contained sensitive parolee information including names, dates of birth, social security numbers, New York State Identification Numbers (NYSID) and DOCCS Department Identification Numbers (DIN). The computer was sent to an out of state vendor via United Parcel Service (UPS) and was tracked. On July 1, 2014, the package was scanned and received at the UPS distribution center in Greenville, South Carolina, but was subsequently lost. As of April 30, 2015, the computer had not been recovered. The letter indicates that personal information may have been compromised and makes a few recommendations for action to limit or reduce any impact on access to credit or credit history. Claimant seeks $5 million in damages.
Defendant brings this motion to dismiss, arguing that the claim fails to state a cause of action and argues that the claim fails to identify conduct by the State or a relationship with a vendor that would give rise to a cognizable cause of action. Defendant also argues that there is no precedent for a civil cause of action for "exposure to identity theft." Defendant owed Claimant no duty and; therefore, Claimant cannot make out a common law negligence cause of action. Defendant also indicates that Claimant has not demonstrated that he has suffered any injury specific to him.
On a motion to dismiss for failure to state a cause of action, the Court engages in a very focused review of the claim. The Court accepts all the allegations made by the Claimant as true, gives the pleading a liberal construction and affords the claim every favorable inference (Carlson v American Intl. Group, Inc., 130 AD3d 1479, 1480 [4th Dept 2015], quoting Simkin v Blank, 19 NY3d 46, 52 [2012]). On the motion, The Court reviews the legal sufficiency of the claim, or in other words, " 'determine whether the facts as alleged when taken together set forth any cognizable legal theory . . . and the criterion is whether the proponent of the pleading has a cause of action, not whether he [or she] has stated one.' (Miller v Allstate Indem. Co., 125 AD3d 1306, 1307 [4th Dept 2015]; quoting Leon v Martinez, 84 NY2d 83, 88 [1994]; Heckl v Walsh, 122 AD3d 1252 [4th Dept 2014])." It is not a summary judgment motion where admissible proof establishing a prima facie case must be provided (see Edmond v International Bus. Machs. Corp. 91 NY2d 949, 951-952 [1998]; Matherson v Marchello, 100 AD2d 233, 238-239 [2d Dept 1984]); thus, based upon the burden on this motion, even a lack of response by a Claimant may result in the motion to dismiss being denied, if a cause of action is sufficient on its face, and Defendant's submissions do not conclusively disprove the alleged facts (see Lawrence v Graubard Miller, 11 NY3d 588, 595 [2008]; Rovello v Orofino Realty Co., 40 NY2d 633, 636 [1976]).
Dismissal is warranted for any cause of action against UPS for the loss of the computer with Claimant's personal information. The Court of Claims is a Court of limited jurisdiction which may only hear claims authorized by statute against the State of New York (Court of Claims Act § 9). This Court lacks jurisdiction over a private entity, such as UPS.
Turning to Claimant's allegations against DOCCS, Claimant asserts that DOCCS is liable for an unintentional tort for breaching its duty to timely advise him of the loss or theft of his personal information based upon General Business Law section 899-aa, also known as the Information Security Breach and Notification Act. That statute requires any person or business which conducts business in the State or owns or licenses computerized data including private information to disclose any breach of security of the system, following discovery or notification of the breach in security, to any resident of the State whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The statute requires that the notification be made "in the most expedient time possible and without unreasonable delay" and describes the way notification is to be made (General Business Law § 899-aa [2], [5]).
In determining the application and meaning of a statute, a court must try to determine and apply the intent of the legislature (Riley v County of Broome, 95 NY2d 455, 463 [2000]; Patrolmen's Benevolent Assn. of City of N.Y. v City of New York, 41 NY2d 205, 208 [1976]). Typically, the analysis begins with the plain language used in the statute, and if it is unambiguous, the Court need look no further (Majewski v Broadalbin-Perth Cent. School Dist. 91 NY2d 577, 583 [1998]; Matter of Roosevelt Raceway v Monaghan, 9 NY2d 293, 304 [1961]). Although the language of the statute, General Business Law section 899-aa, clearly applies to any person or business, the question is whether the statute would apply to the State. Although governmental entities are not mentioned, in other sections of the General Business Law, the legislature specifically excluded the State and its municipal subdivisions when it intended for a law not to apply to a governmental entity (see General Business Law § 399-ddd [2]). Only when the application of the statute is not clear from its face, is a Court authorized to look beyond the language of the statute and consider the legislative history to discern legislative intent (see Matter of Amorosi v South Colonie Ind. Cent. School Dist., 9 NY3d 367, 372-373 [2007]; Sega v State of New York, 60 NY2d 183, 191 [1983], rearg denied 61 NY2d 670 [1983]). In this case, as part of the bill jacket, a letter urging the signature of then Governor George E. Pataki dated August 1, 2005, from James Brennan, a Member of the Assembly, makes clear that the intent of the statute was to apply to businesses and any "governmental entity." Yet, even if applicable to the State, the question becomes whether the legislation authorizes a private right of action for a breach.
Letter from James Brennan, New York State Assembly, August 1, 2005 at 3, Bill Jacket, L. 2005, ch 442)
Where a statute does not explicitly authorize or preclude a private right of action based upon a breach, a determination must be made whether a private cause of action is implied. "A statutory command . . . does not necessarily carry with it a right of private enforcement by means of tort litigation." (Uhr v East Greenbush Cent. School Dist., 94 NY2d 32, 38 [1999]). Only if the legislative intent was to create a private right of action may one be implied, and that requires analysis of the statutory language and the legislative history (Carrier v Salvation Army, 88 NY2d 298, 302 [1996]). Three factors must be considered: (1) whether the claimant is one of the class intended to be protected by the statute; (2) whether a private right of action would promote the legislative purpose; and (3) whether a private right of action would be consistent with the legislative plan (Sheehy v Big Flats Community Day, 73 NY2d 629, 633 [1989]). The third factor is the most important (id. at 634). Even if we, for this discussion, accept that the first two factors support finding the statute was intended to provide a private right of action, the third factor does not.
First, the statute itself provides that the Attorney General has the right to bring an action on behalf of the people of the State of New York seeking damages and a civil penalty (General Business Law § 899-aa [6] [a]). In cases where the legislature has provided a remedy for breach, finding a private right of action may be viewed as inconsistent with the legislative scheme (see Cruz v TD Bank, N.A., 22 NY3d 61, 70-71 [2013]; Sheehy,73 NY2d at 629, 636 ["Where the Legislature has not been completely silent but has instead made express provision for civil remedy, albeit a narrower remedy than the plaintiff might wish, the courts should ordinarily not attempt to fashion a different remedy, with broader coverage . . ."]). The statute also provides that the right of the Attorney General to bring an action is in addition to any other remedies available (General Business Law § 899-aa [6] [b]). The provisions of the statute, however, are exclusive and may not be preempted (General Business Law § 899-aa [9]). This language seems to indicate that although other remedies are not precluded, the statute itself does not provide the grounds for the other remedy.
Moreover, the letter to Governor Pataki from Assemblyman Brennan urging the Governor to sign the legislation, notes that the Attorney General can "recover damages for individuals" when notification has not taken place. This clearly indicates that the Attorney General and not individuals directly would pursue damages for a breach of the statute - permitting individualized actions would undermine this purpose. Based upon the foregoing, Claimant may not pursue a cause of action directly against the State for any alleged breach of General Business Law section 899-aa (see Abdale v North Shore-Long Is. Jewish Health Sys. Inc. 49 Misc 3d 1027 [Sup Ct, Queens County 2015]).
Letter from James Brennan, New York State Assembly, August 1, 2005 at 3-4, Bill Jacket, L.2005, ch 442.
The next question is whether Claimant's allegations set forth any other cognizable cause of action. There is a "Personal Privacy Protection Law" which sets forth how State agencies may collect and store private information and restricts its disclosure (Public Officers Law art 6-A). This statute, however, also provides remedies for breach and has been held to not create a new private right of action (see Lawrence v State of New York, 180 Misc 2d 337 [Ct Cl 1999]; Fernandez v State of New York, 43 Misc 3d 1221 (A) [Ct Cl 2014]; Gosselin v State of New York, UID No. 2000-015-021 [Ct Cl, Collins, J., April 6, 2000]). Similarly, section 399-ddd of the General Business Law protects the confidentiality of one's social security number from unauthorized disclosure, however, again, this statute also provides that the Attorney General may pursue a civil penalty of not more than $1,000 for the first single violation and not more than $100,000 for multiple violations. This section also does not authorize a private right of action (see General Business Law § 399-ddd; Abdale, 49 Misc 3d 1027; Axis Capital, Inc. v JAINA Sys. Network, Inc., 49 Misc 3d 350 [Sup Ct, Nassau County 2015]).
Public Officers Law section 97 (1)-(3), provides for civil remedies including an Article 78 proceeding, and does not limit or abridge the right for judicial review or pecuniary or other relief in any other forum or upon any other basis.
This Court has not found any common law right of action for money damages for the untimely notification of the loss or possible theft of one's personal information. There is no "common law right of privacy" except to the extent provided under Civil Rights Law section 50 and 51, neither of which applies to the facts here (see Messenger v Gruner + Jahr Print. & Publ., 94 NY2d 436 [2000]; Farrow v Allstate Ins. Co., 53 AD3d 563 [2d Dept 2008]). There is a cause of action for breach of a fiduciary duty to maintain confidentiality in the context of a physician-patient relationship (see CPLR 4504; Williams v Roosevelt Hosp., 66 NY2d 391 [1985]; MacDonald v Clinger, 84 AD2d 482, 485-487 [4th Dept 1982]). Some courts have found the potential for an implied duty of confidentiality in other relationships of trust and confidence as in certain business relationships (LCR Tech. Inc., v HSBC Bank, USA, N.A. 37 AD3d 766 [2d Dept 2007]; Boccardo v Citibank, 152 Misc 2d 1012 [Sup Ct, NY County 1991] [references some recognition for an implied duty to keep a bank customer's banking transactions confidential]; Anonymous v CVS Corp., 293 AD2d 285 [1st Dept 2002] [permitted class certification for persons whose medical and prescription information was sold or transferred to defendant pharmacy without their knowledge or consent]; Daly v Metropolitan Life Ins. Co., 4 Misc 3d 887 [Sup Ct, NY County 2004] [found insurance company had duty to protect confidential information provided by potential insured seeking to purchase life insurance policy]).
In this case, the facts do not fit into any of the circumstances where courts have discussed a potentially viable cause of action for breach of confidentiality. Nor has Claimant alleged any facts that would support a cause of action for negligent infliction of emotional distress (see Johnson v State of New York, 37 NY2d 378 [1975] [negligently reported death of mother]; Albert v Solimon, 252 AD2d 139 [4th Dept 1998] [no danger to claimant's physical safety or risk of physical harm]). Based upon the facts alleged, Claimant has not stated a private cause of action for money damages.
Accordingly, Defendant's motion is GRANTED and the claim is DISMISSED.
November 10, 2015
Syracuse, New York
DIANE L. FITZPATRICK
Judge of the Court of Claims The Court has considered the following in deciding this motion: 1) Notice of Motion. 2) Affirmation of Ray A. Kyles, Esquire, Assistant Attorney General, in support, with exhibits attached thereto.