Communications Litigation Today was a Warren News publication.

Judge Grants ABA’s Motion to Dismiss Case Arising From March 2023 Data Breach

U.S. District Judge Nicholas Garaufis for Eastern New York in Brooklyn granted the American Bar Association’s Nov. 21 motion to dismiss Tiffany Troy and Eric Mata's amended complaint arising from the March 2023 data breach that exposed the records of 1.4 million ABA members (see 2311220034), said the judge’s signed memorandum and order Tuesday (docket 1:23-cv-03053). The judge dismissed the case in its entirety for failure to state a claim under Rule 12(b)(6), it said. While the plaintiffs sufficiently alleged that an implied contract exists between them and the ABA, their claim still fails because the plaintiffs don’t allege how ABA has breached that contract, said the memorandum and order. Troy and Mata specifically fail to identify which commercially reasonable security measures that ABA didn’t implement to protect their data, it said: “Instead, they assume that ABA's practice of using hashed and salted passwords was inadequate and thus violative of industry-standard security measures.” The plaintiffs argue that the process of using hashed and salted passwords, coupled with the defunding and mismanaging of the department that implements data security measures, indicates a failure to implement commercially reasonable security measures that constitute a breach of the implied agreement, said the memorandum and order. But the court disagrees “that this sole allegation concerning the handling of personal information is sufficient to state a claim that industry practices were not followed,” it said. Absent allegations identifying the security measures ABA purportedly failed to implement, the plaintiffs “cannot sustain their breach of implied contract claim,” it said.