proofread privacy law assignment 3_gardner
UNITED STATES DISTRICT COURT DURHAM COUNTY
JANE DOE, a fictitious name to protect privacy,
Plaintiff,
v.
Civil No. _________
NC THERMAVIEW,
Defendant.
COMPLAINT
NOW COMES Plaintiff, by and through her undersigned counsel, asserting the following as her Complaint.
JURISDICTION, PARTIES, AND VENUE
1. Plaintiff JANE DOE, a fictitious name to protect privacy, is a resident of Durham County, North Carolina.
2. Defendant NC THERMAVIEW is a North Carolina business that provided thermal imaging mammography services to a Durham County resident.
3. Venue is in this Court pursuant to N.C. Gen. Stat. §1-82.
FACTUAL BACKGROUND
4. JANE DOE is a 60-year-old Durham resident. She purchased thermal heat imaging services from NC Thermaview, a Raleigh business managed by a licensed nurse. NC Thermaview performs thermal heat imaging mammography as an alternative to conventional mammograms and sends the resulting images to the physician each patient designates.
5. During her initial consultation, NC Thermaview’s receptionist assured JANE DOE that all information associated with her visit would be confidential. JANE DOE also read a company brochure which stated that services would be provided “in a confidential and supportive environment.” JANE DOE paid with her credit card and requested that the results be sent to her doctor, Dr. Wilhelmina Prosser. NC Thermaview sent the images to Dr. Prosser through a password-protected website and sent a copy via U.S. mail.
6. Between January 2014 and March 2014, JANE DOE’s identity was stolen. Three credit cards were opened in JANE DOE’s name amassing over $180,000 in charges. In May 2014, JANE DOE’s bank identified suspicious transactions in which someone tried to transfer funds out of her savings and money market accounts.
7. In October 2014, NC Thermaview sent JANE DOE a data security breach notice. The notice said that her credit card and other information had suffered a “possible exposure” to a hacking attack during “a period of time from January of 2014 through June of 2014.” The notice said that NC Thermaview had alerted law enforcement and hired data security experts to repair the system.
8. JANE DOE believes the data breach allowed an identity thief to access her information. She estimates that she has spent 200 hours in work to restore and protect her credit and to search for the identity thief, taking away time from her work. She is self-employed and ordinarily earns between
eighteen and thirty dollars per hour. She is concerned that she has been unproductive and unable to focus. Dr. Prosser referred JANE DOE to a psychiatrist for anxiety therapy.
9. JANE DOE worries that the mammography images will become public. She is concerned about negative associations of a public photo displaying her torso, and concerned about the possibility that anyone who viewed the images might erroneously think she was ill.
COUNT 1 UNFAIR AND DECEPTIVE TRADE PRACTICES
10. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
11. NC Thermaview advertised its services as “confidential.”
12. NC Thermaview failed to adequately encrypt the website containing JANE DOE’s thermal imaging pictures and other personally identifying medical information.
13. The misrepresentation of NC Thermaview’s services as confidential, while the company expressly fails to meet HIPAA-recommended security standards, is a deceptive business practice.
14. NC Thermaview failed to check quarterly for authorized and unauthorized wireless access points pursuant to the PCI Security Standards Council guidelines, an industry-wide standard for all merchants which accept credit card payments.
15. The failure to meet industry-wide data security standards is an unfair business practice.
16. JANE DOE is entitled to recovery under the North Carolina Unfair and Deceptive Trade Practices Statute.
COUNT 2
NORTH CAROLINA IDENTITY THEFT ACT VIOLATION
17. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
18. NC Thermaview disposed of JANE DOE’s personally identifying information when the company forwarded it to Dr. Prosser.
19. NC Thermaview did not comply with the NC Identity Theft Act by failing to destroy her personally identifying information after disposal.
20. JANE DOE is entitled to recovery under the North Carolina Identity Theft Act.
COUNT 3
BUSINESS INTERRUPTION
21. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
22. The NC Thermaview data breach caused JANE DOE to miss 200 hours of work due to inability to focus. JANE DOE is self-employed and earns between $18 and $30 per hour.
23. JANE DOE is entitled to recovery of her lost earnings.
COUNT 4 BREACH OF CONTRACT
24. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
25. NC Thermaview and JANE DOE were parties to a contract in which NC Thermaview promised a “confidential environment.” Instead of enjoying confidentiality as promised, JANE DOE’s personally identifying information has been potentially subjected to online hackers.
26. JANE DOE is entitled to recovery for NC Thermaview’s breach of contract.
COUNT 5 BREACH OF IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING
27. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
28. NC Thermaview breached the implied covenant of good faith and fair dealing by consciously failing to encrypt their website and failing to timely check for data security breaches.
29. JANE DOE is entitled to recovery for NC Thermaview’s breach of the implied covenant of good faith and fair dealing.
COUNT 6
BREACH OF FIDUCIARY DUTY
30. Paragraphs __ through __ of this Complaint are incorporated by reference as if fully set forth herein.
31. NC Thermaview breached its fiduciary duty to JANE DOE by failing to ensure adequate data security of her personally identifying information.
32. JANE DOE is entitled to recovery for NC Thermaview’s breach of fiduciary duty.
WHEREFORE, Jane Doe respectfully requests trial by jury of all issues triable before a jury and judgment for compensatory and punitive damages against Defendant, and any other relief as this Court deems just and proper.
This 12th day of December, 2014.
Respectfully Submitted,
<<Signature>>
Supervising Attorney (Bar. No. 12345)
Warren & Brandeis
To: Supervising Attorney
From: Ikee Gardner
Re: Jennifer Laura Entz
Date: December 12, 2014
SUMMARY
NC Thermaview is likely liable for violation of the North Carolina Unfair and Deceptive Trade Practices
Act, violation of the North Carolina Identity Theft Act, business interruption, breach of contract, breach of the
implied covenant of good faith and fair dealing, and breach of fiduciary duty. Ms. Entz may have a
claim against Dr. Prosser; however, the claim is untenable and she should sue NC Thermaview only. Ms. Entz
should be evaluated by a psychiatrist to determine whether there is diagnosable emotional harm which can be
integrated into her complaint. A data security expert should be hired to evaluate Thermaview’s data, to determine
whether the data breach proximately caused Ms. Entz’s identity to be stolen. Ms. Entz should also be advised on the
benefits and detriments of filing a Jane Doe lawsuit.
FACTS
Jennifer Laura Entz is a 60-year-old Durham resident and candidate for re-election to the Durham School
Board. She purchased thermal heat imaging services from NC Thermaview, a Raleigh business managed by a
licensed nurse. NC Thermaview performs thermal heat imaging mammography and sends the resulting images to
the physician each patient designates. During her initial consultation, NC Thermaview’s receptionist assured Ms.
Entz that all information associated with her visit would be confidential. Ms. Entz also read a company brochure
which stated that services would be provided “in a confidential and supportive environment.” Ms. Entz paid with
her credit card and requested that the results be sent to her doctor, Dr. Wilhelmina Prosser. NC Thermaview sent the
images to Dr. Prosser through a password-protected website and sent a copy via U.S. mail.
Between January 2014 and March 2014, Ms. Entz’s identity was stolen. Three credit cards were opened in
Ms. Entz’s name amassing over $180,000 in charges. In May 2014, Ms. Entz’s bank identified suspicious
transactions in which someone tried to transfer funds out of her savings and money market accounts.
In October 2014, NC Thermaview sent Ms. Entz a data security breach notice. The notice said that her
credit card and other information had suffered a “possible exposure” to a hacking attack during “a period of time
from January of 2014 through June of 2014.” The notice said that NC Thermaview had alerted law enforcement and
hired data security experts to repair the system.
Ms. Entz believes the data breach allowed an identity thief to access her information. She estimates that
she has spent 200 hours in work to restore and protect her credit and to search for the identity thief, taking away time
from her work as a freelance technology manual editor. She ordinarily earns between eighteen and thirty dollars per
hour as an editor. She is concerned that she has been unproductive and unable to focus. Dr. Prosser referred Ms.
Entz to a psychiatrist for anxiety therapy.
Ms. Entz worries that the mammography images will become public. She believes that if the images
became public it could compromise her re-election to the Durham School Board. She is concerned about negative
associations of a public photo displaying her torso, and concerned about the possibility that anyone who viewed the
images might erroneously think she was ill.
DISCUSSION
I. Pseudonymous Pleading and Venue Considerations.
It may be beneficial for Ms. Entz to litigate under a pseudonym, such as “Jane Doe.” Ms. Entz has
expressed her concern that the thermal images may reach the public, and may not wish for a potential lawsuit against
NC Thermaview to be associated with her name. Public association with a lawsuit may negatively affect her
chances for re-election. Voters in the School Board election may think that she is combative (due to being involved
in litigation), unhealthy (due to having mammography imaging) or unable to fulfill her School Board responsibilities
(due to her anxiety and inability to focus). Alternatively, the lawsuit may benefit her public image. Voters may
think she is determined (due to her attempts to track down the identity thief) and relatable (mammograms are
common experiences for women). The lawsuit may present an opportunity for her to demonstrate character traits
towards which voters are sympathetic. Ms. Entz should carefully consider the advantages and disadvantages of a
Jane Doe lawsuit. North Carolina county courts do not require a motion to file pseudonymously.1
Filing the case in Durham County may provide Ms. Entz with a jury more sympathetic to her case – she is a
Durham resident, whereas the defendant is located in Wake County. A jury in Durham County Court may look
favorably on a local plaintiff. On the other hand, if specifics are known about the judge(s) in Wake County court
which may weigh in Ms. Entz’s favor, then we should file in Wake County.
II. Negligence Claims Against NC Thermaview
NC Thermaview is likely liable for negligence in failing to comply with HIPAA, and for negligence in
failing to timely discover the data breach. Negligence occurs when a defendant owes the plaintiff a duty, breaches
that duty, and the plaintiff’s injury is proximately caused by the breach.2 A "duty" is defined as a legal obligation
requiring a person to conform to a certain standard of conduct.3 Here, NC Thermaview owed Ms. Entz a duty to
conform to applicable security standards and a duty to routinely check for data breaches. However, with the
exception of the 200 hours of work lost, Ms. Entz’s existing financial harm does not have a clear nexus to the data
breach. Further investigation is needed – for example, bringing in an expert to assess Thermaview’s records – in
order to establish whether the data breach proximately caused the identity theft. There are also problems
establishing harm. A formal diagnosis by Ms. Lutz’s psychiatrist will determine whether or not there is any
emotional harm. A psychiatric diagnosis can also determine whether the identity theft proximately caused the
emotional harm.
1 North Carolina appears to accept pseudonymous plaintiffs implicitly. See Doe v. Duke University, 455 S.E.2d 470 (N.C. Ct. App. 1995), ACT-UP Triangle (AIDS Coalition to Unleash Power Triangle) v. Comm’n for Health, 472 S.E.2d 605 (N.C. Ct. App. 1996), Doe v. Jenkins, 547 S.E.2d 124 (N.C. Ct. App. 2001). The 4th Circuit uses a balancing test with the following factors: whether the plaintiff simply wants to avoid criticism or wants to preserve “privacy of a sensitive and highly personal nature,” whether being identified puts the plaintiff or third parties at risk of physical or mental harm, the plaintiff’s age, whether the action is against a governmental or private party, and the risk of unfairness to the defendant from allowing an action from an anonymous plaintiff. James v. Jacobson, 6 F. 3d 233, 238 (4th Cir. 1993).
2 22 Strong’s North Carolina Index 4th Negligence § 8 (2014).
3 Whisnant v. Carolina Farm Credit, 693 S.E.2d 149 (N.C. Ct. App. 2010).
A. NC Thermaview Negligently Failed to Implement HIPAA and HITECH Act Data Security Standards
Compliance with HIPAA has been recognized as a duty owed in North Carolina.4 For example, under
Acosta v. Byrum, a plaintiff alleged that her psychiatrist allowed a third party to see her medical records. The court
ruled that HIPAA “provid[es] evidence of the duty of care owed.”5 Here, NC Thermaview owes Ms. Entz the duty
to comply with HIPAA standards.
NC Thermaview is a ‘business associate’ under HIPAA. Under the HITECH Act, business associates are
required to comply with the same security requirements as HIPAA covered entities.6 HIPAA defines a ‘covered entity’ as
a health care provider who transmits any health information in electronic form.7 Assuming Prosser transmits as well
as receives electronic health information, Prosser is a covered entity. HIPAA defines a ‘business associate’ as a
person who “other than in the capacity of a member of the workforce of such covered entity…performs, or assists in
the performance of: [a] function or activity involving the use or disclosure of individually identifiable health
information.”8 NC Thermaview “assists” in the “performance” of thermal imaging services and “discloses” the
individually identifying images to Prosser. NC Thermaview thus qualifies as a business associate.
As a business associate, NC Thermaview has a duty to “encrypt electronic protected health information
whenever deemed appropriate.”9 Under HIPAA, encryption methods qualify as making data at rest unusable,
unreadable, and undecipherable if the encryption is consistent with NIST Special Publication 800-111.10 Failure to
encrypt the website is a breach of NC Thermaview’s duty under HIPAA. As reviewed above, causation and harm
cannot be established under the present facts.
B. Negligence: NC Thermaview’s Failure to Timely Discover the Breach.
NC Thermaview’s statement that it “only recently discovered” the data breach indicates a breach of duty to
follow industry standards. Under the HITECH act, a breach will be treated as “discovered” on the date when the
business associate “reasonably should have known” of the breach.11 Thermaview failed to comply with industry
4 Acosta v. Byrum, 638 SE 2d. 246, 249-253 (N.C. App. 2006).
5 Id. at 253.
6 The HITECH act states that “[s]ections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” Health Information Technology for Economic and Clinical Health Act (HITECH Act), §13401(a), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014).
7 45 CFR 160.03. We should find out whether Dr. Prosser does transmit health information electronically. In Ms. Entz’s case, Dr. Prosser is receiving electronic information but we do not know if she transmits information electronically. Regardless, most doctors’ offices send patient data electronically for billing/administrative purposes. By doing business with any doctors’ office that transmits electronic information, NC Thermaview is a business associate.
8 45 CFR 160.103
9 Health Information Technology for Economic and Clinical Health Act (HITECH Act) §13401(a), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014); 45 C.F.R §164.312(a)(2)(iv).
10 U.S. Department of Health and Human Services, Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html (last visited Nov. 12, 2014).
11 Health Information Technology for Economic and Clinical Health Act (HITECH Act) §13402(c), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf (last visited Dec. 11, 2014);
standards governing when it reasonably should have known that hackers had breached its system.12 PCI DSS, the
industry standard for the payment card industry, applies to all entities that store, process or transmit cardholder data,
including merchants and service providers.13 “Cardholder data” is defined as account numbers, names, expiration
dates, and service codes. In addition to requirements on encrypting cardholder data14 and maintaining secure
systems15, PCI DSS institutes a timing requirement to detect all authorized and unauthorized wireless access points
“on a quarterly basis.”16 Thermaview processed Ms. Entz’s cardholder data when it accepted her credit card
payment. According to PCI DSS, a data breach which began in January should have been caught in March. If the
data breach began in June, it should have been caught in September. Thermaview reasonably should have known of
the breach at the latest in September, at the start of the third quarter.17 Thermaview breached its duty to comply
with industry standards by failing to complete quarterly detection of wireless access points. As reviewed above,
causation and harm cannot be established under the present facts.
III. Violation of NC Unfair & Deceptive Trade Practices Act/ “Little FTC Act”
NC Thermaview’s failure to complete quarterly wireless access point inspections and failure to encrypt the
website are likely violations of the North Carolina Unfair and Deceptive Trade Practices Act. Under North Carolina
law, unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting
commerce, are unlawful.18 In Johnson v. Phoenix Mutual Life Ins. Co., the plaintiff and defendant entered into a
contract to negotiate a mortgage loan. The defendant’s representative mistakenly misrepresented the financial
consequences of substituting one commercial leaseholder for another commercial leaseholder.19 The court ruled that
the defendant’s actions were neither unfair nor deceptive.20 The defendant was cooperative at all times and never
“exerted itself in any manner which would have contributed to the problem” of getting tenants.21 The defendant did
not act deceptively but “undertook to keep the partnership accurately and clearly informed of the state of affairs.” 22
The instant case can be distinguished from Johnson. NC Thermaview was not cooperative with Ms. Entz.
Thermaview waited too long to check its systems for a breach in noncompliance with industry standards.
Thermaview did not keep Ms. Entz clearly informed. Ms. Entz received notice of the breach in the fourth quarter of
the year, when according to the data breach notice the breach began in January. Quarterly wireless access point
inspections would have revealed a January breach in March, and would have revealed a June breach in September.
A court would likely rule that NC Thermaview is in violation of the UDTPA.
12 PCI standards are established by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. PCI Security Standards Council, About The PCI Security Standards Council, https://www.pcisecuritystandards.org/organization_info/ (last visited Dec. 12, 2014).
13 PCI SECURITY STANDARDS COUNCIL, PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD: REQUIREMENTS AND SECURITY ASSESSMENT PROCEDURES VERSION 3.0 at* 7. (2013) https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf.
14 Id. at 44.
15 Id. at 49.
16 Id. at 89.
17 Id. at 7-8.
18 N.C. Gen. Stat. § 75-1.1(a) (2014)
19 Johnson v. Phoenix Mutual Life Ins. Co., 266 S.E.2d. 610, 616-18 (1980).
20 Id. at 623.
21 Id. at 622.
22 Id. at 622-623.
In Pearce v. American Defender Life Ins. Co., the plaintiff’s late husband bought a life insurance policy
which he believed would cover him.23 After his death, the insurance company refused to pay part of the policy. 24
His wife sued.25 The court ruled that a defendant’s actions are unfair and deceptive if they have “capacity…to
deceive,” based on the judgment of the average consumer, and if the plaintiff suffered actual injury as a proximate
result.26 NC Thermaview’s actions are unfair and deceptive according to the definition in American Defender. The
average consumer would assume that the marketing statement “confidential and supportive” in the NC Thermaview
brochure meant that their personal information was safe from hackers. The data breach proximately caused Ms. Entz
to lose 200 hours of work.
A court will award treble damages for violations of the UDTPA.27 Presently, lacking evidence that the data
breach proximately caused her identity theft or proximately caused a diagnosable emotional disorder, Ms. Entz is
likely entitled to treble her lost work revenue. If evidence of proximate cause becomes available, or a further
medical diagnosis becomes available, Ms. Entz would be entitled to treble the amount a jury assigns to all three
harms.
IV. Violation of North Carolina Identity Theft Act.
NC Thermaview may be liable for violation of the North Carolina Identity Theft Act, because the business
failed to delete or destroy the images after sending them to Dr. Prosser. Under the Act, any business that does
business in NC or maintains/possesses personal information of an NC resident is required to “take reasonable measures
to protect against unauthorized access to or use of the information in connection with or after its disposal.”28 These
“reasonable measures” must include the implementation of policies to erase electronic media containing personal
information so that it can no longer be read or reconstructed.29
Mailing the images to Prosser may be a form of “disposal.” Since Thermaview is run by a nurse (as opposed to
a physician) she could not expect to do any further medical procedures, diagnoses, or treatments after obtaining the
thermal imaging scans. After obtaining the scans, she is turning them over to Prosser without expecting to use them any
more. This counts as “disposal” because the nurses who run NC Thermaview do not intend to use the information
further after it is sent to the patient’s doctor of choice – the information is “dispos[ed]” of by sending it to Prosser.
NC Thermaview is liable for violation of the NC Identity Theft Act by failing to destroy the information. Under
N.C.G.S. 75-64(f), Ms. Entz is entitled to treble damages and attorney’s fees for the violation.30
V. Business Interruption
Ms. Entz will likely be able to recover damages for business interruption. Under Young v. Stewart, a
plaintiff is entitled to recover for lost profits when business earnings are due to her personal efforts (as opposed to
hired employees), when the defendant tortiously causes the reduction in the plaintiff’s earning capacity and there is
23 Id. at 176.
24 Id. at 177.
25 Id.
26 Id. at 180.
27 N.C. Gen. Stat. § 75-16 (2014).
28 N.C. Gen. Stat. § 75-64(a) (2014).
29 N.C. Gen. Stat. § 75-64(b) (2014).
30 N.C. Gen. Stat. §75-64(f) (2014).
sufficient evidence of the plaintiff’s past earnings.31 Here, Ms. Entz lost at least $3600 and at most $6000
(calculated using the range of $18 to $30 per hour charged, times 200 hours spent restoring her credit and looking
for the identity thief). Like the plaintiff in Young v. Stewart, whose earnings and commissions were drastically
reduced when the defendant caused her chronic back pain by crashing into her vehicle, Ms. Entz’s earning ability
has been drastically reduced when the NC Thermaview data breach caused her loss of ability to focus.32 Ms. Entz is
likely entitled to recover damages in the amount of the profits she reasonably would have made, were she not
distracted from her work. She should see a psychiatrist to determine whether she has a diagnosable inability to
focus or clinical anxiety disorder caused by the data breach. A medical diagnosis, if available, will bolster her
business interruption claim. She should also prepare evidence of her past earnings, such as a list of accounts receivable
or invoices.
VI. Negligent Infliction of Emotional Distress
A claim for negligent infliction of emotional distress (“NIED”) is likely to succeed in the event that Ms.
Entz has a diagnosable emotional or mental disorder (such as PTSD, chronic anxiety, or depression) caused by the
data breach. Under North Carolina law, to state a NIED claim, the plaintiff must show that the defendant’s conduct
was negligent, that the defendant’s conduct would foreseeably cause severe emotional distress to the plaintiff, and
that the defendant’s actions did in fact cause severe emotional distress.33 Proximate cause of severe distress is
required.34 Severe emotional distress is defined as “any emotional or mental disorder…which may be generally
recognized and diagnosed by professionals trained to do so.”35 In Reilly v. Ceridian, plaintiffs sued a payroll
processing firm for emotional distress after a security breach of their personal information. The court ruled that
emotional distress could not exist if there was no change in the status quo and no human health concern at stake.
The facts of the instant case can be distinguished from Reilly v. Ceridian. Here, the status quo has changed. Ms.
Entz has lost over $180,000 and her income as a freelance editor has been compromised. Her inability to focus
represents a health concern. A medical diagnosis, if available, would further support the argument that a weighty
health concern is at stake.
VII. Breach of Contract
NC Thermaview is liable for breach of contract. Breach of contract occurs when there is existence of a
valid contract and breach of the terms of that contract.36 A valid contract is formed when there is assent, mutuality,
and definite terms including consideration.37 Here, Ms. Entz and NC Thermaview formed a contract when she paid
for the services with her credit card. Her credit card payment was the acceptance of NC Thermaview’s offer of
thermal imaging in a “confidential” environment. Ms. Entz assented to the offer by paying. The amount she paid
for the thermal imaging was Ms. Entz’s consideration. Breach of contract occurred because Ms. Entz’s treatment
was not confidential. Ms. Entz justifiably relied on the premise that her information would be kept confidential.
31 Young v. Stewart, 101 N.C. App 312, 316-7 (1991).
32 Id. at 312-313.
33 22 Strong’s North Carolina Index 4th Negligence § 43 (2014).
34 Johnson v. Ruark Obstetrics and Gynecology Assocs. P.A., 327 N.C. 283, 304 (1990).
35 Id.
36 6 Strong’s North Carolina Index 4th Contracts § 87 (2014).
37 6 Strong’s North Carolina Index 4th Contracts § 3 (2014).
VIII. Breach of Implied Covenant of Good Faith & Fair Dealing
NC Thermaview likely breached the implied covenant of good faith and fair dealing by failing to comply with
HIPAA security standards and PCI quarterly monitoring standards. When Ms. Entz paid for the imaging services
with her credit card, she entered into an enforceable contract with NC Thermaview. NC Thermaview offered
thermal imaging sent to her doctor, with a confidential and supportive environment. Ms. Entz accepted by payment
with consideration equal to the cost of the services. Any party who enters an enforceable contract is “required to act
in good faith and to make reasonable efforts to perform his obligations under the agreement.” 38 A breach of this
implied covenant occurs when there is a breach of an express term of the contract, prompted by the defendant’s
conscious and deliberate act.39 In Resnick v. Avmed, plaintiffs became victims of identity theft when Avmed laptops
were stolen. The court ruled that there was no breach of the covenant of good faith and fair dealing because Avmed
did not commit a conscious and deliberate act causing the identity theft.40 Here, NC Thermaview breached an
express term of the agreement by failing to provide a “confidential” environment. The failure to provide
confidentiality did not occur through NC Thermaview’s mistake, but through the deliberate decision to password-
protect the website (leaving it more vulnerable than encryption) and to avoid compliance with PCI quarterly
monitoring of wireless access points. NC Thermaview’s failure to encrypt the website, and failure to comply with
PCI standards for between four and ten months, demonstrate two deliberate acts which compromised the privacy of
Ms. Entz’s personal data.
IX. Breach of Fiduciary Duty
Breach of fiduciary duty occurs when a defendant fails to "act in good faith and with due regard to
plaintiff's interests.”41 For example, in White v. Consolidated Planning, an insurance company hired the plaintiff’s
son, who misappropriated funds from his parents’ account. The court ruled that the insurance company violated
fiduciary duty by breaching trust and allowing the parents to rely on false representations.42 Here, NC Thermaview
also did not act with due regard to Ms. Entz’s best interest. The company allowed her to rely on the representation
that its services were confidential. NC Thermaview failed to encrypt the website where her data was listed and
failed to regularly check for unauthorized wireless access.
X. Negligence Claims Against Dr. Prosser
Dr. Prosser may be liable for negligence due to failure to set up a HIPAA-compliant contractual business
associate relationship with NC Thermaview. As discussed in Section I, assuming Prosser transmits as well as
receives electronic health information, Prosser is a covered entity under 45 CFR 160.103. NC Thermaview is then a
business associate under 45 CFR 160.103. A covered entity can only allow a business associate to “create, receive,
maintain, or transmit protected health information on its behalf,” if the covered entity “obtains satisfactory assurance
that the business associate will appropriately safeguard the information.”43 Prosser may be obligated to set up a
contract with business associates requiring them to use appropriate data security standards. Thermaview’s failure to
implement appropriate data security practices may be attributable to the doctor for negligence.
38 6 Strong’s North Carolina Index 4th Contracts § 56 (2014).
39 Resnick v. AvMed, Inc., 693 F.3d 1317, 1329 (11th Cir. 2012).
40 Id. at 1329-30.
41 White v. Consolidated Planning, Inc., 166 N.C. App. 283, 293 (2004) (quoting Vail v. Vail, 233 N.C. 109, 114 (1951)).
42 Id. at 294.
Although Prosser likely represents a more monetarily viable target for suit than NC Thermaview due to
insurance, Ms. Entz probably should only sue NC Thermaview. The claim against Dr. Prosser is not strong. Since
NC Thermaview only sent the images to Dr. Prosser once, Prosser will argue that a one-time interaction does not
constitute a business associate relationship and does not necessitate a contract under HIPAA. The type of covered
entity – business associate relationship likely intended by the statute is a long-term relationship, such as that
between a doctor’s office and a payroll firm, or between a hospital and an administrative staffing company. The
claims against NC Thermaview are significantly stronger than any claims against Prosser. Dr. Prosser may be a key
witness or supply a key deposition as to Ms. Entz’s emotional state, in the event that Ms. Entz has a diagnosable
emotional condition resulting from the data breach. Ms. Entz should consider whether a possible larger payout on a
less tenable claim outweighs Dr. Prosser’s value as a witness to her anxious and agitated state in a suit against
Thermaview.
XI. Claims Presently Unlikely to Succeed
No defamation has occurred under present facts. If the thermal images ever actually appear on the Internet
paired with false information, such as a statement that Ms. Entz is sickly, the individual posting the photos would likely
be liable for defamation.44 Ms. Entz could use a reputation defender service (such as Reputation.com) to regularly
search the internet for any photos of her torso.45 If the photos are posted, a reputation defender would minimize the
damage to Ms. Entz’s public image by identifying the photos quickly and attempting to eliminate them from search
engines.
A fraud claim will likely fail because there is no evidence that NC Thermaview intended for its customers’
data to be stolen or to deceive customers.46 Thermaview’s promissory misrepresentation of a “confidential”
environment does not constitute fraud, because there is no evidence that Thermaview intended to cause harm.47
An Intentional Infliction of Emotional Distress claim will fail because there is no evidence that Thermaview intended to
cause her any anxiety and, as of yet, no medical diagnosis of Ms. Entz’s anxiety.48 North Carolina recognizes
neither the Public Disclosure of Private Facts tort nor the False Light in Public Eye tort.49
43 45 C.F.R. § 160.103.
44 Defamation occurs when a falsehood is published as a statement of fact and proximately causes injury. Tyson v. L'Eggs Products, Inc., 84 N.C. App. 1 (1987).
45 Reputation.com helps individuals and businesses control their online personae. “About Us,” http://www.reputation.com (last visited Dec. 11, 2014).
46 Fraud occurs when there is false representation or concealment of a material fact, reasonably calculated to deceive, made with intent to deceive, which does in fact deceive, resulting in damage to the injured party. Ragsdale v. Kennedy, 286 N.C. 130, 130 (1974).
47 Pierce v. American Fidelity Fire Ins. Co., 240 N.C. 567, 567 (1954).
48 Intentional Infliction of Emotional Distress occurs when an actor who by extreme and outrageous conduct intentionally or recklessly causes severe emotional harm to another, is subject to liability for that emotional harm, and if the emotional harm causes bodily harm, also for the bodily harm. Dickens v. Puryear, 302 N.C. 437, 447 (1980).
49 See Hall v. Post, 355 S.E.2d 819 (N.C. Ct. App. 1987). Public Disclosure of Private Facts occurs when one who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that a) would be highly offensive to a reasonable person and b) is not of
XII. Conclusion
Ms. Entz should wait to file suit (while still staying within the statute of limitations) until she receives a
psychiatric evaluation and until a data security expert can investigate a potential nexus between the data breach and
Ms. Entz’s identity theft. Presently, she is likely able to recover on six claims, two of which offer treble damages.
However, she will be unable to allege negligence without proof of proximate cause. She will be unable to allege
NIED without a medical diagnosis of emotional distress. A psychiatric evaluation and the opinion of a data security
expert may provide Ms. Entz with more claims to raise in litigation and strengthen the claims on which she is
already likely to prevail.
This work complies with the UNC Honor Code.
legitimate concern to the public. RESTATEMENT 2ND OF TORTS §652D (1977). False light in the public eye occurs when one who gives publicity to a matter concerning another places the other before the public in a false light, is subject to liability to the other for invasion of privacy if a) the false light in which the other was placed would be highly offensive to a reasonable person, and b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed. RESTATEMENT 2ND OF TORTS §652E (1977).