Shymikka Griggs v. NHS Management, LLC, [Ms. SC-2023-0784, Nov. 15, 2024] __ So. 3d __ (Ala. 2024). The Court (Parker, C.J.; Wise, Bryan, Sellers, Mendheim, and Mitchell, JJ., concur; Cook, J., concurs specially; Shaw, J., concurs in the result; Stewart, J., concurs in the result) affirms the Jefferson Circuit Court’s dismissal of a data-breach class action filed by Shymikka Griggs against NHS Management, LLC, and holds that Griggs failed to sufficiently plead her claims under Alabama law.
NHS, a management company for nursing homes and rehabilitation facilities, discovered a data breach in May 2021 but did not notify affected individuals, including its former employee Griggs, until March 2022. Griggs alleged that the breach exposed her Social Security number, medical information, and insurance details, resulting in fraudulent activity, increased spam communications, and the need for ongoing credit monitoring. She filed a class-action complaint asserting negligence, negligence per se, invasion of privacy, unjust enrichment, breach of confidence, breach of fiduciary duty, and a violation of the Alabama Deceptive Trade Practices Act (ADTPA).
Writing for the Court, Chief Justice Parker underscores the importance of following Alabama’s established legal standards when pleading claims, especially in data-security litigation. While acknowledging the serious concerns stemming from data breaches, Chief Justice Parker emphasizes that courts cannot extend liability without explicit legislative or legal precedent and that litigants must provide citations to authority, even if outside of the jurisdiction, in support of arguments made in appellate briefs in accordance with Rule 28(a)(10). Ms. *12.
Regarding invasion of privacy, the Court cites Rosen v. Montgomery Surgical Ctr., 825 So. 2d 735, 737 (Ala. 2001), and Johnston v. Fuller, 706 So. 2d 700, 701 (Ala. 1997), emphasizing that such claims require proof of an intentional wrongful intrusion, which Griggs fails to allege. Ms. **16-17. Similarly, the Court holds her unjust enrichment claim is insufficient under Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064, 1072 (C.D. Ill. 2016), which rejects similar claims where no direct financial benefit was conferred on the defendant for providing data security. Ms. *19. Griggs’s breach-of-confidence claim lacks allegations of affirmative disclosure by NHS, as required under Purvis v. Aveanna Healthcare, LLC, 563 F. Supp. 3d 1360, 1378 (N.D. Ga. 2021), and her fiduciary duty claim fails under Miller v. SCI Sys., Inc., 479 So. 2d 718, 720 (Ala. 1985), which holds that employers generally do not owe fiduciary duties to employees. Ms. **21-22.
Chief Justice Parker emphasizes that claims of negligence or negligence per se require the plaintiff to plead and prove essential elements, including duty, causation, and damages, as outlined in Prill v. Marrone, 23 So. 3d 1, 6 (Ala. 2009). A plaintiff must establish the existence of a specific duty owed to her by the defendant. Under Alabama law, employers are generally not required to protect employees’ personal information from criminal acts by third parties unless extraordinary circumstances or a special relationship exist. Ms. **30-31, citing Carroll v. Shoney’s, Inc., 775 So. 2d 753, 755-56 (Ala. 2000). The Court notes Griggs fails to demonstrate foreseeability or any specialized knowledge by NHS sufficient to establish such a duty.
The Court also rejects Griggs’s negligence per se claim, explaining that neither HIPAA nor the Federal Trade Commission Act (FTCA) provides a private right of action or establishes enforceable duties under Alabama law. For a statutory duty to apply under state law, it must be intended to protect a class that includes the plaintiff and must specifically address the alleged harm. Citing Allen v. Delchamps, Inc., 624 So. 2d 1065 (Ala. 1993) and Fox v. Bartholf, 374 So. 2d 294 (Ala. 1979), the Court concludes that Griggs did not demonstrate that these statutes were intended to protect her or that they contemplated her alleged harm. Ms. **37-39.
Further, the Court emphasizes that Alabama law requires plaintiffs to allege a “manifest, present injury” to recover in tort, citing Southern Bakeries, Inc. v. Knipp, 852 So. 2d 712, 716 (Ala. 2002) (citing Hinton ex rel. Hinton v. Monsanto Co., 813 So. 2d 827, 829 (Ala. 2001) (plurality opinion); DeArman v. Liberty Nat’l Ins. Co., 786 So. 2d 1090 (Ala. 2000); Stringfellow v. State Farm Life Ins. Co., 743 So. 2d 439 (Ala. 1999); Williamson v. Indianapolis Life Ins. Co., 741 So. 2d 1057 (Ala. 1999); and Pfizer, Inc. v. Farsian, 682 So. 2d 405 (Ala. 1996)). Ms. **42-43. Griggs’s allegations of potential future harm and general inconveniences, such as monitoring her credit, did not meet this threshold.
Justice Cook concurs specially, discussing negligence and negligence per se claims in the data-breach context as these issues will likely continue to be presented to the Court. Justice Cook also again invites litigants with an appropriate case to challenge Alabama’s notice pleading standard in favor of the plausibility standard used in federal courts established by Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007), and Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). Ms. *45.