Please ensure Javascript is enabled for purposes of website accessibility

Data breach claims against Bojangles largely survive dismissal

Data breach glitchy style words on abstract binary code background. Internet crime, privacy problem concept

Data breach claims against Bojangles largely survive dismissal

Listen to this article
Summary:

The North Carolina Business Court allowed former and current employees of to proceed with most of their proposed class action arising from a 2024 , holding that the complaint plausibly alleged the company failed to implement reasonable cybersecurity measures and delayed notifying affected individuals of the breach.

The lawsuit arose after hackers allegedly infiltrated the defendant’s computer systems between February and March 2024 and exfiltrated approximately 295 gigabytes of employee data, including Social Security numbers, financial account information, driver’s license numbers and health information. The plaintiffs alleged the stolen data appeared on the hackers’ dark web leak site shortly after the attack but that the defendant waited approximately eight months before notifying affected employees. According to the complaint, that delay hindered their ability to protect themselves from identity theft and fraud, resulting in mitigation costs, diminished value of their personal information, emotional distress and, in one instance, fraudulent financial activity.

The Business Court concluded that the complaint adequately alleged the defendant owed employees a duty to exercise reasonable care in safeguarding their sensitive information. The court found it reasonably foreseeable that cybercriminals would target employee data and that the alleged injuries were sufficiently pleaded to survive a motion to dismiss. Questions concerning whether the breach ultimately caused those injuries, the court explained, should be resolved through discovery rather than at the pleading stage.

The court also allowed claims for breach of implied contract, unjust enrichment, violations of the North Carolina Unfair and Deceptive Trade Practices Act and to proceed. It held that requiring employees to provide sensitive personal information as a condition of employment plausibly created an implied obligation to use reasonable measures to protect that information. The declaratory judgment claim likewise survived because the complaint alleged the defendant continues to retain employee data while maintaining inadequate cybersecurity practices.

The court dismissed claims for negligence per se, concluding that neither the Federal Trade Commission Act nor HIPAA constitutes a public safety statute capable of supporting such a claim under North Carolina law. It also dismissed the invasion of privacy claim because the plaintiffs voluntarily provided their information to the defendant and did not allege an intentional intrusion into their private affairs.

The 34 page opinion is Dougherty v. Bojangles Restaurants Inc., Lawyers Weekly No. 020-060-26.


Top Legal News

See All Top Legal News

Commentary

See All Commentary