A letter or three per year, alerting of a data breach at a company with which you’ve interacted, is now par for the course. Hackers, and the companies whose data they seek, are engaged in a near-daily volley of attacks and defenses.

In a trio of cases brought against Gaston College, a community college in Dallas, North Carolina, three former students got a “notice of breach” letter from their school, as opposed to more familiar senders like on-line merchants or big-box stores. The hacking target being a State actor introduced a host of immunity issues the Business Court tackled on motions to dismiss.

In Vernon v. Trs. of Gaston Coll., 2024 NCBC 54, the court weighed contract and tort claims arising from a February 2023 data breach at the college that was disclosed to each of the plaintiffs in August 2023.

The comparatively easy part for the court was a determination that the college was immune from suit as a State institution, and that this sovereign immunity was “absolute and unqualified” unless waived. Id. ¶ 41 (quoting Guthrie v. N.C. State Ports Auth., 307 N.C. 522, 534 (1983). That led to a prompt disposition of several claims.

 Plaintiffs’ negligence-based allegations suffered from a “right claim, wrong forum” failing. They benefitted from an express waiver in the State Claims Tort Act, N.C.G.S. § 143-291, to allow them to be brought, but were dismissed without prejudice because “[j]urisdiction to hear such claims [is] vested in the Industrial Commission.” Id. ¶ 49 (quoting Guthrie). Moreover, one plaintiff alleged a Chapter 75 claim for unfair and deceptive practices, but that was dismissed because the college is not a “person, firm, or corporation” against which the statute can be applied. Id. ¶ 47 (citing N.C.G.S § 75-16; Sperry Corp. v. Patterson, 73 N.C. App. 123, 125 (1985) (Chapter 75 doesn’t create “a cause of action against the State, regardless of whether sovereign immunity may exist”)).

Plaintiffs’ breach of contract claims survived on the well-settled principle that “[w]hen the State enters into a valid contract, [it] implicitly consents to be sued for damages on the contract in the event” of breach. Id. ¶ 57. Relying upon the relative ease of pleading” a contract breach in a notice-pleading regime, Judge Robinson found plaintiffs met that bar with allegations that each plaintiff contracted with the college for educational services (including promises to safeguard their identifying data) and that there was a breach. Id. ¶¶ 60-61.

Worth Noting

  • The all day, every day, cybersecurity challenges faced by Gaston College and the legion of companies which hold personal data are immense. Forbes recently published a sobering picture of this landscape that noted in 2023 (i) there were 2,365 cyber-attacks, with more than 343 million victims; and (ii) there was a 72 percent increase in data breaches compared with 2021.  

Brad Risinger is a partner in the Raleigh office of Fox Rothschild LLP.