Supreme Court, New York County, May 20, 2004

APPEARANCES OF COUNSEL

Jeffrey Samel & Partners, New York City, for American Building Maintenance Company, third-party defendant. Moran & D'Arcambal, New York City, for defendant and third-party plaintiff. George David Rosenbaum, New York City, for plaintiffs.

Walter B. Tolub, J.

With the emergence of identity theft as one of this country's growing concerns, this court is required to address what promises to be a new area of law; namely, the duties and responsibilities incidental to the safeguarding of confidential personal information, and, more particularly, whether liability may attach to an entity that fails to safeguard personal and confidential information obtained in conjunction with the purchase of a life insurance policy.

On March 29, 2001, plaintiff Sara E. Daly, a New York State resident,^[FN1] completed an application for a life insurance policy (No. 201064781A) from defendant and third-party plaintiff Metropolitan Life Insurance Company (Met Life). To effectively complete this application, [*2]Ms. Daly was required to provide personal information including, but not limited to, her full name, her date of birth, her driver's license, and her Social Security number.

Upon completion, Ms. Daly's life insurance application was processed by Met Life. Although Ms. Daly was a resident of New York at the time she applied for and purchased the policy, the application she completed was processed at Met Life's Moosic, Pennsylvania office. Ms. Daly signed and received the life insurance policy on May 1, 2001 after meeting with Met Life representative Rick Vodilko.^[FN2]

At some point after completing the application, but prior to issuance of the policy, Ms. Daly received a "Privacy Notice"{**4 Misc 3d at 889} from Met Life detailing the company's privacy policy, and how confidential information is both stored and shared. The notice included the following statement:

"How We Protect What We Know About You: We treat what we know about you confidentially. Our employees are told to take care in handling your information. They may get information about you only when there is a good reason to do so. We take steps to make our computer data bases secure and to safeguard the information we have about you" (affidavit in opposition, exhibit E).

Between March 29, 2001 and April 23, 2001, plaintiffs claim that defendant Met Life negligently allowed non-Met Life employees unfettered access to Ms. Daly's confidential information. Specifically, plaintiffs allege that Met Life negligently allowed Arthur Strickland, a janitor responsible for cleaning Met Life's Moosic, Pennsylvania offices, Sandra Strickland, and Dorothy Walters access to Ms. Daly's confidential personal information. These individuals then used that information to fraudulently establish and use numerous credit card accounts.^[FN3]

Ms. Daly first became aware that her personal information had been fraudulently used in early May of 2001 when she was contacted by a Sears representative seeking to verify information for a new credit card application. After Ms. Daly confirmed that she had not applied for a credit card and that the current application was fraudulent, Ms. Daly contacted Experian, Equifax, and TransUnion (credit bureaus), nationally recognized agencies that provide personal and corporate credit reports, and notified them of the fraud. A subsequent check of Ms. Daly's credit report revealed that between April 24, 2001 and the time the credit bureaus were notified, Ms. Daly's stolen personal information had been used to create numerous fraudulent credit [*3]accounts.^[FN4] The credit reports also indicated that the parties possessing Ms. Daly's stolen information also attempted to create accounts {**4 Misc 3d at 890}in the name of Ms. Daly and her father, plaintiff John S. Daly. Each of the accounts successfully established used Ms. Daly's personal information and one of several different Pennsylvania addresses.

After reporting the suspected fraud to the credit agencies and the respective stores issuing the fraudulently obtained credit lines, Ms. Daly filed a police report detailing the fraud with the Hoboken Police (affirmation in opposition, exhibit D).^[FN5] Ms. Daly then contacted Met Life's Melville, New York office to report the fraud. The fraud allegation was further investigated by Met Life's office in Hauppauge, New York (affirmation in opposition, exhibit B). In September 2002, plaintiffs commenced the instant action comprised of two causes of action alleging negligence and seeking damages for compromising plaintiffs' personal lines of credit.

In response to the instant action, in November 2002, defendant and third-party plaintiff Met Life commenced a third-party action against defendants American Building Maintenance Company (ABM), Sardoni Enterprises, and John Does 1-10. Third-party defendant ABM is a domestic corporation incorporated in Pennsylvania and authorized to conduct business in the States of Pennsylvania and New York, with its principal place of business located in San Francisco, California. ABM is in the business of cleaning, servicing and/or maintaining offices, buildings and/or commercial spaces. Third-party defendant Sardoni is the owner of the building occupied by Met Life in Moosic, Pennsylvania. Defendant and third-party plaintiff Met Life claims that Sardoni retained the services of ABM to clean Met Life's offices. Arthur Strickland, a janitor employed by ABM, is alleged to have stolen Ms. Daly's personal information from Met Life's Moosic, Pennsylvania office.

In the instant motion made by third-party defendant American Building Maintenance Company, ABM seeks dismissal of plaintiffs' complaint and the third-party complaint of defendant and third-party plaintiff Metropolitan Life Insurance Company pursuant to CPLR 301 and 327 on the grounds of forum non conveniens and lack of jurisdiction.{**4 Misc 3d at 891}

Defendant and third-party plaintiff Metropolitan Life Insurance Company cross-moves for summary judgment against plaintiff pursuant to CPLR 3212.

The court first addresses the cross motion of defendant and third-party plaintiff Met Life for summary judgment, as if granted, it would eliminate the necessity of addressing the motions of third-party defendant ABM.

As we have oft said, a motion for summary judgment limits this court's role to finding issues, and not resolving them. To succeed, it is thus incumbent upon the movant to provide the [*4]court with admissible evidence sufficient to demonstrate an absence of any triable issues of fact, thereby demonstrating entitlement to judgment as a matter of law (Sillman v Twentieth Century-Fox Film Corp., 3 NY2d 395 [1957]; Winegrad v New York Univ. Med. Ctr., 64 NY2d 851, 853 [1985]; see generally, Barr, Altman, Lipshie, and Gerstman, New York Civil Practice Before Trial §§ 37:91-37:92 [James Publ 2001-2003]).

The opposing party bears the burden of producing evidentiary proof in admissible form that is sufficient to establish the existence of material issues of fact requiring trial. Mere conclusions, expressions of hope, or unsubstantiated allegations are insufficient for this purpose (Zuckerman v City of New York, 49 NY2d 557 [1980]), and, if there is any doubt that triable issues of fact exist, summary judgment will not be granted.

A prima facie cause of action in negligence is established when a plaintiff demonstrates (1) a duty owed to plaintiff, (2) breach of that duty, and (3) that plaintiff suffered an injury proximately caused by the breach (Solomon v City of New York, 66 NY2d 1026 [1985]). In support of its motion, Met Life asserts that plaintiffs have not established a right to recovery under a theory of negligence, and cannot establish that defendant Met Life was negligent in how it maintained plaintiffs' confidential information. Additionally, Met Life posits that, even if a duty to plaintiffs was owed by them, plaintiffs, to date, are unable to demonstrate tangible damages and, even if those damages could be established, Met Life bears no responsibility to plaintiffs because of the intervening acts of a nonparty tortfeasor.

This court is not aware of any case law that is directly on point on these issues, and concedes that this case may in fact be one of first impression in New York. However, it does not agree with Met Life's argument that summary judgment dismissing the complaint is warranted.{**4 Misc 3d at 892}

The gravamen of plaintiffs' claims is that, in order to obtain a life insurance policy, Ms. Daly had to provide sensitive personal information for herself and for her father. Met Life represented that this information would be protected and would remain fully confidential. Relying on that promise, Ms. Daly released her personal information to Met Life, only to later discover that Met Life failed to safeguard that information, which was stolen from Met Life's Moosic, Pennsylvania office by a nonparty tortfeasor and used to plaintiffs' detriment.

Plaintiffs' claims are similar to those seen in causes of action for breach of fiduciary duty of confidentiality. This cause of action, seen within the context of physician-patient relationships, arises as a result of a physician's unauthorized disclosure of a patient's confidential medical records (see, Tighe v Ginsberg, 146 AD2d 268 [4th Dept 1989]). The duty not to disclose confidential personal information in these types of cases does not, however, arise from a statutory right (Doe v Community Health Plan—Kaiser Corp., 268 AD2d 183 [3d Dept 2000]; CPLR 4504, 4508; Public Health Law § 4410). It is derived from "the implied covenant of trust and confidence that is inherent in the physician patient relationship, the breach of which is actionable as a tort" (Doe, 268 AD2d at 187; MacDonald v Clinger, 84 AD2d 482, 485-487 [4th Dept 1982]).

A similar covenant of trust and confidence may be inferred in business dealings. Indeed, it is well established under New York law that "a fiduciary duty arises, even in a commercial transaction, where one party reposed trust and confidence in another who exercises discretionary functions for the party's benefit or possesses superior expertise on which the party relied" (Anonymous v CVS Corp., 188 Misc 2d 616, 620 [Sup Ct, NY County 2001]; Wiener v Lazard Freres & Co., 241 AD2d 114 [1st Dept 1998]). While this concept has never before been applied to issues surrounding the protection of confidential personal information, perhaps in the absence of appropriate legislative action, it should.

Identity theft, without question, is becoming one of the fastest growing criminal offenses in the 21st century. The Federal Trade Commission (FTC) estimates that in a five-year period prior to early 2003, in the United States alone, there were 27.3 million reported cases of identity theft (Thomas Fedorek, Computers + Connectivity = New Opportunities for Criminals and Dilemmas for Investigators, 76 NY St BJ 10, 15 [Feb. 2004]). The ensuing fraud caused damages in the billions for businesses,{**4 Misc 3d at 893} financial institutions and consumers, and subjected the victims to hours upon hours of work related to straightening out problems caused by the theft of their identity.^[FN6]

It is therefore not surprising that the issue of whether liability may attach to an entity that fails to safeguard its clients' personal and confidential information is of great importance and concern. Nor is surprising that many public and private entities have already attempted to thwart this growing problem in the absence of formal legislation. Recently enacted HIPPA (Health Insurance Portability and Accountability Act of 1996) legislation now governs the distribution of confidential medical records. Confidentiality agreements are routinely signed by incoming employees as a condition of employment where companies seek to protect client bases and trade secrets, and, among banking and finance entities, "privacy notices" or "privacy policies" are routinely issued as a way to assure and apprise their clientele of the numerous ways in which the company is protecting personal and confidential information from unauthorized use.

On the papers presented by the parties in this case, this court is convinced that Met Life had a duty to protect the confidential personal information provided by the plaintiffs. When Ms. Daly wished to purchase a life insurance policy from Met Life, she was required to, and agreed to, supply Met Life with highly sensitive personal information including her full name, her Social Security number, and her date of birth. Implicit in this agreement was a covenant to safeguard this information. Met Life, in fact, recognized that obligation, and issued a privacy notice to their customers stating that they took great care in safeguarding their customers' personal information.

It should be noted that, at this juncture, the court is not persuaded by Met Life's argument that plaintiffs have not presented evidence of damages. The amount of damages in any case alleging personal injury is a question of fact for a jury to decide (Lamb v Babies 'R' Us, 302 AD2d 368 [2d Dept 2003]; Fares v Fox, 198 AD2d 396 [2d Dept 1993]; Durso v City of New York, 96 AD2d 458 [1st Dept 1983]). As such, that issue, as well as the issue of whether Met Life's responsibility for damages is lessened or eliminated under the theory that the theft of plaintiffs' {**4 Misc 3d at 894}information by a third party was an unforeseeable intervening event, are reserved as issues for trial. Inasmuch as there remain considerable questions of fact concerning the precautions taken by Met Life to safeguard plaintiffs' personal information, at this juncture, [*5]summary judgment cannot be awarded. The court therefore now directs its attention to the issue of whether or not this matter has been brought in the appropriate forum.

"Founded upon the equitable principles of justice, fairness and convenience, the common-law doctrine of forum non conveniens, as codified in CPLR 327, is a highly flexible concept whereby a court, after considering and balancing certain competing factors, may entertain or decline to entertain jurisdiction over an action" (Intertec Contr. A/S v Turner Steiner Intl., S.A., 6 AD3d 1, 2-3 [1st Dept 2004]; see generally, Barr, Altman, Lipshie, and Gerstman, New York Civil Practice Before Trial § 36:503 [James Publ 2001-2003]). The decision is one that is squarely within the discretion of the court after it has weighed relevant factors including, but not limited to, the residence of the parties, the location of the witnesses, the location of the transaction giving rise to the cause of action, applicability of the laws of another state or country, location of the witnesses, and the location of any pending discovery (National Bank & Trust Co. of N. Am. v Banco De Vizcaya, 72 NY2d 1005 [1988], cert denied 489 US 1067 [1989]; Islamic Republic of Iran v Pahlavi, 62 NY2d 474, 478 [1984], cert denied 469 US 1108 [1985]).

In the instant litigation, third-party defendant ABM contends that New York is not the proper forum for this litigation, arguing that the case has no nexus with the State of New York.{**4 Misc 3d at 895} This court disagrees. Contrary to the assertions of third-party defendant ABM, Ms. Daly was a New York resident when she applied for and obtained an insurance policy from defendant Met Life, a New York company. Ms. Daly was in New York when she purchased the policy, she made telephone calls from New York to Met Life to discuss the policy, and, when it became apparent that Ms. Daly's personal information had been fraudulently used, it was Met Life's office in Melville, New York, that initially processed Ms. Daly's complaint, which was then investigated by Met Life's Hauppauge, New York office. These facts indicate that there indeed exists a significant nexus with the State of New York.

The court recognizes that third-party defendants Sardoni and ABM as well as the parties accused of stealing Ms. Daly's identity and using it to her detriment are residents of the State of Pennsylvania. The court further concedes that this litigation may require testimony from witnesses who are Pennsylvania residents. Indeed, there is no one state which is convenient to all of the parties. However, after weighing all relevant factors, this court is confident that both the primary and third-party actions are properly within the State of New York. As there is no valid reason to transfer this action from the State of New York to the State of Pennsylvania, the branch of the motion of third-party defendant ABM to remove the instant action on the grounds of forum non conveniens is denied.

The portion of third-party defendant ABM's motion to dismiss predicated on lack of jurisdiction is also denied. ABM failed to raise lack of jurisdiction as an affirmative defense when it answered the third-party complaint. Inasmuch as this motion was brought after having answered the complaint, any defenses based on lack of jurisdiction are deemed waived pursuant to the CPLR (CPLR 3211 [e]; Air Tite Mfg. v Acropolis Assoc., 202 AD2d 1067 [4th Dept 1994]; see also, Aretakis v Tarantino, 300 AD2d 160 [1st Dept 2002]; Worldcom, Inc. v Dialing Loving Care, 269 AD2d 159 [1st Dept 2000]). Accordingly, the branch of third-party defendant ABM's motion seeking to dismiss the action in entirety for lack of [*6]jurisdiction is denied.

Accordingly, it is ordered that the motion of defendant and third-party plaintiff Metropolitan Life Insurance Company for summary judgment is denied with leave to renew upon the conclusion of discovery; and it is further ordered that the motion of third-party defendant American Building Maintenance Company to dismiss plaintiffs' complaint and the third-party complaint of defendant and third-party plaintiff Metropolitan Life Insurance Company pursuant to CPLR 301 and 327 on the grounds of forum non conveniens and lack of jurisdiction is denied.