Stevens v. First Interstate Bank , 167 Or. App. 280 ( 2000 )

Plaintiffs appeal from a summary judgment dismissing their claim for “breach of confidentiality,” which sought emotional distress damages against defendant, First Interstate Bank of California (FICAL). That claim arises from FICAL’s alleged failure to protect from third-party misappropriation and wrongful use certain personal and credit information that plaintiffs had provided to their bank. We conclude that plaintiffs’ claim is not properly for “breach of confidentiality” and that, to the extent that plaintiffs’ claim is properly characterized as one for negligent infliction of emotional distress, the relationship between plaintiffs, as depositors, and the defendant bank does not give rise to the sort of separate “legally protected interest” necessary to support such a claim. Accordingly, we affirm.

For purposes of summary judgment, the material facts are uncontroverted. Plaintiffs, husband and wife, maintained checking accounts with First Interstate Bank of Oregon (FIOR). In connection with those accounts, FIOR required plaintiffs to disclose to it certain private and confidential information, including social security numbers and dates of birth.

On June 27,1994, FICAL, an affiliate of FIOR, hired Stanley C. Stevenson as a collector in its credit card department. Stevenson had a criminal conviction for grand theft. However, Stevenson lied and failed to disclose that conviction in completing FICAL’s employment application, which specifically asked whether the applicant had ever been convicted of a criminal offense involving dishonesty or breach of trust. After Stevenson began work, FICAL, in accordance with bank policy and procedure, forwarded Stevenson’s fingerprints to the FBI for a background check.

Between his hiring and early October 1994, Stevenson, through his job, had access to the shared customer database of FIOR and FICAL. Through that database, Stevenson gained access to plaintiff Stanley Stevens’s private and confidential information. Stevenson used that information to procure numerous charge cards and loans.

*283On October 3, 1994, three months after Stevenson began working, FICAL received a report from the FBI that disclosed Stevenson’s prior grand theft conviction. FICAL promptly suspended and then terminated Stevenson because of his access to records with the “potential for * * * finding information that’s not appropriate.”

As a consequence of Stevenson’s misappropriation and misuse of Stanley Stevens’s “credit identity” in fraudulent credit-related transactions, plaintiffs were subject to collection calls for debts that they did not owe. They had to expend considerable effort to clear and correct their credit record and reputation. Although plaintiffs did not incur any monetary obligation as a result of Stevenson’s activities, they suffered anxiety, embarrassment, and distress.

In April 1997, plaintiffs filed this action, naming as defendants Stevenson, FICAL, and FIOR. In February 1998, plaintiffs filed their operative second amended complaint against Stevenson and FICAL.1 That complaint did not allege that Stevenson had acted within the course and scope of his employment with FICAL in misappropriating and disclosing plaintiffs’ personal and credit information. Rather, the complaint alleged that Stevenson, individually, had committed a trespass2 and that FICAL was liable for “breach of confidentiality”:

“15. FICA[L] had a duty to protect the private and confidential information concerning plaintiffs that was contained in its computer data base of customer information.

“16. FICA[L] breached that duty by hiring Stevenson and either:

*284“(a). Allowing him access to its computer data base of customer information, including the private and confidential information which plaintiffs were required to disclose to [the bank], without first having conducted a reasonable investigation of Stevenson’s criminal records history or

“(b). Not adequately protecting such private and confidential information from being accessed by unauthorized employees such as Stevenson.” (Emphasis added.)

Plaintiffs alleged that they had suffered emotional distress and anxiety and, consequently, sought to recover compensatory damages of $60,000 for Harriett Stevens and $90,000 for Stanley Stevens.

Two related aspects of plaintiffs’ claims are central to our analysis and bear immediate emphasis. First, plaintiffs’ “breach of confidentiality” claim against FICAL alleges direct liability, not vicarious liability for Stevenson’s conduct. Second, and concomitantly, plaintiffs’ claim against FICAL is not based on Stevenson’s use and disclosure of their information, but on FICAL’s failure to protect that information from wrongful appropriation by third parties.

FICAL answered and, on February 13,1998, moved for summary judgment against plaintiffs’ claim for breach of confidentiality. Before the court ruled on that motion, plaintiffs moved for leave to amend their complaint to seek punitive damages from FICAL for breach of confidentiality. That matter was deferred pending the disposition of the summary judgment motion.

In March 1998, the trial court granted FICAL’s summary judgment motion, concluding that plaintiffs did not have a “claim at all for breach of confidentiality.” The court explained:

“It doesn’t make any sense to me; okay? * * * Here’s what I’m saying: The bank has a contractual duty of confidentiality, as far as I’m concerned. * * * Now, if they are negligent, then they have some other duty. Part of negligence is a duty. But it isn’t a duty to confidentiality, it’s a duty to hire competent people who don’t steal from their customers. That’s the duty that you’re saying they breached.”

*285Alternatively, the court stated that, even if it had concluded that plaintiffs had stated a tort-based claim for breach of confidentiality, it would have granted FICAL’s motion on grounds that emotional distress damages were insufficient to sustain plaintiffs’ claim. Specifically, the court stated that it would have granted FICAL’s motion on grounds that “the kind of special relationship that creates [liability for emotional distress damages], or the kind of societal harm” necessary to recover solely for emotional distress damages was not present. Accordingly, the court entered an ORCP 67 B judgment for FICAL. That, in turn, rendered moot plaintiffs’ motion to amend to seek punitive damages. This appeal followed.3

On appeal, plaintiffs raise two assignments of error: (1) The trial court erred in concluding that plaintiffs’ claim against FICAL was insufficient in that it failed to state a claim for breach of confidentiality and, alternatively, that plaintiffs’ claim, even if otherwise sufficient, did not support recovery of emotional distress damages only. (2) The court erred in denying plaintiffs’ motion to amend to seek punitive damages. As described below, we affirm the trial court with respect to the first assignment of error. That disposition obviates the second assignment.

Before addressing the merits, we clarify and emphasize the issue presented here. In that regard, it is useful to identify what this case is not about. As framed by plaintiffs’ pleadings and the parties’ summary judgment submissions, this case does not involve: (a) a bank’s (or its agent’s) affirmative disclosure or misappropriation of a customer’s personal or credit information; (b) a bank’s failure to protect information provided to it as a trustee, in the course of a lending relationship, or in reliance on, and pursuant to, an express promise of protection; or (c) a claim for damages other than emotional distress damages. Rather, the issue presented here is precise: Where a third party misappropriates personal or credit information that a depositor had provided to a bank, and that misappropriation is the result of the bank’s failure to adequately protect the information from *286such misappropriation, is the bank liable for the depositor’s resulting emotional distress?

With the issue properly so described, it is apparent that — whatever plaintiffs’ claim against FICAL may be — it is not a claim for “breach of confidentiality.” The gravamen of the tort of breach of confidentiality,4 in Oregon and nationally, is the affirmative disclosure of information by a person to whom the confidential information has been entrusted. See Humphers v. First Interstate Bank, 298 Or 706, 717-19, 696 P2d 527 (1985); Note, Breach of Confidence: An Emerging Tort, 82 Colum L Rev 1429 (1982). As noted, this case is not about FICAL’s affirmative disclosure of information. Rather, it is about the bank’s alleged failure to protect information provided to it by a depositor from misappropriation by a bank employee acting outside the scope of his employment. Plaintiffs identify no authority — and we have found none — that expands the tort to impose liability where the defendant has not affirmatively disclosed the “entrusted” or “confidential” information. We decline to do so. See Humphers, 298 Or at 718 (referring to a breach of confidence as the “legal duty not to speak”).

That does not, however, end our inquiry. Plaintiffs’ claim, even if misdenominated, could, nevertheless, withstand summary judgment if it could otherwise support the recovery of emotional distress damages only. Cf. Curtis v. MRI Imaging Services II, 327 Or 9, 13-14, 956 P2d 960 (1998) (“characterization of the claim does not relieve [the] court of its responsibility to explain why purely psychological harm might be actionable”). As the trial court observed, plaintiffs’ claim is, at least most obviously, one for common-law negligence —i.e., negligent hiring of Stevenson. Accordingly, in the absence of physical injury, to recover emotional distress damages only, plaintiffs must demonstrate that their relationship with FIOR/FICAL gave rise to some distinct “legally protected interest” beyond liability grounded in the general obligation to “take reasonable care not to cause a risk of * * * *287foreseeable * * * harm” to plaintiffs. Nearing v. Weaver, 295 Or 702, 708, 670 P2d 137 (1983); see also Fazzolari v. Portland School Dist. No. 1J, 303 Or 1, 17, 734 P2d 1326 (1987).

Plaintiffs contend that the relationship between a bank and its depositors imposes a duty on the bank to protect information that transcends the general common-law duty to exercise reasonable care to prevent foreseeable harm. We disagree. The relationship between plaintiffs, as depositors, and their bank was not of the sort that Oregon courts have found gives rise to the requisite distinct “legally protected interest.” See Curtis v. MRI Imaging Services II, 148 Or App 607, 941 P2d 602 (1997), aff'd on other grounds 327 Or 9, 956 P2d 960 (1998) (examining those relationships giving rise to a duty that transcends generic, common-law foreseeability).

A depositor-bank relationship is a highly regulated, arm’s-length commercial relationship, in which the bank’s ability to act vis-a-vis its depositors is expressly limited. See generally ORS ch 74. In that respect, the depositor-bank relationship differs materially from trustee-trustor or lender-borrower relationships in which a party may entrust confidential information to the bank for a particular purpose and in which that party must rely on the bank’s exercise of independent professional judgment to achieve an agreed purpose. See generally Conway v. Pacific University, 324 Or 231, 240, 924 P2d 818 (1996).5 Rather, the depositor-bank relationship is, in our view, more analogous to a merchant-customer relationship in which the customer, in transacting a credit card or other noncash purchase, provides certain information to the merchant. There, as here, the relationship is at arm’s-length, to achieve a specific economic end, and does not *288require the merchant to exercise independent judgment on the customer’s behalf. See Transamerica Ins. Co. v. U.S. Nat’l Bank, 276 Or 945, 956 n 11, 558 P2d 328 (1976) (“A bank deposit creates a debtor-creditor relationship; the incidents of that relationship are provided by law (although they may, within limits, be varied by agreement.)” (citations omitted)); Dahl & Penne, Inc. v. State Bank of Portland, 110 Or 68, 72, 222 P 1090 (1924) (relationship between bank and depositor is that of “debtor and creditor”: “The contract between the parties is purely legal, and has no element of a trust in it.”).6

Plaintiffs argue, nevertheless, that Banaitis v. Mitsubishi Bank, Ltd., 129 Or App 371, 377-78, 879 P2d 1288 (1994), rev dismissed 321 Or 511, 900 P2d 508 (1995), recognizes — and, indeed, is premised on — a distinct, legally enforceable obligation to protect bank customer information. Plaintiffs’ reading of Banaitis is overbroad.

Banaitis was a wrongful discharge case. There, the plaintiff had worked as a vice-president of the Bank of California, which was acquired by defendant, Mitsubishi. Because Mitsubishi Group companies competed internationally with some of the bank’s customers, those customers demanded, and received, assurances that their financial information would not be disclosed to Mitsubishi. A Mitsubishi manager subsequently requested that the plaintiff disclose information about one of the bank’s customers who had requested assurances of confidentiality. When the plaintiff refused to disclose that information, he was ultimately forced to resign. The plaintiff sued the Bank of California for wrongful discharge and Mitsubishi for tortious interference with a contractual relationship. The jury awarded compensatory and punitive damages against both defendants, and we sustained that verdict.

In reviewing the sufficiency of the wrongful discharge claim, we agreed with the plaintiff that his discharge implicated a societal obligation or public policy against a *289bank’s disclosure of customers’ confidential financial information. In particular, we reviewed “state and federal statutes that generally protect business information from discovery by or disclosure to the public or to government agencies”:

“The Federal Right to Financial Privacy Act of 1978, 12 USC § 3401 et seq, prohibits, with certain exceptions, the disclosure of a customer’s records by a financial institution to a government authority without the customer’s consent. The Federal Freedom of Information Act, 5 USC § 552, similarly exempts from disclosure by public agencies any ‘commercial or financial information’ that is privileged or confidential. 5 USC § 552(b)(4). * * *

“Various criminal statutes reflect a public interest in protecting the confidentiality of commercial financial records. ORS 165.095(1) provides that a person who ‘misapplies’ property entrusted to a financial institution commits a crime. Removal or disclosure of a bank’s files or other property is a Class C felony. ORS 708.715.” Banaitis, 129 Or App at 378 (footnote omitted).

We also canvassed common-law authority from other jurisdictions:

“At common law, the courts in a number of jurisdictions have recognized a bank’s duty not to divulge to a third party, without the customer’s consent, any information relating to the customer acquired through the keeping of the customer’s account. As the Idaho Supreme Court said in Peterson v. Idaho First National Bank, 83 Idaho 578, 367 P2d 284 (1961):

“ ‘It is inconceivable that a bank would at any time consider itself at liberty to disclose the intimate details of its depositors’ accounts. Inviolate secrecy is one of the inherent and fundamental precepts of the relationship of the bank and its customers or depositors.’ 83 Idaho at 588, [367 P2d 284],

“Consistent with that rule, BanCal’s own internal policy prohibits the disclosure of confidential customer financial information.” Banaitis, 129 Or App at 379 (citations omitted).

*290Based on our review of those authorities, we concluded:

“Those statutory provisions, rules and common law principles reflect a common concern for the protection of valuable commercial financial information, particularly when that information has been entrusted to a bank. Permitting a bank to discharge with impunity its employee for refusing to disclose confidential customer financial information would violate that public policy and compromise the protections that the statutes, rules and common law duties were designed to afford.” Id.

Banaitis itself and all the authorities on which it relies pertain to a bank’s obligation of nondisclosure. Neither Banaitis nor those authorities recognize that the depositor-bank relationship gives rise to a distinct “legally protected interest,” transcending a common-law duty of due care, to protect depositors’ financial information from tortious misappropriation by third parties.7 In short, Banaitis corroborates the availability of a breach of confidentiality claim when a bank affirmatively discloses a customer’s financial information without the customer’s consent, but it does not support a free-standing claim for emotional distress damages flowing from negligent hiring.

Finally, and contrary to the dissent, Edwards v. Talent Irrigation District, 280 Or 307, 309, 570 P2d 1169 (1977), and Macca v. Gen. Telephone Co. of N.W., 262 Or 414, 495 P2d 1193 (1972), do not compel reversal. Plaintiffs’ pleadings do not allege that, as in Macea and Edwards, defendant’s conduct resulted in an invasion of any right to enjoy their *291property without unreasonable interference.8 Nor did plaintiffs make such an argument to the trial court or in their briefs on appeal. Thus, plaintiffs here never contended that this case somehow implicates a separate “legally protected interest” in a property law-based right of use and enjoyment. See State ex rel Juv. Dept. v. Pfaff, 164 Or App 470, 480 n 6, 994 P2d 147 (1999) (“[A]lthough it is axiomatic that we may affirm on grounds not argued to the trial court, there is no authority for the proposition that, without invoking ‘plain error,’ we can reverse the trial court on grounds not argued to it.” (emphasis in original)).9

The trial court properly dismissed plaintiffs’ claim against FICAL.

Affirmed.