Class Actions Brief Blog

In recent years, defendants in data breach class action lawsuits filed in the state courts in North Carolina have succeeded in designating these disputes to the North Carolina Business Court. The Business Court has accepted data breach cases involving ransomware attacks, phishing email incidents and tracking technology cases. This post reviews these cases, as well as a recent decision where the Business Court rejected designation, to provide an overview of the Court’s approach to determining which cases will qualify.

To request designation as a “mandatory complex business case,” the defendant must file a notice with the state court within 30 days of service under Section 7A-45.4 of the North Carolina General Statutes. The notice must state that the case meets one (or more) statutory criteria, which provide for designation of cases that involve material issues relating to the law governing corporations, securities and antitrust matters, among others.[1]

In 2014, the General Assembly broadened the scope of one of these criteria, codified at Section 7A-45.4(a)(5). This section was previously limited to disputes involving “intellectual property law, including software licensing disputes.” Following the amendment, parties may designate cases that involve a material issue relating to “[d]isputes involving the ownership, use, licensing, lease, installation, or performance of intellectual property, including computer software, software applications, information technology and systems, data and data security, pharmaceuticals, biotechnology products, and bioscience technologies.” As Judge Gale noted in an opinion overruling an opposition to designation in Southeastern Automotive Inc. v. Genuine Parts Co., this allowed the Business Court to hear a “dispute that involves a material issue regarding the use or performance of intellectual property, including computer software and data, without requiring a dispute regarding ownership of the intellectual property or another dispute that may require application of principles of the body of law known as intellectual-property law.”

Since 2014, defendants have repeatedly designated data-breach cases to the Business Court under this section, including in the following cases:

• McManus v. Dry, No. 22 CVS 1776 (N.C. Super. July 22, 2022) (Bledsoe, J.) (seeking designation under (a)(5) based on malware installed on defendant’s servers)
• Williams v. Monarch, No. 23 CVS 105 (N.C Super. Apr. 10, 2023) (Bledsoe, J.) (seeking designation under (a)(5) based on cyberattack by cybercriminals on defendant’s systems that resulted in exfiltration of private information)
• Vernon v. Trustees of Gaston College, No. 23 CVS 3059 (N.C. Super. Oct. 27, 2023) (Robinson., J.) (seeking designation under (a)(5) based on hacking incident but also under Rule 2.1).
• Luther v. Columbus Regional Healthcare System, No. 24 CV 88 (N.C. Super. Feb. 26, 2024) (Brown, J.) (seeking designation under (a)(5) based on hacking incident on defendant’s computer systems)
• Weddle v. WakeMed Health and Hospitals, 22 CVS 13860 (N.C. Super. Dec. 16, 2023) (Conrad, J.) (seeking designation under (a)(5) based on allegations of use of Meta Pixel on defendant’s website but also in the alternative under Rule 2.1)
• Stewart v. Greensboro College Inc., No. 24 CVS 4980 (N.C. Super. May 10, 2024) (Earp, J.) (seeking designation under (a)(5) based on suspicious activity on defendant’s computer systems leading to unauthorized access by third parties but also in the alternative under Rule 2.1)

But in a decision earlier this year, the Business Court signaled that a case is not automatically eligible for designation just because it touches on data security in some way. In an unpublished order in ECA General Partnership LLC v. First Bank, the Business Court concluded that a complaint was not properly designated as a mandatory complex business case. The complaint alleged that ECA had maintained various bank accounts at First Bank, and that First Bank had received a phishing email that was spoofed to look as if it had come from ECA. First Bank reached out to confirm that the email was legitimate, but did not receive that confirmation. Nonetheless, according to ECA, First Bank granted the phishing perpetrator access to ECA’s bank accounts, resulting in over $1 million of damages.  

First Bank served (but apparently, did not file) a notice with the Business Court seeking designation under section 7A-45.4(a)(5). First Bank stated in the notice that Plaintiff alleged a “series of fraudulent transactions initiated by a cybercriminal” and that “First Bank failed to verify the legitimacy of emails requesting access to Plaintiffs’ bank account.” First Bank further stated that its “electronic banking compliance and systems, data and security procedures are at issue in this action making this a mandatory complex business case.”

Judge Robinson rejected the designation, first observing that the notice was not filed with the Pitt County Clerk of Superior Court within 30 days of service of the complaint. Judge Robinson also noted that, even though procedures had been followed, the notice of Business Court designation should be rejected because it did not involve a complex technology.

Judge Robinson pointed to other decisions from the Business Court rejecting designation where “straightforward” contract or fraud claims could be resolved without requiring any analysis of more technical issues underlying the dispute that involved the use or performance of software. He reviewed ECA’s allegations closely, observing that defendants’ basis for Business Court designation was “First Bank’s electronic banking compliance and systems, data and security procedures.” But, he concluded, the complaint’s ultimate focus was a First Bank employee’s failure “to verify the legitimacy of emails requesting access to Plaintiff’s bank account with Defendant.” In other words, the plaintiff’s allegations were tied to “security procedures and negligent conduct, rather than a failure of the underlying intellectual property characteristics of First Bank’s banking software or computer systems.” Although he rejected designation, Judge Robinson left open the door for the case to be treated as a Rule 2.1 exceptional case.

It remains to be seen whether ECA will have any implications for the kinds of data-breach class actions that the Business Court routinely accepts. ECA was not a class action, and the Business Court has continued to accept designation of data-breach class action complaints since the ECA decision. For instance, in Woodsmall v. Asheville Eye Associates PLLC, the notice of designation stated that the complaint alleges both inadequate security policies as well as inadequacies in the use or performance of defendant’s data retention and data security systems. No. 25 CV 809 (N.C. Super. Mar. 21, 2025) (Davis, J.).

ECA also differs from most data breach class actions because the plaintiff’s allegations focused on defendant’s alleged failure to verify the validity of a spoofed email, not directly on the alleged performance or failure of the defendant’s software or security systems. Like straightforward contract cases that did not present material issues involving the use or performance of intellectual property, the allegations in ECA also would not have required the Business Court to review sophisticated software or technology issues underlying the claim.  Nonetheless, ECA serves as a good reminder to defendants to make sure to follow the correct procedures in filing a designation with the superior court, explain the basis for designation in the notice and seek designation as an “exceptional” or “complex” case under Rule 2.1 in the alternative.

[1] To effectuate the designation under section 7A-45.4(c), a party must file the notice of designation in the county superior court where the complaint was filed and contemporaneously serve the notice on the opposing parties and the Chief Business Court Judge as well as via email to the Chief Justice of the Supreme Court. A defendant can also ask the Chief Justice of the Supreme Court of North Carolina, at any time, to consider designating the case as an “exceptional” or “complex” case under Rule 2.1 of the General Rules of Practice for the Superior and District Courts. Cases that are removed to federal court can first be designated to the state Business Court prior to removal.