Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
In a recent published decision, the Ninth Circuit court of appeals held that the threat of identity theft arising from stolen personal information about current and former Starbucks’ employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court. This victory was short-lived, however, because the court also held — consistent with many other courts deciding security breach notification cases — that the plaintiffs had not pleaded, and could not prove, that Starbucks’ actions caused them any cognizable harm under state tort or contract law.
In 2008, someone stole a laptop computer from Starbucks containing the unencrypted names, addresses, and social security numbers of nearly 100,000 Starbucks employees. The company informed all affected employees of the theft and offered them one year of free credit monitoring services. Three current and former Starbucks employees who were affected brought two nearly identical putative class action lawsuits against Starbucks, alleging that the compromise of their personal information amounted to negligence and a breach of an implied contract:
- One plaintiff asserted she had been “extra vigilant about watching her banking and 401(k) accounts,” spent a “substantial amount of time doing so,” and will pay out-of pocket for credit monitoring services once the free service expires.
- The second plaintiff alleged he “spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts,” placed fraud alerts on his credit cards, and “has generalized anxiety and stress regarding the situation.”
- The third plaintiff maintained that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and he did not allege that he suffered any financial loss.
In its decision, the Ninth Circuit addressed the issue of whether the plaintiffs had standing to sue Starbucks. All parties agreed that standing requires a plaintiff to show that: (1) he or she has suffered an injury that is concrete and particularized, as well as actual or imminent rather than conjectural or hypothetical (injury in fact); (2) the injury in fact is fairly traceable to the challenged action of the defendant (causation); and (3) it is likely that the injury will be redressed by a favorable decision (redressability).
Starbucks conceded both causation and redressability, so the Ninth Circuit addressed only injury in fact. It noted that the alleged victim of identity theft would have an injury in fact when he or she faces a credible threat of harm. It then held that each of the plaintiffs below had alleged a credible threat of real and immediate harm stemming from the theft of the Starbucks laptop. In so doing, the Ninth Circuit reached a result similar to that of the Seventh Circuit, but contrary to the application of what appears to be a stricter standard in the Sixth Circuit.
In a second, unpublished memorandum opinion issued the same day, the Ninth Circuit held that even if the plaintiffs' allegations were true, they would not support a claim under state tort or contract law. Under Washington law, said the court, “[t]he mere danger of future harm, unaccompanied by present damage,” was insufficient to support a negligence claim. The court then rejected the plaintiffs’ argument that there was an implied contract between the plaintiffs and Starbucks and dismissed both claims.
Although Starbucks ultimately prevailed, this case underscores three practical lessons. First, employers continue to incur attorneys’ fees, litigation and credit monitoring costs, and the imputed costs associated with staff resources that must be devoted to defending against such class action lawsuits. Second, the prospect of having to incur such costs creates a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. Third, the putative plaintiff class included former employees, highlighting the need to extend safeguards to the personal information not only of current employees but also of job applicants and former employees.