Losing Your Employees’ Personal Data Can Cost You – Whether or Not It Costs Them

Guidance Software Class Actions Can Go Forward Even if Employees Suffer No Actual Damages

March 18, 2011

In Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. Dec. 14, 2010), a copy of which is here, the United States Court of Appeals for the 9th Circuit ruled that a class action lawsuit could proceed when a company-owned laptop, which contained employees’ names, social security numbers and addresses, was stolen, even though the data was not misused.

In October of 2008, a laptop computer owned by Starbucks was stolen. The computer contained the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees. Shortly thereafter, Starbucks sent a letter to all affected employees alerting them to the breach and informing them the company would pay for credit watch services for one year. There was no indication that any personal information had been misused.

Two similar class action lawsuits were filed by Starbucks’ employees in connection with the stolen laptop. The employees alleged negligence and breach of implied contract. The district court in Washington State, ruled that the parties have standing under Article III of the Constitution, but could not allege a cognizable injury under state law. The parties appealed to the 9th Circuit.

The 9th Circuit was presented with the question: Does the risk of future identity theft constitute and injury in fact under Article III in order to confer standing? This was an issue of first impression for the 9th Circuit. The Court ultimately ruled that the parties do have standing under Article III, adopting a standard by the 7th Circuit.

In Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. Aug. 23, 2007) the 7th Circuit ruled that plaintiffs had suffered an injury in fact when their personal data had been stolen, but not yet used for any fraudulent or criminal purpose. The only injury the Pisciotta plaintiffs alleged was increased risk associated with potential future misuse of personal data. None of the plaintiffs alleged any actual loss. The 7th Circuit noted, “as many of our sister circuits have noted, the injury in fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff otherwise would have faced, absent the defendant’s actions.”

The 9th Circuit agreed with this view and found the Starbucks’ employees to have standing. “Here, Plaintiffs-Appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal information.” The Court noted that if the plaintiffs had brought a similar suit without the theft, they would not have standing because the threat to their personal information would be too remote.

The circuits are not uniformly behind the view of the 7th and 9th Circuits. A split does appear to be present. The 6th Circuit does not necessarily adopt the view that future loss satisfies the injury in fact requirement of Article III. In Lambert v. Hartman, 517 F.3d 433 (6th Cir. Feb. 25, 2008) one of the plaintiff’s allegations was that the theft of her identity exposed her to future risk of additional identity theft. Without analysis the 6th Circuit stated that the risk of future identity theft was “somewhat ‘hypothetical’ and conjectural.’”

The positions taken by the 7th and 9th Circuit are important to note, because it could potentially lead to a flood of litigation in cases where a company has compromised personal information to a third party, but no actual damage has actually occurred. By allowing a party to have standing in a case where the only injury-in-fact is the threat of future harm has the potential to lead to many lawsuits. It also leads to another issue: if a plaintiff were successful, how would a court calculate damages based off the threat of a future injury? Companies need to be aware that they are potentially liable for losing the personal information of their employees, without those employees suffering any actual, immediate and measurable damage.

No comments :

Post a Comment