I have been following a case concerning an employer’s obligation to protect employee data that has now come to a conclusion with two Ninth Circuit decisions. Krottner et al. v. Starbucks arose from the 2008 theft of a laptop that contained the unencrypted names, addresses, and Social Security Numbers of approximately 97,000 Starbucks employees. On November 19, 2008, Starbucks sent a letter to affected employees alerting them to the theft and stating that Starbucks had “no indication that the private information has been misused.” Nonetheless, the letter continued:
As a precaution, we ask that you monitor your financial accounts carefully for suspicious activity and take appropriate steps to protect yourself against potential identity theft. To assist you in protecting this effort [sic], Starbucks has partnered with Equifax to offer, at no cost to you, credit watch services for the next year.
This situation resulted in the filing of two nearly identical putative class action complaints against Starbucks, alleging negligence and breach of implied contract. On August 14, 2009, the district court granted Starbucks's motion to dismiss, holding that the Plaintiffs had standing under Article III but had failed to allege a cognizable injury under Washington law. The Ninth Circuit issued two separate opinions, one for publication and one not for publication, that affirmed the lower court’s ruling. The opinion for publication dealt with the standing issue. In analyzing the issue the Court applied a four-part test for standing: (1) an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. It was undisputed that the second and third parts of the test had been met. In analyzing the first prong, the Court noted that one of the Plaintiff’s alleged injuries were “generalized anxiety and stress,” which was sufficient to confer standing. The other Plaintiff’s allegations concerned their increased risk of future identity theft. After considering the decisions of several other courts, the Ninth Circuit concluded that if a plaintiff faces “a credible threat of harm,” and that harm is “both real and immediate, not conjectural or hypothetical,” the plaintiff has met the injury-in-fact requirement for standing under Article III. Thus, the Plaintiff’s had alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. The court noted that if the allegations had been more conjectural or hypothetical — for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future — it would have found the threat far less credible.
While that opinion was good news for the Plaintiffs, the unpublished opinion was not. In that opinion, the Court held that the Plaintiff did not adequately allege the elements of their state law claims. The Court noted that their conclusion that the Plaintiffs had standing to sue did not necessarily mean that they had adequately pled damages for their substantive claims. Under state law, the negligence claims required actual loss or damage; the threat of future harm is insufficient. Although one Plaintiff alleged that someone attempted to open a bank account in his name, he did not allege that he suffered any actual harm. The arguments that alleged anxiety was an actionable injury was waived by the Plaintiffs and not considered. As to the other claim, breach of implied contract, the Court concluded that it to was not adequately pled. The Plaintiffs had pointed to three documents but did not allege that they had read or even saw the documents, or that they understood them to be an offer. Thus, the Ninth Circuit affirmed the lower court’s decision to dismiss the case.
As implied by the Ninth Circuit’s election to publish one opinion and not the other, the important part of this case is the standing issue. The Ninth Circuit has gone along with the Seventh Circuit in specifically extending standing to potential harm in the case of identity theft. This holding is consistent with decisions from the Second, Fourth, Sixth and Ninth Circuits granting standing for potential injuries in the context of toxic substance, medical monitoring and environmental claims. The takeaway from this case is that the door is wide open for lawsuits against employers who do not adequately protect employee data. In this particular case, the Plaintiffs did not have sufficient facts (or did not plead them) to make it past a motion to dismiss. In the future, I suspect that Plaintiffs’ attorneys will do a better job developing facts and drafting pleadings, making if more difficult to dispose of such cases.
What can you do to avoid claims? First, review security procedures and practices with your technology group. Consider using encryption software and other security measures for employee laptops. Second, review data security procedures with human resources. Is it really necessary for any employee to be carrying significant amounts of employee data on a laptop? If not, leave it in the workplace; if so, put procedures in place to protect the data. Assuming one of these cases makes it past the pleading stage, the unlucky employer being sued will need to demonstrate that reasonable care was exercised to protect employees. Can you meet that standard?
Topics/Tags
Select- Labor & Employment Law
- Department of Labor
- Employment Law
- Discrimination
- Coronavirus
- FLSA
- Overtime Pay
- Labor Law
- Non-Compete Agreements
- National Labor Relations Board
- Wage & Hour
- Federal Trade Commission
- Privacy
- Reasonable Accommodation
- NLRB
- Workplace Accommodations
- Employee Benefits and Executive Compensation
- Pregnancy Discrimination
- FMLA
- Arbitration
- Employment Litigation
- Workplace Violence
- Religion Discrimination
- Medical Marijuana
- IRS
- Litigation
- Social Media
- Employer Policies
- Americans with Disabilities Act
- Disability Discrimination
- Retirement
- Medical Cannabis Dispensaries
- National Labor Relations Act
- Race Discrimination
- Sexual Orientation Discrimination
- Accommodation
- OSHA
- Employer Handbook
- ERISA
- Whistleblower
- EEOC
- ADAAA
- United States Supreme Court
- ACA
- Affordable Car Act
- Unions
- Title VII
- Employer Rules
- Sexual Harassment
- Technology
- Federal Arbitration Act
- NLRA
- Transgender Issues
- Disability
- 401(k)
- Employment Settlement Agreements
- Sixth Circuit
- Equal Employment Opportunity Commission
- Fair Labor Standards Act
- Paycheck Protection Program
- Benefits
- Class Action Litigation
- Disability Law
- Gender Identity Discrimination
- Posting Requirements
- Securities Law
- E-Discovery
- Evidence
- Preventive Care Benefits
- Health Savings Account
- SECURE Act
- Environmental Law
- Family and Medical Leave Act
- US Department of Labor Employee Benefits Security Administration
- Privacy Laws
- Representative Election Regulations
- Department of Justice
- Healthcare Reform
- Older Workers' Benefit Protection Act (OWBPA)
- Affirmative Action
- Electronically Stored Information
- Equal Opportunity Clause
- Telecommuting
- Compensable Time
- Occupational Safety and Health Administration
- Security Screening
- Supreme Court
- E-Discovery Case Law
- Electronic Data Discovery
- ESI
- Unemployment Insurance Integrity Act
- American Medical Association
- Attendance Policy
- Return to Work
- Seniority Rights
- Classification
- Confidentiality
- Disability Leave
- Equal Pay
- Fair Minimum Wage
- Federal Minimum Wage
- Genetic Information Discrimination
- Media Policy
- Misclassification
- National Origin Discrimination
- Retaliation
- Social Media Content
- State Minimum Wage
- Wage Increase
- Employment Incentives
- HIRE Act
- Social Security Tax
- Taxation
- Antitrust
Recent Posts
- Federal Court Overturns Expansion of Overtime Requirements
- U.S. Supreme Court to Review Title VII Reverse Discrimination Case
- NLRB General Counsel Expands Focus on Non-Compete Agreements and Stay-Or-Pay Agreements
- FTC's Non-Compete Rule Struck Down
- District Court Finds in Favor of FTC, Declines to Issue Injunction
- DOL Increases Compensation Threshold for Exemption Eligibility
- Federal Trade Commission Announces New Rule Invalidating Non-Compete Agreements
- EEOC Announces Final Rule Providing Guidelines under the PWFA
- The Practical Employment Law Podcast: Immediate Termination
- The Practical Employment Law Podcast: Labor & Employment Law Update February 2024