Oct 06

Standing on the Spectrum of Data Breach Harm

In another victory for class-action data theft/breach plaintiffs, last week in Enslin v. The Coca-Cola Co., the Eastern District of Pennsylvania denied a motion to dismiss the case for lack of standing. There, Shane Enslin sued the Coca-Cola Company and various other Coca-Cola entities (“Coke”) in a class action after a Coke employee allegedly stole fifty-five laptops containing the personal identification information (“PII”) of 74,000 current and former Coke employees. 2015 WL 5729241, at *1 (E.D. Pa. Sept. 30, 2015).

Coke moved to dismiss for, among other things, lack of Article III standing. It argued that any future harms Enslin might suffer and preparations he made in anticipation of those harms “are speculative, hypothetical, and not an injury-in-fact.” Id. at *5. And Coke also claimed that even if Enslin did suffer injury-in-fact from any misuse of his PII, “these injuries are not fairly traceable to the conduct of” Coke. Id.

Article III standing requires that the plaintiff show: (1) he suffered actual or imminent harm; (2) that is fairly traceable to the defendant; and (3) that judicial action will likely redress the harm. Id. at *3. The “fairly traceable” requirement is “‘akin to ‘but for’ causation,’” and “‘[is] met even where the conduct in question might not have been a proximate cause of the harm, due to intervening events.’” Id. at *7 (quoting Edmonson v. Lincoln Nat. Life Ins. Co., 725 F.3d 406, 415 (3d Cir. 2013)).

The Court easily disposed of Coke’s first argument. Unlike the plaintiffs in Clapper v. Amnesty Int’l, USA, 133 S.Ct. 1138 (2013) and Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), Enslin had “already suffered palpable harm, including the alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and the unauthorized issuance of new credit cards in Plaintiff’s name.” Id. at *6. Nor were Enslin’s “efforts to combat his exposure to future harms” based on speculative or hypothetical concerns—Enslin closed his bank account after unauthorized access and spent time and effort protecting his other accounts and credit cards. And he did not do this in response to hypothetical harms, but rather “in response to ongoing harms.” Id. at *6.

Likely recognizing that the theft from Enslin’s bank accounts as well as the alleged credit card fraud made its lack of imminent harm argument an uphill battle, Coke also attacked the causation prong for Article III standing. Id. at *7. Coke claimed: (1) Enslin quit his job with Coke in 2007, but his data was not misused until 2014—“too great” a period to fairly trace his injuries to Coke; (2) only one of the Coke defendants (Enslin’s former employer) “had any relation to the harm suffered sufficient to confer standing”; and (3) “the information lost on the laptops was insufficient to give rise to the types of harms Plaintiff suffered.” Id.

The Court rejected Coke’s first attack on Enslin’s claim, finding that at the motion-to-dismiss stage Enslin plausibly alleged “that, ‘but for’ the Coke Defendants’ mishandling his PII, it would not have been lost[, and] that ‘but for’ the Coke Defendants’ misrepresentations and breach of contract, he would not have suffered harm.” Id. at *7. Despite the seven-year hiatus between Enslin’s departure from Coke and the theft, the “chain linking the loss of Plaintiff’s SSN, credit cards, and banking information, and the subsequent identity attacks Plaintiff suffered, is plausible. The connection between the loss of sensitive PII like SSN and banking information and subsequent identity attacks is apparent from Plaintiff’s complaint.” Id. at *8.

Nor did the Court buy Coke’s argument that only Enslin’s “direct” employer had any relation to Enslin or his PII. Coke relied on Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 463-65 (D.N.J. 2013), contending that the court there granted a motion to dismiss for failure to satisfy the causation requirement for lack of standing because the plaintiff did not allege that defendant healthcare provider “ever treated or interacted with the plaintiff or … ever held or transferred the plaintiff’s personal health information.” Id. But the Court explained that unlike in Polanco, Enslin “plausibly alleged that each Coke Defendant either held or transferred Plaintiff’s PII at some time during the events that allegedly led to Plaintiff’s injuries.” Id. Having “some direct control over the plaintiff’s PII” was a sufficient level of causation. Id. at *9.

Finally, the Court rejected Coke’s argument that the PII stolen was not sufficient “to enable the identity thieves to commit the types of identity attacks on Plaintiff’s identity that he allegedly suffered[.]” The Court distinguished In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 31-32 (D.D.C. 2014), where the court concluded there was no causal connection between the harm and the loss of PII when the plaintiffs claimed they suffered financial injury as a result of the theft of their PII but did not allege their bank account or credit card information was stolen. Id. at *9. Enslin, in contrast, alleged he gave Coke “his full legal name, address, SSN, bank account information, credit card information, driver’s license, driving records, and date of birth.” Id. And he alleged that identity thieves used this information to steal money from his bank account, open new credit cards, and even obtain a job. Id.

So is the standing tide turning in plaintiffs’ favor? Is Enslin a further indication that courts are more sympathetic to data-theft/breach plaintiffs as more and more thefts and breaches occur? Or was Enslin an easy case? After all, Enslin’s money was stolen, credit cards were opened in his name, and somebody even got a job using his PII. The spectrum of standing continues to evolve as more data breach/theft cases reach the courts. At one end, loss of credit or increased risk of identity theft alone may not be enough to establish standing. At the other end, as in Enslin and Neiman Marcus, plaintiffs who suffer “identifiable identity attacks,” in particular actual financial harm such as money stolen from accounts or unauthorized use of credit cards, have standing to advance their claims.
