Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks
[Post by Venkat]
Starbucks employees sued Starbucks due to a data breach resulting from the theft of a laptop computer which contained “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.” The trial court dismissed the lawsuit, finding that Washington law doesn’t recognize a cause of action where the sole damage is “risk of future harm.” The trial court also held that the plaintiffs had not alleged sufficient facts to bring an implied contract claim.
The Ninth Circuit largely agreed, noting that under Washington law, “actual loss or damage is an essential element” of a negligence claim. The sole plaintiff who alleged that his data had been misused did not point to any actual loss from the data misuse. Finally, the court notes that plaintiffs waived the argument that “anxiety constitutes actionable injury.” With respect to the contract claim, the court found that none of the documents (employee policy statements) included “an offer to safeguard data.” Although the plaintiffs sought to have the question certified to the Washington Supreme Court, the Ninth Circuit declined, finding that resolution of the case was sufficiently clear under Washington law.
Separately, the court issued an opinion finding that the plaintiffs had Article III standing (“‘generalized anxiety and stress’ as a result of [the data breach] is sufficient to confer standing”). Unfortunately, this represents the hollowest of victories for the plaintiffs, since the court found that even though plaintiffs had Article III standing, they still could not maintain a cause of action under Washington law.
I’m not sure what to make of the fact that the Ninth Circuit spent the bulk of its energy discussing the standing issue while at the same time affirming the dismissal of claims in an unpublished opinion. It’s tempting to see the Ninth Circuit’s standing decision as a glimmer of hope, but I don’t think that’s the case. Other cases have found standing in the data breach context, only to turn around and rebuff the claims for lack of cognizable harm. (Pisciotta v. Old National Bancorp, discussed by the Ninth Circuit in this case, is one example.) Whether a data breach claim is cognizable typically turns on state law (absent an applicable statute), and I’m not aware of any cases (whether or not they find plaintiffs have standing) that have allowed data breach plaintiffs to recover, absent out of pocket loss. Even in California! In any event, the uniform trend is that if you’re proceeding under state negligence or contract claims, no out of pocket loss = no recovery. (See, e.g., Ruiz v. Gap; Amburgy v. Express Scripts, Inc.; Pinero v. Jackson Hewitt; Bell v. Acxiom; In re JetBlue.) While the Article III ruling may be of interest from the point of view of legal doctrine, it doesn’t much help the plaintiffs here. Also, you have to see this ruling as hostile to data breach plaintiffs. Although the court gave a nod to the possibility of a claim premised on anxiety or risk of future harm, the court rejected the appeal in a case that stemmed from a data breach potentially encompassing 97,000 employees. If there was ever a case where a friendly court would have contorted the rules to give plaintiffs a chance, this would have been it.
One interesting data point (or lack of a data point) is that the data breach occurred in this case in October 2008. The data of some 97,000 employees was compromised. Yet, in the trial court proceedings (a year later) plaintiffs put forth no evidence of anyone having actually suffered out of pocket loss. I realize that the plaintiffs are not required to put forth this type of data at the pleading stage, but if hordes of people actually had their data misused, you would think plaintiffs’ counsel would have casually mentioned evidence to this effect? (During oral argument (which is well worth a listen and which you can access here), one of the judges asked whether plaintiffs’ counsel “[had] any idea how many of the 97,000 people have suffered identity theft that’s traceable to this [incident] . . . [and whether plaintiffs made] any allegations to that effect.” In response, counsel for plaintiff cited to one example of the named plaintiff who had a bank account opened in his name, but who did not suffer any out of pocket loss as a result.) The fact that plaintiffs did not do so is not conclusive, but I think it is telling, and this larger point is something worth exploring when thinking about data breach and harm generally. What does the data say about whether and to what extent plaintiffs who have had their data compromised actually suffer out of pocket losses?