On December 14, 2010, the U.S. Court of Appeals for the Ninth Circuit ruled that victims of a data breach had standing to sue in federal court under Article III of the Constitution for negligence and breach of implied contract.  The court's ruling appears in Krottner v. Starbucks Corp., No. 09-35823, 2010 WL 5141255 (9th Cir. Dec. 14, 2010).  Despite the ruling for plaintiffs on standing, the plaintiffs' victory was bittersweet.  The Court of Appeals affirmed dismissal of the plaintiffs' claims on the merits for lack of an injury under Washington state law.  Click here for a copy of the court's opinion.

Alas, the tale of woe begins in the usual fashion.  Someone stole a laptop from Starbucks in October 29, 2008.  Starbucks failed to encrypt the information on it.  As a result, the unencrypted names, addresses, and social security numbers of around 97,000 Starbucks employees fell into the hands of the thief.  Two class actions followed the theft.  Plaintiffs are current or former affected employees. 

Starbucks notified the affected employees, who obtained free credit watch services from Starbucks.  Nonetheless, plaintiff Krottner claimed that she would pay on her own for the service after the free period expired, and also contended she spent a substantial amount of time to monitor her credit.  Another plaintiff contended he suffered anxiety and stress from the incident.  Yet another plaintiff alleged that someone tried to open a new account with his social security number, but did not allege any financial damages. 

The U.S. District Court for the District of Washington granted Starbucks' motion to dismiss.  The lower court held that the plaintiffs had standing to assert their claims in federal court under Article III of the U.S. Constitution, but dismissed the claims under Washington law, because the plaintiffs failed to allege a cognizable injury.  The Court of Appeals affirmed.

The Court of Appeals held that plaintiffs adequately alleged that they suffered concrete harm, as opposed to hypothetical injuries, to satisfy the requirement of an "injury-in-fact."  The plaintiff that allegedly incurred anxiety and stress adequately claimed a present injury sufficient to confer standing.  Moreover, plaintiffs alleged an increased risk of future harm from identity theft.  The Court of Appeals held that this allegation was adequate to confer standing. 

Although the Court of Appeals ruled in plaintiffs' favor, the ultimate impact of the ruling may prove to be modest.  The standing requirement may not bar plaintiffs at the courthouse door, but once they put the merits of the case at issue, they may not get very far.  Courts are skeptical that plaintiffs are able to allege damages cognizable under state law, as was the case here.  Although the favorable ruling on standing did not bar plaintiffs here, they did not overcome Starbucks' motion to dismiss.  The standing issue simply made no difference in this case, and is unlikely to make a difference in other cases in the future, as the case law on data breach damages currently stands. 

Stephen Wu

Partner, Cooke Kobrick & Wu LLP