The debate over standing in data breach litigation is gaining more attention lately. While many courts have hesitated to find standing prior to lost personally identifiable information (PII) actually being misused, the U.S. District Court for the Eastern District of Pennsylvania recently joined other courts that have found standing when the plaintiff has already suffered identifiable identity attacks, marking the first time a Pennsylvania federal court has allowed a data breach class action to proceed beyond the motion to dismiss stage.
In Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015), Shane Enslin, a former employee, brought a class action against Coca-Cola and several of its divisions based upon the theft of 55 laptops that occurred between 2007 and 2013. Enslin alleged the stolen laptops contained the PII of over 74,000 people, including himself. According to Enslin, the theft of the laptops led to unauthorized access to his PII, which resulted in the theft of his identity, including theft from his bank account, unauthorized charges on his credit cards, opening of new credit accounts in his name, and the use of his identity to obtain a job at UPS.
Following the identity theft, Enslin brought ten claims against the Coca-Cola defendants – violation of the Driver’s Privacy Protection Act, negligence, negligent misrepresentation, fraud, breach of express contract, breach of implied contract, breach of covenant of good faith and fair dealing, unjust enrichment, bailment, and civil conspiracy. The Coca-Cola defendants moved to dismiss all of Enslin’s claims on the grounds that Enslin had no standing because he failed to properly allege an actual case or controversy and for failure to state a claim upon which relief can be granted.
In arguing lack of standing, the Coca-Cola defendants asserted “that all future harms that [Enslin] may suffer from the loss of his PII and the preparations he has made in anticipation of these harms were speculative, hypothetical, and not an injury-in-fact.” The court disagreed, holding that Enslin’s harms were not speculative or hypothetical, but, due to the actual fraudulent purchases made with his accounts, ongoing, present harms that gave him standing.
The Coca-Cola defendants also argued that Enslin lacked standing because his harms were not causally connected to the Coca-Cola defendants’ conduct. Specifically, the Coca-Cola defendants argued that the seven-year time period between the end of Enslin’s employment and the misuse of the information was “too great”; that the defendants, other than Enslin’s employer, Keystone Coke, had no relation to the harm suffered; and that the information lost was not enough to give rise to the type of harm suffered. The court disagreed again, noting that Enslin plausibly alleged each Coca-Cola defendant had direct control over the laptops at some point prior to the theft, and the loss of Enslin’s PII is fairly traceable to Enslin’s former employer, Keystone Coke.
After establishing Enslin had standing, the court addressed the Coca-Cola defendants’ argument that Enslin failed to state a claim upon which relief could be granted. The court agreed in part and dismissed the majority of Enslin’s claims, including violation of the Driver’s Privacy Protection Act, fraud, breach of covenant of good faith and fair dealing, bailment, and civil conspiracy.
Following the lead of previous federal and state courts, the court also dismissed Enslin’s claims for negligence and negligent misrepresentation based upon Pennsylvania’s “Economic Loss Doctrine.” The Economic Loss Doctrine requires economic damages to be accompanied by physical injury or property damage for a claim in negligence to stand, and the court found Enslin asserted only economic damages. While Enslin argued he had a special relationship with the Coca-Cola defendants, such that his claims fell under the “special relationship” exception to the Economic Loss Doctrine, the court disagreed and found no special relationship between the two parties.
After dismissing most of Enslin’s claims, the court allowed Enslin’s claims for breach of contract and restitution to move forward. The court allowed Enslin’s breach of contract claim to proceed because Enslin fairly alleged the existence of an express and/or implied contract between Coca-Cola and Enslin that required Coca-Cola to protect Enslin’s PII. The court allowed Enslin’s restitution claim to proceed because the Coca-Cola defendants’ breach of contract may have been deliberate, with the theory being that the Coca-Cola defendants deliberately failed to safeguard the laptops and encrypt the information to save money on cybersecurity.
Whether Enslin’s class action will ultimately be successful remains to be seen, but for now, companies should be aware that plaintiffs who are able to allege a concrete injury following a data breach will likely have standing to pursue their claims.