The decision does not change the law on what is necessary to prove standing, although it does reinforce the notion that a plaintiff will have standing if he or she can allege a concrete injury.

In the latest in a slew of highly publicized class actions arising from data breaches, Judge Leeson of the U.S. District Court for the Eastern District of Pennsylvania found that a former employee of Keystone Coca-Cola Bottling Company, later purchased by Coca-Cola, had standing to pursue breach of contract and restitution claims against the soft drink company.

Background

In Enslin v. Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Sept. 29, 2015), a former employee sought to pursue a class action against Coca-Cola arising from the theft of 55 company laptop computers that occurred between 2007 and 2013. The former employee alleged that the 55 stolen laptops contained his personal identifying information (PII) as well as the PII of approximately 74,000 other Coca-Cola employees.

According to the plaintiff, the computer theft resulted in unauthorized access to his PII, and this unauthorized access led to theft of his identity, which included credit accounts being opened in his name, unauthorized charges, withdrawals from his bank accounts and efforts to impersonate him to obtain employment. The plaintiff alleged 10 causes of action, including a claim for violation of the Driver’s Privacy Protection Act, bailment, civil conspiracy, five tort claims, breach of contract and restitution. The Coca-Cola defendants moved to dismiss all of the claims, arguing that the plaintiff lacked standing to pursue them because he neither alleged an injury in fact nor a causal connection between the stolen laptops and the subsequent identity theft. The Coca-Cola defendants also moved to dismiss each of the causes of action for failure to state a claim upon which relief can be granted.

District Court Opinion

In holding that the plaintiff had standing, the court found that the plaintiff’s allegations of specific damages arising from the theft of his identity were sufficient to satisfy the standing requirements outlined in Clapper v. Amnesty International and its progeny. Specifically, the court found that the plaintiff adequately alleged harm that was ongoing, present, distinct and palpable to confer standing.

The court also found that the plaintiff adequately alleged a causal connection between the theft of the laptops and the incidences of identity theft to establish standing. In this regard, Coca-Cola contended that the alleged incidences of identity theft were “not fairly traceable” to the Coca-Cola defendants’ conduct for three reasons: (1) the seven-year lapse between the end of the plaintiff’s employment and the misuse of the information was “too great”; (2) the Coca-Cola defendants (other than the employer, Keystone Coca-Cola) had no relationship to the alleged injuries; and (3) the type of information lost could not cause the type of harm alleged.

The court rejected these arguments and found that the causal connection as pled between the plaintiff’s employment and the harm suffered was “plausible,” that each Coca-Cola defendant had control of the laptop(s) at some point prior to the theft, and that the injury as pled “could be fairly traced” to the PII allegedly lost. In so finding, Judge Leeson reasoned that “courts are generally lenient in applying the ‘but for’ causation requirement at this early stage of litigation.”

After addressing standing, the court proceeded to address Coca-Cola’s arguments that all of the plaintiff’s causes of action failed to state claims upon which relief could be granted. In this regard, the court dismissed most of the plaintiff’s claims, including all of his tort claims for negligence, negligent misrepresentation, breach of the covenant of good faith and fair dealing, and fraud. The court followed the lead of previous federal and state courts in applying the “economic loss doctrine,” which bars tort claims in the absence of a physical injury or property damage. The court found that the plaintiff’s alleged damages were purely economic.

The court also dismissed the plaintiff’s claim for violation of the Driver’s Privacy Protection Act on the ground that the Coca-Cola defendants’ loss of the plaintiff’s PII did not constitute a “knowing disclosure” of the plaintiff’s driver information, which is a prerequisite for liability under the act. Specifically, the court found that the defendants did not take any “voluntary action” to disclose the information. The court also dismissed the plaintiff’s claim for violation of the law of bailments on the ground that PII lost by a party holding that information is not “property” or “personalty” for the purposes of the law of bailment.

The court allowed the plaintiff’s breach of contract claim to proceed, however, recognizing that, at least at the motion to dismiss stage, there might be an express and/or implied contract between Coca-Cola and its employees that required Coca-Cola to safeguard and protect the plaintiff’s PII. Such an express or implied contract is unusual in the employment context, and other courts have dismissed such claims as not having the requisite “meeting of the minds.” In fact, the plaintiff’s breach of contract claim is somewhat akin to alleging that the employer owed a fiduciary duty to safeguard employee information, which the court expressly rejected in the context of the plaintiff’s negligence claim.

The court also let stand the plaintiff’s restitution claim — at least for now. The court correctly stated the general rule that restitution claims are not available when there is a breach of contract. However, the court allowed the claim to proceed on the narrow exception for restitution claims where a breach of contract is deliberate. The theory is that Coca-Cola deliberately failed to safeguard the laptops and encrypt the information in an effort to avoid spending money on cybersecurity. It seems inconsistent that the court found that such allegations of deliberate conduct were sufficient to survive a motion to dismiss, given that the court had determined earlier in the opinion that the disclosure of the plaintiff’s PII was not a “knowing disclosure” or a “voluntary action.”

It is likely that the court allowed the breach of contract and restitution claims to move forward in an effort to keep the plaintiff’s lawsuit alive in light of the concrete injuries he suffered.

Next Steps in the Case

Although the court permitted the plaintiff to proceed past the motion to dismiss stage, he still faces significant hurdles. First, he must establish causation. The plaintiff may have an uphill climb to establish through evidence (as opposed to allegations) that there is a causal connection between the unauthorized access to PII that occurred in 2007 and his specific identity theft, which occurred in 2014. In order to proceed on his individual claim, the plaintiff will need to trace the damages he suffered all the way back to the 2007 breach, while, at the same time, eliminating potential intervening causes that occurred during this same seven-year time span.

In addition, the plaintiff’s chances of success in certifying the class action are remote. It is unlikely that the plaintiff will be able to satisfy the requirements to proceed as a class action under Federal Rule of Civil Procedure 23(b)(2), which is limited to actions seeking primarily injunctive or declaratory relief, because his complaint predominantly seeks monetary damages that include “actual, punitive, treble and statutory damages.” Where, as is the case here, a plaintiff’s primary relief is money damages, courts have often denied class certification.

Similarly, the plaintiff most likely will have difficulty obtaining certification because he must be able to establish commonality or a reliable method to ascertain class members for the court to certify a class. The issues related to causation and traceability of damages are not common to each and every class member, and proof of causation would require “mini trials” tracing the damages of each and every class member back over an eight-year period. These unique evidentiary issues will likely preclude this case from being permitted to proceed as a class action. If class certification is denied, the case will likely settle or be withdrawn.

Takeaways

The Coca-Cola decision does not change the law on what is necessary to prove Article III standing, although it does reinforce the notion that a plaintiff will have standing if he or she can allege a concrete injury. This court was somewhat lenient, at least at the motion to dismiss stage, with regard to the plausibility of allegations that the injury was traceable to the conduct of the defendants.

The opinion also reinforces the decision of previous courts that the economic loss doctrine will bar any claim for negligence where the damages alleged are purely economic. [For more information on the economic loss doctrine, read out prior client alert.] Companies should take heed, however, that a plaintiff’s pleading of breach of contract may withstand a motion to dismiss, despite some decisions in at least one other court to the contrary.

Finally, there are some steps that companies can take to avoid a data breach suit:

  • Take affirmative steps to encrypt employee data.
  • Adhere to the “Ten Steps to Protecting Personal Information” developed by the Federal Trade Commission. [For more information on this topic, access our webinar discussion.]
  • Map data so that the company and any successor companies can track for losses or theft.
  • Make sure that cybersecurity is on the due diligence checklist for every acquisition.