In Krottner v. Starbucks Corp.,1 the Ninth Circuit Court of Appeals found that three current or former Starbucks Corporation employees had standing to bring claims against Starbucks arising out of the theft of a laptop containing unencrypted, personally identifiable information (PII), despite the fact the plaintiffs had not suffered any financial harm. However, the court also affirmed the district court’s finding that plaintiffs did not have a cause of action for negligence or contract liability under Washington law. In reaching its conclusion that the plaintiffs had standing, the Ninth Circuit found that the possibility of identity theft was “a credible threat of harm” sufficient to meet the injury-in-fact requirements of standing.2
Facts of Krottner
In 2008, PII of 97,000 Starbucks employees was stolen. Shortly after the theft of the laptop containing the unencrypted information, Starbucks sent a letter to affected employees alerting them of the breach and stating that although there was “no indication that the private information had been misused,” Starbucks had partnered with Equifax, a credit-watch service, to offer employees monitoring for the next year, at no cost. Further, the letter requested that, as a precaution, employees “monitor [their] financial accounts carefully for suspicious activity and take appropriate steps to [protect] against potential identity theft.” Starbucks also referred employees to identity theft protection literature from the Federal Trade Commission.3
After receiving the letter from Starbucks, Laura Krottner and Ishaya Shamasa together, and Joseph Lalli separately, filed class action complaints against Starbucks, alleging negligence and breach of implied contract. The substance of the claims was similar among plaintiffs.
Lalli, who did not enroll in the credit-watch services provided by Starbucks, alleged that the only injury he had suffered at the time of the filing was generalized anxiety and stress, and that he had spent, and continued to spend, substantial amounts of time checking his 401(k) and bank accounts and placing fraud alerts on his credit cards. The remaining allegations related to the risk of future harms that might result from identity theft.
Krottner and Shamasa, who both enrolled in the Starbucks-provided credit-watch services and monitored their accounts, did not allege that any theft or out-of-pocket losses had occurred. Instead, Krottner and Shamasa alleged that they had to be extra vigilant in monitoring their accounts and guarding against future identity theft. Specifically, Krottner alleged that she had been extra vigilant about watching her banking and 401(k) accounts, spending a substantial amount of time doing so, and would pay for credit-monitoring services when the complimentary services expired. Finally, Shamasa alleged that a potential breach had occurred when someone attempted to open a bank account with his social security number; however, the account was closed before Shamasa suffered any financial loss.
Starbucks moved to dismiss both actions, arguing that the “bare increase in the risk of identity theft is not a constitutionally cognizable injury,” and, therefore, plaintiffs could not allege injury-in-fact sufficient for the court to have standing to hear the claim.4 The district court disagreed, finding that although plaintiffs had no “cognizable injury,” the increased costs associated with monitoring were a sufficient injury for the purposes of standing.
Despite finding that the plaintiffs had standing, the district court dismissed plaintiffs’ claims, observing that the Washington Supreme Court would likely not recognize claims “based solely on the increased risk of identity theft and associated monitoring costs.” Notably, in reaching its conclusion, the district court observed that, “Starbucks apparently concedes that some degree of monitoring is an appropriate response in the wake of the laptop theft, because it has offered a monitoring service to affected employees. If Plaintiffs have suffered no present injury, then why is Starbucks offering them a present remedy?”5
Plaintiffs appealed the district court’s findings.
Findings on Appeal
The court of appeals affirmed the district court, finding that plaintiffs had alleged sufficient injuries for Article III standing,6 even where the stolen PII had not been misused.7 In a separate opinion, the court of appeals affirmed that the plaintiffs had failed to allege negligence or breach of contract.8
To establish standing to bring a claim, a plaintiff must show: (i) an “injury-in-fact”; (ii) that the injury is fairly traceable to the challenged action of the defendant; and (iii) that it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.9 Further, to demonstrate an “injury-in-fact,” the plaintiff must show that the injury is (i) concrete and particularized and (ii) actual or imminent, not conjectural or hypothetical. The court of appeals, like Starbucks, focused on the “injury-in-fact” element.
In finding that the employees had adequately alleged injury-in-fact, the court of appeals noted that while it had not previously decided whether an increased risk of identity theft constituted an injury-in-fact, it had, in other contexts, found that the threat of future harm may be sufficient to confer standing. In cases where “the possibility of future injury may be sufficient to confer standing on plaintiffs … threatened injury constitutes ‘injury-in-fact,’”10 such as threat of future environmental or medical harms. More specifically, a plaintiff “may allege a future injury in order to comply with [the injury-in-fact] requirement, but only if he or she ‘is immediately in danger of sustaining some direct injury as the result of the challenged … conduct and the injury or threat of injury is both real and immediate, not conjectural or hypothetical.’”11
The court of appeals also cited two other somewhat conflicting circuit court decisions addressing identity theft. In a Seventh Circuit case, Pisciotta v. Old National Bancorp, that court held that plaintiffs “whose data had been stolen but not yet misused had suffered an injury-in-fact sufficient to confer Article III standing.”12 Yet, in contrast, the Sixth Circuit, in Lambert v. Hartman, found that while the actual financial injuries from the theft of personal data were sufficient to confer standing, any “risk of future identity theft” was “somewhat ‘hypothetical’ and ‘conjectural.’”13
In Starbucks, the Ninth Circuit found an injury-in-fact sufficient to confer standing because plaintiffs “alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” Yet, the court hedged, “[w]ere Plaintiffs-Appellants’ allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible.”
Dismissal of State-Law Claims
However, the Ninth Circuit also affirmed the district court’s dismissal of the state-law claims, as plaintiffs-appellants, under Washington law, had “not established a cognizable injury for purposes of their negligence claim” and had “not adequately alleged the existence of an implied contract.”14 As such, the court did not address whether Starbucks’ credit monitoring would have been an available remedy or whether damages would be barred where plaintiffs failed to show monetary harm.15
Implications for Data Privacy
Increasing amounts of PII are collected and maintained by employers in electronic format. Entities that collect PII must take steps to adequately protect the information that has accrued. Suits such as Krottner demonstrate the extent of potential liability that an organization could face in the event of a cognizable breach. The district court also highlighted Starbucks’ decision to provide credit monitoring services to its employees as evidence that injury could occur, demonstrating the importance of carefully considering the appropriate response to a breach.16 It is essential that entities that are in possession of PII implement policies and procedures that not only protect the data, but also contemplate the steps that will be taken in the event of a breach.