New breaches of individuals’ personally identifiable information (“PII”) are announced every week, but so far plaintiffs have had limited success in pursuing class actions against breached companies because they usually cannot plead injury-in-fact sufficient to establish standing. However, plaintiffs are using creative approaches in an effort to overcome the standing hurdle, including pleading claims that provide for statutory damages, avoiding the question of actual damages and whether the plaintiffs suffered any actual injury at all (although the viability of using statutory damages to create standing is currently being challenged in a certiorari petition pending before the Supreme Court). For example, a former employee recently brought a class-action claim alleging that the Coca-Cola Company failed to secure employees’ driver’s license and motor vehicle records in violation of the federal Driver’s Privacy Protection Act (“DPPA”). The statute provides a private right of action and statutory damages for individuals. If the plaintiff prevails, Coca-Cola could be liable to the class for more than $185 million.
The plaintiff in the Coca-Cola case brought claims on behalf of himself and a putative class of 74,000 current and former employees under the DPPA, 18 U.S.C. § 2724. Complaint at 24, Enslin v. The Coca-Cola Co., No. 2:14-CV-06476 (E.D. Pa. Nov. 12, 2014), ECF No. 1. The DPPA provides that “[a] person who knowingly obtains, discloses or uses personal information, from a motor vehicle record for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains.” Personal information is defined broadly as “any information that identifies an individual.” Motor vehicle records could include such personal information as a phone number, driver identification number, social security number, name, address, individual photograph, and medical or disability information. For violations of the DPPA, a court may award (1) actual damages, but not less than liquidated damages in the amount of $2,500 per person; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorneys’ fees and costs; and (4) other equitable relief as deemed necessary by the court.
The plaintiff alleges that, as a condition of employment with Coca-Cola, he and members of the class had to submit their driver’s license information and authorize the company to obtain their driving records. The plaintiff also alleges that Coca-Cola stored employees’ driver’s license information and other information from employees’ motor vehicle records in an unencrypted and unsecured format on the company’s computer network and on company laptops. Finally, the plaintiff alleges that from 2007 to 2013, thieves stole 55 laptop computers containing employees’ unencrypted personal information. The plaintiff claims that “[b]y knowingly retaining the information in an unencrypted and unsecured manner,” Coca-Cola disclosed the plaintiffs’ PII, driver’s license information, and driving records to the thieves who stole the laptops.
The plaintiff’s DPPA claim – though creative – faces at least two obstacles. First, there is a question as to whether the DPPA applies to the alleged conduct. In 2013, the Eleventh Circuit upheld the dismissal of a class-action DPPA claim against Best Buy in Siegler v. Best Buy Co. because it found that the DPPA only applied to information originating from a state’s department of motor vehicles. In that case, Best Buy obtained driver’s license information from the plaintiffs themselves, rather than from the state.
Although likely persuasive, the Eleventh Circuit’s decision in Siegler is not binding in the Coca-Cola case, which the plaintiff brought in the Eastern District of Pennsylvania, a court within the Third Circuit. Moreover, the plaintiff alleges that Coca-Cola may have obtained some of the plaintiffs’ information directly from motor vehicle records provided by the Pennsylvania Department of Transportation and other states’ departments of motor vehicles through plaintiffs’ authorizations. Thus, the Coca-Cola case may be distinguishable.
Additionally, there is a question as to whether statutory damages (or “injury-in-law”) may constitute the “injury-in-fact” required to establish Article III standing. The issue has been presented to the U.S. Supreme Court in a pending petition for writ of certiorari in Spokeo, Inc. v. Robins. The plaintiff in that case alleged that Spokeo violated the Fair Credit Reporting Act and sought statutory damages on behalf of a class. The district court dismissed the case for lack of standing, but the Ninth Circuit reversed, holding that alleged violations of statutory rights were “sufficient to satisfy the injury-in-fact requirement of Article III” and that allegations of actual harm were unnecessary.
If the plaintiffs overcome these hurdles and prevail against Coca-Cola, the company could be liable for up to $185 million in damages under the DPPA, and the case could highlight a viable avenue for class recovery regardless of whether a plaintiff has suffered out-of-pocket losses.
The Coca-Cola case not only demonstrates how plaintiffs are pleading statutory damages in order to establish standing, but it also shows how statutory damages in a class-action suit can add up quickly. As plaintiffs find success in their efforts to plead claims that include statutory damages, companies may face increased potential exposure from data breach incidents. In the meantime, companies that store PII obtained from a state department of motor vehicles should make sure that their collection, use, protection, and disclosure of the data comply with the DPPA.