The United States Court of Appeals for the Ninth Circuit held that that an increased risk of identity theft is sufficient to confer Article III standing, even though no data has been misused, nor any financial loss has been incurred. However, in a separate Memorandum, the 9th Circuit held that plaintiffs-appellants did not adequately allege the elements of their state-law claims.
Plaintiffs were employees of Starbucks Corporation (Starbucks), who were among the 97, 000 Starbuck’s employees whose unencrypted names, addresses, and social security numbers were stored on a laptop stolen from Starbucks. Starbucks sent all affected employees a letter stating that the company had “no indication that the private information has been misused” and offered them a year of free credit watch services. Plaintiffs enrolled in the free credit watch services, and also spent time personally monitoring their accounts for fraud. However, they have not suffered any financial losses.
Plaintiffs filed two class actions suits against Starbucks, claiming that Starbucks, by failing to protect plaintiffs’ personal data, had acted negligently and had breached an implied contract under Washington law. The United States District Court for the Western District of Washington granted Starbuck’s motion to dismiss, holding that Plaintiffs indeed have standing under Article III of the Constitution, which limits federal-court jurisdiction to “cases” and “controversies,” but had failed to allege a cognizable injury under Washington law. Plaintiffs appealed, and the Ninth Circuit affirmed the District Court’s dismissal, finding that they had indeed suffered an injury sufficient to confer them standing.
Under the case or controversy requirement of Article III, Section 2 of the Constitution, a plaintiff must have suffered an ‘injury in fact’ in order to have standing. This ‘injury in fact’ must be (1) concrete and particularized and actual or imminent. It must be (2) fairly traceable to the defendant’s action, and it must be (3) likely that the injury will be redressed by a favorable decision. It was undisputed before the District Court that Plaintiffs had sufficiently alleged causation (2) and redressability (3).
Did plaintiffs suffer an injury-in-fact? One of the plaintiffs had suffered “generalized anxiety and stress,” and the Ninth Circuit found it sufficient to confer standing. The other plaintiffs were concerned about their increased risk of future identity theft. No theft had occurred, even though someone had attempted to open a bank account in the name of one of the plaintiffs. The account was closed by the bank before any loss could occur. Does it constitute an injury-in-fact? The Ninth Circuit quoted Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir.2007). In this case, plaintiffs had stated that they had incurred expenses in order to prevent their confidential personal information to be used, and would have to continue to incur these expenses in the future, yet had not alleged any direct financial loss to their accounts as a result of a security breach. For the Seventh Circuit “the injury in- fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” However, the Seventh Circuit ruled in that case that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.”
The 9th Circuit also quoted Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008). In Lambert, the plaintiff had alleged that her identity was stolen after her personal information had been published on the Clerk’s website of an Ohio court. Her financial security and credit rating suffered as a result, and she also had claimed that because of the nature of the identity theft, she had been exposed to the risk that people had accessed her personal information on the Internet and would be able to use that information to commit future acts of identity theft against her. The Sixth Circuit held that “[a]lthough this latter injury is somewhat “hypothetical” and “conjectural,” her actual financial injuries are sufficient to meet the injury-in-fact requirement.”
In the Starbucks case, the 9th Circuit held that plaintiff had alleged “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. Were Plaintiffs-Appellants’ allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible.”
So if the risk of future identity theft is “conjectural” or “hypothetical, “there would be no injury-in-fact. The threshold seems however to be low. The mere fact that personal data is stored, unencrypted, on a laptop, which is somewhat easier to steal than a bigger computer, does not mean that plaintiffs would meet the injury-in-fact requirement for standing. But if the laptop is stolen, and if it contains unencrypted personal data, the threat is sufficiently credible.
However, as, under Washington law, an actual loss or damage is an essential element for a cause of action in a negligence suit, and “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” the 9th Circuit affirmed the dismissal of plaintiffs’ negligence claim.