Starbucks Employees File Class Action Over Data Breach
Last Thursday lawyers filed a class complaint against Starbucks asserting claims arising out of the theft of a Starbucks laptop computer which resulted in the breach of (approximately) 97,000 employees' personal information. The information compromised included contact information and social security numbers. The complaint was filed in the Western District of Washington (Seattle), and you can access a copy [pdf] here.
What makes this case different from Pinero? Two possibilities. First, Washington law could differ from Louisiana law. Washington could have a more expansive duty with respect to privacy, and damages theories which are not as restrictive as those under Louisiana law. The second, is the existence of employer-specific statutes or rules, which restrict the disclosure of personal information. I don't know the answer one way or the other on this issue. It's worth noting that Washington does have a data breach statute in place [link] and it appears that Starbucks complied with it, by (i) notifying plaintiff of the breach and (ii) possibly going above and beyond, and offering free credit monitoring services. (The complaint notes that monitoring services were offered to all affected employees, but argues that these services are inadequate.)
Ultimately, the struggle in this case will be the speculative terms in which the harm is presented. The complaint is replete with references to the hypothetical, grave consequences of a data breach, but it does not appear that anyone has actually had their identity stolen or lost money as a result of the data breach.
NB: my anecdotal observation is that federal courts in Seattle are somewhat unhospitable to class actions, even though they aren't necessarily a particularly friendly forum for defendants.