Starbucks Employees File Class Action Over Data Breach


Last Thursday lawyers filed a class complaint against Starbucks asserting claims arising out of the theft of a Starbucks laptop computer which resulted in the breach of (approximately) 97,000 employees' personal information.  The information compromised included contact information and social security numbers.  The complaint was filed in the Western District of Washington (Seattle), and you can access a copy [pdf] here.

My first impression: read a summary of Pinero v. Jackson Hewitt Tax Service (e.g., here and here) to get a feel for the hurdles plaintiffs are likely to face here.  In Pinero, the plaintiff's tax returns were discarded and found in a dumpster.  She asserted claims under the privacy policy, contract, and under tort principles (all under Louisiana law, except for a federal claim specific to tax return information).  The court was skeptical to say the least.  Citing to several other federal court cases, the court in Pinero ruled that a data breach sans actual damages is not actionable.

What makes this case different from Pinero?  Two possibilities.  First, Washington law could differ from Louisiana law.  Washington could have a more expansive duty with respect to privacy, and damages theories which are not as restrictive as those under Louisiana law.  The second is the existence of employer-specific statutes or rules which restrict the disclosure of personal information.  I don't know the answer one way or the other on this issue.  It's worth noting that Washington does have a data breach statute in place [link] and it appears that Starbucks complied with it, by (i) notifying plaintiff of the breach and (ii) possibly going above and beyond, and offering free credit monitoring services.  (The complaint notes that monitoring services were offered to all affected employees, but argues that these services are inadequate.)

Ultimately, the struggle in this case will be the speculative terms in which the harm is presented.  The complaint is replete with references to the hypothetical, grave consequences of a data breach, but it does not appear that anyone has actually had their identity stolen or lost money as a result of the data breach. 

NB:  my anecdotal observation is that federal courts in Seattle are somewhat inhospitable to class actions, even though they aren't necessarily a particularly friendly forum for defendants.
 
 