A federal judge in Pennsylvania has allowed a data breach class action against Coca-Cola and several bottling companies to proceed, finding that the plaintiff has Article III standing even though he had left Coca-Cola’s employment seven years earlier. This is the first time a Pennsylvania federal court has permitted a data breach class action to proceed beyond the motion to dismiss stage. 

Enslin v. The Coca-Cola Company, et al., arose out of the theft of 55 laptops containing personal identification information (PII) of the plaintiff and 74,000 other current and former employees of the Coca-Cola Company and six related entities. The PII included the plaintiff’s Social Security number, address, bank account information, credit card numbers, driver’s license information, and motor vehicle records, all of which was allegedly stored in an unencrypted format.

Within months of being notified of the breach in 2014, the plaintiff alleges he began to experience unauthorized uses of his finances and identity by unknown persons. He commenced a class action against each of the Coca-Cola defendants. He alleged they failed to take reasonable steps to safeguard his PII, engaged in misrepresentation, fraud, and conspiracy by failing to disclose the true extent of the data breach, and violated the U.S. Driver’s Privacy Protection Act, which prohibits the disclosure of a person’s driving information unless authorized under the Act. The defendants moved to dismiss for lack of standing and failure to state a claim.

The defendants challenged Article III standing on two grounds. First, they alleged that the future harms the plaintiff may suffer from the loss of his PII, and the monies he expended in anticipation of these harms, are speculative and hypothetical, and thus not an injury-in-fact sufficient to confer federal standing. Second, the defendants alleged that even if the plaintiff has suffered an injury-in-fact, his injuries are not fairly traceable to the conduct of the defendants.

In rejecting both arguments, the court distinguished Reilly v. Ceridian Corp., a data breach class action wherein the Third Circuit, citing Clapper v. Amnesty Int’l, USA, found that the plaintiffs’ claims of future harm were “speculative” and “hypothetical.” By contrast, the court in Enslin found the plaintiff had suffered “ongoing, present, distinct, and palpable harms,” including the alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and unauthorized issuance of new credit cards in his name. The court also found that the time, effort, and expense the plaintiff expended to combat these actual, imminent, and impending harms constituted an actionable injury-in-fact.

Although seven years had passed between the plaintiff’s end of employment and the alleged misuse of the information, the court concluded the “chain linking the loss of plaintiff’s Social Security number, credit cards, and banking information, and the subsequent identity attacks plaintiff suffered, is plausible.” The court allowed the plaintiff’s breach of express and implied contract claims to survive, along with his unjust enrichment claim, but dismissed his remaining claims.

Enslin is the first case in which a Pennsylvania federal court has permitted a data breach class action to proceed beyond the motion to dismiss stage. It follows a number of recent federal cases from other jurisdictions, notably the Seventh and Ninth Circuits, where courts have held that plaintiffs in data breach class actions have Article III standing. One question left unanswered by the Enslin case is whether Pennsylvania federal courts will allow claims to go forward where a data breach plaintiff has only alleged a fear of future harm, without having suffered actual identity theft.

Ballard Spahr’s Privacy and Data Security Group assists clients in complying with regulatory privacy and data security requirements and responding to data breaches. In the event of a breach, members of the Group work with clients to quickly and effectively launch a comprehensive response under the protection of attorney-client privilege, assess the situation, and—if necessary—notify and respond to state, federal, and international regulators.

If you have questions, please contact Privacy and Data Security Group Practice Leaders Philip N. Yannella or Daniel JT McKenna, or the Ballard Spahr attorney with whom you work.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.