Cup Only Half Full for Victims of Data Security Breach
Posted by C. Max Perlman on Fri, Dec 17, 2010 @ 03:08 PM

Starbucks appeared to be headed for a venti-sized mess when a company laptop containing unencrypted names, addresses and social security numbers of 97,000 employees was stolen in 2008. The smell of fear - fear of identity theft - replaced the ever-present (and, in this blogger’s opinion, luscious) aroma of the coffee at Starbucks stores everywhere. Starbucks offered free credit monitoring to its employees for a year and everyone hoped for the best.
Fortunately for everyone involved, no incidents of identity theft percolated from the laptop theft. It is quite possible that the theft was a petty theft, and that the perpetrator stole the machine for its street value, without the intention or wherewithal to use its contents to steal identities. That is always the best-case scenario in a laptop theft, but it is usually impossible to figure out the crook’s objectives, so everyone is left to wait and worry. And sometimes, sue.
Despite the fact that no identity theft arose from the theft of the laptop, a group of baristas threw down their aprons and filed class action lawsuits claiming that Starbucks was negligent in losing their personal information and subjecting them to possible identity theft. Starbucks challenged the lawsuits, arguing that none of the employees was harmed, because no identity theft actually occurred.
This week, a Federal Appeals Court found that the employees had standing to sue, because the theft of a laptop containing their unencrypted personal data was sufficient to establish the threat of real and immediate harm (even without actual harm sustained). This meant only that the employees had the legal and Constitutional right to initiate a lawsuit. Before the baristas could celebrate their standing, however, the court dismissed their claims, holding that the employees could not pursue a negligence claim against Starbucks because they really had not been injured, as under applicable law (State of Washington), “the mere danger of future harm, unaccompanied by present damage, will not support a negligence claim.” Clearing up what might seem at first glance to be contradictory rulings: the court found that the employees had the right to bring a lawsuit, but that the lawsuit was no good under Washington law.
Despite the court’s ultimate dismissal of the employees’ claims, the decision will help future plaintiffs in overcoming the initial hurdle of establishing standing to sue. The outcome of the claims will be based upon applicable state law and the plaintiffs’ ability to plead an injury under that law.
Starbucks certainly spent significant amounts of money to rectify and address the situation, including credit monitoring fees and legal fees. Also, the theft created significant public relations and employee relations headaches.
One key takeaway from the Starbucks story is that all portable electronic media containing personal information should be encrypted. For personal information of Massachusetts residents, it is required.
If you have any data security questions, like the state of your compliance with the new Massachusetts Data Security Regulations, please fill out the attached form and a member of HRW’s Data Security Team would be glad to sit down with you to discuss, perhaps over a cup of coffee.