KROTTNER v. STARBUCKS CORP. Nos. 09-35823, 09-35824.
628 F.3d 1139 (2010)
Laura KROTTNER; Ishaya Shamasa, individually and on behalf of all others similarly situated, Plaintiffs-Appellants, v. STARBUCKS CORPORATION, a Washington Corporation, Defendant-Appellee. Joseph Lalli, individually and on behalf of all others similarly situated, Plaintiff-Appellant, v. Starbucks Corporation, a Washington Corporation, Defendant-Appellee.
United States Court of Appeals, Ninth Circuit.
Filed December 14, 2010.
Lynn Lincoln Sarko, Mark A. Griffin, and Gretchen Freeman Cappio, Keller Rohrback L.L.P., Seattle, WA; Mila F. Bartos, Karen J. Marcus, and Eugene J. Benick, Finkelstein Thompson LLP, Washington, DC; and Ben Barnow, Barnow and Associates, P.C., Chicago, IL, for the plaintiffs-appellants.
Gavin W. Skok and Karl J. Quackenbush, Riddell Williams, P.S., Seattle, WA, for the defendant-appellee.
Before: ALEX KOZINSKI, Chief Judge, and SIDNEY R. THOMAS and MILAN D. SMITH, JR., Circuit Judges.
M. SMITH, Circuit Judge:
Plaintiffs-Appellants Laura Krottner, Ishaya Shamasa, and Joseph Lalli appeal the district court's dismissal of their negligence and breach of contract claims against Starbucks Corporation. Plaintiffs-Appellants are current or former Starbucks employees whose names, addresses, and social security numbers were stored on a laptop that was stolen from Starbucks. Their complaints allege that, in failing to protect Plaintiffs-Appellants' personal data, Starbucks acted negligently and breached an implied contract under Washington law.
Affirming the district court, we hold that Plaintiffs-Appellants, whose personal information has been stolen but not misused, have suffered an injury sufficient to confer standing under Article III, Section 2 of the U.S. Constitution. We affirm the dismissal of their state-law claims in a memorandum disposition filed contemporaneously with this opinion.
FACTUAL AND PROCEDURAL BACKGROUND
On October 29, 2008, someone stole a laptop from Starbucks. The laptop contained the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees.
On November 19, 2008, Starbucks sent a letter to Plaintiffs-Appellants and other
Krottner and Shamasa allege that after receiving the letter, they enrolled in the free credit watch services that Starbucks offered. Krottner alleges that she "has been extra vigilant about watching her banking and 401(k) accounts," spending a "substantial amount of time doing so," and will pay out-of-pocket for credit monitoring services once the free service expires. Lalli alleges that he "has spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts," has placed fraud alerts on his credit cards, and "has generalized anxiety and stress regarding the situation." Shamasa alleges that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and Shamasa does not allege that he suffered any financial loss.
Plaintiffs-Appellants filed two nearly identical putative class action complaints against Starbucks, alleging negligence and breach of implied contract. On August 14, 2009, the district court granted Starbucks's motion to dismiss, holding that Plaintiffs-Appellants have standing under Article III but had failed to allege a cognizable injury under Washington law. Plaintiffs-Appellants appealed, and we have jurisdiction under 28 U.S.C. § 1291.
We have an independent obligation to examine standing to determine whether it comports with the case or controversy requirement of Article III, Section 2 of the Constitution. See Steel Co. v. Citizens for a Better Env't,
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc.,
It was undisputed before the district court that Plaintiffs-Appellants had sufficiently alleged causation and redressability, the second and third standing requirements. We thus turn to the first
Plaintiffs-Appellants' remaining allegations concern their increased risk of future identity theft. Krottner and Shamasa enrolled in credit watch services, but Starbucks provided those services at no cost to affected employees. Krottner and Lalli allege that they have been vigilant in monitoring their accounts—that is, in guarding against future identity theft—but they do not allege that any theft has actually occurred. Shamasa alleges that someone attempted to open a bank account in his name, but that the bank closed the account before he suffered any loss.
Although we have not previously determined whether an increased risk of identity theft constitutes an injury-in-fact, we have addressed future harm in other contexts, holding that "the possibility of future injury may be sufficient to confer standing on plaintiffs; threatened injury constitutes `injury in fact.'" Cent. Delta Water Agency, 306 F.3d at 947. More specifically,
Scott v. Pasadena Unified Sch. Dist.,
In Pisciotta v. Old National Bancorp, the Seventh Circuit extended that reasoning to the identity-theft context, holding that plaintiffs whose data had been stolen but not yet misused had suffered an injury-in-fact sufficient to confer Article III standing.
Id. at 634 (footnotes omitted). Because the plaintiffs had alleged an act that increased their risk of future harm, they had alleged an injury-in-fact sufficient to confer standing. Id.
The Sixth Circuit, while not explicitly analyzing the issue, appears to disagree. In Lambert v. Hartman, the plaintiff alleged both that she had suffered financial loss as a result of identity theft and that the theft had exposed her to the risk of additional, future identity theft.
On these facts, we reach a different conclusion. If a plaintiff faces "a credible threat of harm," Cent. Delta Water Agency, 306 F.3d at 950, and that harm is "both real and immediate, not conjectural or hypothetical," Lyons, 461 U.S. at 102, 103 S.Ct. 1660 (internal quotation marks omitted), the plaintiff has met the injury-in-fact requirement for standing under Article III. Here, Plaintiffs-Appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. Were Plaintiffs-Appellants' allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible. On these facts, however, Plaintiffs-Appellants have sufficiently alleged an injury-in-fact for purposes of Article III standing.
- No Cases Found