Let’s say you’re an employer that maintains unencrypted employee information on a laptop computer and the computer gets stolen. Could you be liable for the possible harm that could come to employees if their personal information were disclosed? In a recent decision, the Ninth U.S. Circuit Court of Appeals held that affected employees might have a claim based on the potential for injury — even though the claims in this case were dismissed.
Stolen laptop raises fears
On October 29, 2008, someone stole a laptop computer from Starbucks. The laptop contained unencrypted names, addresses, and social security numbers for some 97,000 Starbucks employees.
A couple of weeks later, Starbucks sent a letter to employees whose information was on the stolen laptop alerting them to the theft and stating that the company had “no indication that the private information has been misused.” Even so, Starbucks urged employees to monitor their financial accounts for suspicious activity and take steps to protect themselves against possible identity theft. Starbucks offered free credit-watch services through Equifax for a period of one year.
Laura Krottner and Ishaya Shamasa were two of the employees who received the letter and enrolled in the free credit-watch services. Shamasa’s bank notified him that someone had tried to open an account using his social security number, but the bank closed out the account and he lost nothing. Joseph Lalli, another employee, said that he spent substantial personal time monitoring his accounts and placed fraud alerts on his credit cards. He claimed the situation caused him generalized anxiety and distress.
In two separate class actions filed on behalf of themselves and others, the three employees claimed that Starbucks had been negligent and had breached an implied contract under Washington law. A threshold question for the trial court was whether, in the absence of any actual financial loss or other injury, the employees had “standing” to sue. In other words, was the mere potential for harm enough to entitle them to proceed with the lawsuit? The trial court found that they did have standing, but it then dismissed their state-law claims. The employees appealed.
Is fear enough for a lawsuit?
Under the U.S. Constitution, a federal court has jurisdiction to hear a case only if the person who filed the suit has actually suffered an injury or is very likely to suffer an injury that can be traced back to something done by the party that’s being sued. In this case, Starbucks argued that nothing bad had happened to the employees. None had suffered any financial loss. Was the type of generalized anxiety and distress described by Lalli enough of an injury to give the employees standing to sue?
The Ninth Circuit had to decide whether the threat of something bad happening was sufficient. The employees clearly had a potential injury — namely, an increased risk of identity theft. The court found that if someone faces a “credible threat of harm,” that can give him a basis for going to court. Unfortunately for these employees, however, the right to file a lawsuit didn’t mean the underlying state-law claims had merit. The Ninth Circuit affirmed the dismissal of those claims. Krottner v. Starbucks Corp. , Case No. 09-35823 (9th Cir., Dec. 14, 2010).
Reminder: Safeguard personal information!
This age of technology brings risks along with the benefits. We’ve read many stories about stolen laptops and other breaches of security, and employees are rightly concerned about access to information that could make them victims of identity theft. Be sure you take appropriate measures to limit access to personal information. If for some reason that information must be retained on a laptop, take steps to encrypt it. And make certain that employees who use or take the laptop off-site are aware of their responsibility to keep it secure.