From Casetext: Smarter Legal Research

Krottner v. Starbucks Corp.

United States Court of Appeals, Ninth Circuit
Dec 14, 2010
406 F. App'x 129 (9th Cir. 2010)

Summary

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Atlas v. Fox

Opinion

Nos. 09-35823, 09-35824.

Argued and Submitted October 6, 2010.

Filed December 14, 2010.

Lynn Lincoln Sarko, Mark A. Griffin, and Gretchen Freeman Cappio, Keller Rohrback L.L.P., Seattle, WA; Mila F. Bartos, Karen J. Marcus, and Eugene J. Benick, Finkelstein Thompson LLP, Washington, DC; and Ben Barnow, Barnow and Associates, P.C., Chicago, IL, for the plaintiffs-appellants.

Gavin W. Skok and Karl J. Quackenbush, Riddell Williams, P.S., Seattle, WA, for the defendant-appellee.

Appeal from the United States District Court for the Western District of Washington, Richard A. Jones, District Judge, Presiding. D.C. Nos. 2:09-cv-00216-RAJ, 2:09-cv-00389-RAJ.

Before: ALEX KOZINSKI, Chief Judge, and SIDNEY R. THOMAS and MILAN D. SMITH, JR., Circuit Judges.


OPINION


Plaintiffs-Appellants Laura Krottner, Ishaya Shamasa, and Joseph Lalli appeal the district court's dismissal of their negligence and breach of contract claims against Starbucks Corporation. Plaintiffs-Appellants are current or former Star-bucks employees whose names, addresses, and social security numbers were stored on a laptop that was stolen from Star-bucks. Their complaints allege that, in failing to protect Plaintiffs-Appellants' personal data, Starbucks acted negligently and breached an implied contract under Washington law.

Affirming the district court, we hold that Plaintiffs-Appellants, whose personal information has been stolen but not misused, have suffered an injury sufficient to confer standing under Article III, Section 2 of the U.S. Constitution. We affirm the dismissal of their state-law claims in a memorandum disposition filed contemporaneously with this opinion.

FACTUAL AND PROCEDURAL BACKGROUND

On October 29, 2008, someone stole a laptop from Starbucks. The laptop contained the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees.

On November 19, 2008, Starbucks sent a letter to Plaintiffs-Appellants and other affected employees alerting them to the theft and stating that Starbucks had "no indication that the private information has been misused." Nonetheless, the letter continued,

As a precaution, we ask that you monitor your financial accounts carefully for suspicious activity and take appropriate steps to protect yourself against potential identity theft. To assist you in protecting this effort [sic], Starbucks has partnered with Equifax to offer, at no cost to you, credit watch services for the next year.

Krottner and Shamasa allege that after receiving the letter, they enrolled in the free credit watch services that Starbucks offered. Krottner alleges that she "has been extra vigilant about watching her banking and 401(k) accounts," spending a "substantial amount of time doing so," and will pay out-of-pocket for credit monitoring services once the free service expires. Lalli alleges that he "has spent and continues to spend substantial amounts of time checking his 401 (k) and bank accounts," has placed fraud alerts on his credit cards, and "has generalized anxiety and stress regarding the situation." Shamasa alleges that his bank notified him in December 2008 that someone had attempted to open a new account using his social security number. The bank closed the account, and Shamasa does not allege that he suffered any financial loss.

Plaintiffs-Appellants filed two nearly identical putative class action complaints against Starbucks, alleging negligence and breach of implied contract. On August 14, 2009, the district court granted Starbucks's motion to dismiss, holding that Plaintiffs-Appellants have standing under Article III but had failed to allege a cognizable injury under Washington law. Plaintiffs-Appellants appealed, and we have jurisdiction under 28 U.S.C. § 1291.

DISCUSSION

We have an independent obligation to examine standing to determine whether it comports with the case or controversy requirement of Article III, Section 2 of the Constitution. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 95, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998); see also Equity Lifestyle Props., Inc. v. Cnty. of San Luis Obispo, 548 F.3d 1184, 1189 n. 10 (9th Cir. 2008) ("The jurisdictional question of standing precedes, and does not require, analysis of the merits."). The case or controversy requirement, which constitutes "the irreducible constitutional minimum of standing," Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992), requires that a plaintiff show

(1) it has suffered an `injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.

Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81, 120 S.Ct. 693, 145 L.Ed.2d 610 (2000). The party asserting federal jurisdiction bears the burden of establishing these requirements at every stage of the litigation, as it does for "any other essential element of the case." Cent. Delta Water Agency v. United States, 306 F.3d 938, 947 (9th Cir. 2002). On appeal from a motion to dismiss, a plaintiff need only show that the facts alleged, if proven, would confer standing. See id.

It was undisputed before the district court that Plaintiffs-Appellants had sufficiently alleged causation and redressability, the second and third standing requirements. We thus turn to the first standing requirement: whether Plaintiffs-Appellants adequately alleged an injury-in-fact. Lalli's allegation that he "has generalized anxiety and stress" as a result of the laptop theft is the only present injury that Plaintiffs-Appellants allege. This is sufficient to confer standing, but only as to Lalli. See Doe v. Chao, 540 U.S. 614, 617-18, 624-25, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004) (suggesting that a plaintiff who allegedly "was `torn . . . all to pieces' and \vas greatly concerned and worried' because of the disclosure of his Social Security number and its potentially `devastating' consequences" had no cause of action under the Privacy Act, but nonetheless had standing under Article III (ellipsis in original) (internal quotation marks omitted)).

Plaintiffs-Appellants' remaining allegations concern their increased risk of future identity theft. Krottner and Shamasa enrolled in credit watch services, but Starbucks provided those services at no cost to affected employees. Krottner and Lalli allege that they have been vigilant in monitoring their accounts — that is, in guarding against future identity theft — but they do not allege that any theft has actually occurred. Shamasa alleges that someone attempted to open a bank account in his name, but that the bank closed the account before he suffered any loss.

Although we have not previously determined whether an increased risk of identity theft constitutes an injury-in-fact, we have addressed future harm in other contexts, holding that "the possibility of future injury may be sufficient to confer standing on plaintiffs; threatened injury constitutes `injury in fact.'" Cent. Delta Water Agency, 306 F.3d at 947. More specifically,

[a] plaintiff may allege a future injury in order to comply with [the injury-in-fact] requirement, but only if he or she "is immediately in danger of sustaining some direct injury as the result of the challenged . . . conduct and the injury or threat of injury is both real and immediate, not conjectural or hypothetical."

Scott v. Pasadena Unified Sch. Dist., 306 F.3d 646, 656 (9th Cir. 2002) (emphasis in Scott) (quoting City of Los Angeles v. Lyons, 461 U.S. 95, 102, 103 S.Ct. 1660, 75 L.Ed.2d 675 (1983)). Thus, in the context of environmental claims, a plaintiff may challenge governmental action that creates "a credible threat of harm" before the potential harm, or even a statutory violation, has occurred. See Cent. Delta Water Agency, 306 F.3d at 948-50. Similarly, a plaintiff seeking to compel funding of a medical monitoring program after exposure to toxic substances satisfies the injury-in-fact requirement if he is unable to receive medical screening. See Pritikin v. Dep't of Energy, 254 F.3d 791, 796-97 (9th Cir. 2001).

In Pisciotta v. Old National Bancorp, the Seventh Circuit extended that reasoning to the identity-theft context, holding that plaintiffs whose data had been stolen but not yet misused had suffered an injury-in-fact sufficient to confer Article III standing. 499 F.3d 629, 634 (7th Cir. 2007). In Pisciotta, the plaintiffs' only alleged injury was the increased risk that their personal data would be misused in the future; none alleged any completed financial or other loss. Id. at 632. The court surveyed case law addressing toxic substance, medical monitoring, and environmental claims in the Second, Fourth, Sixth, and Ninth Circuits. Id. at 634 n. 3 (citing Denney v. Deutsche Bank AG, 443 F.3d 253, 264-65 (2d Cir. 2006) (toxic substances); Sutton v. St. Jude Med. S.C., Inc., 419 F.3d 568, 574-75 (6th Cir. 2005) (medical monitoring); Cent. Delta Water Agency, 306 F.3d at 947-48 (environmental harm); Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc) (environmental harm)). It concluded:

As many of our sister circuits have noted, the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions. We concur in this view. Once the plaintiffs' allegations establish at least this level of injury, the fact that the plaintiffs anticipate that some greater potential harm might follow the defendant's act does not affect the standing inquiry.

Id. at 634 (footnotes omitted). Because the plaintiffs had alleged an act that increased their risk of future harm, they had alleged an injury-in-fact sufficient to confer standing. Id.

The Sixth Circuit, while not explicitly analyzing the issue, appears to disagree. In Lambert v. Hartman, the plaintiff alleged both that she had suffered financial loss as a result of identity theft and that the theft had exposed her to the risk of additional, future identity theft. 517 F.3d 433, 437 (6th Cir. 2008). The Lambert court held that the plaintiffs actual financial injuries resulting from the theft of her personal data were sufficient to confer standing. Id. It also noted, without analysis, that the risk of future identity theft was "somewhat `hypothetical' and `conjectural.'" Id.

On these facts, we reach a different conclusion. If a plaintiff faces "a credible threat of harm," Cent. Delta Water Agency, 306 F.3d at 950, and that harm is "both real and immediate, not conjectural or hypothetical," Lyons, 461 U.S. at 102, 103 S.Ct. 1660 (internal quotation marks omitted), the plaintiff has met the injury-in-fact requirement for standing under Article III. Here, Plaintiffs-Appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. Were Plaintiffs-Appellants' allegations more conjectural or hypothetical — for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future — we would find the threat far less credible. On these facts, however, Plaintiffs-Appellants have sufficiently alleged an injury-in-fact for purposes of Article III standing.

AFFIRMED.


Summaries of

Krottner v. Starbucks Corp.

United States Court of Appeals, Ninth Circuit
Dec 14, 2010
406 F. App'x 129 (9th Cir. 2010)

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Atlas v. Fox

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Stephen v. Montejo

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Biggins v. Kernan

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Baker v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Driskell v. Matolon

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Pavageau v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Atkins v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Higgins v. Cal. Corr. Health Care Serv.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Sharp v. Kelso

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Lucas v. Brown

holding that "generalized anxiety and stress" was sufficient to confer standing

Summary of this case from Bartl v. Enhanced Recovery Co.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Ross v. Cal. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Valdez v. Matolon

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Cassells v. McNeal

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Hoffman v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Perryman v. C.C.H.C.S.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Venson v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Gachett v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Moore v. Horch

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Gonzalez v. Matolon

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Turner v. Matolon

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Chubbuck v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Miles v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Dukes v. Cal. Corr. Health Care Servs.

holding that threat of potential identity theft created by theft of a laptop known to contain plaintiffs' unencrypted names, addresses, and social security numbers was sufficient to confer standing, but that "more conjectural or hypothetical" allegations would make threat "far less credible"

Summary of this case from Patterson v. Cal. Corr. Health Care Servs.
Case details for

Krottner v. Starbucks Corp.

Case Details

Full title:Laura KROTTNER; Ishaya Shamasa, individually and on behalf of all others…

Court:United States Court of Appeals, Ninth Circuit

Date published: Dec 14, 2010

Citations

406 F. App'x 129 (9th Cir. 2010)
406 F. App'x 129

Citing Cases

Holmes v. Countrywide Fin. Corp.

The actions arise when these businesses misplace or lose large amounts of sensitive information through…

Stasi v. Inmediata Health Grp.

(Id. at 13.) Plaintiffs respond by arguing that under Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.…