A federal judge in Pennsylvania has allowed a data breach class action against Coca-Cola and several bottling companies to proceed, finding that the plaintiff has Article III standing even though he had left Coca-Cola’s employment seven years earlier. This is the first time a Pennsylvania federal court has permitted a data breach class action to proceed beyond the motion to dismiss stage. 

Enslin v. The Coca-Cola Company, et al., arose out of the theft of 55 laptops containing personal identification information (PII) of the plaintiff and 74,000 other current and former employees of the Coca-Cola Company and six related entities. The PII included the plaintiff’s Social Security number, address, bank account information, credit card numbers, driver’s license information, and motor vehicle records, all of which was allegedly stored in an unencrypted format.

The plaintiff alleges that, within months of being notified of the breach in 2014, he began to experience unauthorized uses of his finances and identity by unknown persons. He commenced a class action against each of the Coca-Cola defendants. He alleged they failed to take reasonable steps to safeguard his PII, engaged in misrepresentation, fraud, and conspiracy by failing to disclose the true extent of the data breach, and violated the U.S. Driver’s Privacy Protection Act, which prohibits the disclosure of a person’s driving information unless authorized under the Act. The defendants moved to dismiss for lack of standing and failure to state a claim.

The defendants challenged Article III standing on two grounds. First, they alleged that the future harms the plaintiff may suffer from the loss of his PII, and the monies he expended in anticipation of these harms, are speculative, hypothetical, and thus not an injury-in-fact sufficient to confer federal standing. Second, the defendants alleged that even if the plaintiff has suffered an injury-in-fact, his injuries are not fairly traceable to the conduct of the defendants.

In rejecting both arguments, the court distinguished Reilly v. Ceridian Corp., a data breach class action wherein the Third Circuit, citing Clapper v. Amnesty Int’l, USA, found that the plaintiffs’ claims of future harm were “speculative” and “hypothetical.” By contrast, the court in Enslin found the plaintiff had suffered “ongoing, present, distinct, and palpable harms,” including the alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and unauthorized issuance of new credit cards in his name. The court also found that the time, effort, and expense the plaintiff expended to combat these actual, imminent, and impending harms constituted an actionable injury-in-fact.

Although seven years had passed between the plaintiff’s end of employment and the alleged misuse of the information, the court concluded the “chain linking the loss of plaintiff’s Social Security number, credit cards, and banking information, and the subsequent identity attacks plaintiff suffered, is plausible.” The court allowed the plaintiff’s claims for breach of express and implied contract to survive, along with his unjust enrichment claim, but dismissed his remaining claims.

Enslin is the first case in which a Pennsylvania federal court has permitted a data breach class action to proceed beyond the motion to dismiss stage. It follows a number of recent federal cases from other jurisdictions, notably the Seventh and Ninth Circuits, where courts have held that plaintiffs in data breach class actions have Article III standing. One question left unanswered by the Enslin case is whether Pennsylvania federal courts will allow claims to go forward where a data breach plaintiff has only alleged a fear of future harm, without having suffered actual identity theft.