Last week, the Ninth Circuit issued two opinions in connection with the theft of an unencrypted laptop that contained personal information about Starbucks employees. First, the court held in a published opinion that Starbucks employees whose names, addresses and Social Security numbers were on the stolen computer could show that they had suffered enough injury to sustain their claim for purposes of getting into federal court. Specifically, the court found that the increased risk of identity theft satisfies the requirement that plaintiffs show an injury so long as there is a “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.” The court also found that “generalized anxiety and stress” are other kinds of harm that could satisfy the requirement.
Although the Starbucks employees satisfied the injury requirement, a second, unpublished Ninth Circuit opinion issued the same day indicated that they had not shown damages — a key issue in privacy litigation. “The mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” held the court. (We have elsewhere reported on the challenges that individuals affected by security breaches face in establishing damages.) The Ninth Circuit also found that the Starbucks employees failed to show the existence of an implied contract under Washington law.