No. 09-35823 (and Consolidated Case No. 09-35824) IN THE UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT __________________________________________________ LAURA KROTTNER, ISHAYA SHAMASA, and JOSEPH LALLI, Plaintiffs - Appellants, v. STARBUCKS CORPORATION, Defendant - Appellee. __________________________________________________ Appeal from the United States District Court for the Western District of Washington __________________________________________________ PLAINTIFFS – APPELLANTS’ OPENING BRIEF __________________________________________________ Lynn Lincoln Sarko Mark A. Griffin Gretchen Freeman Cappio KELLER ROHRBACK L.L.P. 1201 Third Avenue, Suite 3200 Seattle, WA 98101-3052 Telephone: (206) 623-1900
Mila F. Bartos Karen J. Marcus Eugene J. Benick FINKELSTEIN THOMPSON LLP 1050 30th Street, NW Washington, DC 20007 Telephone: (202) 337-8000
Ben Barnow BARNOW AND ASSOCIATES, P.C. One North LaSalle, Suite 4600 Chicago, IL 60602 Telephone: (312) 621-2000 Attorneys for Plaintiffs - Appellants
TABLE OF CONTENTS Page I.
JURISDICTION.................................................................................................1
II.
STATEMENT OF THE ISSUES ......................................................................1
III. STATEMENT OF THE CASE..........................................................................2 IV. STATEMENT OF THE FACTS .......................................................................5 V.
SUMMARY OF ARGUMENT ...................................................................... 12
VI. STANDARD OF REVIEW ............................................................................ 13 VII. ARGUMENT ................................................................................................. 15 A.
Starbucks Breached Its Contractual Duty to Plaintiffs, Resulting in Injury and Compensable Damages. ............................................................ 15 1.
Plaintiffs have adequately pled the existence of an implied contract under Washington law. ........................................................................... 18
2.
Plaintiffs have plausibly pled the elements of a breach of a contract. ... 22
3.
Starbucks’ breach of implied contract damaged Plaintiffs..................... 23
4.
Plaintiffs’ Claims Are Ripe for Adjudication......................................... 27
B.
Starbucks Was Negligent In Allowing Plaintiffs’ PII To Be Compromised And Should Be Held Legally Accountable......................... 28 1.
Plaintiffs Have Pled Plausible Prima Facie Elements of Negligence Entitling Plaintiffs To Survive A Motion To Dismiss............................ 29
i
2.
Injury, Harm and Damages are Discrete Legal Concepts, The Understanding Of Which Are Critical To The Proper Adjudication Of The Plaintiffs’ Negligence Claim...................................................... 32 a.
The Concepts of “Injury,” “Harm,” and “Damage” Are Distinct Legal Concepts Which Should Not Be Blurred.................................. 32
b.
Plaintiffs Have Alleged an Injury ....................................................... 34 (i)
Injury For Standing Encompasses Injury For Negligence Claim... 35
(ii) Plaintiffs Are Seeking Remedy Of A Modern Problem Under Well Established Causes Of Action......................................................... 37 (iii) Washington Would Not Be The First Jurisdiction To Find Increased Risk of Identity Theft As Cognizable Claim Under State Law.................................................................................................. 38 c.
Harm Exists for Plaintiffs’ Negligence Claim As Plaintiffs Have Experienced the Loss of Their PII Because of Starbucks' Data Mishandling......................................................................................... 39 (i)
3.
Plaintiffs Have Alleged Sufficient Damages Under Washington Law .. 43
4.
The Economic Loss Rule Does Not Apply............................................. 45
C.
D.
“Proof” Is Not Required At This Stage of The Litigation.............. 42
Credit Monitoring Is an Available Remedy Under Washington Law. ....... 50 1.
Washington Courts Traditionally Protect Plaintiffs in Areas of Developing Case Law ……………………………………………….…51
2.
Plaintiffs’ Duty to Mitigate Implicates the Remedy of Credit Monitoring. ............................................................................................. 54 In the Alternative, This Court Should Certify Issues to the Washington Supreme Court ............................................................................................ 56
ii
VIII. CONCLUSION ............................................................................................. 59 REQUEST FOR ORAL ARGUMENT…………………………………………...59 STATEMENT OF RELATED CASES .................................................................. 60 CERTIFICATE OF COMPLIANCE WITH FED. R. APP. P. 32(A)(7)(C) AND CIRCUIT RULE 32-1............................................................................................. 61
iii
TABLE OF AUTHORITIES Cases
Page(s)
Affiliated FM Ins. Co. v. LTK Consulting Serv. Inc., 556 F.3d 920 (9th Cir. 2009) ............................................................................58 Alejandre v. Bull, 153 P.3d 864 (Wash. 2007) ........................................................................47, 48 Arizonans for Official English v. Ariz., 520 U.S. 43 (1997)............................................................................................57 Ashcroft v. Al-Kidd, No. 06-36059, 2009 WL 2836448 (9th Cir. Sept. 4, 2009)..............................14 Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009)......................................................................................14 Banknorth N.A. v. B.J.'s Wholesale, 442 F. Supp. 2d 206 (M.D. Pa. 2006).........................................................48, 49 Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)..........................................................................................14 Bernsen v. Big Bend Elec. Co-op., Inc., 842 P.2d 1047 (Wash. Ct. App. 1993)..............................................................26 Boucher v. Shaw, 483 F.3d 613 (9th Cir. 2007) ............................................................................57 Bravo v. Dolsen Cos., 888 P.2d 147 (Wash. 1995) ........................................................................51, 52 Broad v. Mannesmann Anlagenbau AG, 196 F.3d 1075 (9th Cir. 1999) ..........................................................................57
iv
Brotherson v. Prof'l Basketball Club, 604 F. Supp.2d 1276 (W.D. Wash. 2009) ..................................................18, 21 Brust v. Newton, 852 P.2d 1092 (Wash. Ct. App. 1993)..............................................................25 Burchfiel v. Boeing Corp., 205 P.3d 145 (Wash. Ct. App. 2009)................................................................54 Bush v. Safeco Ins. Co. of Am., 596 P.2d 1357 (Wash. Ct. App. 1979)..............................................................28 Cartozian & Sons, Inc., v. Ostruske-Murphy, Inc., 390 P.2d 548 (Wash. 1964) ..............................................................................22 Caudle Towers, Perrin, Forster & Crosby, Inc 580 F.Supp.2d 273 (S.D.N.Y. 2008) ................................................................53 Colorado Structures, Inc. v. Ins. Co. of the West, 167 P.3d 1125 (Wash. 2007) ......................................................................22, 24 Crest Inc. v. Costco Wholesale Corp., 115 P.3d 349 (Wash. Ct. App. 2005)................................................................25 Crowson v. Quality Food Ctrs., Inc., No. 04-2-05608-0, 2004 WL 1530885 (Wash. Super. June 14, 2004) ...........................................................................................................51, 52 Daly v. Metropolitan Life Ins. Co., 2 N.Y.S.2d 530, 4 Misc. 3d (N.Y. 2004)....................................................35, 44 Daly v. Metropolitan Life Ins. Co., 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004)...........................................................38 Denny's Rest., Inc. v. Security Union Title Ins. Co., 859 P.2d 619 (Wash. Ct. App. 1993)................................................................28
v
Donovan v. Philip Morris, 455 Mass. 215, 225, 914 N.E.2d 891 (2009)..............................................52, 57 Doss v. Southern Cent. Bell Tel. Co., 834 F.2d 421, 424 (5th Cir. 1987) ....................................................................54 Duncan v. Northwest Airlines, Inc., 203 F.R.D. 601 (W.D. Wash. 2001) ...........................................................50, 55 Everest & Jennings, Inc. v. American Motorists Ins. Co., 23 F.3d 226 (9th Cir. 1994) ..............................................................................13 Federal Signal v. Safety Factors, 886 P.2d 172 (Wash. 1994) ................................................................. 26, 27, 54 Federal Trade Comm'n v. Neovi, Inc., 598 F. Supp. 2d 1104 (S.D. Cal. 2008).............................................................44 First Maryland Leasecorp v. Rothstein, 864 P.2d 17 (Wash. Ct. App. 1993)..................................................................39 Frazee v. Western Dairy Products, 47 P.2d 1037 (Wash. 1935) ..............................................................................33 Guy Stickney, Inc. v. Underwood, 410 P.2d 7 (1966)..............................................................................................21 Hansen v. Mountain Fuel Supply Co., 858 P.2d 970, 977 (Utah 1993).........................................................................52 Heaton v. Imus, 608 P.2d 631 (Wash. 1980) (en banc) ..............................................................19 Huff v. Roach, 106 P.3d 268 (Wash. Ct. App. 2005)................................................................32 Hui v. Sunnyside Sch. Dist. No. 201, 132 Wash. App. 1015, 2006 WL 775164, (Wash. Ct. App. 2006) ..................31
vi
Hutchins v. 1001 Fourth Ave. Assocs., 802 P.2d 1360 (Wash. 1991) ............................................................................30 In Re Hannaford Bros. Co. Customer Data Security Breach Litigation, No. 2:08-MD-1954 , 2009 WL 3193158 ..........................................................57 In re TJX , 524 F. Supp. 2d 83 (D. Mass. 2007).................................................................49 Jackowski v. Borchelt, 209 P.3d 514 (Wash. Ct. App. 2009)................................................................46 Jacob's Meadow Owners Ass'n v. Plateau 44 II, LLC, 162 P.3d 1153 (Wash. Ct. App. 2007)..............................................................23 Jaeger v. Cleaver Constr., Inc., 201 P.3d 1028 (Wash. Ct. App. 2009)..............................................................55 Johnson, Christenson, Viger Constructors, Inc. v. Perry, Shelton, Walker & Assoc., PLLC, 133 Wash. App. 1008, 2006 WL 1462743 (Wash. Ct. App. 2006) .................40 Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D.N.Y. May 23, 2006) ..................................... 33, 38, 44 Jordache Enter., Inc v. Brobeck, Phleger & Harrison, 56 Cal.Rptr.2d 661 (Cal. App. 2 Dist. 1996)....................................................32 Katz v. United States, 389 U.S. 347 (1967)..........................................................................................30 Keystone Land & Development Co. v. Xerox Corp., 94 P.3d 945 (Wash. 2004) (en banc) ................................................................18 Keystone Land & Dev't Co. v. Xerox Corp., 353 F.3d 1093 (9th Cir. 2003) ..........................................................................58
vii
Kilthau v. Covelli, 563 P.2d 1305 (Wash. Ct. App. 1977)..............................................................19 King v. Rice, 191 P.3d 946 (Wash. Ct. App. 2008)................................................................46 Kuhn v. Capital One Financial Corp., 855 N.E.2d 790, 2006 WL 3007931 (Mass. Ct. App. Oct. 23, 2006) .............................................................................................. 35, 37, 44, 45 Lehrer v. State, Dept. of Social and Health Services, 5 P.3d 722 (Wash. Ct. App. 2000)....................................................................15 Lew v. Goodfellow Chrysler-Plymouth, Inc., 492 P.2d 258 (Wash. Ct. App. 1971)................................................................40 Love v. United States, 915 F.2d 1242 (9th Cir. 1990) ..........................................................................13 Mayer v. Huesner, 107 P.3d 152 (Wash. Ct. App. 2005)................................................................30 McFarland v. Commercial Boiler Works, 116 P.2d 288 (Wash. 1941) ..............................................................................33 McKeown v. First Interstate Bank, 240 Cal.Rptr. 127 (Cal. Ct. App. 1987)............................................................41 Mendez v. Palm Harbor Homes, Inc., 45 P.3d 594 (Wash. Ct. App. 2002)............................................................20, 21 Microsoft Corp. v. Immersion Corp., No. 07-936, 2008 WL 2998238 (W.D. Wash. Aug. 1, 2008) ..........................26 Migliori v. Boeing N. Am., Inc., 97 F. Supp. 2d 1001 (C.D. Cal. 2000) ..............................................................54
viii
Moore v. The Sally J., 27 F.Supp.2d 1255 (W.D. Wash. 1998) .....................................................33, 39 Moss v. U.S. Secret Serv., 572 F.3d 962 (9th Cir. 2009) ............................................................................14 Multicare Med. Ctr. v. Dep't of Soc. & Health Servs., 790 P.2d 124 (Wash. 1990) ..............................................................................19 Navarro v. Block, 250 F.3d 729 (9th Cir. 2001) ............................................................................14 O'Hartigan v. Department of Personnel, 821 P.2d 44 (Wash. 1991) (en banc) ................................................................40 Oscar v. University Students Coop. Ass'n, 965 F.2d 783 (9th Cir.), cert. denied, 506 U.S. 1020 (1992)............................13 Panag v. Farmers Ins. Co. of Washington, 204 P.3d 885 (Wash. 2009) ..............................................................................41 Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317 (M.D. Pa. 2005).........................................................49, 50 People v. Dolbeer, 29 Cal.Rptr. 573, 214 Cal. App. 2d 619 (1963) ...............................................41 People v. Kozlowski, 117 Cal.Rptr.2d 504, 96 Cal. App. 4th 853 (Cal. Ct. App. 2002) ....................40 Presidio Group, LLC v. GMAC Mortg., LLC, No. C08-5298RBL, 2008 WL 5110845 (W.D. Wash. 2008)...........................42 Reese v. Malone, No. C08-1008MJP, 2009 WL 506820 (W.D. Wash. 2009) .............................42 Reid v. Pierce County, 136 Wash.2d 195, 961 P.2d 333 (Wash. 1998) ................................................30
ix
Rettkowski v. Department of Ecology, 910 P.2d 462 (Wash. 1996) ..............................................................................36 Ross v. Harding, 391 P.2d 526 (Wash. 1964) ..............................................................................22 Rouse v. Glascam Builders, Inc., 677 P.2d 125 (1984)..........................................................................................21 Ruiz v. Gap Inc., 540 F.Supp.2d 1121 (N.D.Cal. 2008).................................................. 35, 37, 38 Safeco Ins. Co. v. Barcom, 773 P.2d 56 (Wash. 1989) ................................................................................28 Schwindt v. Commonwealth Ins. Co., 997 P.2d 353 (Wash. 2000) ..............................................................................28 Shqeirat v. U.S. Airways, Inc., 515 F. Supp. 2d 984 (D. Minn. 2007)...............................................................38 Sign-O-Lite Signs, Inc. v. DeLaurenti Florists, Inc., 825 P.2d 714 (Wash. Ct. App. 1992)................................................................44 Silvas v. E*Trade Mortg. Corp., 514 F.3d 1001 (9th Cir. 2008) ..........................................................................31 Sofie v. Fibreboard Corp., 771 P.2d 711 (Wash. 1989) ..............................................................................25 State ex rel. Macri v. City of Bremerton, 111 P.2d 612 (Wash. 1941) ........................................................................33, 34 State v. Mayze, 622 S.E.2d 836 (Ga. 2005) ...............................................................................40 State v. Robinson, 145 Wash. App. 1022, 2008 WL 2505445 (Wash. Ct. App. 2009) .................31
x
Steele v. Organon, Inc., 716 P.2d 920, 106 Wash.2d 1008 (1986) .........................................................40 Stephens v. Omni Ins. Co., 159 P.3d 10 (Wash. Ct. App. 2007)..................................................................44 Stockton Heartwoods, Ltd. v. Bielski, No. 4:04CV1675MLM, 2006 WL 571983 (E.D. Mo. Mar. 8, 2006) ..............26 Stollenwerk v. Tri-West Health Care Alliance, No. 03-0185, 2005 WL 2465906 (D. Ariz. Sept. 8, 2005).................. 37, 52, 53 Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007)......................................... 37, 41, 42, 45, 53 Tacoma Northpark LLC. v. NW LLC, 96 P.3d 454 (Wash. Ct. App. 2004)..................................................................21 Tallmadge v. Aurora Chrysler Plymouth, Inc., 605 P.2d 1275 (Wash. Ct. App. 1979)..............................................................41 Tanner Elec. Coop. v. Puget Sound Power & Light Co., 911 P.2d 1301 (Wash. 1996) ............................................................................18 Thompson v. St. Regis Paper Co., 685 P.2d 1081(Wash. 1984) .......................................................................20, 21 Townsend v. Quadrant Corp., 2009 WL 3337228 (Wash. Ct. App. Oct. 19, 2009).........................................46 Trendwest Resorts, Inc. v. Ford, 12 P.3d 613, 616 (Wash. Ct. App. 2000)..........................................................18 Trustees of Constr. Indus. & Laborers Health & Welfare Trust v. Hartford Fire Ins. Co., 482 F.3d 1064 (9th Cir. 2007) ..........................................................................55
xi
Veith v. Xterra Wetsuits, LLC, 183 P.3d 334 (Wash. Ct. App. 2008)................................................................19 Wells v. State, 846 P.2d 589 (Wyo. 1992)................................................................................39 Whited v. Parking Violations Bureau, 111 Fed. Appx. 953 (9th Cir. 2004)..................................................................30 Witriol v. LexisNexis Group, No. C05-02392 MJJ, 2006 WL 4725713 (N.D. Cal. Feb. 10, 2006) ...............36 Young v. Whidbey Island Bd. of Realtors, 638 P.2d 1235 (Wash. 1982) ............................................................................51
Statutes 28 U.S.C. § 1291......................................................................................................1 28 U.S.C. § 1332......................................................................................................1 Rules Fed. R. App. P. 4......................................................................................................1 Fed. R. Civ. P. 8 .......................................................................................................4 Fed. R. Civ. P. 12 ...............................................................................................3, 14 Other Authorities Ga. Code. Ann. § 16-9-125....................................................................................40 Wash. Rev. Code Ann. 19.108.010........................................................................25
xii
I.
JURISDICTION
Subject matter jurisdiction existed below pursuant to the Class Action Fairness Act of 2005, 28 U.S.C. § 1332(d). The district court’s final judgment is appealable, and this Court has jurisdiction, under 28 U.S.C. § 1291. The district court entered final judgment on August 14, 2009. ER 1.1 Plaintiffs Laura Krottner, Ishaya Shamasa, and Joseph Lalli (“Plaintiffs”) filed their notice of appeal on September 11, 2009 pursuant to Fed. R. App. P. 4. ER 19. II.
STATEMENT OF THE ISSUES
This appeal raises the following issues: 1.
Did Starbucks’ failure to safeguard Plaintiffs’ Personal Identifiable
Information, despite a contractual duty to do so, result in a cognizable injury under contract law in Washington, whether or not Plaintiffs can prove at the pleading stage that their PII was misused? 2.
Did Starbucks’ failure to safeguard Plaintiffs’ PII, despite a common
law duty to do so, result in a cognizable injury under negligence law in Washington, whether or not Plaintiffs can prove at the pleading stage that their PII was misused? 1
The abbreviation “ER” refers to Plaintiffs-Appellants’ Excerpts of Record concurrently filed herewith.
1
3.
Under Washington state law, does credit monitoring constitute an
available remedy for an injured party? III. STATEMENT OF THE CASE This appeal arises from two almost-identical putative class action complaints filed in the Western District of Washington by Plaintiffs Lalli, Krottner, and Shamasa, against Starbucks Corp. (“Starbucks” or “Defendant”). Plaintiffs are employees2 of Starbucks, and brought two claims against Starbucks for breaches of contract and negligence. ER 103, 267. The complaints relate to the October 2008 theft of a laptop on which Starbucks had stored, in unencrypted form, the Personally Identifying Information (“PII”)3 of 97,000 Starbucks employees. ER 103, 268. The stolen PII included the employees’ names, addresses, and social security numbers. ER 103, 268. To date, the laptop has never been recovered. Plaintiffs’ injuries included the loss of confidentiality of their PII and a heightened risk of future identity theft. ER 115. The corresponding damages include time and expenses for ongoing monitoring of their credit as a result of Starbucks’ negligence 2
The term “employee” refers to both current and former employees, as both were affected by the breach.
3
“PII” generally refers to information that can be used uniquely to identify a single individual, such as social security numbers or birthdates.
2
and breach of its contract with Plaintiffs. ER 118, 123. Additionally, at least one named Plaintiff had already experienced an instance of identity theft within months of this laptop theft—a crime that the lower court recognized as inferentially connected to the laptop theft. ER 106, 16. By offering them one year of credit monitoring after the theft, Starbucks acknowledged that the theft had in fact injured and damaged employees. ER 129. In a letter sent to each affected individual, Starbucks’ admonished its own employees to “take appropriate steps to protect [themselves].” ER 129, 293. Plaintiffs found the offer to be inadequate based on the type of sensitive information stolen and have requested injunctive relief, additional remedies and damages, including but not limited to further credit monitoring, identity theft insurance, credit restoration services, and periodic compliance audits by a third party of the security of Starbucks’s computer systems. ER 125. On May 7, 2009, Starbucks filed motions to dismiss both complaints pursuant to Fed. R. Civ. P. 12(b)(6). ER 71. Starbucks alleged that Plaintiffs: (a) lacked standing for failure to plead injury; (b) failed to allege damages; (c) failed to state a breach of implied contract claim; and (d) were barred by the economic loss rule from asserting negligence claims. ER 72.
3
On August 14, 2009, the district court issued orders granting Starbucks’ motions to dismiss. ER 2, 18. The district court ruled that Plaintiffs had suffered injury under Article III and, therefore, had standing to bring their claims. ER 8, 11. Acknowledging what it perceived to be a dearth of controlling precedent in Washington, the district court nonetheless dismissed Plaintiffs’ complaints for lack of “cognizable injury.” ER 16-17. Given the current state of evolving technology and the advent of electronic, portable personal data (including PII), as well as available technology to secure this data, this case raises cutting-edge issues related to the duties and rights associated with keeping certain personal information private. While Plaintiffs recognize that the legal landscape surrounding personal privacy protection inevitably evolves along with applicable technology, Plaintiffs also believe that their causes of action are redressable by this Court under current legal precedent. The primary issue before this Court is whether Plaintiffs’ complaints meet the pleading standards of Fed. R. Civ. P. 8. Plaintiffs contend that the district court erred when it granted the motions to dismiss for three reasons. First, Plaintiffs have plausibly pled the injury element of their breach of contract claim. Second, Plaintiffs have plausibly pled the injury element of their negligence claim. Third, given that Washington has recognized medical monitoring as a remedy, credit
4
monitoring would be an available remedy for negligence and/or contract claims under Washington law. IV. STATEMENT OF THE FACTS Starbucks’ name is synonymous with coffee. It is an international retailer of coffee and coffee beans, employing approximately 176,000 people worldwide. ER 103, 268. Starbucks owes its success and preeminence in the coffee industry to many factors, one of which is doubtless the protection of the confidentiality of its trade secrets, research and development files. However, when it comes to protecting its employees’ private information, such as social security numbers and birth dates, Starbucks’ record is far from stellar. In 2006, Starbucks lost a laptop containing PII, including the unencrypted names and social security numbers, of roughly 60,000 employees. ER 100, 265. A few years ago, Starbucks was also the subject of an identity theft ring that included one or more of Starbucks’ own employees who accessed a computer system with the intent of stealing employee information. ER 100, 265. This lawsuit arises from a third incident of unauthorized disclosure of Starbucks employees’ PII—the theft of a laptop that occurred in or near Seattle, Washington in October of 2008. ER 103-104, 268. The laptop contained the unencrypted names, addresses, and social security numbers of roughly 97,000
5
employees. ER 100, 265. The theft of a company’s laptop containing any personal information is always cause for concern. But in this case, not only did Starbucks imprudently store PII on an unprotected and portable laptop, it even failed to encrypt the PII—a violation of standard industry procedures in this electronic age. ER 100-101, 104, 107-108, 265-266, 268, 270-271. Worse, Starbucks failed to promptly report the theft to employees. ER 105, 269. More than twenty days after the theft, Starbucks mailed a letter to some of its employees (“Notice Letter”) that the PII of 97,000 Starbucks employees had been stolen while the PII was in Starbucks’ possession and control. ER 104, 268-269. In the Notice Letter, Starbucks stated that it had “no indication that the private information has been misused,” even though Starbucks has not, and cannot, verify this statement, because the employees’ PII was in one or more criminals’ control. ER 129, 293. Starbucks has provided no basis for this perfunctory conclusion, nor any guarantees that the information would not be misused in the future. ER 118, 281-282. Each Plaintiff and Starbucks entered into a contract (“Contract Documents”) when the Plaintiffs began employment. ER 112-113, 275-276. As a condition of employment, Starbucks gathers and uses social security numbers to aid it in hiring, promoting, transferring and reassigning employees. ER 112, 275. In its Owner
6
Staffing Services Brochure, Starbucks sets forth various, specific terms of the agreement: “In consideration of an application for employment, or a current employee for promotion, transfer, reassignment or retention, Starbucks Coffee Company may inquire into the individual’s background. This background inquiry may include, but is not limited to obtaining a consumer credit report and/or an investigative consumer credit report for the purposes of validation of a social security number . . . .” ER 112, 236, 275, 397. According to the Application Contract, Plaintiffs provided their social security numbers to Starbucks with the understanding that Starbucks would safeguard the information. ER 112, 276. Starbucks states that “[c]onfidential information may be shared on a need-toknow basis,” and that access to the information is limited. ER 112, 237, 276, 398. Implied in this bargain is that Starbucks will protect its employees’ PII from disclosure or loss as part of the employment relationship. ER 112, 276. Once someone becomes a Starbucks employee, Starbucks also identifies certain standards for maintaining the privacy of its employees in its “Standards of Business Conduct.” ER 113, 276. In this document, Starbucks lays out the “legal and ethical standards that we all must follow on a day-to-day basis.” ER 113, 245, 276, 406. Under the item “PARTNER PRIVACY AND PERSONAL ACTIVITIES,” Starbucks states that “[t]reating each other with respect and dignity
7
includes respecting one another’s privacy.” ER 113, 246, 276-277, 407. Starbucks also states that it “strives to provide a safe work environment for all partners.” ER 113, 247, 277, 408. On its website, Starbucks promises to secure the information that it collects. ER 114, 227-278. Thus, Starbucks values encryption for its customers’ PII, but has not done so for its employees. After the theft, Starbucks recognized that its employees had been injured. The Notice Letter recommended that employees undertake certain preventive measures and mitigation efforts. ER 129-130, 293-294. The Notice Letter requested that employees monitor their “financial accounts carefully for suspicious activity and take appropriate steps”4 to protect themselves from potential identity theft. ER 129, 293. “To assist” their employees in that “effort,” Starbucks offered its victims a remedy of one year of low-level credit monitoring from Equifax through its Equifax Credit Watch™ Silver (“Equifax Package”). ER 129-130, 293-294. Employees bore the burden of taking the affirmative step to apply for its limited protection. ER 105, 269-270. Further, there is nothing to stop any identity thief from using the information as soon as all 97,000 employees’ one year of credit monitoring expires. ER 118-119, 282-283. In fact, as pled in the Amended 4
These measures included enrolling in the Equifax Package, placing a fraud alert on their credit report, and purchasing credit monitoring after Starbucks’ year of free credit monitoring expired. ER 130.
8
Complaint, thieves now typically use the information more than one year from the date of the theft. ER 117, 281. Although the offer of credit monitoring was a step in the right direction, as Plaintiffs alleged, a one-year service has proven to be inadequate. ER 106, 119, 282-283. Starbucks’ failure to maintain reasonable and adequate security procedures to protect against the theft of Plaintiffs’ PII have put Plaintiffs and the proposed Class at an increased risk of becoming victims of identity theft. ER 115, 279. In addition to having their PII compromised, Plaintiffs and the proposed Class have incurred—and will continue to incur—out-of-pocket costs, lost time, and other damages as a result of monitoring their credit card accounts, credit reports, and other financial information to protect their PII from misuse now and in the future. ER 101, 266. Plaintiffs Lalli, Shamasa, and Krottner have spent time, exerted effort, and incurred expenses in safeguarding their PII as a result of Starbucks’ loss. ER 105106, 269-270. For example, Plaintiff Lalli signed up and paid out-of-pocket expenses for Experian TripleAlert, a service which costs $16 per month for daily monitoring of his credit with the three credit reporting agencies: Experian, TransUnion, and Equifax. ER 270. Plaintiff Lalli also placed fraud alerts on his credit cards. ER 269. Plaintiff Lalli spent and continues to spend substantial
9
amounts of time checking his 401(k) and bank accounts. ER 269-270. Ultimately, Plaintiff Lalli experienced general anxiety and stress regarding the situation caused by Starbucks. ER 270. Upon receiving the Notice Letter from Starbucks, Plaintiff Krottner signed up for the one year the Equifax Purchase. ER 105. Approximately one week after receiving the letter, Plaintiff Krottner called her bank and asked them to monitor her accounts for suspicious activity. Id. Since receiving the notice letter, Plaintiff Krottner has been extra-vigilant about monitoring her bank and 401(k) accounts, checking these accounts nearly every day and spending a substantial amount of time doing so. Id. Furthermore, upon the expiration of the credit monitoring offered by Starbucks, Plaintiff Krottner will have to pay out-of-pocket for credit monitoring she did not otherwise need or use prior to Starbucks losing her PII. Id. Like Plaintiff Krottner, Plaintiff Shamasa signed up for the Equifax Package monitoring program that Starbucks offered. ER 105. In December 2008, Chase Bank contacted Plaintiff Shamasa to inquire whether he had received checks for his new checking account. ER 106. Plaintiff Shamasa informed Chase Bank that he did not open this new checking account. Id. Chase Bank then explained that there had been an attempt to open up a new checking account with his social
10
security number and worked with Plaintiff Shamasa to close the unauthorized account. Id. Plaintiff Shamasa believes that his identity was stolen as a result of Starbucks’ loss of his PII, and the district court agreed that this inference was permissible on a motion to dismiss. ER 105-106, 16. Although he signed up for the Equifax Purchase, Plaintiff Shamasa was not informed by Equifax when his PII was apparently misused to set up a new, unauthorized bank account, illustrating the inadequacy of Starbucks’ proposed remedy. ER 105-106. Despite Starbucks’ feeble efforts to remedy the loss of its employees’ PII, Plaintiffs and the proposed Class have spent and will continue to spend considerable time and money attempting to prevent identity theft and monitoring their financial accounts for fraudulent activity. ER 119, 283. As a direct result of Starbucks’ failure to safeguard its employees’ PII, Plaintiffs and members of the proposed Class have had their PII compromised, invaded, and taken from their exclusive control. ER 101, 266. Moreover, they have incurred – and will incur – attempted identity and/or out-of-pocket costs, lost time, and other damages relating to the vigilant monitoring of their credit card accounts, credit reports, and other financial information. ER 101, 266.
11
V.
SUMMARY OF ARGUMENT
Despite “lacking controlling precedent on which to rely” and the fact that “[n]o Washington court has considered whether a plaintiff has either a contract or negligence cause of action arising from an increased risk of identity theft,” the district court dismissed Plaintiffs’ negligence and breach of contract claims based on lack of “cognizable injury.” ER 12, 16. Plaintiffs present three arguments on appeal as to why this ruling was in error. First, Starbucks’ breach of its implied contract with Plaintiffs resulted in the loss of the privacy of their PII and an increased risk of identity theft, which provide grounds for the award of breach of contract damages and injunctive relief to Plaintiffs. Plaintiffs plausibly pled an implied contract, Starbucks’ breach of that contract, and resultant damages. Second, Starbucks’ breach of its common law duty to Plaintiffs injured Plaintiffs and entitles them to damages for negligence. Starbucks does not deny the facts giving rise to the breach of its duties to Plaintiffs, and implicitly recognized their injury when it offered them a year of credit monitoring. Plaintiffs have plausibly pled duty, breach of duty, causation, injury and damages. Hence, the negligence claim likewise has been sufficiently pled for purposes of overcoming a motion to dismiss. Third, given Washington’s recognition of medical monitoring as a
12
remedy and its preference for upholding complaints related to developing areas of law, Plaintiffs should be permitted to seek the remedy of credit monitoring. Alternatively, this Court should certify two issues to the Washington Supreme Court: (1) whether Washington law recognizes an increased risk of identity theft as a cognizable injury for purposes of negligence and/or breach of contract claims, and (2) whether loss of time and money for credit monitoring constitute cognizable damages for negligence and/or breach of contract claims under Washington law.
VI. STANDARD OF REVIEW This Court reviews a district court’s dismissal order de novo. Everest & Jennings, Inc. v. American Motorists Ins. Co., 23 F.3d 226, 228 (9th Cir. 1994) (citing Gobel v. Maricopa County, 867 F.2d 1201, 1203 (9th Cir. 1989)); Oscar v. University Students Coop. Ass’n, 965 F.2d 783, 785 (9th Cir.) (en banc), cert. denied, 506 U.S. 1020 (1992) (citing Kruso v. Int’l Tel. & Tel. Corp., 872 F.2d 1416, 1421 (9th Cir. 1989), cert. denied, 496 U.S. 937 (1990)). All allegations of material fact are taken as true and construed in the light most favorable to the nonmoving party. Love v. United States, 915 F.2d 1242, 1245 (9th Cir. 1990).
13
The standard of review on a Fed. R. Civ. P. 12(b)(6) motion to dismiss requires a court to assess the legal sufficiency of the plaintiff’s claims. Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001). Dismissal is appropriate only where a complaint fails to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A complaint withstands the plausibility test “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the conduct alleged.” Ashcroft v. Iqbal, 129 S. Ct. 1937, 1949 (2009) (citing Twombly, 550 U.S. at 556 (noting that plausibility lies somewhere between allegations that are “merely consistent” with liability and a “probability requirement”)); see also Moss v. U.S. Secret Serv., 572 F.3d 962, 969 (9th Cir. 2009) (citing Iqbal, 129 S. Ct. at 1949) (“In sum, for a complaint to survive a motion to dismiss, the nonconclusory ‘factual content,’ and reasonable inferences from that content, must be plausibly suggestive of a claim entitling the plaintiff to relief”); Ashcroft v. AlKidd, No. 06-36059, 2009 WL 2836448, at *24 (9th Cir. Sept. 4, 2009) (“Twombly and Iqbal do not require that the complaint include all facts necessary to carry the plaintiff’s burden”). Plaintiffs’ claims for relief are plausible and sufficiently pled.
14
VII. ARGUMENT A.
Starbucks Breached Its Contractual Duty to Plaintiffs, Resulting in Injury and Compensable Damages Plaintiffs have more than plausibly shown that: (1) Starbucks had a
contractual duty to safeguard Plaintiffs’ PII; (2) Starbucks breached that contractual duty; and (3) Plaintiffs suffered damage as a result. See Lehrer v. State, Dept. of Social and Health Serv., 5 P.3d 722, 727 (Wash. Ct. App. 2000) (citing Northwest Indep. Forest Mfrs. v. Department of Labor & Indus., 899 P.2d 6 (Wash. Ct. App. 1995); Restatement (Second) of Contracts § 235(2) (1981)) (“Any failure to perform a contractual duty constitutes a breach…, and the injured party is generally entitled to damages which put the party in the same position in which it would have been had the breach not occurred.”). The Amended Complaints adequately pled the breach of an implied contract, and seek relief in the form of contract damages and injunctive relief that are available in Washington. ER 123125, 286-288. Plaintiffs identify three specific documents that give rise to an implied contract, which are collectively referred to as “Contract Documents.” ER 123-124, 287. The Contract Documents, coupled with the parties’ course of dealing, show that Starbucks had both an implied contractual duty to maintain the confidentiality of Plaintiffs’ PII, which Starbucks breached, thereby damaging Plaintiffs.
15
The first of the Contract Documents can be seen in Starbucks’ solicitation of PII from applicants “in consideration of an application for employment, or a current employee for promotion, transfer, reassignment, or retention.” ER 236, 397. Starbucks does not deny that this document is Starbucks’ corporate communication to prospective employees regarding Starbucks’ inquiries into their backgrounds, including validation of social security numbers. ER 91. Second, the Starbucks “Standards of Business Conduct” states that “[j]ust as we take care to protect our information, Starbucks respects the information of others,” and that Starbucks and its employees should not “accept or use anyone else’s confidential information (or agree to maintain anyone’s information in confidence) except under an agreement approved by the Law and Corporate Affairs department.” ER 256, 417. Starbucks issued the Standards of Business Conduct “to restate Starbucks [sic] longstanding commitment to follow the law and to act ethically in all situations.” Starbucks asserted that “the Starbucks Board of Directors, senior management team and I [Chairman Howard Schultz], are all bound by the Standards and the Standards have our full support.” ER 243, 404. Starbucks does not deny that the Standards of Business Conduct pertain to workplace conduct and the need of employees to “respect one another’s privacy.” ER 92.
16
Third, Starbucks’ online Privacy Statement explicitly governs Starbucks’ use of Plaintiffs’ PII. Available at www.starbucks.com/customer/privacy.asp, ER 114, 278. The policy states: “The provision of personal information to Starbucks means that you agree and consent that we may collect, use and share your personal information in accordance with this privacy policy.” The policy defines the information to which it applies as including “employment-related information, such as may be found on resumes, applications, background verification information, or in employment references.” It states that Starbucks may use the personal information collected on the site to “communicate with you about specific jobs.” The policy describes how employees’ personal information is secured (as well as the larger universe of all Starbucks’ customers’ information): “Starbucks strives to maintain appropriate physical, technical and administrative security with respect to its offices and information systems so as to prevent loss, misuse, unauthorized access, disclosure, or modification of personal information.” It states that “[b]y using our services and viewing this Site, you are consenting to the information collection, use and disclosure practices described in this privacy policy.” Starbucks admits that this website is a Starbucks communication regarding privacy responsibilities (though, despite the language quoted above, it mystifyingly denies that the Privacy Statement applies to employees). ER 92.
17
Starbucks did not provide Plaintiffs with the opportunity to negotiate or modify the Contract Documents. Rather, Starbucks presented their terms to Plaintiffs as take-it-or-leave-it arrangements: Either Plaintiffs could seek employment with Starbucks and accept all the conditions imposed by the Contract Documents, or Plaintiffs could elect not to pursue employment with Starbucks. Starbucks’ Contract Documents clearly required Plaintiffs to share their PII with Starbucks in order to be considered for hire and retention, and indicated that Starbucks and Plaintiffs were expected to abide by standards of conduct that included the protection of confidential information. 1.
Plaintiffs have adequately pled the existence of an implied contract under Washington law
To establish if there is a duty under an implied contract, Washington courts apply the “objective manifestation test” in ruling on the existence of a contract: A court considers the “objective acts or outward manifestations of the parties” to conclude whether they have reached “mutual assent.” Brotherson v. Prof’l Basketball Club, 604 F. Supp. 2d 1276, 1283 (W.D. Wash. 2009) (citing Keystone Land & Dev. Co. v. Xerox Corp., 94 P.3d 945, 949 (Wash. 2004) (en banc); Trendwest Resorts, Inc. v. Ford, 12 P.3d 613, 616 (Wash. Ct. App. 2000), rev'd on other grounds, 43 P.3d 1223 (Wash. 2002) (en banc); Multicare Med. Ctr. v. Department of Soc. & Health Servs., 790 P.2d 124, 132-33 (Wash. 1990) (en
18
banc)). The parties’ assent does not need to be perfect; their assent to a “core of common meaning” is sufficient. Id. (citing Ford, 12 P.3d at 616-17). A contract is interpreted to discern the parties’ intent, based on, among other considerations, the language of the agreement, “all the circumstances surrounding the making of the contract, the subsequent acts and conduct of the parties to the contract, and the reasonableness of respective interpretations advocated by the parties.” Tanner Elec. Coop. v. Puget Sound Power & Light Co., 911 P.2d 1301, 1310 (Wash. 1996) (en banc) (citing Scott Galvanizing, Inc. v. Northwest EnviroServices, Inc., 844 P.2d 428 (Wash. 1993) (en banc)) (internal quotations omitted). An implied in fact contract is “an agreement of the parties arrived at from their conduct rather than their expressions of assent.” Heaton v. Imus, 608 P.2d 631, 632 (Wash. 1980) (en banc). A contract consists of offer, acceptance, and consideration. See Veith v. Xterra Wetsuits, LLC, 183 P.3d 334, 337 (Wash. Ct. App. 2008) (citing Christiano v. Spokane County Health Dist., 969 P.2d 1078 (Wash. Ct. App. 1998)). The existence of an implied contract is a question for the trier of fact. Kilthau v. Covelli, 563 P.2d 1305, 1306 (Wash. Ct. App. 1977). The Amended Complaints adequately allege the existence of an implied contract. ER 112-115, 123-124, 275-278, 286-287.
19
Starbucks offered to assess Plaintiffs for employment, and later for retention and promotion, if Plaintiffs would provide Starbucks access to their PII. ER 236, 397. Indeed, to accept its offer to be considered for employment or retention as an employee, Starbucks required Plaintiffs to provide their PII to Starbucks. ER 236, 397. The Contract Documents also indicate that in return for the benefit of receiving employees’ PII, Starbucks agreed to retain employees’ information in a confidential manner, in keeping with Starbucks’ legal and ethical responsibilities. ER 112-113, 237, 275-276, 398. In consideration for the possibility of employment or retention, and under the condition of its safekeeping, Plaintiffs communicated their PII to Starbucks. Just as a reasonable person takes pains to protect the confidentiality of his or her social security number, Plaintiffs would not have provided their PII to Starbucks without being required to do so to obtain the benefit of assessment for employment or retention. ER 112-113, 275-276. Starbucks possessed all of the bargaining power, and presented the Contract Documents to Plaintiffs as a fait accompli. Plaintiffs could “take or leave” the Contract Documents’ terms, and there was “no true equality of bargaining power between the parties.” Mendez v. Palm Harbor Homes, Inc., 45 P.3d 594, 602 (Wash. Ct. App. 2002) (citing Yakima County (W.Valley) Fire Prot. Dist. No. 12 v. City of Yakima, 858 P.2d 245 (Wash. 1993) (en banc)) (internal quotations
20
omitted). Ambiguities in adhesion contracts such as the present implied contract should be construed against the drafter—in this case, Starbucks. See id. (citing Rouse v. Glascam Builders, Inc., 677 P.2d 125 (en banc) (1984); Guy Stickney, Inc. v. Underwood, 410 P.2d 7 (1966)). Washington case law recognizes that employee handbook documents, such as the “Starbucks Standards of Business Conduct,” ER 242-262, can serve as contracts that bind the employer. See, e.g., Thompson v. St. Regis Paper Co., 685 P.2d 1081, 1087 (Wash. 1984) (en banc) (collecting cases). Additionally, whether or not the elements of a contract exist, the Washington Supreme Court has held that “employers may be obligated to act in accordance with policies as announced in handbooks issued to their employees.” Id. The Thompson court recognized that “employers expect, if not demand, that their employees abide by the policies expressed in such manuals,” giving rise to employees’ reasonable expectation that their employers will abide by the policies as well. Id. at 1088. Whether or not Plaintiffs have read the Contract Documents has no bearing on the existence of a contract. Brotherson, 604 F. Supp. 2d at 1285 (citing Yakima County, 858 P.2d at 255). If failure to read a contract is relevant at all, only the person who failed to read the contract can raise the failure as a defense to contract formation. Brotherson, 604 F. Supp. 2d at 1285 (citing Yakima County, 858 P.2d at 255).
21
Based on the previously referenced Contract Documents and the course of dealing between the Plaintiffs and Starbucks, this court should find that Plaintiffs adequately plead the existence of an implied contract under Washington law. 2.
Plaintiffs have plausibly pled the elements of a breach of a contract.
Starbucks’ failure to safeguard the confidentiality of Plaintiffs’ PII constitutes a breach of its contract with Plaintiffs. When a party to a contract fails to perform a promise or contract, it has breached the contract, and the injured party is entitled to damages. Colorado Structures, Inc. v. Ins. Co. of the West, 167 P.3d 1125, 1131 (Wash. 2007) (en banc) (citing Cartozian & Sons, Inc., v. OstruskeMurphy, Inc., 390 P.2d 548 (Wash. 1964); Ross v. Harding, 391 P.2d 526 (Wash. 1964); Tacoma Northpark LLC. v. NW LLC, 96 P.3d 454 (Wash. Ct. App. 2004); Restatement (Second) of Contracts §346 cmt. a (1981)). Starbucks does not dispute the fact of the breach. Starbucks has never denied that Plaintiffs’ PII was saved in unsecured form on the laptop of a Starbucks employee, or that the laptop was stolen and has never been recovered. ER 73. Nor does it dispute the content of the Contract Documents, which assured Plaintiffs that Starbucks “respects the information of others,” “take[s] care to protect our information,” and is “bound by the Standards” of Business Conduct requiring maintenance of “physical, technical, and administrative security.” ER
22
256, 243, 417, 404. Further, Starbucks has never contended that it lacks the institutional capacity to protect the confidentiality of sensitive information. In fact, its Contract Documents acknowledge that the protection of proprietary information is essential to its business. ER 255, 416. Thus, the fact of Starbucks’ contractual breach is not in dispute. 3.
Starbucks’ breach of implied contract damaged Plaintiffs
Every breach of contract gives rise to a cause of action, “even when the aggrieved party has not suffered any actual damage.” Jacob’s Meadow Owners Ass’n v. Plateau 44 II, LLC, 162 P.3d 1153, 1160 (Wash. Ct. App. 2007) (citing Ford, 43 P.3d 1223). Thus, even if the damages were not clear, a breach would suffice to give rise to a contract cause of action under Washington law. Here, however, the resulting harm and damages stemming from Starbucks’ breach of contract are clear. Plaintiff Shamasa’s harm is his loss of his ability to control access to his PII and his damages are that following the theft, Plaintiff Shamasa is now required to monitor his financial accounts on a regular, ongoing basis. ER 106. Likewise, Plaintiffs Lalli and Krottner have also suffered the same harm and damages, as they will now be required to expend time and money monitoring their financial accounts on a regular, ongoing basis. ER 105, 270. They will also have to pay out-of-pocket for credit monitoring once the single year of credit monitoring
23
services supplied by Starbucks expires. ER 105, 269-270. Indeed, Plaintiff Lalli has already paid out-of-pocket for his credit monitoring. In its motion to dismiss, Starbucks attacked Plaintiffs’ damages theory. However, the district court’s opinion discussed injury.5 Whether the district court intentionally rejected Defendant’s arguments against damages or unintentionally conflated injury and damages is unclear. What is clear is that at crucial points throughout the district court’s opinion, concepts of injury, harm, and damages were used interchangeably. This led the district court to inconsistent and incorrect analyses. See Section VII.B.2., infra. However, even if injury were required to establish a breach of contract, Starbucks’ offer to pay for one year of credit monitoring reinforces the determination that Plaintiffs indeed suffered an injury due to Starbucks’ breach of contract. Plaintiffs have suffered the injuries of increased risk of identity theft, 5
The concept of injury is actually subsumed in the breach of contract. While plaintiffs in this case were injured by the breach of the contract, plaintiffs do not need to show injury in order to recover damages as a result of the breach. See Colorado Structures, 167 P.3d at 1131 (citing Cartozian & Sons, 390 P.2d 548; Ross, 391 P.2d 526; Tacoma Northpark, 96 P.3d 454; Restatement (Second) of Contracts §346 cmt. a) (explaining that plaintiffs can recover damages even for nominal or partial breaches of contract). Moreover, the district court erred in ruling that injury for standing did not support injury for the common law claims. Cf. ER 8-10 with §VII. B.2.b.i., infra.
24
emotional distress, and the loss of privacy as their PII is now in the ether or worse. The injury here is similar to the exposure of a trade secret, regardless of the subsequent uses to which the disclosed trade secret is put. See WASH. REV. CODE ANN. 19.108.010(2) (West 2009) (defining “misappropriation” under Washington’s Uniform Trade Secrets Act to include “disclosure or use of a trade secret of another without express or implied consent”). As the district court observed, “If Plaintiffs have suffered no present injury, then why is Starbucks offering them a present remedy?” ER 8. Thus Starbucks’ breach of their contractual duty to safeguard Plaintiffs’ PII resulted in injury equivalent to that they would have suffered had their PII been displayed on a billboard: loss of the privacy of their PII, and vulnerability to the misuse of their PII. Generally, recovery of damages for breach of contract should place an aggrieved party in the same economic position it would have attained had the contract been performed.6 Crest Inc. v. Costco Wholesale Corp., 115 P.3d 349, 351 (Wash. Ct. App. 2005). Damages available for breach of contract under 6
The issue of contract damages is a question of fact to be determined by the jury. Sofie v. Fibreboard Corp., 771 P.2d 711, 716 (Wash. 1989) (en banc) (stating jury’s damage-finding function is constitutional in nature and must be respected); Brust v. Newton, 852 P.2d 1092, 1095 (Wash. Ct. App. 1993) (citing Sofie, 771 P.2d 711) (“The question of damages [is] similarly factual in nature. Damage determinations are a classic example of the type of questions which are traditionally decided by a jury.”).
25
Washington law include consequential damages, which are damages that “flow naturally and inevitably from the breach, and are so related to it as to have been within the contemplation of the parties when they entered into the contract.” Wash. Contract Law and Practice, 25 David K. DeWolf & Keller W. Allen, Wash. Practice § 14.7 (2d ed. 2007); see also Microsoft Corp. v. Immersion Corp., No. 07-936, 2008 WL 2998238, at *3 (W.D. Wash. Aug. 1, 2008); Restatement (Second) of Contracts § 347 cmt. c (1981) (“consequential losses include such items as injury to person or property resulting from defective performance”). Time and money spent in addressing and mitigating the impact of the breach is a measure of damages. See Restatement (Second) of Contracts § 350(2) (1981) (citing Federal Signal v. Safety Factors, 886 P.2d 172, 185 (Wash. 1994)(efforts to repair, though unsuccessful, were reasonable); Bernsen v. Big Bend Elec. Co-op., Inc., 842 P.2d 1047, 1052 (Wash. Ct. App. 1993) (mitigation decision was reasonable)); Stockton Heartwoods, Ltd. v. Bielski, No. 1675, 2006 WL 571983, at *3 (E.D. Mo. Mar. 8, 2006) (recognizing damages to plaintiff for time spent as a result of a defendant’s breach of contract but dismisses the case on other grounds). If an aggrieved party makes reasonable efforts to make itself whole after the other party’s breach, the injured party may recover the cost of those efforts whether or
26
not they are successful. See Restatement (Second) Contracts § 350 (2); see also Federal Signal, 886 P.2d at 185; VII.C.2, infra. The remedies appropriate for Starbucks’ breach of contract include all those specified in the Amended Complaints: damages for all costs for, and time spent, on bank and credit monitoring to prevent identity theft and related fraud. ER 124, 287. These damages flow naturally and inevitably from Starbucks’ breach of its contract with Plaintiffs. Indeed, Starbucks’ post-theft communication to Plaintiffs instructed Plaintiffs to “take appropriate steps to protect [themselves] against potential identity theft.” ER 129, 293. It advised them to take credit monitoring steps “to ensure that your information is protected and secure,” evincing that their information is not fully protected and secure without monitoring. Id. The letter also offered one year of credit watch services to employees, indicating that such damages arise “naturally and inevitably” from Starbucks’ breach of its contractual duty to maintain the confidentiality of Plaintiffs’ PII. Id. 4.
Plaintiffs’ Claims Are Ripe for Adjudication
In light of the above duty to mitigate, the district court erred when it opined that Plaintiffs could wait to file suit until documented identity theft occurs. ER 84. A contract cause of action accrues when the wrongful act is committed—when the contract is breached. See, e.g., Schwindt v. Commonwealth Ins. Co., 997 P.2d 353,
27
356 (Wash. 2000) (en banc) (citing Safeco Ins. Co. v. Barcom, 773 P.2d 56 (Wash. 1989) (en banc); Denny's Rest., Inc. v. Security Union Title Ins. Co., 859 P.2d 619 (Wash. Ct. App. 1993); Bush v. Safeco Ins. Co. of Am., 596 P.2d 1357 (Wash. Ct. App. 1979)). Here the breach was Starbucks’ failure to safeguard Plaintiffs’ PII. Instead of waiting until worst-case-scenario predictions come true, Plaintiffs are taking the reasonable and foreseeable steps of monitoring their credit and bank accounts in order to attempt to minimize their damage from Starbucks’ breach of contract, steps that require both money and time. ER 105, 269-270. Plaintiffs also seek injunctive relief in the form of identity theft insurance and periodic compliance audits by a third party of the security of Starbucks’s computer systems. ER 125. The district court erred when it granted a motion to dismiss Plaintiffs’ contract claim, without review of any evidence on damages or injunctive relief, at this nascent stage in the litigation. B.
Starbucks Was Negligent In Allowing Plaintiffs’ PII To Be Compromised And Should Be Held Legally Accountable Plaintiffs seek to hold Starbucks accountable for its negligent conduct and to
deter future negligence, which could result in further exposure of employee PII.7 7
As reflected in the Plaintiffs’ complaints, Starbucks has a demonstrated history of allowing the PII of its employees to be compromised. ER 106, 270. In 2006 Starbucks failed to safeguard the PII of 60,000 of its employees stored on two unencrypted laptops which were either misplaced or stolen from Starbucks. ER
28
As explained in the following section, Plaintiffs have pled a plausible prima facie case of negligence under Washington law. ER 122-23, 285-86. Plaintiffs then explain that the lower court confused and conflated the concepts of injury, harm, and damages. Courts have parsed out the concepts injury, harm, and damage and found that each word has a distinct legal meaning. While plaintiffs only need to plead injury in a prima facie case of negligence, plaintiffs can and do explain that they have also plead harm and damage - elements which support the other noninjury elements of a prima facie negligence claim. Finally, Plaintiffs establish that the economic loss rule does not bar their negligence claims because the Plaintiffs’ negligence claims focus on the common law duty placed on Starbucks, on the loss of their personal property and is thus wholly distinct from their contract claims. 1.
Plaintiffs Have Pled Plausible Prima Facie Elements of Negligence Entitling Plaintiffs To Survive A Motion To Dismiss
Plaintiffs have alleged with sufficient detail the requisite elements of their negligence claim pursuant to Washington law. To establish a claim for negligence,
100, 265. Prior to 2006, an employee in Starbucks’ own human resource department was imprisoned for accessing the PII of Starbucks employees and providing it to members of an identity theft ring. ER 100-101, 265-266. Plaintiffs believe that Starbucks should be punished to deter any similar wrongful conduct in the future. See, e.g. Restatement (Second) of Torts §901(c) (stating that one of the principles for determining the measure of damages in tort is to punish wrongdoers and to deter wrongful conduct).
29
the plaintiff must allege: (1) duty, (2) breach, (3) causation, and (4) injury. 8 See Hutchins v. 1001 Fourth Ave. Assocs., 802 P.2d 1360, 1362 (Wash. 1991) (citing Christen v. Lee, 780 P.2d 1307 (Wash. 1989)). Before the district court, Starbucks did not dispute that Plaintiffs had plausibly pled Starbucks’ common law duty9 to safeguard its employees’ PII or the fact that it was breached10 as a result 11of its 8
Despite the standard for negligence in Washington, Starbucks focused its argument below on “damages.” ER 85, 88. The error has its roots in the conflation of injury, harm, and damage—an error perpetuated by the lower court. See, e.g., ER 53 (discussing damages in context of injury); ER 55 (mixing harm and damage); ER 56 (analyzing injury in terms of cost). 9 Although Starbucks has failed to raise any defect in the other prima facie elements, Plaintiffs addressed them briefly before the district court. First, Plaintiffs allege that Starbucks owed a duty to safeguard Plaintiffs’ PII in a manner consistent not only with certain guidelines from the Federal Trade Commission and the Washington State Office of the Attorney General. ER 107, 109-112, 271-275. Moreover, in Katz v. United States, 389 U.S. 347, 351(1967), the Supreme Court established the principle that the right of privacy protects persons. Katz developed the test of “reasonable expectations of privacy” as the test to be applied to determine whether an individual's right of privacy has been breached. Id. It is uncontested that Plaintiffs have a reasonable expectation to the privacy of their PII. Washington recognizes a common law right to privacy, Reid v. Pierce County, 961 P.2d 333 (Wash. 1998), and has adopted the Restatement (Second) of Torts § 652D (1977) for such a claim. Mayer v. Huesner, 107 P.3d 152, 155 (Wash. Ct. App. 2005). Common law breach of privacy claims can apply to employer-employee relationships when the employee’s personal information is publically disclosed by the employer. See id. at 156. Thus, employers have a common law duty to keep private employee data confidential. 10
Plaintiffs allege that Starbucks breached its common law duty by storing the information on a laptop that was unsecured, and failing to encrypt the data on that laptop. ER 111-112, 275.
30
own conduct. ER 13, 92. As such, challenges to the elements of duty, breach, and causation are waived. See Silvas v. E*Trade Mortg. Corp., 514 F.3d 1001 (9th Cir. 2008) (quoting Doi v. Halekulani Corp., 276 F.3d 1131, 1140 (9th Cir. 2002)) (stating “[I]t is well established that an appellate court,” will not consider issues that were not properly raised before the district court and noting that failure to raise an objection prior to judgment waives the right to challenge the issue on appeal); see generally State v. Robinson, 145 Wash. App. 1022, 2008 WL 2505445, at *13 (Wash. Ct. App. 2009) (citing WASH. R. APP. P. 2.5 (West. 2009) (failure to raise an argument results in its waiver); Hui v. Sunnyside Sch. Dist. No. 201, 132 Wash. App. 1015, 2006 WL 775164, at *11 (Wash. Ct. App. 2006) (citing defense counsel’s lack of objection is a tactical decision and a waiver); see also Whited v. Parking Violations Bureau, 111 Fed. Appx. 953 (9th Cir. 2004). Instead, Starbucks’ main dispute below was with Plaintiffs’ damages theory: Whether it was recognized under Washington law and, if so, whether it was sufficiently stated. This argument misses the point as damages are different from the injury needed to plead a prima facie case of negligence.
11
Plaintiffs alleged that, but for Starbucks’ breach of duty, Plaintiffs would not have suffered injury. And, as discussed below, Plaintiffs have alleged injuries that were caused by Starbucks’ negligent acts. ER 115, 279.
31
2.
Injury, Harm and Damages are Discrete Legal Concepts, The Understanding Of Which Are Critical To The Proper Adjudication Of The Plaintiffs’ Negligence Claim
As stated above, Plaintiffs have been injured, harmed and damaged by Starbucks’ negligent behavior. Unfortunately, the lower court, confused these concepts and, as result, found that they did not exist for Plaintiffs. While Plaintiffs only need to plead injury in a prima facie case of negligence, Plaintiffs have also shown that they have suffered harm and damages as a result of Starbucks’ negligence. a.
The Concepts of “Injury,” “Harm,” and “Damage” Are Distinct Legal Concepts Which Should Not Be Blurred
In the analysis of the underlying tort and contract claims, distinctions between the legal concepts of injury, harm, and damage must be recognized and observed. See Huff v. Roach, 106 P.3d 268, 270 (Wash. Ct. App. 2005) (citing Lavigne v. Chase, Haskell, Hayes & Kalamon, P.S., 112 Wash. App. 677, 682, 50 P.3d 306 (Wash. Ct. App. 2002)) (“Although ‘injury’ and ‘damages’ are often used interchangeably, an important difference exists in meaning”); Jordache Enter., Inc v. Brobeck, Phleger & Harrison, 56 Cal.Rptr.2d 661, 663, 667 (Cal. App. 2 Dist. 1996) (Jordache), rev’d on other grounds, 18 Cal.4th 739 (1998) (Jordache II); The Restatement of Torts defines “injury” as “the invasion of any legally protected interest of another,” and defines “harm” as “the existence of loss or
32
detriment in fact of any kind to a person resulting from any cause.” Restatement (Second) of Torts, § 7 (1)-(3), cmts. a-b (1965); see also McFarland v. Commercial Boiler Works, 116 P.2d 288, 292 (Wash. 1941)(citing Restatement of Torts § 281 (1934)) (stating negligence requires invasion of a legally protected interest); Frazee v. Western Dairy Products, 47 P.2d 1037, 1039 (Wash. 1935)(quoting Palsgraf v. Long Island R.R. Co., 248 N.Y. 339 (N.Y. 1928)) (“Negligence is not actionable unless it involves the invasion of a legally protected interest, the violation of a right”); Moore v. The Sally J., 27 F.Supp.2d 1255, 1263 (W.D. Wash. 1998) (explaining harm). “Damages” refers to monetary compensation recoverable, that is, the “sum of money awarded to a person injured by the tort of another.” Restatement (Second) of Torts § 12A (1965), Restatement (Second) of Torts § 902 (1979) (citing State ex rel. Macri v. City of Bremerton, 111 P.2d 612, 616 (Wash. 1941) (en banc)).12 “The rules for determining the measure of damages in tort are based upon the purposes for which actions of tort are maintainable.” Restatement (Second) of Torts § 901 (1979); see also Ford, 43 P.3d at 1227 (citing Restatement (Second) of Torts § 901). Such purposes include giving compensation for harms, punishing wrongdoers, and deterring wrongful conduct. See Restatement (Second) 12
These definitions are the same for torts and contracts. Restatement §902, comment a.
33
of Torts § 901 at (a), (c). As damages flow from an injury they do not constitute the injury itself. See Restatement (Second) of Torts §§ 12A , 902; see also ex rel Macri, 111 P.2d at 616 (“…it should be borne in mind that the term ‘damages' is in its legal sen[s]e defined as meaning the compensation which the law will award for an injury done.”). If injury and damages are conflated, the results reached can be internally inconsistent and yield incorrect analyses contrary to applicable law. Here, the injury was the loss of privacy and, as determined by the district court, the increased risk of identity theft, as well as emotional distress and anxiety. ER 48-50. The harm is the loss of the actual PII and the ability to control access to the PII—a detrimental change in condition to intangible rights—i.e., the proverbial toothpaste is out of the tube. The damages are time and out of pocket expenses incurred in mitigation as well as actual instances of identity theft and/or unauthorized charges. ER 101, 106, 117, 119, 124, 266, 269-70, 281, 283, 287. b.
Plaintiffs Have Alleged an Injury
Plaintiffs were injured by Starbucks as they have lost the privacy of their PII; it is not under lock and key at Starbucks as it was supposed to be. Plaintiffs have also suffered emotional distress and an increased risk of identity theft. Plaintiffs have established an injury as recognized by courts around the country. See Kuhn v. Capital One Financial Corp., 855 N.E.2d 790, 2006 WL 3007931, at
34
*3-4 (Mass. Ct. App. Oct. 23, 2006) (Table) (finding that despite the plaintiff not having to pay the fraudulent charges on her account, Plaintiff’s actions to have the account closed and to protect her credit constituted injury); Daly v. Metropolitan Life Ins. Co., 2 N.Y.S.2d 530, 4 Misc. 3d at 891-93 (N.Y. 2004); Jones v. Commerce Bancorp, Inc., 2006 WL 1409492, *2 (S.D.N.Y. May 23, 2006); Ruiz v. Gap Inc., 540 F.Supp.2d 1121, 1126 (N.D.Cal. 2008). (i)
Injury For Standing Encompasses Injury For Negligence Claim
Under an Article III analysis, the district court found that Plaintiffs had suffered an injury in fact. ER 48-50. Specifically, the district court held that although Plaintiffs had not yet suffered (what the court defined as) actual identity theft, it was irrelevant for purposes of standing that they “might suffer additional injuries in the future” because they had actual present injury, in the form of increased risk, now. ER 48 (emphasis in original). In support of this proposition, the district court found it incredible for Starbucks to argue no injury or risk of future harm in the face of “having already offered these Plaintiffs free credit monitoring.” ER 49. Moreover, the district court cited numerous decisions from this and other circuits that had found risk of future injury as sufficient for the present injury analyses. ER 48-50. In closing, the district court specifically held that “Plaintiffs’ allegations . . . establish a presently compensable injury” and “the
35
threat of identity theft in the wake of the loss of the laptop . . . constitute[s] an injury in fact.” ER 50. Despite recognizing injury for standing purposes, the district court erred in holding that a finding of injury for standing did not support a finding of injury on the underlying claims. In Lujan v. Defenders of Wildlife, the Supreme Court defined constitutional “injury in fact” as an “invasion of a legally protected interest which is (a) concrete and particularized . . . and (b) “‘actual or imminent, not ‘conjectural’ or ‘hypothetical.’’” 504 U.S. 555, 560 (1992) (citations omitted). Washington common law defines “injury” as simply “an invasion of a legally protected interest”. See Rettkowski v. Department of Ecology, 910 P.2d 462, 467 (Wash. 1996) (en banc) (citing Black's Law Dictionary 785 (6th ed. 1990)) (“The common law definition of ‘injury’ is ‘[t]he invasion of any legally protected interest of another.’”). Thus, “injury in fact” is, under these circumstances, a higher threshold than Washington’s common law “injury” standard because it starts with simple injury and additionally requires the invasion to be concrete, actual or imminent, and not hypothetical. Compare Lujan, 504 U.S. at 560 with Rettkowski, 910 P.2d at 467. Thus, the lower court erred when it found that Plaintiffs had met the higher threshold and yet somehow had failed to meet the lower threshold.
36
(ii)
Plaintiffs Are Seeking Remedies Well Established Causes Of Action
The district court also erred when it incorrectly framed the analysis as whether the Washington Supreme Court would “recognize a common law cause of action to recover for an increased risk of identity theft.” ER 13; see also ER 12 (“No Washington court has considered whether a plaintiff has either a contract or negligence cause of action arising from an increased risk of identity theft unaccompanied by damages from identity theft.”) In doing so, it ignored the negligence and contract causes of action pled in the Complaints. ER 122-124, 285287. Plaintiffs are not seeking to fashion a new cause of action for “increased risk of identity theft.” Rather, Plaintiffs have pled existing and recognized causes of action – negligence and breach of an implied contract.13 ER 122-124, 285-287. 13
Although noting its responsibility to look to other jurisdictions in the absence of Washington authority, ER 12, it ignored numerous cases from within this Circuit, and others, where claims have been upheld where plaintiffs expended time and out-of-pocket costs to address wrongs caused by a defendant’s conduct. Gap, 540 F.Supp.2d at 1126; Witriol v. LexisNexis Group, No. C05-02392 MJJ, 2006 WL 4725713 at *6 (N.D. Cal. Feb. 10, 2006)(costs associated with monitoring and repairing credit impaired by unauthorized release of private information upheld claim); Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185, 2005 WL 2465906 (D. Ariz. Sept. 8, 2005) (Stollenwerk I), aff’d in part, rev’d in part, Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664, 668 (9th Cir. 2007)(Stollenwerk II)(claims of actual identity theft or fraudulent account activity upheld claim); Kuhn v. Capital One Fin. Corp., 855 N.E.2d 790, 2006 WL 3007931, at *3 (Mass. App. 2006) (time and money spent to repair identity theft and prevent future fraudulent activity upheld claim); Jones v. Commerce
37
(iii)
Washington Would Not Be The First Jurisdiction To Find Increased Risk of Identity Theft As Cognizable Claim Under State Law
In its opinion, the district court stated “if the Washington Supreme Court were to recognize a common law cause of action to recover for an increased risk of identity theft, it would apparently be the only court to do so.” ER 13. The Court continued “…as the court is aware, every court that has considered a similar claim has found that it is not cognizable under applicable state law. ER 13. However, courts have recognized an “increased risk of identity theft” as “cognizable under applicable state law” under similar claims. Gap, 540 F.Supp.2d at 1126; Stollenwerk I, 2005 WL 2465906, at *12(discussing denial of motion to dismiss at earlier proceeding).
Bancorp, Inc., No. 06 Civ. 835, 2006 WL 1409492, *2 (S.D.N.Y. May 23, 2006)(time spent in response to identity theft compensable); EMC Mortgage Corp. v. Jones, 252 S.W.3d at 857, 872 (Tex. App. 2008)(time spent to repair credit and loan problems compensable); Daly v. Metropolitan Life Ins. Co., 782 N.Y.S.2d 530 (N.Y. Sup. Ct. 2004)(negligence survives summary judgment when plaintiff pled time expended to rectify identity theft); Shames-Yeakel v. Citizens Fin. Bank, No. 07-c-5387, 2009 U.S. Dist. LEXIS 75093 (N.D. Ill. Aug. 21, 2009)(actual identity theft and fraudulent activity supported negligence claim); see also Shqeirat v. U.S. Airways, Inc., 515 F. Supp. 2d 984 (D. Minn. 2007)(release of social security numbers sufficient injury under constitutional right to privacy claim).
38
As this area of jurisprudence evolves, it is important to consider both the legal issues raised in other jurisdictions as well as the application of the law of the instant Court to the factual scenario. c.
Harm Exists for Plaintiffs’ Negligence Claim As Plaintiffs Have Experienced the Loss of Their PII Because of Starbucks’ Data Mishandling14
Harm is “the existence of loss or detriment in fact of any kind to a person resulting from any cause.” Restatement (Second) of Torts, § 7 (1965) (emphasis added). Thus, harm occurs when a: detriment or loss to a person which occurs by virtue of, or as a result of, some alteration or change in his person, or in physical things, and also the detriment resulting to him from acts or conditions which impair his physical, emotional, or aesthetic well-being, his pecuniary advantage, his intangible rights, his reputation, or his other legally recognized interests. Restatement (Second) or Torts §7, cmt. b (emphasis added); The Sally J, 27 F.Supp.2d at 1263. The term “harm” implies no particular causal relation. Id. at cmt c. Moreover, a person may suffer harm before he sustains all, or even the greater part, of the damages occasioned by the negligence. First Maryland Leasecorp v. Rothstein, 864 P.2d 17, 21 (Wash. Ct. App. 1993) (citing Gazija v. Nicholas Jerns Co., 543 P.2d 338 (Wash. 1975) (en banc)); Steele v. Organon, 14
The issues of injury and damage are addressed separately for each claim in §§ VII.A, VII.B.
39
Inc., 716 P.2d 920, review denied, 106 Wash.2d 1008 (1986)); Johnson, Christenson, Viger Constructors, Inc. v. Perry, Shelton, Walker & Assoc., PLLC, 133 Wash. App. 1008, 2006 WL 1462743, at *10 (Wash. Ct. App. 2006) (citing First Maryland, 864 P.2d 17). Given the affirmative duty to mitigate, incurring costs or paying fees to mitigate the effects of the negligence constitutes appreciable harm. Lew v. Goodfellow Chrysler-Plymouth, Inc., 492 P.2d 258, 261 (Wash. Ct. App. 1971) (quoting Hoff v. Lester, 168 P.2d 409 (Wash. 1946)) (“plaintiff cannot be compensated for damages which he might have prevented by reasonable efforts and expenditures.”). A person’s PII is their intangible property right in which Plaintiffs have a legally recognized right to privacy in the state of Washington and elsewhere. See O'Hartigan v. Department of Personnel, 821 P.2d 44, 47 (Wash. 1991) (en banc) (citing Thorne v. El Segundo, 726 F.2d 459 (9th Cir.1983), cert. denied, 469 U.S. 979 (1984)). See also n. 10, supra. 15 15
See also State v. Mayze, 622 S.E.2d 836, 841 (Ga. 2005) (citing GA. CODE. ANN. § 16-9-125 (“identity fraud is an offense against the victim’s possessory interest in his or her personal information,” and personal information is an intangible commodity); see, e.g., People v. Kozlowski, 117 Cal.Rptr.2d 504, 96 Cal. App. 4th 853, 869 (Cal. Ct. App. 2002) (finding that personal identification numbers, or PIN codes, constitute property because they are a means of access to bank accounts); People v. Dolbeer, 29 Cal.Rptr. 573, 214 Cal. App. 2d 619, 622-23
40
Plaintiffs alleged that they suffered appreciable harm when their PII was physically lost and they were no longer able to control the access to their PII. ER 105-106; see also §VII.B.3., infra. This constitutes appreciable harm as defined above. See, e.g., Panag v. Farmers Ins. Co. of Washington, 204 P.3d 885, 903 (Wash. 2009)(“The expenses incurred by the plaintiffs to monitor their credit represent a completed harm” under the Consumer Protection Act); see also Tallmadge v. Aurora Chrysler Plymouth, Inc., 605 P.2d 1275, 1278 (Wash. Ct. App. 1979) (explaining inconvenience of dealing with defective vehicle is compensable); McKeown v. First Interstate Bank, 194 Cal. App. 3d, 1225 at 122829 (Cal. Ct. App. 1987) (overturned other grounds, Laird v. Blacker, 279 Cal. Rptr. 700, 706 (Cal. Ct. App. 1991)). Additionally, Plaintiff Shamasa also alleges harm from the actual misuse of his PII. ER 106. Actual misuse of PII constitutes appreciable harm. See, e.g., Stollenwerk II, 254 Fed. Appx. at 667-68.
(1963) (holding that confidential lists of telephone subscribers constitute property because of their value). Moreover, the fact that Washington has criminalized identity theft shows that one has a possessory interest in his or her personal information. See WASH. REV. CODE ANN.§§ 9.35.020 (identify theft statute) 9.35.001 (statement of legislative intent for identity theft statute).
41
(i)
“Proof” Is Not Required At This Stage of The Litigation
The district court erred in concluding that harm could only be realized if “either proof of actual loss from identity theft or proof that a loss is highly likely to occur” existed. ER 15 (emphasis added). The district court already determined an inference that the stolen laptop has resulted in actual misuse. ER 16. Plaintiffs have adequately alleged harm. ER 115-120, 279-283. At this stage, nothing more, especially evidentiary proof, is required. See, e.g., Reese v. Malone, No. 08-1008, 2009 WL 506820, *10 (W.D. Wash. 2009) (explaining party survives motion to dismiss through adequate pleading with proof developed during discovery); Presidio Group, LLC v. GMAC Mortg., LLC, No. C08-5298RBL, 2008 WL 5110845, *5 (W.D. Wash. 2008) (stating in order to survive a motion to dismiss, plaintiff need only to plead facts such that reasonable expectation discovery would reveal evidence in support). Accordingly, Plaintiffs have adequately alleged harm here.16 16
Despite this backdrop, the district court erred in finding that Washington would not recognize remedies for “harms not yet realized,” and seeking to place a monetary minimum on harm. ER 15-16. That Stollenwerk II faced damages of $7,000 is irrelevant to whether Plaintiffs suffered harm here. Harm, as defined above, is not based on minimum out-of-pocket losses, but on a detrimental change in condition to tangible or intangible rights. Restatement (Second) of Torts, § 7 cmt. b. Plaintiffs have met this requirement.
42
3.
Plaintiffs Have Alleged Sufficient Damages Under Washington Law
The damages sought by Plaintiffs are of the classic type properly sought under negligence claims: A plaintiff “whose legally protected interests have been endangered by the tortious conduct of another” and/or “who has already suffered injury by the tort of another” “is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert” harm. Restatement (Second) of Torts § 919 (1979); see also C.2, infra. Plaintiffs and members of the putative Class have incurred damages by spending significant amounts of time and money monitoring their credit information, as well as dealing with instances of identity theft. ER 101, 266. For example, Plaintiff Krottner has spent time and effort monitoring her credit and upon expiration of her one year of credit monitoring will incur expenses related to the continuation of credit monitoring. ER 105. Plaintiff Lalli signed up and paid out-of-pocket for Experian Triple Alert, a service which costs $16 a month for daily monitoring of his credit. ER 270. Plaintiff Shamasa alleged that he was a victim of identity theft when he discovered that an individual attempted to open a checking account in his name, and he will need to continue spending time to monitor his accounts in the future. ER 105-106. These are examples of time and expenditures of money that Plaintiffs would not need to protect their identities, but for Starbucks’ negligence. As discussed above, the
43
district court erred when it took the issue of damages from the jury. See §VII.A.3, supra. Courts have routinely held that time and money spent in monitoring bank accounts, requesting credit reports, purchasing monitoring services, and attempting to mitigate/remediate losses caused by lost PII constitute damages. See Stephens v. Omni Ins. Co., 159 P.3d 10, 25 (Wash. Ct. App. 2007) (holding that “time and expense” of investigating possible damage to credit rating is compensable for a consumer protection act violation); Sign-O-Lite Signs, Inc. v. DeLaurenti Florists, Inc., 825 P.2d 714, 720 (Wash. Ct. App. 1992) (holding that lost time, outside of litigation, spent dealing with dispute was a compensable under a consumer protection act violation); Kuhn, 2006 WL 3007931 at *3 (holding that time spent seeking to prevent or undo harm caused by negligence and breach of contract is compensable and that “one ‘whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened’”)(citing Restatement (Second) of Torts § 919); Witriol, supra; Jones, supra; EMC Mortgage, supra; Daly, supra; Federal Trade Comm'n v. Neovi, Inc., 598 F. Supp. 2d 1104 (S.D. Cal. 2008), supra. Indeed, Starbucks specifically advised Plaintiffs and members of the putative Class to take such
44
actions in order to protect themselves from identity theft. ER 129, 293. Accordingly, Plaintiffs have incurred and will continue to incur expenses related to credit monitoring and other preventative measures to protect their identities. ER 105-106, 269-270. In every instance of actual identity theft, damage has been found or at least assumed without discussion. See, e.g., Stollenwerk II, 254 Fed. Appx. at 667-68; Kuhn, 2006 WL 3007931, at *3; Daly, 4 Misc. 3d at 893; Jones, 2006 WL 1409492, at *2; Shames-Yeakel, 2009 U.S. Dist. LEXIS 75093, *39-41. Thus, in the instant case, Plaintiffs have alleged sufficient damages. 4.
The Economic Loss Rule Does Not Apply
Washington’s economic loss rule prohibits plaintiffs from recovering purely economic damages in tort when the plaintiff's entitlement to damages is based in contract. Alejandre v. Bull, 153 P.3d 864 (Wash. 2007) (en banc). “The rule prohibits plaintiffs from recovering in tort economic losses to which their entitlement flows only from contract because tort law is not intended to compensate parties for losses suffered as a result of a breach of duties assumed only by agreement.” Id. at 682 (quotation omitted) (emphasis added). The rule “ensures that a party to a contract cannot recover in tort the risk the parties had already allocated through contract.” Townsend v. Quadrant Corp., --- P.3d ----, 2009 WL 3337228, *7 (Wash. Ct. App. Oct. 19, 2009) (emphasis added).
45
Examples of economic losses include deterioration, disappointed economic expectations, or the loss of the benefit of the bargain. See id.; Alejandre, 153 P.3d at 870 n.3. Tort principles, in turn, concern legal obligations rather than bargainedfor obligations. Jackowski v. Borchelt, 209 P.3d 514, 519 (Wash. Ct. App. 2009). In other words, if common law provides a duty, the economic loss rule does not bar a claim based on the breach of that duty simply because a contract exists governing other matters. See id. at 520-21 (suit against realtor survives based on statutory and common law duties which existed in addition to governing contract). Moreover, “the rule does not bar recovery for personal injury or damage to property other than a defect in the property.” King v. Rice, 191 P.3d 946 (Wash. Ct. App. 2008) (emphasis added). As Justice Chambers recognized in his concurrence in Alejandre, “‘[t]he insight behind the [economic loss rule] doctrine is that commercial disputes ought to be resolved according to the principles of commercial law rather than according to tort principles designed for accidents that cause personal injury or property damage.’” 153 P.3d at 874 (Chambers, J., concurring) (quoting Miller v. U.S. Steel Corp., 902 F.2d 573, 575 (7th Cir. 1990) (Posner, J.)).17 It “is called in law an ‘economic loss,’ to distinguish it from an 17
For example, a claim for negligence would be barred by the economic loss doctrine if the purchaser of tires contracted to purchase a large quantity of tires with an advertised tread pattern that was not as the seller/manufacturer advertised.
46
injury to the plaintiff's person or property (property other than the product itself), the type of injury on which a products liability suit usually is founded.” Miller, 902 F.2d at 574. The Amended Complaints’ allegations of property damage are distinguishable from Alejandre, the sole Washington case on which Starbucks relied in its Motion to Dismiss. In Alejandre, the plaintiffs sought damages arising out of the defendant’s negligent misrepresentation regarding a defective septic system that was not disclosed at the time of the sale of the home. Alejandre, 153 P.3d at 870. The court held that this was essentially a claim for a defective product, which was purely economic in nature; the rule barred the plaintiffs’ desired recovery. Alejandre, 153 P.3d at 870. Here, however, Plaintiffs and the proposed Class do not allege a defect in a product. Rather, Plaintiffs’ negligence claim involves the negligent handling of PII over which Starbucks exercised control. Thus, Plaintiffs and the proposed Class properly complain of injury which is not an economic loss. In summary, for the economic loss rule to bar the negligence claim, the duty would have to be purely contractual, the parties to the contracts would have had to The losses flow purely from the contractual term that the tires would have a certain tread pattern, not from some injury to the property. Rather, this is solely a product defect. This is distinct from the loss of PII in the instant case, where losses flow from Defendant’s breach of a duty to safeguard the PII of Plaintiffs.
47
have negotiated and allocated the risk of loss of PII in the contracts at issue, and Plaintiffs would have to be seeking “economic losses” as defined by Washington courts. Here, Plaintiffs have alleged that Starbucks has a common law duty to safeguard the PII with which they were entrusted. See ER 122, 285; see also n.10, supra. Starbucks cannot in good faith argue that risk of identity has been allocated in the contracts at issue here (cf. VII.A., Contract Documents, supra (failing to provide for risk or allocation thereof)) or that Plaintiffs are seeking economic losses as defined by the applicable law. As such, the economic loss rule is simply inapplicable. Nor do the out-of-circuit cases cited by Starbucks below that rely on other states’ law, support application of the economic loss rule in the case at bar. The Banknorth N.A. v. B.J.'s Wholesale court applied Maine law to a service contract between a debit card issuer and a merchant, where a third party had hacked into the merchant's system and taken the debit card numbers of customers. See 442 F. Supp. 2d 206, 207-10 (M.D. Pa. 2006). The court found that, although Maine's highest court had only applied the economic loss rule in the product-liability context, lower Maine courts and Maine's federal district court had applied it to certain cases involving service contracts. Id. at 211-12. The court ruled that the terms of the relationship of a service provider and consumer may be defined
48
comprehensively by the terms of their contract, just as are the terms of a relationship between a product buyer and seller. Id. at 212. That case does not address an employment situation. The In re TJX decision also does not pertain to the employment context; it involved a suit by banks that had issued credit and debit cards against a retailer, arising from a data breach of the retailer's computer system that compromised the security of millions of consumers. 524 F. Supp. 2d 83, 85-87 (D. Mass. 2007). The plaintiffs argued that they were third-party beneficiaries of contracts between the retailer and its own bank, and between the retailer's bank and credit-card companies. Id. at 88. The only non-economic loss they claimed was that the compromised cards of their customers could no longer be used. Id. at 90. The court ruled that the Massachusetts economic loss doctrine barred recovery there. Id. at 90. The Pennsylvania State Employees Credit Union case likewise involves a complicated set of relationships among banks, customers, and retailers, rather than an employment situation. Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317 (M.D. Pa. 2005). Again, the case does not address data breaches in the employment context. There, a credit union sued a retailer and its bank for the theft of the bank-card information of some of the credit union's customers arising from the inadequate security of the retailer. Id. at 319.
49
The court found that Pennsylvania courts apply the economic loss doctrine broadly, and ruled that the need to replace bank cards that could no longer be used does not constitute damage to person or property. Id. at 330. In contrast, in the case at bar, Plaintiffs have suffered a loss that cannot be remedied solely with money: the privacy of their PII has been compromised, and can never be restored. C. Credit Monitoring Is an Available Remedy Under Washington Law Medical monitoring is an established remedy in Washington courts. At least one Washington district court has specifically recognized medical monitoring as a remedy to a negligence claim under Washington law. Duncan v. Northwest Airlines, Inc., 203 F.R.D. 601, 608-09 (W.D. Wash. 2001) (allowing plaintiff claiming enhanced risk to pursue a medical monitoring remedy under a theory of negligence). In Duncan, a second-hand smoking case, the court held that although there was no “independent tort” for medical monitoring under Washington law, medical monitoring is a “remedy to a negligence claim under Washington law.” Id. Likewise, Plaintiffs seek a similar recognition that credit monitoring is a remedy to claims under negligence and/or tort theories of liability here.
50
1.
Washington Courts Traditionally Protect Plaintiffs in Areas of Developing Case Law.
Even before the availability of a monitoring remedy was certain, Washington courts expressed a preference for upholding complaints based on developing issues. As the Washington State Supreme Court has recognized, “[w]hen an area of the law involved is in the process of development, courts are reluctant to dismiss an action on the pleadings alone by way of a CR 12(b)(6) motion.” Bravo v. Dolsen Cos., 888 P.2d 147, 150-51 (Wash. 1995) (en banc) (quoting Haberman v. Wash. Pub. Power Supply Sys., 744 P.2d 1032, 1046 (Wash. 1987) (en banc)). The law surrounding identity theft is clearly evolving. In fact, the recent advent of the widespread use of laptop computers, and the storage of sensitive data on those devices, heightens the risk of identity theft in a way that is unprecedented in history, much less case law. This deferential approach—that of giving plaintiffs the benefit of the doubt under Rule 12(b)(6) motions involving novel issues—has been cited specifically in the context of a monitoring remedy in Washington. See Crowson v. Quality Food Ctrs., Inc., No. 04-2-05608-0, 2004 WL 1530885, at *2 (Wash. Super. June 14, 2004). In Crowson, a lawsuit regarding adulterated beef, plaintiffs sought the remedy of medical monitoring in advance of actual illness. Id. Quoting Bravo to emphasize that courts should allow plaintiffs’ monitoring claims to proceed, the
51
Crowson court specifically upheld the negligence claim seeking medical monitoring as a remedy. Id. (quoting Bravo, 888 P.2d 147). Likewise, in a very recently decided medical monitoring case, Donovan v. Philip Morris, 455 Mass. 215, 225, 914 N.E.2d 891 (2009), the court observed: Our tort law developed in the late Nineteeth and early Twentieth centuries, when the vast majority of tortious injuries were caused by blunt trauma and mechanical forces. We must adapt to the growing recognition that exposure to [dangers] may cause substantial injuries which should be compensable, even if the full effects are not immediately apparent. Id. (citing Hansen v. Mountain Fuel Supply Co., 858 P.2d 970, 977 (Utah 1993)). The Donovan court recognized that smokers with an increased risk of lung cancer, but who have not manifested any smoking-related disease, should be entitled to the remedy of medical monitoring, the sole remedy that plaintiffs sought. Id. Like Massachusetts, Washington law is similarly developing alongside technology. Just as a medical monitoring remedy, now established in Washington, helps injured parties assess the medical ramifications of a danger to which they have been exposed, the purpose of credit monitoring is to facilitate early detection of identity theft and further injury caused by a defendant’s culpable conduct and to minimize resulting damages. Cf. Stollenwerk I, supra; Caudle, infra.18 18
In Stollenwerk I the court, applying the standard for medical monitoring, fashioned a credit monitoring remedy to a claim which had: (1) a significant
52
Accordingly, Plaintiffs have alleged that they have been damaged under negligence and contract theories, and they have selected, at Starbucks’ suggestion, the remedy of credit monitoring to protect their PII from further harm. It is obviously too early to apportion liability, much less to designate a final remedy, at the motion to dismiss stage. See 5 Charles Alan Wright and A. Miller, Federal Practice and Procedure § 1255 (“The sufficiency of a pleading is tested by the Rule 8(a)(2) statement of the claim for relief and the demand for judgment is not considered exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; and (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud. Stollenwerk I, 2005 WL 2465906, at *4; accord Caudle Towers, Perrin, Forster & Crosby, Inc 580 F.Supp.2d 273, 282 (S.D.N.Y. 2008)(credit monitoring claim under NY law may exist if (a) plaintiff's personal data was stored electronically and that the means of storage was lost or stolen and (b) “rational basis” for the fear that the data would be misused). On summary judgment, Stollenwerk I held that when a plaintiff had not suffered identity theft, there was no credit monitoring available if: (a) there had been no offer of proof that the theft was for data and not property, and (b) the significance of the increased risk was not quantified. Id. at *5. The Ninth Circuit echoed this by stating “Stollenwerk and DeGatica failed to produce evidence to overcome summary judgment” because they had “produced evidence of neither significant exposure of their information nor a significantly increased risk that they will be harmed by its misuse. The only proof of exposure they have offered is the burglary itself.” Stollenwerk II, 254 Fed. Appx. at 666. Similarly, Caudle was dismissed as plaintiffs failed to put on evidence supporting their rational basis for fear of future identity theft. 580 F. Supp. 2d at 281-82. Moreover, unlike here, there was no evidence of actual misuse connected to the theft. Id. at 282. Plaintiffs should be afforded the opportunity given Stollenwerk and Caudle to gather and present evidence in support of the credit monitoring remedy.
53
part of the claim for that purpose”); Doss v. Southern Cent. Bell Tel. Co., 834 F.2d 421, 424 n. 3 (5th Cir. 1987) (vacating order to dismiss where district court based its dismissal of complaint in part on the unavailability of remedy requested in complaint); Migliori v. Boeing N. Am., Inc., 97 F. Supp. 2d 1001, 1004 (C.D. Cal. 2000) (citing William W Schwarzer, et al., Civil Procedure Before Trial § 9:230) (noting that “a Rule 12(b)(6) motion ‘will not be granted merely because [a] plaintiff requests a remedy to which he or she is not entitled.’”). Accordingly, the credit monitoring remedy should have been upheld. 2.
Plaintiffs’ Duty to Mitigate Implicates the Remedy of Credit Monitoring
Plaintiffs have a duty to mitigate their damages in both contracts and torts. See, e.g., Burchfiel v. Boeing Corp., 205 P.3d 145, 153-54 (Wash. Ct. App. 2009); Young v. Whidbey Island Bd. of Realtors, 638 P.2d 1235, 1237 (Wash. 1982) (citing Restatement (Second) of Torts § 918 (1979)); Restatement (Second) of Contracts § 350(2) (1981) (citing Federal Signal, 886 P.2d at 185; Bernsen, 842 P.2d at1052). Starbucks advised their employees to “monitor their financial accounts carefully for suspicious activity and take appropriate steps to protect yourself,” ER 129, 293, and offered just one year of credit watch services. Plaintiffs Krotter and Lalli believed that one year of the monitoring Starbucks offered was not enough to protect their identities. Accordingly, to “monitor” and
54
“take appropriate steps,” Plaintiffs Krottner and Shamasa signed up for the free one-year credit monitoring service that Starbucks offered. ER 105. Plaintiff Krottner avers that she will pay for credit monitoring service upon the expiration of the one-year service for which Starbucks paid. ER 105. Plaintiffs Krottner and Lalli have expended time personally monitoring various financial accounts more frequently than they had previously, and intend to continue to do so. ER 105, 269270. Plaintiff Lalli paid for his own credit monitoring service.19 ER 270. The district court erred in finding that Washington requires that all losses be realized before monitoring damages are available for a negligence claim. Compare ER 15-16 with ER 16 (“Indeed, it may be that the relatively modest cost of credit monitoring is a much more cost-efficient remedy than a wait-and-see approach”). Such a rule is contrary with Washington’s current law on medical monitoring, whose purpose is to prevent all further injury from being realized – hence why such patients are monitored in the first instance. See Duncan, 203 F.R.D. at 604 (stating plaintiff had suffered injury from second hand smoke but wanted medical 19
It was within Plaintiff Lalli’s rights to choose a credit monitoring service rather than sign up for a service through Starbucks. Jaeger v. Cleaver Constr., Inc., 201 P.3d 1028, 1037 (Wash. Ct. App. 2009) (“Courts allow a wide latitude of discretion to the person who, by another's wrong, has been forced into a predicament where he is faced with a probability of injury or loss. If a choice of two reasonable courses presents itself, the person whose wrong forced the choice cannot complain that the injured party chose one over the other”) (citations omitted).
55
observation and testing to determine whether more serious illnesses would develop in the future). In light of Washington’s precedent, this Court should find that the lower court erred in requiring all losses be realized before awarding monitoring damages. Accordingly, under negligence and/or contract theories, Plaintiffs should be able to seek the remedy of credit monitoring to protect their PII from further harm. D.
In the Alternative, This Court Should Certify Issues to the Washington Supreme Court As stated above, this Court should reverse the district court’s orders
dismissing the cases and remand them for further proceedings. Alternatively, this Court should certify two issues to the Washington Supreme Court: (1) whether Washington law recognizes an increased risk of identity theft as a cognizable injury for purposes of negligence and/or breach of contract claims, and (2) whether loss of time and money for credit monitoring constitute cognizable damages for negligence and/or breach of contract claims under Washington law. See WASH. R. APP. P. 16.16 (“Certificate procedure is the means by which a federal court submits a question of Washington law to the Supreme Court”). The Ninth Circuit has certified issues to the Washington Supreme Court when “important and undecided issue[s]” are presented, and there is “no controlling precedent in the decisions of the Washington Supreme Court,” recognizing that “[c]ertification saves time,
56
energy, and resources and helps build a cooperative judicial federalism.” Broad v. Mannesmann Anlagenbau AG, 196 F.3d 1075, 1076 (9th Cir. 1999).20 As in In re Hannaford Brothers, where similar issues regarding damages in a privacy case were certified to the Supreme Court of Maine, the issues presented here are fundamental, urgent, and of statewide importance. See In Re Hannaford Bros. Co. Customer Data Sec. Breach Litig., No. 2:08-MD-1954 , 2009 WL 3193158 (D. Me. Oct. 5, 2009), see also Donovan, 914 N.E.2d at 215 (certifying similar issues regarding damages and injury to the Supreme Judicial Court of Massachusetts). As such, Washington should have the first opportunity to construe the law in this area. See generally Arizonans for Official English v. Ariz., 520 U.S. 43, 76-80 (1997) (suggesting certification to give the state the first opportunity to construe a newly enacted state statute); Boucher v. Shaw, 483 F.3d 613, 616 (9th Cir. 2007) (certifying question of whether individual managers are “employers” under Nev.Rev.Stat. § 608.011 as a question “of first impression [with] significant implications for Nevada's wage protection law”); Trustees of Constr. Indus. & 20
As the Broad court noted, it is not necessary to raise certification to the district court to preserve the issue here. 196 F.3d at 1076 n.3. This Court may consider certification if not raised in the district court if the issue is an issue of law not dependent on a factual record developed by the parties. Id. Here, whether Washington law recognizes these claims in the data breach context is not a matter that is dependent on the factual record. As such, certification would be appropriate here. ER 4.
57
Laborers Health & Welfare Trust v. Hartford Fire Ins. Co., 482 F.3d 1064, 1066 (9th Cir. 2007) (certifying question of whether the notice requirements of Nev.Rev.Stat. § 339.035(2) apply to third-party beneficiaries). Other than state and federal trial court opinions on the related issue of medical monitoring, there have been no definitive Washington Supreme Court opinions dealing with the issues of increased risk of identity theft or credit monitoring. Having the Washington Supreme Court decide the issues, instead of asking this Court to divine its philosophy on them, would save time and resources. These issues matter to the citizens of Washington because they will determine their rights to bring negligence and contract claims based on the expenditure of time and money following a data breach. The determination of rights is an appropriate use of the certification vehicle. See Affiliated FM Ins. Co. v. LTK Consulting Serv. Inc., 556 F.3d 920, 921 (9th Cir. 2009) (right to operate commercially and extensively on another's property may bring a suit in tort against a third party for damage to that property); Keystone Land & Dev’t Co. v. Xerox Corp., 353 F.3d 1093, 1098 (9th Cir. 2003) (whether Washington law would recognize a particular implied contract and if so, what is the appropriate measure of damage for its breach). Any delay in obtaining such a determination would
58
cause significant detriment to Washington consumers, employees, and/or to the public interest. The record below is adequate to present the issues. VIII. CONCLUSION Plaintiffs respectfully request that this Court reverse the district court’s ruling that granted dismissal of Plaintiffs’ claims for breach of contract and negligence.
REQUEST FOR ORAL ARGUMENT Pursuant to Rule 34 of the Federal Rules of Appellate Procedure, Appellant respectfully requests that oral argument be permitted. This appeal involves novel legal issues and oral argument will give the Court the opportunity to further explore these issues.
Dated: November 9, 2009
s/ Mila F. Bartos Mila F. Bartos Finkelstein Thompson LLP
59
STATEMENT OF RELATED CASES Pursuant to Ninth Circuit Rule 28-2.6, Plaintiffs are not aware of any related cases pending in this Court.
60
CERTIFICATE OF COMPLIANCE WITH FED. R. APP. P. 32(A)(7)(C) AND CIRCUIT RULE 32-1 I certify that pursuant to Fed. R. App. P. 32(a)(7)(C) and Ninth Circuit Rule 32-1, the attached opening brief is proportionately spaced, has a typeface of 14 points or more and contains 13,843 words.
Dated: November 9, 2009
s/ Mila F. Bartos Mila F. Bartos Finkelstein Thompson LLP
61
CERTIFICATE OF SERVICE I, Mila F. Bartos, hereby certify that I electronically filed the foregoing with the Clerk of the Court for the United States Court of Appeals for the Ninth Circuit by using the appellate CM/ECF system on November 9, 2009. I certify that all participants in the case are registered CM/ECF users and that service will be accomplished by the appellate CM/ECF system.
Dated: November 9, 2009
s/ Mila F. Bartos Mila F. Bartos
62