Data-Breach Class Action Against Coca-Cola Survives

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.thelegalintelligencer.com/id=1202738699309/DataBreach-Class-Action-Against-CocaCola-Survives?slreturn=20150901141026

Coca-Cola lost its bid to dismiss a proposed class action filed against it
by a former employee who said his identity was stolen after 55 laptops with
employee data went missing from the bottling company’s possession.

U.S. District Judge Joseph F. Leeson Jr. of the Eastern District of
Pennsylvania rejected Coke’s argument that plaintiff Shane K. Enslin’s
potential future damages were speculative and that any injuries that have
already occurred couldn’t be causally linked to Coke’s loss of the laptops.

“Here, plaintiff’s harms are not ‘future harms,’ but ongoing, present,
distinct and palpable harms,” Leeson said, noting Enslin has already
suffered alleged theft of funds from his bank accounts, unauthorized use of
credit cards and the unauthorized issuance of a new credit card in his name.

Enslin, who worked as a service technician for Keystone Coca-Cola Bottling
Co. in the Poconos region, also claimed that someone used his personally
identifiable information (PII) to get a job with UPS.

“Courts that have passed on claims arising out of the loss or theft of PII
have hesitated to find the existence of a constitutional injury-in-fact
before lost PII is actually misused, but a number of courts have found that
plaintiffs who have already suffered identifiable identity attacks, by
contrast, have standing to advance their claims,” Leeson said.

Leeson further rejected Coke’s motion to dismiss Enslin’s claims based on
damages he has suffered to prevent future harm. Leeson differentiated this
case from others that have found the cost to protect against future events
is no more of an actual injury than the alleged increased risk of an injury
when PII is stolen. Leeson said the money and time Enslin has put out to
stop future identity theft was to combat “actual, imminent and impending
harms.”

“Here, [Enslin] incurred an expense in connection with his action to close
his bank account in response to unauthorized access,” Leeson said.
“[Enslin] also expended time and effort protecting other credit cards and
bank accounts from the identity thieves, which [Enslin] did in response to
ongoing harms, not harms that were merely ‘hypothetical.’”

Coke further argued the timeframe between when Enslin stopped working for
Coke in 2007 and the time his PII was misused in 2014 was too great a span
to show a causal connection. It also argued the information stolen couldn’t
have given rise to the harm Enslin suffered.

“Although seven years passed between [Enslin’s] employment and the misuse
of his information, the chain linking the loss of [Enslin’s] SSN, credit
cards, and banking information, and the subsequent identity attacks
[Enslin] suffered, is plausible,” Leeson said.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!