Data Security & Privacy

Starbucks Class Action Case Dismissed

 
Today, in Federal Court for the Western District of Washington, Judge Richard Jones dismissed two class actions that were filed against coffee giant Starbucks, Corporation.  I had been following these two cases closely (Krottner v. Starbucks Corp., and Lalli v. StarbucksCorp.), and from the beginning, the Plaintiff’s never really stood a chance of winning.  Based on the original complaint that was filed on behalf of Mr. Lalli and Ms. Krottner, attorney’s for the plaintiff’s did a very poor job of understanding what factual evidence would be needed in order to get this case before a jury, and the Judge’s opinion in the case reflects those sentiments.  Whenever I am asked about whether a person can sue because they received a "letter" stating that their personally identifiable information was released in an unauthorized manner, I simply state that they will need to be able to show (1) that they do in fact belong in court (i.e. standing), (2) there is some sort of actual harm (i.e. damages), and (3) that the defendant’s failed to act with reasonable care.  The first two requirements are starting to be addressed, but as Judge Jones states, the third has yet to be decided by any court.
 
Just like all the other courts which have had to deal with the issue of release of unauthorized data, the Western District of Washington does everything it can to avoid "being the one" to help shed some guidance on what an acceptable standard of care for safeguarding mission-critical data.  They are simply avoiding the conversation my kicking the cases out of court on "constitutional grounds" – which was done here by Judge Jones.  The decision in this case should be filed under the "heaven help us" category, because like I keep advocating for, businesses need to self-regulate/police how they safeguard their data, and create internal programs to mitigate the  risk of unauthorized release.  If we allow the courts to do this, and they seem very unwilling to accommodate us (thank god), then the resulting standard of care could be draconian.  However, and here is where the "heaven help us" category comes in, Judge Jones says:
 

"If prevention is the best policy in these circumstances, then the court predicts that the Washington legislature is better situated to assess the relevant policy considerations.

This is why we don’t let Judges’ run businesses.  Wake up corporate America (you too Starbucks)!  If you don’t start safeguarding mission-critical data, then our legislators will.  Then you will be sorry.

As for us Average Jane’s and Joe’s whose identity will be stolen (yes, I’m in that group too), the only good news to come from this case is that the first hurdle above (do I belong in court) seems to have been cleared for the most part; the second hurdle (damages) is starting to get cleared; and we can’t even mention the third hurdle (because once we do, then Corporate America will get its act together).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.