The U.S. Court of Appeals for the Third Circuit has found that plaintiffs must show a causal connection between the theft of their personal information and the purported harm that they have suffered in order to survive a summary judgment motion. The June 20 ruling in Enslin v. The Coca-Cola Company, makes it more difficult for data breach plaintiffs to prevail on their claims in courts in the Third Circuit.
In 2013, the Coca-Cola Company discovered that 55 older laptops had been stolen. Some of these laptops contained the personal information of former employees, including the name and driver’s license number of the plaintiff, Shane Enslin. Enslin alleged that after he learned about the theft, his accounts with several internet retailers were compromised and used to make unauthorized purchases. Enslin was not held responsible for any of the fraudulent charges.
Enslin filed a putative class action against Coca-Cola, asserting claims under Pennsylvania law for breach of contract, negligence, negligent misrepresentation, fraud, unjust enrichment, bailment, and conspiracy, as well as a claim under the federal Drivers Privacy Protection Act. The district court held that Enslin had adequately pled claims for breach of contract and unjust enrichment, but dismissed the other claims.
Following discovery, the district court granted Coca-Cola’s motion for summary judgment as to Enslin’s contractual claims and denied Enslin’s motion to certify a class and amend his complaint. The district court found that, contrary to Enslin’s characterization, the employment forms that he completed did not create “a general duty to protect Enslin’s personal information.”
The Third Circuit affirmed the district court’s summary judgment on Enslin’s contractual claims, the dismissal of Enslin’s other claims, and the denial of Enslin’s motion to certify a class.
In assessing Enslin’s contractual claims, the Third Circuit noted that, under Pennsylvania law, a breach of contract claim requires not only damages, but a “causal connection between the breach and the loss.” The court found that “[a]ll of the damages that Enslin seeks flow from the compromise of his retail accounts rather than directly from [the] theft of his personal information.” The court further found that there was no evidence tying the information on the stolen laptops to the unauthorized access to his accounts. On that point, the court found credible Coca-Cola’s expert testimony that “Enslin’s name and driver’s license number would not have been useful to the hackers in light of the numerous ways they might have obtained the information needed to compromise his accounts.” Therefore, Enslin’s contractual claims failed because he could not show Coca-Cola’s conduct caused his damages.
The Third Circuit also affirmed dismissal of Enslin’s negligence claim on the grounds that Pennsylvania’s economic loss doctrine bars recovery in the absence of either “physical injury or property damage.” Additionally, like his contractual claim, Enslin’s negligence claim failed because Enslin was unable to demonstrate proximate causation between the laptop thefts and his injury.
Finally, the court affirmed dismissal of Enslin’s Drivers Privacy Protection Act claim as barred by the relevant four-year statute of limitations.
The Third Circuit also affirmed the denial of Enslin’s motion to certify a class based on the entirely new theory of vicarious liability. Noting that in “nearly three years of litigation,” Enslin never pled that Coca-Cola could be held vicariously liable for the theft of the laptops, the Third Circuit held that the district court “did not abuse its discretion by refusing to entertain Enslin’s ‘request to, in effect, reboot this case after summary judgment ha[d] already been granted.’”
The Coca-Cola decision has significant implications for data breach actions, as it is one of the few such cases to proceed to summary judgment. It therefore sheds light on how at least one court of appeal will apply facts developed through discovery to the common theories asserted by plaintiffs against companies that have experienced a breach.
First, the Coca-Cola decision reaffirms the viability of the economic loss doctrine as a defense to negligence claims in data breach cases. The Third Circuit confirms the trend that there is no tort recovery for negligent conduct that causes purely financial losses, limiting potential tort liability in such cases. Second, it demonstrates that while plaintiffs may be able to avoid dismissal at the pleading stage by alleging that they experienced attempted fraud or identity theft following a breach, they still must come forward with evidence of a causal connection between the breach and any harm that they suffered in order to get to trial and ultimate establish liability. Plaintiffs cannot simply rely (at least in the Third Circuit) on the inferences from the fact that their personal information was involved in a data breach and that their financial accounts were compromised to avoid summary judgment. As The Third Circuit noted, there are other means that fraudsters might have utilized to obtain plaintiffs’ information to compromise their accounts. Indeed, given the frequency and near ubiquity of data breaches, proving causation will likely only become more difficult for plaintiffs in the future.