The U.S. Court of Appeals for the Ninth Circuit held recently, in Krottner v. Starbucks Corporation,1 that increased risk of future misuse of personal data following the theft of a laptop containing the unencrypted personal data of a group of current and former Starbucks employees amounted to an injury sufficient to confer standing to sue in federal court. Despite concluding that standing existed under Article III of the Constitution, the Ninth Circuit nonetheless upheld the dismissal of plaintiffs’ claims because they failed to allege an injury sufficient to state a claim under the relevant state law.

While the decision is limited to the very narrow facts contained in the record, it highlights the challenges defendants face in defeating class actions arising out of data breach incidents at the pleading stage, even when there has been no alleged use of the data following the breach. A motion to dismiss for lack of standing due to no actual or imminent injury represents one of the most common defense tactics in this type of litigation. Such motions are filed prior to discovery and therefore have important economic advantages for defendants.2

The decision also highlights the risks of potential data-breach-related litigation faced by all companies that collect, maintain, and use personal data. It further illustrates the increased importance of avoiding data breaches and developing effective response programs to manage related litigation risks when a breach occurs.