Enslin v. Coca-Cola Co.

Rule of Law:

A plaintiff has Article III standing in a data breach case when they allege actual misuse of their stolen personal information resulting in concrete financial losses and time spent mitigating the harm, not merely a speculative risk of future identity theft.

Facts:

• In 1996, Shane K. Enslin was hired by Keystone Coca-Cola Bottling Company ('Keystone Coke').
• As a condition of employment, Enslin provided his Personal Identification Information (PII), including his Social Security number, bank account information, and credit card numbers, which Keystone Coke stored in an unencrypted format on laptop computers.
• Enslin ended his employment with Keystone Coke in 2007.
• Over a nearly six-year period between 2007 and 2013, fifty-five laptops containing the PII of Enslin and approximately 74,000 other current and former employees were stolen from a Coca-Cola subsidiary.
• An employee, Thomas William Rogers, was later identified as responsible for the thefts.
• Several months after being notified of the data breach in February 2014, Enslin became a victim of identity theft.
• The identity theft included fraudulent purchases charged to Enslin's accounts, theft of funds from his checking account, attempts to open new credit cards in his name, and an individual using his identity to obtain a job at UPS.
• These incidents caused Enslin to incur financial losses, including a $17 bank fee, and to expend numerous hours attempting to resolve the fraudulent activities.

Procedural Posture:

• Shane K. Enslin filed a class action complaint against The Coca-Cola Company and several related entities ('the Coke Defendants') in the United States District Court for the Eastern District of Pennsylvania, a federal trial court.
• The Coke Defendants filed a Motion to Dismiss pursuant to Federal Rule of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction (standing) and 12(b)(6) for failure to state a claim.