Enslin v. Coca-Cola Co.
136 F. Supp. 3d 654
E.D. Pa.2015Background
- Plaintiff Shane Enslin alleges personal identifying information (PII) — including SSN, bank and driver’s-license records — stored on employer-owned laptops was kept unencrypted and ultimately stolen from Coke entities, affecting ~74,000 individuals.
- Laptops were stolen over 2007–2013; thefts discovered Nov. 2013 and all devices recovered by Dec. 2013; an employee was later charged for the thefts.
- Plaintiff received notice of the breach and credit-monitoring; thereafter he alleges multiple specific instances of identity misuse (unauthorized purchases, drained bank account, new accounts opened, job obtained in his name).
- Enslin sued Coke defendants asserting ten claims: DPPA violation, negligence, negligent misrepresentation, fraud, breach of express and implied contract, breach of covenant of good faith, unjust enrichment, bailment, and civil conspiracy; seeks various damages.
- Defendants moved to dismiss for lack of Article III standing (Rule 12(b)(1)) and for failure to state claims (Rule 12(b)(6)). The court found Enslin has standing and dismissed several claims while allowing breach-of-contract and unjust-enrichment claims to proceed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing — injury-in-fact | Enslin points to concrete, ongoing harms: fraudulent charges, drained accounts, time/expense addressing identity misuse | Defendants: harms are speculative or future-risk; monitoring/precaution expenditures cannot manufacture standing | Held: Plaintiff has suffered concrete misuse of PII and related costs/time; injury-in-fact established. |
| Standing — causation / traceability | Enslin alleges his PII was stored/controlled at various times by the Coke defendants and the misuse is plausibly traceable | Defendants: long time gap, some defendants had no relation to Enslin, stolen data insufficient to cause alleged harms | Held: At pleading stage allegations that defendants controlled/transferred PII and that misuse resulted are plausible; causation satisfied for standing (but not for every specific damage). |
| DPPA claim (18 U.S.C. § 2724) | Enslin: driver information was included in stolen PII and DPPA liability attaches | Defendants: PDI was voluntarily provided (or stolen) so there was no knowing disclosure by a DMV actor or voluntary public disclosure | Held: DPPA claim dismissed — theft or unsecured private possession does not constitute the required "knowing disclosure" under DPPA. |
| Negligence / negligent misrepresentation / fraud / bailment / conspiracy | Enslin asserts common-law torts based on defendants’ alleged failure to safeguard PII and alleged misrepresentations | Defendants: Economic-loss doctrine bars negligence and negligent-misrep; fraud inadequately pled (Rule 9(b)); PII is not personalty for bailment; conspiracy depends on underlying tort and specific intent | Held: Negligence and negligent misrepresentation dismissed with prejudice (economic-loss doctrine). Fraud dismissed for failure to plead with particularity. Bailment dismissed (PII not treated as personalty). Conspiracy dismissed (fails because fraud claim fails and lacks required allegation of sole intent to harm). |
| Contract and restitution/unjust enrichment | Enslin: employment relationship and privacy representations created express and implied contractual duties and restitution claim for opportunistic breach | Defendants: contractual remedies foreclose tort/restitution claims; restitution theory novel/rare | Held: Breach of express and implied contract claims survive. Unjust enrichment (restitution) claim survives under narrow opportunistic-breach theory; court declines to dismiss at pleading stage. |
Key Cases Cited
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (standing requires injury-in-fact, causation, redressability)
- Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (federal courts limited to actual cases or controversies)
- Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir.) (no standing absent actual misuse of PII; costs to monitor insufficient when no injury)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (future-risk of harm must be certainly impending or substantial)
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (pleading must be plausible)
- Ashcroft v. Iqbal, 556 U.S. 662 (threadbare conclusions insufficient; plausibility standard)
- In re Target Corp. Data Security Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014) (standing where plaintiffs suffered unauthorized card charges)
- Pichler v. UNITE, 542 F.3d 380 (3d Cir.) (DPPA liability where private actors obtained motor-vehicle records via license-plate use)
- Senne v. Village of Palatine, 695 F.3d 597 (7th Cir.) (voluntary public display of PDI can constitute DPPA disclosure)
- Sovereign Bank v. BJ’s Wholesale Club, 533 F.3d 162 (3d Cir.) (economic-loss doctrine bars negligence recovery for purely economic harms from data loss)
- In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012) (PII not treated as bailment personalty; standing and causation analysis in data-breach context)
- Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013) (dismissal of non-involved defendant for lack of traceability to plaintiff’s data loss)