• United States



by IDG News Service (San Francisco Bureau)

Starbucks Sued After Laptop Data Breach

Feb 25, 20093 mins
Data and Information SecurityMobile Security

A Starbucks employee has filed a class-action lawsuit against the company following an October laptop theft and data breach

A Chicago-area Starbucks employee has brought a class-action lawsuit against the coffee retailer, claiming damages from an October 2008 data breach.

Laura Krottner was one of 97,000 employees notified late last year after a Starbucks laptop containing employee names, addresses and Social Security numbers was stolen on Oct. 29. Krottner’s suit accuses the company of fraud and negligence.

The lawsuit was filed Thursday in federal court in Seattle. Starbucks has offered employees one-year’s free credit monitoring and protection, but Krottner is asking the court to extend that to five years. She is also seeking unspecified damages and asking that Starbucks be ordered to submit to periodic security audits of its computer systems.

“Starbucks failed to follow reasonable precautions to secure its employees’ [personally identifiable information], failed to provide timely notice, and failed to protect employees from invasion of privacy, fraud, identity theft, and associated expenses,” court filings state, adding that Krottner and the other employees must now spend “considerable time and money to protect themselves,” from identity theft.

The company was unable to immediately comment on the lawsuit, but it said it has seen no fraud linked to the incident, according to its breach notification letter.

Lately, however, chatter on some Starbucks message boards shows that there have been some ID theft victims as a result of the incident, the lawsuit states.

News of the lawsuit was first reported Saturday on the Spam Notes blog written by Venkat Balasubramani, the principal with Balasubramani Law.

The suit is the latest of several in which plaintiffs are trying to prove that data breaches are harmful, even if they do not result in identity theft, Balasubramani said in an interview Monday. Courts in Arkansas and Indiana have rejected similar claims in recent years, he noted.

The plaintiffs in the Starbucks case, who are seeking a jury trial, may have better luck, however. “Washington could be different,” he said. “I think Washington is viewed as a privacy friendly state.”

Late last month the U.S. Department of Veterans Affairs reached a US$20 million settlement with plaintiffs in a class-action suit seeking damages following the 2006 theft of a laptop and hard drive containing data on 26.5 million veterans. According to reports, veterans who can show harm related to the theft will be paid between $75 and $1,500.

Starbucks has lost laptops before. In November 2006, the company reported that it had lost two laptops containing the Social Security numbers of nearly 60,000 current and former employees.