Shane E. ENSLIN, on behalf of himself and all others similarly situated v. The COCA-COLA COMPANY; Coca Cola Refreshments Usa, Inc.; Coca-Cola Enterprises, Inc.; Keystone Coca-Cola and Bottling and Distribution Corporation; Keystone Coca-Cola Bottling Co.; Keystone Coca-Cola Bottling Company, Inc.; Keystone Coca-Cola Bottling Corporation; Thomas William Rogers, III; Doe Defendants 1-50; ABC Corporations 1–50; XYZ Partnerships and Associations Shane E. Enslin, Appellant in No. 17-3153 The Coca-Cola Company; Coca Cola Refreshments USA, Inc., Coca-Cola Enterprises, Inc., Keystone Coca-Cola and Bottling and Distribution Corporation; Keystone Coca-Cola Bottling Company, Keystone Coca-Cola Bottling Company, Inc., Keystone Coca-Cola Bottling Corporation, Appellants in No. 17-3256
Shane Enslin and Coca-Cola 1 cross appeal from a summary judgment for Coca-Cola in the United States District Court for the Eastern District of Pennsylvania. Enslin also appeals the denial of his motion for class certification notwithstanding a default judgment in his favor against Defendant Thomas Rogers. We will affirm both judgments and dismiss Coca-Cola's cross-appeal as moot.
The material facts are undisputed. Enslin began his career as a Coca-Cola service technician in 1996 when he went to work for Keystone Coca-Cola, which was then an independent bottler and distributor of Coca-Cola products. In 2001, Keystone was acquired by Coca-Cola Enterprises, so Enslin and others had to complete new employment paperwork. Those forms asked for each employee's address, telephone number, social security number, and driver's license number. Enslin worked for Coca-Cola Enterprises for several years after the Keystone acquisition, but left the company in 2007.
In 2013, Coca-Cola discovered that Thomas Rogers—who worked in the company's information technology department—had been stealing older laptop computers and taking them home. Some of those laptops had been used by Coca-Cola's human resources department and contained former employees’ personal information—including Enslin's name and driver's license number. Coca-Cola alerted Enslin and the other affected employees of the breach. The company attempted to recover the stolen computers, but Rogers had given some of the laptops away, and Coca-Cola cannot definitively say it found them all. Some time after Enslin learned of the breach, his accounts with several internet retailers were compromised and used to make unauthorized purchases. Enslin does not know who accessed his accounts or how they did so. He did not have to pay any of the fraudulent charges.
After the compromise of his retail accounts, Enslin filed this putative class action against Coca-Cola and Rogers in the District Court. He asserted claims under Pennsylvania law for breach of contract, negligence, negligent misrepresentation, fraud, unjust enrichment, bailment, and conspiracy, as well as a claim under the federal Drivers Privacy Protection Act, 18 U.S.C. § 2724. Rogers did not appear, but Coca-Cola did and moved to dismiss Enslin's complaint for failure to state a claim. The District Court held that Enslin had adequately pleaded claims for breach of contract and unjust enrichment, but otherwise granted Coca-Cola's motion and dismissed the rest of Enslin's complaint. Enslin v. The Coca-Cola Co., 136 F.Supp.3d 654, 669–680 (E.D. Pa. 2015).
Following discovery, Coca-Cola and Enslin filed cross-motions for summary judgment. Enslin also moved to certify a class and to amend his complaint. Coca-Cola sought judgment with respect to Enslin's contract claims on the theory that they were preempted by federal labor law. Although the Court rejected that preemption argument, it nevertheless granted summary judgment for Coca-Cola on other grounds, denied Enslin's motion to amend, and denied his motion for class certification as moot. Enslin v. The Coca-Cola Co., 2017 WL 1190979, at *17 (E.D. Pa. Mar. 31, 2017). Enslin moved for reconsideration with respect to the District Court's summary judgment, which the Court denied in a comprehensive opinion. Enslin v. The Coca-Cola Co., 2017 WL 3727033, at *1 (E.D. Pa. Aug. 30, 2017).
Meanwhile, over the course of nearly three years of litigation, Rogers never appeared to defend against Enslin's claims. So shortly after entering summary judgment in favor of Coca-Cola, the District Court entered a default judgment against Rogers for $17 (the amount it cost Enslin to buy checks for the new checking account he opened after his retail accounts were compromised). That judgment ran in Enslin's favor only, since the District Court had previously rejected Enslin's request to enter judgment against Rogers on a classwide basis. See id. at *10–11. Enslin and Coca-Cola filed timely notices of appeal.
Enslin's appeal presents four issues. He challenges: (1) the summary judgment on his contract claims; (2) the dismissal of his negligence claim; (3) the denial of his motion to amend his complaint to replead a claim under the Drivers Privacy Protection Act; and (4) the dismissal of his motion for class certification as moot with respect to Rogers. We consider each argument in turn.3
Enslin's contract claim is based on the premise that the employment forms he completed when Coca-Cola Enterprises acquired Keystone in 2001 obliged Coca-Cola to safeguard his personal information. Enslin, 2017 WL 1190979, at *8–9. The District Court determined that the “Employee Records” section of the Coca-Cola Enterprises Code of Conduct did create “binding contractual obligation[s]” on the company's part, id. at *10, but that a general duty to protect Enslin's personal information was not among them, id. at *11–13. In the District Court's view, Coca-Cola had assumed only the three duties expressly stated in the Code of Conduct: to “ ‘advis[e] employees of all personnel files maintained on them, collect[ ] only data related to the purpose for which the files were established,’ and ‘allow[ ] those authorized to use a file to do so only for legitimate Company purposes.’ ” Id. at *12 (alterations in original) (quoting Code of Conduct).4 Since nothing suggested that Coca-Cola had breached any of those obligations, the District Court concluded that the company was entitled to summary judgment. Id. at *11–14.
In this appeal, Enslin argues that the District Court erred by: (1) holding that there was no factual dispute relevant to determining the terms of the parties’ agreement; (2) interpreting the text of the Code of Conduct to impose three narrowly drawn obligations on Coca-Cola instead of a broad duty to protect Enslin's personal information; and (3) granting summary judgment sua sponte with respect to Enslin's claim that Coca-Cola had breached the contract's implied duty of good faith and fair dealing. Coca-Cola disagrees, but because we may affirm on any basis supported by the record, resolving this appeal does not require us to reach those disputes. See Phila. Taxi Ass'n, Inc. v. Uber Techs., Inc., 886 F.3d 332, 338 (3d Cir. 2018).
In order to prevail on a breach of contract claim in Pennsylvania, a plaintiff must show not only damages, but also “a causal connection between the breach and the loss.” Logan v. Mirror Printing Co. of Altoona, Pa., 410 Pa.Super. 446, 600 A.2d 225, 226 (1991). Even drawing all inferences in Enslin's favor, he cannot meet that burden here. All of the damages that Enslin seeks flow from the compromise of his retail accounts rather than directly from Rogers's theft of his personal information. But he provides no evidence from which a reasonable jury could conclude that his accounts were compromised because information was gleaned from the stolen laptops. Temporal proximity is insufficient here, particularly since Enslin did not undermine Coca-Cola's expert testimony that Enslin's name and driver's license number would not have been useful to the hackers in light of the numerous ways they might have obtained the information needed to compromise his accounts. So breach or no breach, Enslin's contract claims fail because he cannot show he was damaged as a result of Coca-Cola's conduct. We will affirm the District Court's summary judgment as well as its order denying Enslin's motion for reconsideration for that reason.
We turn next to Enslin's negligence claim, which was dismissed because Pennsylvania's economic loss doctrine bars tort recovery in the absence of either “physical injury or property damage.” Enslin, 136 F.Supp.3d at 672 (quoting Adams v. Copper Beach Townhome Cmtys., L.P., 816 A.2d 301, 305 (Pa. Super. Ct. 2003) ). Enslin argues that he should have been afforded a chance to replead his negligence claim since “[t]he precedents pertaining to data breach cases are continuously evolving,” Enslin Br. 46. But the truism that the law evolves does not change that the District Court was duty-bound to apply Pennsylvania tort law in its present state, not as it might exist if and when it is revised to satisfy consumer expectations that businesses will render their personal information both secure and readily accessible. Where Pennsylvania law was clear and Enslin did not—and still does not—propose any amendment that would overcome his failure to plead a non-economic loss, we cannot say the Court abused its discretion in dismissing his negligence claim with prejudice. We will accordingly affirm.
Enslin's other attempt to revive his negligence claim fares no better. Enslin asks us to certify to the Pennsylvania Supreme Court two questions concerning the continued viability of the economic loss doctrine in the data breach context. We decline to do so because certification would be futile. A claim for negligence, like a claim for breach of contract, requires proof of causation, and we have already explained that Enslin cannot meet that burden. Because certification would only “delay these proceedings” without affecting the outcome of the case, we will deny Enslin's motion. See Pollice v. Nat'l Tax Funding, L.P., 225 F.3d 379, 389 (3d Cir. 2000).
Enslin's third argument involves the Drivers Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721–25. That law sharply limits the extent to which entities that receive personal information from state motor vehicle registries may disclose it to third parties. See generally id. § 2721. In addition to its substantive provisions, the DPPA also includes a private right of action for individuals whose personal information is “knowingly obtain[ed], disclose[d] or use[d]” for a purpose other than those permitted by the statute. Id. § 2724(a). DPPA claims are subject to a four-year statute of limitations, see 28 U.S.C. § 1658(a), which we assume—based on the parties’ apparent agreement—begins to run on the date of the statutory violation rather than the date of its discovery.
The District Court dismissed Enslin's DPPA claim for failure to plead a “knowing disclosure.” Enslin, 136 F.Supp.3d at 669–72. It later denied Enslin's motion for leave to replead his DPPA claim, holding that the request was untimely and futile. Enslin, 2017 WL 1190979, at *15–16 & n.20. We will affirm because Enslin's proposed DPPA claim would have been time-barred.
Enslin's DPPA theory was that “once he left Coca-Cola, the company no longer had any legitimate need for his records, so the transfer of those records from one Coca-Cola entity to another during the course of various acquisitions and consolidations were ‘disclosures’ of his information for a ‘purpose not permitted’ by the Act.” Id. at *16 n.20. According to the proposed amended complaint, the last such transfer was between The Coca-Cola Company and a wholly owned subsidiary called Coca-Cola Refreshments USA, Inc. on October 2, 2010. Even assuming that this was an unlawful disclosure for purposes of the DPPA, it still occurred more than four years before Enslin filed this suit on November 12, 2014.
Finally, Enslin claims the District Court erred when it denied his belated request to certify a class based on an entirely new theory of liability. We disagree.
After the Court granted summary judgment for Coca-Cola and denied Enslin's class-certification motion as moot, it asked Enslin to describe “how he wished to proceed with his claims against Rogers now that his claims against Coca-Cola had been resolved.” Enslin, 2017 WL 3727033, at *9. Enslin explained that Coca-Cola's summary judgment neither “extinguish[ed]” the company's liability nor mooted his class-certification motion, because Coca-Cola could still be held liable for Rogers's wrongdoing under a respondeat superior theory. ECF 210-1 at 2. But as the District Court noted, Enslin had never in “nearly three years of litigation” pleaded that Coca-Cola could be held vicariously liable. Enslin, 2017 WL 3727033, at *10. The Court did not abuse its discretion by refusing to entertain Enslin's “request to, in effect, reboot this case after summary judgment ha[d] already been granted.” Id.
Because we will affirm the District Court's summary judgment, we need not consider whether it could or should have reached the same result based on federal labor law. Accordingly, we will dismiss Coca-Cola's cross-appeal as moot.
* * *
For the foregoing reasons, we will affirm the orders of the District Court, deny Enslin's motion to certify a question of law to the Pennsylvania Supreme Court, and dismiss Coca-Cola's cross-appeal as moot.
1. We refer to the various Coca-Cola defendants individually and collectively as “Coca-Cola” except when distinctions between them are relevant to this appeal.
3. Our review of a summary judgment is plenary, applying the same familiar standards as the District Court did. Migliaro v. Fidelity Nat'l Indem. Ins. Co., 880 F.3d 660, 664 n.6 (3d Cir. 2018). We review orders denying motions for reconsideration, motions denying leave to amend, and motions denying class certification for abuse of discretion. Howard Hess Dental Labs. Inc. v. Dentsply Int'l, Inc., 602 F.3d 237, 246 (3d Cir. 2010); Great W. Mining & Mineral Co. v. Fox Rothschild LLP, 615 F.3d 159, 163 (3d Cir. 2010); In re Hydrogen Peroxide Antitrust Litig., 552 F.3d 305, 312 (3d Cir. 2008) (amended Jan. 16, 2009).
4. Neither party was able to locate the actual Code of Conduct that Enslin received in 2001. Enslin, 2017 WL 1190979, at *8. Coca-Cola did, however, produce a 1990s-vintage copy of the Code, which Enslin indicated was “substantially similar” to the 2001 version. Id. Based on Enslin's representation, the District Court assumed for purposes of deciding the parties’ summary judgment motions “that the copy that ha[d] been produced accurately capture[d] the terms of the Code from 2001.” Id. Enslin subsequently discovered that 2004 and 2005 versions of the Code were available on a public internet archive. Enslin, 2017 WL 3727033, at *6. The District Court held that those versions were not materially different from the 1990s version on which it had previously relied, id. at *7–8, and Enslin has identified no such differences on appeal.
HARDIMAN, Circuit Judge.