Enslin v. Coca-Cola Co., 2017 U.S. Dist. LEXIS 139525 (E.D. Pa. Aug. 30, 2017):

I. Introduction

Shane Enslin claims that he was the victim of identity theft, and he blames it on a theft of laptop computers from his former employer, Coca-Cola,¹ which were later found [*2]  to have contained the personal information of him and other Coca-Cola employees. Enslin claims that the company promised him—either expressly or implicitly—that it would secure the personal information he provided about himself during the hiring process and that the company breached that promise. He brought this suit on behalf of himself and approximately 74,000 current and former Coca-Cola employees whose information was stored on those laptops.

In a previous opinion, the Court granted summary judgment in Coca-Cola's favor after concluding that Coca-Cola owed him no general contractual duty to safeguard his personal information. 2017 WL 1190979 (E.D. Pa. Mar. 31, 2017). Enslin now moves for reconsideration of that decision, citing to a number of errors he believes the Court made. He also asks the Court to consider two new pieces of evidence he did not submit at summary judgment, which he claims did not come to light until after the Court had ruled against him. His motion is denied in both respects.

II. Background

The full background of this case can be found in the opinion granting summary judgment to Coca-Cola. 2017 WL 1190979. What follows is a brief overview of the case to provide context for Enslin's motion for reconsideration.

Enslin was employed [*3]  by the Coca-Cola organization from 1996 to 2007. He was originally hired by an independent Coca-Cola bottler, which, in 2001, was acquired by an affiliate of the parent Coca-Cola Company called Coca-Cola Enterprises. As part of that acquisition, Enslin had to complete new employment paperwork, which required him to provide various pieces of personal information. He also received a company handbook, which Coca-Cola Enterprises called its "Code of Business Conduct." During discovery, neither side was able to locate a copy of the handbook in effect at the time Enslin joined Coca-Cola Enterprises in 2001, but Coca-Cola did produce one from the 1990s, which Enslin believes to be substantially similar to the one he received in 2001.

Enslin left the company in 2007. Five years later, Coca-Cola discovered that one of its information technology employees had been taking home old laptop computers that the company was no longer using. Once it learned of the theft, Coca-Cola attempted to recover all of the missing laptops, and "while it has 'a very good feeling' that it has been able to recover [them] all, it cannot say for sure." 2017 WL 1190979, at *2. When it examined the laptops it was able to recover, the company [*4]  discovered that some of them had been used by its human resources department and still contained bits and pieces of personal information from some of its current and former employees, including Enslin.

Enslin claims that around that same time, he and his spouse were the victims of identity theft. He believes that the theft of the laptops was to blame. On behalf of himself and a putative class of current and former Coca-Cola employees, he brought this suit against Coca-Cola. His theory is that Coca-Cola contractually obligated itself to safeguard their personal information and did not hold up its end of the bargain.²

 At summary judgment, the Court concluded that Coca-Cola had made no such promise and therefore entered judgment in Coca-Cola's favor.

The Court first considered whether Coca-Cola had formed an express contract with him to safeguard his personal information. As a threshold matter, the Court agreed with Enslin that certain promises the company made in the "Code of Conduct"—the Coca-Cola Enterprises handbook—had the force of a legally binding contract. 2017 WL 1190979, at *8-11. But those promises that the company made stopped far short of assuming a general contractual duty to safeguard his personal [*5]  data. The relevant provisions of the handbook were quite clear on this point. The company agreed to "safeguard the confidentiality of employee records" in three, specifically enumerated ways: it would "advis[e] employees of all personnel files maintained on them," it would "collect[] only data related to the purpose for which the files were established," and finally, it would "allow[] those authorized to use a file to do so only for legitimate Company purposes." Id. at *8 (quoting from the handbook). Nothing more. Enslin relied heavily on the fact that other parts of the handbook (and various Coca-Cola information security policies) imposed many obligations on Coca-Cola employees with respect to the handling of sensitive information, and he argued that if the company had made sure that its employees had been following those policies to the letter, it would not have been possible for old laptops with sensitive information to be pilfered from the company. But the obligation to ensure that those policies were followed was an obligation the employees owed to the company, not the other way around. By promulgating detailed information security policies and requiring its employees to follow them, the company [*6]  was not assuming a contractual obligation to ensure that those policies were followed by its employees for their benefit.

Enslin then suggested that if an express promise to safeguard his information could not be found somewhere in the handbook or in the company's other policies, a contract term to that effect could be implied. But having concluded that Coca-Cola's obligations to its employees were clearly spelled out in those three specific promises it made in the handbook, there was no room to imply some other, additional duty. As the Court explained at the time, "[t]he law will not imply a different contract than that which the parties have expressly adopted," so "[t]o imply covenants on matters specifically addressed in the contract itself would violate this doctrine." Id. at *13 (quoting Hutchison v. Sunbeam Coal Corp., 519 A.2d 385, 388 (Pa. 1986)).

Finally, Enslin contended that Coca-Cola should be viewed as having formed an implied contract with him to safeguard his personal information at the moment he handed over his employment paperwork. But that argument failed for essentially the same reason as his argument that the Court should imply a promise of that nature into the express terms of the handbook: once it was clear that the company's duties in this [*7]  area were clearly spelled out in a section of the handbook, there could be no implied contract to a different effect. Id. ("There cannot be an implied-in-fact contract if there is an express contract that covers the same subject matter." (quoting Baer v. Chase, 392 F.3d 609, 616-17 (3d Cir. 2004))).

Enslin's implied contract argument also failed for a second, more fundamental reason. Contractual promises are not implied whenever one party thinks that it would be proper. The law implies a contract only when an interaction between two parties "can be explained only by the understanding that they are acting contractually." Id. So while contract law has no trouble implying a contract when the existence of a contract is "necessary to account for . . . relations found to have existed between the parties," id. (quoting Hertzog v. Hertzog, 29 Pa. 465, 465 (1857)), a contract will not be implied simply because one party believes that it would have been prudent, or proper, or fair for a contract to exist. The question is whether, drawing from the experience of "the ordinary course of dealing and the common understanding of men," the two sides "show[ed] a mutual intention to contract." Id. (quoting Hertzog, 29 Pa. at 465)). Enslin may have believed that it was fair and proper for Coca-Cola to be contractually bound [*8]  to safeguard the personal information that he turned over on his employment paperwork, but there is no "common understanding" that when a prospective employee fills out an employment application, the intent of both sides is that the employer has undertaken a general contractual duty to safeguard that information against unauthorized access and can be sued for breach if the employee believes that the employer did not do enough to protect it. See Longenecker-Wells v. Benecard Servs. Inc., 658 F. App'x 659, 662 (3d Cir. 2016) ("[The employees] have failed to plead any facts supporting their contention that an implied contract arose . . . other than that [their employer] required [their] personal information as a prerequisite to employment. This requirement alone did not create a contractual promise to safeguard that information . . . .").³

For those reasons, the Court concluded that there was no contract, express or implied, between Coca-Cola and Enslin that imposed a general contractual duty on Coca-Cola to safeguard his personal information.

III. Standard of Review — Motion for Reconsideration

"The purpose of a motion for reconsideration is to correct manifest errors of law or fact or to present newly discovered evidence." Harsco Corp. v. Zlotnicki, 779 F.2d 906, 909 (3d Cir. 1985). It is not, however, to "be used to relitigate [*9]  old matters, or to raise arguments or present evidence that could have been raised prior to the entry of judgment." Exxon Shipping Co. v. Baker, 554 U.S. 471, 485 n.5 (2008) (quoting 11 Charles Alan Wright & Arthur R. Miller, Federal Practice and Procedure § 2801.1, at 127-28 (2d ed. 1995)).

***

V. The "New" Evidence that Enslin has Presented

As mentioned at the start of this opinion, during discovery, neither side was able to locate a copy of the Coca-Cola Enterprises handbook from 2001 to 2007, the years of Enslin's employment. Instead, Enslin based his contract claims on the text of a handbook from the 1990s that Coca-Cola was able to locate (Coca-Cola also was able to locate a copy of the handbook from 2008, but Enslin did not use that version to support his claims). Because Enslin believed that the version from the 1990s was "substantially similar" to the one he was given in 2001—and because Coca-Cola had produced no evidence to the contrary—the Court was willing to assume, for the purposes of summary judgment, that this older handbook accurately captured the terms of their agreement. 2017 WL 1190979, at *8. But the Court cautioned that Enslin's failure to produce a copy of the handbook in effect during his term of employment "could call into question [his] ability to prove [at trial] the terms of the contract he claims he had," which, as the plaintiff, is his burden. Id. at *8 n.11. Ultimately, this issue was rendered moot because the Court concluded that even under the [*17]  text of the 1990s handbook that Enslin was relying upon, Coca-Cola did not owe him the contractual duties he believed it did.

Enslin claims that as he was "prepar[ing] . . . his appeal from this Court's [summary judgment] ruling," he happened to be looking over the 2008 version of the handbook that Coca-Cola produced when he noticed that the handbook had a web address printed on it, which employees could visit to see the most up-to-date version of the handbook. Mem. Supp. Mot. 5. It dawned on Enslin that he could try typing that web address into the "Wayback Machine"—a public database hosted by the Internet Archive, a nonprofit organization, that has the goal of "archiving the web."⁶   The Internet Archive employs software to "crawl" publicly available web pages and take snapshots of them in order to preserve webpages as they looked at different points in time. When Enslin entered the web address from the 2008 handbook into the Wayback Machine, he discovered that it had archived versions of the handbook as it had appeared in 2004 and 2005. Enslin believes that these versions of the handbook are more favorable to him than the 1990s version that he submitted at summary judgment, and he asks the Court [*18]  to consider them now as "newly discovered evidence."

"[N]ewly discovered evidence," it is true, is a valid ground for reconsideration of a previous decision. Harsco Corp. v. Zlotnicki, 779 F.2d 906, 909 (3d Cir. 1985). But "'new evidence,' for reconsideration purposes, does not refer to evidence that a party obtains or submits to the court after an adverse ruling." Howard Hess Dental Labs. Inc. v. Dentsply Int'l, Inc., 602 F.3d 237, 252 (3d Cir. 2010). To qualify as "new," it must be "evidence that a party could not earlier submit to the court because that evidence was not previously available." Id.

Enslin's evidence does not qualify. He does not suggest that this evidence was not available to him until after the Court issued its decision, because that couldn't be the case. The documents he wishes to submit were captured and preserved by the Internet Archive in 2004 and 2005 and publicly available on the Wayback Machine, and he had in his hands a copy of the 2008 handbook, with the website address listed on it, since at least the close of discovery in June 2016—nine months before the Court issued its decision on the parties' summary judgment motions. The fact that it did not strike Enslin to try using that website address to retrieve older copies of the policies from the Wayback Machine [*19]  until after the Court ruled against him does not make this evidence "new." See, e.g., Boldrini v. Wilson, 609 F. App'x 721, 724 (3d Cir. 2015) (per curiam) (concluding that a document a plaintiff located after his claims were dismissed was not new because "[h]e obtained the document merely by requesting it from the Pennsylvania State Police, as was his right under Pennsylvania law").

In any event, the versions of the handbook from 2004 and 2005 would not change the result. In his motion, Enslin highlights various differences between the language of these later versions of the handbook and the version from the 1990s, but none of these differences show that Coca-Cola undertook the sort of broad contractual duty to protect his personal information that Enslin believes it did.

First, he claims that the 2004 version of the handbook "makes clear that the document applies to every [Coca-Cola] employee from the company's directors, to its officers, and to its employees." Mem. Supp. Mot. 14. But so did the 1990s handbook. See Defs.' Mot. Summ. J. Ex. 10, at 0017674, ECF No. 170-13 ("The values and responsibilities outlined in this handbook are important to the Company and must be taken seriously by all of us."). Regardless, which of the company's employees [*20]  had obligations to the company under the handbook has nothing to do with the nature of the obligations that the company may have had to him.

Next, Enslin cites to various obligations that the 2004 and 2005 handbooks imposed on Coca-Cola's employees. Enslin points out that the 2004 handbook provides that its senior officers must "[a]ct in good faith, responsibly, [and] with due care, competence and diligence" and "[r]espect the confidentiality of information acquired in the course of one's work." Mem. Supp. Mot. Ex. D, at 8, ECF No. 194-6. The 2005 handbook states that every employee and director is "required to adhere to the principles and examples contained in the Code" and must "report what you believe, in good faith, to be violations of the Code committed by others." Mem. Supp. Mot. Ex. E, at 1, ECF No. 194-7. It also made clear that the company required "honest and ethical conduct" from each of its employees, not "a narrow compliance with the minimum standards imposed by law." Id. at 5. He also points out that it made clear to each employee that "[c]omputer hardware, software and data must be safeguarded from damage, alteration, theft, fraudulent manipulation and unauthorized access" and that each employee "must [*21]  adhere to specific security measures and internal controls for each computer system to which you are authorized access," id. at 14, though those two provisions were also present verbatim in the 1990s handbook, and the Court discussed them in its previous opinion. See 2017 WL 1190979, at *9. He also highlights the fact that the 2005 handbook directs employees to "refer to the Company's policies on the use of computers, e-mail, and other information systems," id. at 14, which he thinks is significant because it "expressly incorporates [the company's] information security policies into its [handbook]," but the Court had already assumed in its previous opinion that the company's employees were required to follow the company's information security policies.⁷

 See id. at *12. Finally, he points out that the 2005 handbook included "personal information about employees" among the information that the company considered to be confidential, but so did the 1990s handbook. See 2017 WL 1190979, at *9 (quoting from the 1990s handbook, which made reference to the "confidentiality of employee records" in connection with the three express duties the company agreed to assume with respect to employee records).

Enslin suggests that in light of all of these obligations the company [*22]  imposed on its employees in the 2004 and 2005 handbooks, these handbooks also "create[d] a duty for [the company] to follow its information security policies." Mem. Supp. Mot. 16. That simply repeats the same error Enslin made at summary judgment: he is conflating duties that the company imposed on its employees with obligations that the company owed to him. As the Court explained at the time, the various rules and information security policies the company required its employees to follow "are rules that employees were required to follow for the company's good—they were not put in place for the benefit of the employees." 2017 WL 1190979, at *12.

Enslin's argument to the contrary is not faithful to the text of the handbooks and company policies or to contract law. As the Court explored at some length in its previous opinion—and as Enslin repeats in his current briefing—his belief is that the "the company assumed a duty to him to ensure that its employees complied with their obligations under the [handbook and] . . . the detailed information technology policies that the company promulgated" and that if they had been followed, the theft of the laptops could not have occurred. Id. In effect, his theory is that he was [*23]  the third-party beneficiary of every other employee's promise to the company to follow the company's rules and policies, with the company agreeing to act as the guarantor of those promises so that it could be sued for breach if its employees failed to follow them.

Or, to put it another way, Enslin's understanding would mean that each information security policy the company promulgated constituted the terms of a contract the company had with him to protect his personal information—with any lapse by any of the company's employees creating grounds for breach of contract. See Enslin's Opp'n Summ. J. 28, 41 (arguing that the laptops that were stolen should have been encrypted pursuant to the company's "IPP and Asset Management policies" and that the failure to do so in accordance with those policies meant that Coca-Cola had breached its contract with him).

This sort of "sweeping contractual duty" cannot be found in the handbooks—whether the 1990s version or the 2004-05 versions—and cannot be implied. 2017 WL 1190979, at *12-14.

 

---

¹ For convenience of reference, the various Coca-Cola defendants will be referred to simply as "Coca-Cola," except when distinctions between them are relevant.

² His complaint also included numerous other claims under various theories of relief, but all but his contractual claims—and a derivative claim in restitution under the opportunistic breach theory—were dismissed at the pleadings. 2017 WL 1190979, at *2 n.3.

³ As the Court pointed out at the time, this is not to say that an employer has no obligations at all in that scenario. It may be quite possible to conclude that when an employer accepts information from a prospective employee, the employer is promising in return that will not actively "disclose that information to other people or use that information for non-business purposes." 2017 WL 1190979, at *14. That more reasonable understanding of the relationship that exists between the two sides neatly tracks two of the three express promises that Coca-Cola made to its employees in the handbook—to "collect[] only data related to the purpose for which the files were established" and "allow[] those authorized to use a file to do so only for legitimate Company purposes."

⁶ Internet Archive, Frequently Asked Questions — The Wayback Machine, https://archive.org/about/ faqs.php#The_Wayback_Machine (last visited Aug. 26, 2017).

⁷ Not to mention that the reference in the 1990s handbook to all employees needing to "adhere to specific security measures and internal controls for each computer system to which they are authorized access" effectively incorporated the company's information security policies into the handbook.