Good News for Companies: Pennsylvania District Court Rules That Plaintiffs Lack Standing without Actual or Imminent Misuse of Data

by Wilson Elser

“There are only two types of companies left in the United States … those that have been hacked and those that don’t know they’ve been hacked.” That is how U.S. District Judge John E. Jones III of the Middle District of Pennsylvania began his opinion in Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc. The Court granted a motion to dismiss two consolidated class actions with a total of 233,000 proposed class members whose private information had been compromised after a payroll company had its systems hacked. Sympathetic to those who have been victims of a data breach, Judge Jones noted that, “it is not unreasonable for the victims to feel that a wrong has clearly been committed,” but questioned whether it was reasonable for a business to pay damages to thousands of customers when there has been no misuse of the information.

Background
Defendant Paytime, a national payroll service company, offers a variety of services to its clients, including payroll submission, which by necessity requires the submission of sensitive private information such as bank account and social security numbers. According to the complaints, Paytime discovered its systems were compromised 23 days after hackers initially gained access, and provided notice to impacted individuals 12 days later. Plaintiffs alleged that 233,000 individuals had their private information “misappropriated.” For most of the putative class, damages included an increased and “imminent” risk of identity theft, fraud and abuse. For one plaintiff, damages included the fact that his security clearance was suspended after he reported the breach to his employers, who forced him to work at a different job site, which added four hours to his commute and cost him additional travel expenses and lost time.

The Court found these allegations insufficient and dismissed the cases, finding that the plaintiffs did not have standing to file suit in the first place because they failed to allege any misuse of their information, such as funds taken from their bank accounts or misuse of their social security numbers. For the plaintiff whose security clearance was suspended, the Court reasoned that working from another job site was akin to other preventative measures, such as credit monitoring, and not an actual injury. The Court pointed out that standing requires an injury in fact – “one that is ‘concrete in both a qualitative and temporal sense’ as opposed to merely ‘abstract.’” According to the Court, the injury must be actual, not hypothetical; allegations of future injury are insufficient.

Rationale and Findings
The Court relied heavily on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011), a data breach case directly on point. Similar to the Paytime case, Reilly involved a breach of a payroll processing firm that resulted in the compromise of personally identifiable information. As provided in Reilly, when a data breach occurs “a plaintiff does not suffer a harm, and thus does not have standing to sue, unless plaintiff alleges actual ‘misuse’ of the information, or that such misuse is imminent.” The Third Circuit in Reilly affirmed the district court’s dismissal of the case, reasoning that the “plaintiffs’ alleged future harm resulting from the security breach was not sufficiently imminent to meet the threshold for standing … the risk of future injury was significantly attenuated, considering that it was ‘dependent on entirely speculative, future actions of an unknown third party.’”

Similarly, the Court in Paytime held that the plaintiffs did not provide factual allegations of misuse or allegations establishing impending misuse, and dismissed the complaints. Analyzing the holding in Reilly, the Court noted that the “touchstone” of a data breach is misuse of the data. “Reilly draws a clear line in the sand in this context as to when a data breach becomes harm.” District courts are “required to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm.”

Perhaps the most interesting discussion occurred in a footnote to the Opinion. The plaintiffs tried to argue that there was a substantial risk that identity theft could occur, which, according to the plaintiffs, is sufficient to establish standing under Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013). The Court noted that the discussion of “substantial risk” was (similarly) a footnote in the Clapper opinion; the Court would instead rely on the holding in Clapper. However, the Court continued, pointing out that even if the substantial risk standard were applied, the plaintiffs failed to meet that bar as well. The plaintiffs had argued that one in four people who receive breach letters are victims of identity theft. According to the Court, a 75 percent chance of not becoming a victim of identity theft means that injury is not impending for those individuals.

Despite the best efforts of companies to protect their systems, and ostensibly their clients’ or customers’ data, hackers are all too often successful at compromising these systems. Fortunately, courts continue to recognize the potentially troubling implications if plaintiffs were able to recover damages without suffering an injury in fact. As the Court stated, for “a court to require companies to pay damages to thousands of customers when there is yet to be a single case of identity theft proven strikes us as overzealous and unduly burdensome to businesses.”

The Court continued, "There is simply no compensable injury yet … and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft. Once a hacker does misuse a person's personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages."

The Court also dismissed the plaintiffs’ alleged actual injury based on harm to their privacy interests. The plaintiffs argued that their privacy was invaded because it was “accessed by an unauthorized third party.” Dismissing this argument, the Court stated: "Here, plaintiffs do not allege that the unidentified hacker was actually able to view, read, or otherwise understand the data it accessed. They do not allege that their information was exposed in such a way as to make it easily viewed."

Summary
In conclusion, it is apparent that simply alleging that one is a victim of a data breach and thus at risk of identity theft is insufficient to withstand a motion to dismiss for lack of standing. Although plaintiffs continue to craft creative arguments for damages, such as a suspension of a security clearance, without actual misuse of the data, no injury in fact exists. Mere acquisition of confidential information by an unauthorized third party is not sufficient to give rise to a cause of action. However, the Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc. decisions make clear that companies, despite their best efforts, may not be able to prevent a data breach whether as a result of a hacking or some other malicious attack. This highlights the importance of companies taking proactive steps today to prepare for tomorrow’s data breach.

Wilson Elser will continue to monitor this and other cases involving data breaches.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Elser | Attorney Advertising
