Data breaches are becoming increasingly common. These incidents have spawned considerable litigation, including class action lawsuits brought by individuals whose personal information has been compromised. But many of these lawsuits have been dismissed at the outset on the basis of Article III standing—that is, many courts have found that the plaintiffs have not sufficiently established a concrete injury in order to seek redress from the courts.
Since at least 2011, federal courts in the Third Circuit (which encompasses Pennsylvania, New Jersey, Delaware, and the Virgin Islands) have typically relied on Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), to dismiss data breach claims for lack of standing. In Reilly, employees of a law firm brought a class action lawsuit against a payroll processing firm, Ceridian Corporation, alleging various claims related to increased risk of identity theft after an unknown hacker infiltrated Ceridian’s computer system and potentially gained access to the personal and financial information of 1,900 companies and 27,000 employees. The plaintiffs did not allege any actual misuse of their personal information, only that the information could be misused at any moment. The United States District Court for the District of New Jersey granted Ceridian’s motion to dismiss holding that plaintiffs lacked standing and failed to state a claim. On appeal, the Third Circuit explained that constitutional standing “requires an injury-in-fact, which is an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Id. The Court concluded that plaintiffs’ allegations of future injuries relied on speculation that the hacker read and understood their personal information, intended to commit future criminal acts by misusing that information, and was capable of misusing that information to the plaintiffs’ detriment. Id. at 42. The Court affirmed the district court’s dismissal of the case finding that the plaintiffs’ “allegations of hypothetical, future injury do not establish standing under Article III.” Id. at 41.
Reilly was decided before the recent wave of data breaches making national headlines, but it remains the seminal decision on the issue of standing in data breach litigation in the Third Circuit. Notably, two recent data breach decisions by federal district courts in the Third Circuit reflect that the district courts have continued to faithfully apply Reilly and dismiss data-breach lawsuits for lack of standing, making the Third Circuit a defense-friendly jurisdiction for this type of claim. See In re Horizon Healthcare Services Inc. Data Breach Litigation, No. 13-7418 (CCC), 2015 WL 1472483 (D.N.J. Mar. 31, 2015); Storm v. Paytime, Inc., No. 14-cv-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015).
In re Horizon Healthcare Services Inc. Data Breach Litigation
In November 2013, a thief stole two laptop computers containing the personal and medical information of over 839,000 members of Horizon Healthcare Services, Inc. In December of that year, Horizon sent letters and issued a press release notifying its members of the theft, and it offered free credit monitoring and identity theft protection to those members whose social security numbers were on the laptops. Subsequently, a number of customers filed a class action lawsuit against Horizon alleging that they “have been placed at an imminent, immediate, and continued increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.” In re Horizon Healthcare Services Inc. Data Breach Litigation, 2015 WL 1472483 at *1.
Horizon filed a motion to dismiss under Fed. R. Civ. P. 12(b)(1), arguing that the plaintiffs lacked standing to sue because the named plaintiffs did not allege that their personal information was actually accessed or misused. Id. at *4. Instead, the plaintiffs alleged economic harm, violations of common-law and statutory rights, and an imminent risk of future harm. Id. With respect to economic harm, plaintiffs alleged that they had standing because they received less than they bargained for since at least some portion of their insurance premiums were allocated for data protection. Id. at *4–5. Plaintiffs also argued that they had standing because their rights were violated even if no actual injury occurred. Id. And finally, plaintiffs argued that despite their lack of injury so far, identity theft could occur at any moment. Id.
The court rejected plaintiffs’ arguments. It held that the standing analysis focuses on whether the plaintiffs suffered an actual or certainly impending injury, not on whether any of plaintiffs’ rights have been violated. The court held that the plaintiffs lacked standing because they failed to allege that any harm had actually occurred to date, and their allegations of increased risk of future injuries were insufficient to meet the injury-in-fact element of standing under Reilly, which holds that future injuries stemming from the conjectural conduct of third parties are inadequate to confer standing. Id. at *5–6 (citing Reilly, 664 F.3d at 38).
Storm v. Paytime, Inc.
In April 2014, unknown third parties accessed Paytime, Inc.’s computer systems. Paytime disclosed the data breach and announced that the confidential personal information of employees of its clients had been accessed. Paytime is a national payroll company, and the plaintiffs in two consolidated class action lawsuits resulting from the data breach were current or former employees of companies that used Paytime as their payroll processing service. Storm, 2015 WL 1119724, at *3.
The Storm Court, citing Reilly, stated that the “Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm.” Id. at *5 (citing Reilly, 664 F.3d at 43). The court went on to note that the “factual allegations are remarkably similar to those of Reilly.” Id. The main difference between the allegations in Reilly and those in Storm was the verbs used by the plaintiffs in their allegations. For example, in Storm, the plaintiffs alleged that over 233,000 people had their information “accessed without their authorization,” “stolen,” and “misappropriated.” Id. at *5–6. But in reviewing the plaintiffs’ allegations, the court found no factual allegations of misuse or even that misuse was certainly impending. Id. The court held that using different verbs, like “stolen” and “misappropriated,” was not effective in making the case distinguishable from Reilly, and because the plaintiffs did not allege any actual or certainly impending misuse of their personal information, the court dismissed the case for a lack of standing. Id. at *6.
The growing body of case law on the issue of standing in data breach litigation offers a simple lesson: companies that find themselves as defendants in class action lawsuits resulting from a data breach, especially in the Third Circuit, should scrutinize the complaint to determine whether the plaintiffs have alleged any injuries in fact and, if not, move the court to dismiss the litigation at the outset.