Payroll Company Breach Plaintiffs Lack Concrete Injuries for Standing


March 16 — Individuals whose confidential personal information was accessed by hackers during a breach of a national payroll processing company lack standing because they failed to allege the misuse of their data or that such misuse would be imminent, a federal district court held March 13.

“For a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses,” Judge John E. Jones III of the U.S. District Court for the Middle District of Pennsylvania wrote in dismissing the consolidated putative class actions against Paytime Inc.

The court said its conclusion was consistent with the “vast majority of courts” that have reviewed data breach cases following the U.S. Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013). In Clapper, the Supreme Court said that a threatened injury must be “certainly impending” for purposes of standing.

Some 233,000 Employees Affected

In April 2014, hackers gained unauthorized access to Paytime's computer systems, the court said. Current and former employees of companies that used Paytime for payroll processing sued Paytime, alleging that hackers “misappropriated” the personal and financial information of more than 233,000 individuals.

The district court granted Paytime's motion to dismiss, finding that the plaintiffs failed to allege an actual injury to support their standing.

The court said the facts were similar to those of Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), which said data breach plaintiffs must allege the actual misuse of their data or specifically allege how such misuse is impending. The plaintiffs here failed to allege any incidences of identity theft resulting from the data breach, the district court said.

In addition, under Reilly, allegations of an increased risk of identity theft are insufficient to support standing, the court said. A layperson might find that the lapse of time since the breach undermines the argument of a threat of future identity theft, the court added.

Security Clearances Suspended

One plaintiff alleged that he suffered actual damages when his employer temporarily suspended his security clearances as a result of the breach, requiring him to commute farther to a different job. “His supposed damages in the form of increased commute time and related expenses, although surely unfortunate, are merely a form of prophylactic costs the Supreme Court has warned cannot be used to ‘manufacture’ standing, even if those costs are reasonable,” the court said, relying on Clapper.

Nor have the plaintiffs alleged that any harm to their privacy interest is actual or imminent because they didn't allege that the hacker read, copied or understood the data, the court said.

“There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft,” the court said. “Once a hacker does misuse a person's personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages.”

Carlson Lynch Sweet & Kilpela LLP, Lockridge Grindal Nauen PLLP, Meredith & Narine LLC and Krishna B. Narine PC in Huntingdon Valley, Pa., represented the named plaintiffs. Lewis Brisbois Bisgaard & Smith LLP represented Paytime.

Full text of the court's opinion is available at