Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
March 16 — Individuals whose confidential personal information was accessed by hackers during a breach of a national payroll processing company lack standing because they failed to allege the misuse of their data or that such misuse would be imminent, a federal district court held March 13.
“For a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses,” Judge John E. Jones III of the U.S. District Court for the Middle District of Pennsylvania wrote in dismissing the consolidated putative class actions against Paytime Inc.
The court said its conclusion was consistent with the “vast majority of courts” that have reviewed data breach cases following the U.S. Supreme Court's decision in Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013). In Clapper, the Supreme Court said that a threatened injury must be “certainly impending” for purposes of standing.
In April 2014, hackers gained unauthorized access to Paytime's computer systems, the court said. Current and former employees of companies that used Paytime for payroll processing sued Paytime, alleging that hackers “misappropriated” the personal and financial information of more than 233,000 individuals.
The district court granted Paytime's motion to dismiss, finding that the plaintiffs failed to allege an actual injury to support their standing.
The court said the facts were similar to those of Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), which said data breach plaintiffs must allege the actual misuse of their data or specifically allege how such misuse is impending. The plaintiffs here failed to allege any incidences of identity theft resulting from the data breach, the district court said.
In addition, under Reilly, allegations of an increased risk of identity theft are insufficient to support standing, the court said. A layperson might find that the lapse of time since the breach undermines the argument of a threat of future identity theft, the court added.
One plaintiff alleged that he suffered actual damages when his employer temporarily suspended his security clearances as a result of the breach, requiring him to commute farther to a different job. “His supposed damages in the form of increased commute time and related expenses, although surely unfortunate, are merely a form of prophylactic costs the Supreme Court has warned cannot be used to ‘manufacture' standing, even if those costs are reasonable,” the court said, relying on Clapper.
Nor have the plaintiffs alleged that any harm to their privacy interest is actual or imminent because they didn't allege that the hacker read, copied or understood the data, the court said.
“There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft,” the court said. “Once a hacker does misuse a person's personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages.”
Carlson Lynch Sweet & Kilpela LLP, Lockridge Grindal Nauen PLLP, Meredith & Narine LLC and Krishna B. Narine PC in Huntingdon Valley, Pa., represented the named plaintiffs. Lewis Brisbois Brisgaard & Smith LLP represented Paytime.
Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Storm_v_Paytime_Inc_No_14cv1138_2015_BL_68446_MD_Pa_Mar_13_2015_C.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)