In March, three putative class actions stemming from data security breaches were dismissed due to lack of standing or to plaintiffs’ inability to state a valid claim. 

In the first, filed against national payroll service Paytime, Inc. in the wake of an unauthorized access to the company's computer networks, the court dismissed the case for lack of standing, finding that plaintiffs had alleged no actual misuse of the personal information that was accessed. See Storm v. Paytime, Inc.

In the second, filed in the Western District of Washington against national restaurant chain P.F. Chang's, the plaintiff alleged claims of claims of negligence, breach of implied contract, breach of fiduciary duty, strict liability, negligent misrepresentation, and violations of the Arizona Deceptive Trade Practices Act for P.F. Chang’s alleged failure to utilize industry-standard cybersecurity practices.  The court concluded that the plaintiff had not stated plausible claims for relief, holding among other things that the restaurant chain did not contract with the plaintiff to provide a specific level of security and that therefore the plaintiff could not advance a breach of implied contract claim. The court also held that compliance with certain cybersecurity standards is unlikely to be material to a consumer’s decision about whether to shop or dine with a particular retailer, and thus the plaintiff lacked a basis for a claim for deceptive practices. See Lovell v. P.F. Chang's China Bistro, Inc.

In the third case, the federal District Court for the District of New Jersey dismissed a putative class action against Horizon Blue Cross Blue Shield of New Jersey stemming from the theft of two password-protected laptops, holding the plaintiffs lacked standing because they could not show they had sustained any actual injuries that could be connected to the laptop theft. See In re Horizon Healthcare Services, Inc. Data Breach Litigation. [For disclosure, Arnold & Porter LLP represents Horizon Healthcare Services in this litigation.] These cases demonstrate the difficulties plaintiffs continue to face in asserting claims based on data security breaches in the absence of actual misuse of their data.