The US District Court for the Middle District of Pennsylvania recently dismissed a consolidated class action against Paytime, Inc. arising out of a data breach by hackers who accessed the personal and financial information of more than 230,000 individuals. The court held that the plaintiffs lacked standing. Despite the confirmed security breach, the plaintiffs had not alleged actual or impending harm. The plaintiffs’ claim that their personal data was misappropriated was insufficient absent proof the hackers actually viewed, understood, and used the data to the plaintiffs’ detriment.
Paytime is a national payroll service company offering web-based payroll submissions to employers. Employees of Paytime’s customers provided confidential personal and financial information to their employers, which was then forwarded to Paytime. In April 2014, hackers gained access to Paytime’s computer systems, and in May 2014, Paytime confirmed the breach. In June 2014, two separate class actions were filed seeking damages for the monetary and opportunity costs of monitoring their credit in light of the data breach. The district court consolidated the cases in February.
The court held that the plaintiffs did not have standing to sue Paytime because they had not suffered actual harm, nor was harm imminent. Applying Third Circuit law in the data breach context, the court held that the plaintiffs must allege actual misuse of the hacked information or specifically allege how misuse is impending. The court further held that costs incurred as a reasonable reaction to a risk of identity theft was insufficient because there was no certainty that identity theft was impending. The court pointed out that one year after the breach no plaintiff had become a victim of identity theft. The court also rejected the plaintiffs’ theory that they had alleged an actual injury because a single class member’s commute to work allegedly increased due to security clearance issues arising from the data breach. The court saw these as “prophylactic costs” that were an attempt to manufacture standing rather than an actual cost of the data breach.
Storm v. Paytime, Inc., No. 14-cv-1138 (M.D. Pa. Mar. 13, 2015).