No business wants to be the victim of a data breach, but to hear former Director of National Intelligence Mike McConnell tell it, every major corporation in America already has (whether they realize it or not). The discovery of a potential breach should set off a cascade of internal responses including forensic investigation, possible notification to government criminal investigative agencies, notification to affected customers, compliance reviews, legal analyses, information security audits, and business impact studies.
Once the business determines the scope of the breach and provides proper notification to the affected customers, employees, clients, and/or others, it must anticipate being sued – sometimes in individual cases, but more often in class actions. Alleged negligence, breach of contract, and violations of state consumer protection statutes all can form the bases of such lawsuits – with thousands or even millions of potential class members.
In the consolidated case of Storm v. Paytime, Inc., the U.S. District Court for the Middle District of Pennsylvania recently dismissed two such federal class action lawsuits brought against Paytime, Inc., a national payroll service company. Current and former employees of companies that used Paytime as their payroll processing service sought to represent a proposed class potentially numbering in the hundreds of thousands. They alleged that Paytime was the victim of a security breach during which an unknown third party (or parties) accessed their personal and financial information. Plaintiffs asserted causes of action against Paytime for negligence, breach of contract, and violations of a state consumer protection statute, all arising out of Paytime’s alleged failure to properly safeguard against the breach and to timely discover and issue appropriate notifications regarding it.
Paytime moved to dismiss the consolidated lawsuits based on lack of Article III standing, arguing that none of the plaintiffs suffered any actual damage because none of the stolen information was alleged to have yet been misused by the hackers/thieves. The district court agreed, concluding that based on relevant precedents from the United States Supreme Court (in Clapper v. Amnesty Int’l. USA, 133 S. Ct. 1138 (2013)) and the Third Circuit (in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)), standing in data breach cases depends on well-pled allegations that the plaintiffs’ information was actually misused or its misuse was “certainly impending.” Although the plaintiffs alleged they were at increased risk of identity theft and suffered other harms as a result of the Paytime data breach, the district court determined the risks were too speculative and uncertain to establish actual, imminent injury sufficient to confer Article III standing.
The district court reasoned that “the courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the [stolen] data and engage in identity theft.” But this does not mean that all breached businesses are off the hook in federal suits, because “[o]nce a hacker does misuse a person’s personal information for personal gain … there is a clear injury and one that can be fully compensated with money damages.”
In addition, the district court suggested that had the plaintiffs been able to properly allege that the hacker(s) who misappropriated their information from Paytime were actually able to “view, read, or otherwise understand the data,” then they might be able to establish actual or “certainly impending” injury (and secure standing to sue in the process). In another recent federal suit (In re Adobe Systems, Inc. Privacy Litigation (No. 13-CV-05226-LHK)), the U.S. District Court for the Northern District of California denied a motion to dismiss for lack of standing on just that basis. There the plaintiffs alleged their personal information was specifically targeted by hackers who used Adobe’s own systems to decrypt it, and by the time of suit some of their information had already surfaced on the web.
Unfortunately, the frequency and severity of businesses’ data breaches continue to increase. Class actions and other lawsuits seeking to recover damages resulting from those breaches – actual or threatened – likewise will continue to multiply. Although Article III standing may be a significant hurdle for plaintiffs to overcome in such suits, many hacked businesses – like Paytime, Inc. – have made proactive decisions (for business and legal reasons) to offer affected individuals credit monitoring and identity theft protections for a year or more. It certainly appears to be money well spent, regardless of how the legal landscape on standing in such cases might shift.