Yet another federal judge has concluded that an individual whose personal information was allegedly accessed during a data breach lacks standing to sue unless and until there has been a misuse of that personal information or such misuse can be proven “imminent.”  See Storm v. Paytime Inc., No. 14-CV-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015).

In April 2014, hackers gained unauthorized access to the computer systems of Paytime, Inc., a national payroll service company. Several employees of companies that use Paytime’s services later filed suit against Paytime and sought class certification, alleging claims of negligence and breach of contract.  In response, Paytime moved to dismiss their claims, contending that plaintiffs lacked standing or, in the alternative, that they had failed to state claims as a matter of law. 

The court found that the plaintiffs did indeed lack standing to sue Paytime, relying heavily on the Third Circuit’s holding in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). “In the event of a data breach, a plaintiff does not suffer a harm, and thus does not have standing to sue, unless [the] plaintiff alleges actual ‘misuse’ of the information, or that such misuse is imminent,” the Reilly court concluded. In Reilly, the employees of a law firm brought a putative class action against a payroll processing firm after it suffered a security breach by an unknown hacker, which they alleged caused increased risk of identity theft, costs of credit monitoring, and emotional distress. According to the court, the alleged future harm was “not sufficiently imminent,” however. Rather, it was “significantly attenuated, considering that it was ‘dependent on entirely speculative, future actions of an unknown third party.”

Likewise, in Paytime, the plaintiffs alleged they were at an increased risk of identity theft, spent time and money to protect themselves from identify theft, and have suffered “actual damages.”  What they failed to allege, the court explained, were “allegations of misuse or that such misuse is certainly impending.” None alleged that they had actually suffered any form of identity theft or even that any of their data had been misused.

Allegations of being at an increased risk of identity theft are not sufficient to amount to an imminent injury, the court decided, reasoning that the data breach had occurred more than a year ago. Given that none of the plaintiffs had yet become “actual victims of identity theft,” any layperson “with a common sense notion of ‘imminence’ would find this lapse of time, without any identity theft, to undermine the motion that identity theft would happen in the near future.”

The court acknowledged that Reilly’s standing requirements leave plaintiffs on the hook for the costs of preventive measures, but found that the logic of the doctrine is sound and its wisdom clear: given the constant efforts of hackers to access confidential data, “for a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to business.” Once a hacker succeeds in actually misusing a person’s personal information, the court explained, there is a “clear injury” that can be fully compensated with money damages and the plaintiff is “free to return to court and would have standing to recover his or her losses.”