Hewing to prior Third Circuit precedent in Reilly v. Ceridian and the Supreme Court’s precedent in Clapper v. Amnesty International, the Middle District of Pennsylvania recently joined the majority of federal district courts in dismissing putative data breach class actions for lack of standing where the named plaintiffs fail to allege identity theft. Although standing is a requirement in any case, it is particularly relevant in the data breach context, where actual damages due to identify theft may never come.
The case arose after Paytime, a national payroll service company, suffered a security breach on April 7, 2014; it discovered the breach on April 30, 2014. According to the plaintiffs’ allegations, more than 233,000 individuals had their personal and financial information, including names, dates of birth, social security numbers, and bank account information compromised as a result of the breach. As has become common practice in such breaches, Paytime offered 12 months of free credit monitoring and identity restoration services to all persons with information affected by the breach.
In granting the motion to dismiss, the district court held that the mere fear of identity theft – coupled with actions taken to prevent identity theft – is insufficient to show an actual or certainly impending injury, as required for Article III standing. In so holding, the district court applied the Third Circuit’s 2011 precedent in Reilly v. Ceridian, in which it affirmed the dismissal of a data breach putative class action because damages were “dependent on entirely speculative, future actions of an unknown third party” who might misuse plaintiffs’ personal information. Following this precedent and the fact that the plaintiffs had not alleged any actual or “certainly impending” injury, as required under the Supreme Court’s recent precedent in Clapper v. Amnesty International, the district court easily found that there was no standing:
Perhaps this strict imminency standard has some wisdom, for even though Plaintiffs may indeed be at greater risk of identity theft, the data breach in this case occurred in April 2014—almost a year ago—and Plaintiffs have yet to allege that any of them have become actual victims of identity theft. Indeed, putting aside the legal standard for imminence, a layperson with a common sense notion of ‘imminence’ would find this lapse of time, without any identity theft, to undermine the notion that identity theft would happen in the near future.
… [F]or a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses.
Significantly, the plaintiffs asserted that one individual out of more than 233,000 potential class members suffered monetary damages as a result of the breach. According to the plaintiffs, this individual was a government contractor who required security clearances in order to perform his job, and, as a result of reporting this incident to his employer, his security clearances were suspended pending investigation. As a result, this individual was required to work temporarily at a different job site, resulting in a four-hour increase in his daily commute. The district court found that these preventative measures were: “different in form but not in substance from the classic forms of preventative measures taken in data breach cases, such as credit monitoring.” Because this plaintiff did not allege any actual “misuse” of his data, the court found that he lacked standing.
The above case stands in contrast to the In re: Target Corporation Customer Data Security Breach Litigation, where a Minnesota federal district court denied the retailer’s motion to dismiss putative class claims where some of the named plaintiffs allegedly suffered identity theft. That court recently granted a motion for preliminary approval of a class settlement providing for a fund of up to $10 million to be distributed through a claims process to class members who suffered identity theft as a result of the breach. The final approval hearing is set for November 10, 2015.