“There are only two types of companies left in the United States … those that have been hacked and those that don’t know they’ve been hacked.” That is how U.S. District Judge John E. Jones III of the Middle District of Pennsylvania began his opinion in Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc. The Court granted a motion to dismiss two consolidated class actions with a total of 233,000 proposed class members whose private information had been compromised after a payroll company had its systems hacked. Sympathetic to those who have been victims of a data breach, Judge Jones noted that, “it is not unreasonable for the victims to feel that a wrong has clearly been committed,” but questioned whether it was reasonable for a business to pay damages to thousands of customers when there has been no misuse of the information.
Defendant Paytime, a national payroll service company, offers a variety of services to its clients, including payroll submission, which by necessity requires the submission of sensitive private information such as bank account and social security numbers. According to the complaints, Paytime discovered its systems were compromised 23 days after hackers initially gained access, and provided notice to impacted individuals 12 days later. Plaintiffs alleged that 233,000 individuals had their private information “misappropriated.” For most of the putative class, damages included an increased and “imminent” risk of identity theft, fraud and abuse. For one plaintiff, damages included the fact that his security clearance was suspended after reporting the breach to his employers who forced him to work at a different job site, which added four hours to his commute and cost him additional travel expenses and lost time.
The Court found these allegations insufficient and dismissed the cases, finding that the plaintiffs did not have standing to file suit in the first place because they failed to allege any misuse of their information, such as funds taken from their bank accounts or misuse of their social security numbers. For the plaintiff whose security clearance was suspended, the Court reasoned that working from another job site was akin to other preventative measures, such as credit monitoring, and not an actual injury. The Court pointed out that standing requires an injury in fact – “one that is ‘concrete in both a qualitative and temporal sense’ as opposed to merely ‘abstract.’” The injury must be actual, not hypothetical, according to the Court; allegations of future injury are insufficient.
Rationale and Findings
The Court relied heavily on the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011), a data breach case directly on point. Similar to the Paytime case, Reilly involved a breach of a payroll processing firm that resulted in the compromise of personally identifiable information. As stated in Reilly, when a data breach occurs “a plaintiff does not suffer a harm, and thus does not have standing to sue, unless plaintiff alleges actual ‘misuse’ of the information, or that such misuse is imminent.” The Third Circuit in Reilly affirmed the district court’s dismissal of the case, reasoning that the “plaintiffs’ alleged future harm resulting from the security breach was not sufficiently imminent to meet the threshold for standing … the risk of future injury was significantly attenuated, considering that it was ‘dependent on entirely speculative, future actions of an unknown third party.’”
Similarly, the Court in Paytime held that the plaintiffs did not provide factual allegations of misuse or allegations establishing impending misuse, and dismissed the complaints. Analyzing the holding in Reilly, the Court noted that the “touchstone” of a data breach is misuse of the data. “Reilly draws a clear line in the sand in this context as to when a data breach becomes harm.” District courts are “required to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm.”
Perhaps the most interesting discussion occurred in a footnote to the Opinion. The plaintiffs tried to argue that there was a substantial risk that identity theft could occur, which, according to the plaintiffs, is sufficient to establish standing under Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013). The Court noted that the discussion of “substantial risk” was (similarly) a footnote in the Clapper opinion; the Court would instead rely on the holding in Clapper. However, the Court continued, pointing out that even if the substantial risk standard were applied, the plaintiffs failed to meet that bar as well. The plaintiffs had argued that one in four people who receive breach letters are victims of identity theft. According to the Court, a 75 percent chance of not becoming a victim of identity theft means that injury is not impending for those individuals.
Despite the best efforts of companies to protect their systems, and ostensibly their clients’ or customers’ data, hackers are all too often successful at compromising these systems. Fortunately, courts continue to recognize the potentially troubling implications if plaintiffs were able to recover damages without suffering an injury in fact. As the Court stated, for “a court to require companies to pay damages to thousands of customers when there is yet to be a single case of identity theft proven strikes us as overzealous and unduly burdensome to businesses.”
The Court continued, “There is simply no compensable injury yet … and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft. Once a hacker does misuse a person’s personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages.”
The Court also dismissed the plaintiffs’ alleged actual injury based on harm to their privacy interests. The plaintiffs argued that their privacy was invaded because it was “accessed by an unauthorized third party.” Dismissing this argument, the Court stated: “Here, plaintiffs do not allege that the unidentified hacker was actually able to view, read, or otherwise understand the data it accessed. They do not allege that their information was exposed in such a way as to make it easily viewed.”
In conclusion, it is apparent that simply alleging that one is a victim of a data breach and thus at risk of identity theft is insufficient to withstand a motion to dismiss for lack of standing. Although plaintiffs continue to craft creative arguments for damages, such as a suspension of a security clearance, without actual misuse of the data, no injury in fact exists. Mere acquisition of confidential information by an unauthorized third party is not sufficient to give rise to a cause of action. However, the Storm v. Paytime, Inc. and Holt v. Paytime Harrisburg, Inc. decisions make clear that companies, despite their best efforts, may not be able to prevent a data breach, whether as a result of hacking or some other malicious attack. This highlights the importance of companies taking proactive steps today to prepare for tomorrow’s data breach.