A Pennsylvania court recently dismissed two consumer consolidated class actions concerning a data breach involving the computer system of defendant Paytime, Inc. for lack of standing. In that case, an unknown third party hacked consumers’ confidential personal and financial information. The plaintiffs alleged that Paytime failed to protect personal and financial information data including names, social security numbers, and bank account numbers and filed suit for breach of contract and negligence.

The district court concluded that “…the Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm” (citing to Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)). Although the court acknowledged in this case one instance where an employee had to travel further while his security clearance was temporarily suspended during the investigation of the breach, the court found that there was no actual allegation that any plaintiffs had suffered any form of identity theft. 

While recognizing the nuisance of credit monitoring due to the increased threat of data breaches, the court found that “require[ing]companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses.” Based on plaintiffs’ failure to allege actual harm, the court dismissed the consolidated class actions for lack of standing because the plaintiffs’ alleged injuries were not actual or imminent. 

TIP: While some courts in the Third Circuit and the Seventh Circuit have found that plaintiffs’ risk of future harm without actual harm is insufficient to establish standing, not all courts have followed this reasoning. Thus, while the law continues to develop, some of the best protection steps a company can take to mitigate potential exposure are practical ones, like reviewing and improving security measures and remaining vigilant against unauthorized intrusions.