Pennsylvania court dismisses data breach suits for lack of actual injury

A Pennsylvania court recently dismissed two consumer consolidated class actions concerning a data breach involving the computer system of defendant Paytime, Inc. for lack of standing. In that case, an unknown third party hacked consumers’ confidential personal and financial information. The plaintiffs alleged that Paytime failed to protect personal and financial information data including names, social security numbers, and bank account numbers and filed suit for breach of contract and negligence.

The district court concluded that “…the Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm” (citing to Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)). Although the court acknowledged in this case one instance where an employee had to travel further while his security clearance was temporarily suspended during the investigation of the breach, the court found that there was no actual allegation that any plaintiffs had suffered any form of identity theft.

While recognizing the nuisance of credit monitoring due to the increased threat of data breaches, the court found that “require[ing]companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses.” Based on plaintiffs’ failure to allege actual harm, the court dismissed the consolidated class actions for lack of standing because the plaintiffs’ alleged injuries were not actual or imminent.

TIP: While some courts in the Third Circuit and the Seventh Circuit have found that plaintiffs’ risk of future harm without actual harm is insufficient to establish standing, not all courts have followed this reasoning. Thus, while the law continues to develop, some of the best protection steps a company can take to mitigate potential exposure are practical ones, like reviewing and improving security measures and remaining vigilant against unauthorized intrusions.

Register now for your free, tailored, daily legal newsfeed service.

Pennsylvania court dismisses data breach suits for lack of actual injury
Blog Privacy & Data Security Law Blog

Filed under

Topics

Popular articles from this firm

PetSmart’s Unilateral Release of Chewy’s Guarantee Obligations *

The QPAM Exemption: Watch Out for Affiliates Convicted of Crimes Outside the U.S. *

First Circuit Decision Underscores the Importance of Meeting the Definition of a Trade Secret as it Relates to Compilations *

SEC renews focus on insider trading in private company stock *

Spotlight: standard-essential patents in USA *

More from Privacy & Data Security Law Blog

2020 Privacy Law Year in Review

Husband Joins Wife in Pleading Guilty to Stealing Trade Secrets from Children’s Hospital

New Judicial Interpretation in China Strengthens Protection of Trade Secrets

Court Battle Between India’s SaaS Industry Leaders Being Fought in California

First Circuit Decision Underscores the Importance of Meeting the Definition of a Trade Secret as it Relates to Compilations

Related practical resources PRO

Related research hubs