Third Circuit Holds That Plaintiffs Lack Standing to Sue for Data Breach Where Alleged Harm is Only Speculation That Personal and Financial Information May Be Misused
The Third Circuit in Reilly v. Ceridian Corp. affirmed the district court’s dismissal of a putative class action against payroll processing company Ceridian for a data breach, holding that the plaintiffs lacked standing because their alleged injuries were too speculative.
In December 2009, an unidentified hacker breached Ceridian’s Powerpay system and potentially gained access to personal and financial information belonging to approximately 27,000 employees at 1,900 companies. It was unknown, however, whether the hacker read, copied, or understood the data. Two individual plaintiffs filed suit on behalf of all individuals whose information was exposed in the security breach, alleging that they (1) had an increased risk of identity theft, (2) incurred costs to monitor credit activity, and (3) suffered emotional distress.
Concluding that the plaintiffs lacked standing, the court emphasized the necessity of an injury-in-fact, which must be actual or imminent, not conjectural or hypothetical. An increased risk of future harm from an unknown third party is insufficient. Although the plaintiffs speculated that the hacker would misuse their information, the court found that there was no evidence suggesting that would happen and there could be no injury unless and until the plaintiffs’ conjectures came true. That the plaintiffs voluntarily expended time and money to monitor their financial situation did not change the court’s conclusion.
The court distinguished Reilly v. Ceridian Corp. from cases in the Seventh Circuit and Ninth Circuit where plaintiffs bringing data-breach claims apparently had standing. The Third Circuit noted that the other cases involved threatened harms that were much more “imminent” and “certainly impending” due to evidence of improper intent. For example, in the Ninth Circuit case, an individual had attempted to open a bank account with a plaintiff’s information following the physical theft of a laptop.
The court also rejected the plaintiffs’ analogies to medical-device, toxic-tort and environmental-injury cases. The court explained that in such cases injury has undoubtedly occurred (e.g., a defective device has been implanted into the body with a quantifiable risk of failure) or monetary compensation may not adequately return the plaintiffs to their original position.