Third Circuit Holds That Plaintiffs Lack Standing to Sue for Data Breach Where Alleged Harm is Only Speculation That Personal and Financial Information May Be Misused
The Third Circuit in Reilly v. Ceridian Corp. affirmed the district court’s dismissal of a putative class action against payroll processing company Ceridian for a data breach, holding that the plaintiffs lacked standing because their alleged injuries were too speculative. In December 2009, an unidentified hacker breached Ceridian’s Powerpay system and potentially gained access to personal and financial information belonging to approximately 27,000 employees at 1,900 companies. It was unknown, however, whether the hacker read, copied, or understood the data. Two individual plaintiffs filed suit on behalf of all individuals whose information was exposed in the security breach, alleging that they (1) had an increased risk of identity theft, (2) incurred costs to monitor credit activity, and (3) suffered emotional distress.