Pa. court considers standing question in data breach cases

By Richard Bortnick on April 2, 2015

In Storm & Holt v. Paytime, Inc., 1:14-cv-01138-JEJ (MD Penn. Mar. 13, 2015), the United States District Court for the Middle District of Pennsylvania addressed the Article III standing issue of when a cause of action may exist for a malicious data breach.

The case involved two consolidated putative class actions related to a data security breach of Paytime, Inc.’s systems. Paytime is a national payroll service company. The plaintiffs were current or former employees of entities that used Paytime as their payroll servicing provider. The plaintiffs’ employers provided Paytime with the plaintiffs’ confidential information, including full legal names, addresses, bank account information, Social Security numbers, and dates of birth, in furtherance of Paytime’s payroll services to the employers. Unknown third parties then accessed the Paytime systems without authority. Paytime did not become aware of the security breach until twenty-three days following the breach. The plaintiffs alleged that Paytime delayed an additional thirteen days prior to notifying affected parties of the breach. Paytime later confirmed that the data breach occurred and that the unknown third parties had gained access to the confidential information.

After becoming aware of the data breach, the plaintiffs filed complaints against Paytime. There were two separate cases filed against Paytime. In both cases, the plaintiffs sought recovery of alleged damages related to the breach. Specifically, plaintiffs cited the time and money they would be required to expend to protect themselves from identity theft.

Prior to the consolidation of the cases, Paytime moved to dismiss, arguing that the plaintiffs lacked Article III standing to raise the causes of action. Citing Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), the court emphasized that in the context of data breaches, plaintiffs will not satisfy Article III standing unless they can establish that misuse of the unlawfully accessed information has occurred or is imminent. In the absence of such allegations, a plaintiff will lack standing. The court held it was required to follow this principle that was espoused in Reilly.

Addressing the complaints in this case, the court cited the plaintiffs’ allegations that their confidential information was “obtained” by unknown third parties and that they “are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.” The court also focused on the language in the complaint alleging that certain members of the class incurred actual damages as a result of the data breach, such as the suspension of one plaintiff’s security clearances by his current employer due to the unauthorized access that the hackers had to his information.

Similar to other recent decisions on Article III standing in data breach cases, in dismissing the complaints, the court reasoned that the plaintiffs failed to allege sufficient facts to demonstrate that misuse of their information had occurred or was certainly impending. The complaints did not incorporate allegations that any of the plaintiffs had been victims of identity theft, that their bank accounts had been improperly accessed, that credit cards had been opened in their names, or that their Social Security numbers were used to impersonate them and gain unauthorized access to their accounts. There was also no allegation that the hackers actually read, copied, or understood the data that was accessed. Without such allegations, there could be no actual or imminent invasion of the plaintiffs’ privacy.

The court further rejected the plaintiffs’ arguments that their use of the terms “stolen” and “misappropriated” in the complaints created a cognizable harm that precluded dismissal. The court emphasized that the plaintiffs’ use of these terms did not affect the fact that the complaints lacked allegations of actual misuse of the data, which is what Reilly requires. The court further stressed that the plaintiff who had his security clearance revoked by his current employer did not establish actual damages because he and his employer had only engaged in preventative measures, and he, like the other plaintiffs, still could not cite to a single instance of the actual misuse

Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and a contributing author for the Cyber Risk Network. He was previously a shareholder in the law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.

He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.