PDF

24 April 2015
Practice Groups:
Commercial Disputes
Cyber Law and
Cybersecurity
Federal Courts in the Third Circuit are Following the
National Trend and Dismissing Data Breach Cases
for Lack of Standing
By Nicholas Ranjan and Syed D. Ali
Introduction
Data breaches are becoming increasingly common. These incidents have spawned
considerable litigation, including class action lawsuits brought by individuals whose personal
information has been compromised. But many of these lawsuits have been dismissed at the
outset on the basis of Article III standing—that is, many courts have found that the plaintiffs
have not sufficiently established a concrete injury in order to seek redress from the courts.
Since at least 2011, federal courts in the Third Circuit (which encompasses Pennsylvania,
New Jersey, Delaware, and the Virgin Islands) have typically relied on Reilly v. Ceridian
Corp., 664 F.3d 38 (3d Cir. 2011), to dismiss data breach claims for lack of standing. In
Reilly, employees of a law firm brought a class action lawsuit against a payroll processing
firm, Ceridian Corporation, alleging various claims related to increased risk of identity theft
after an unknown hacker infiltrated Ceridian’s computer system and potentially gained
access to the personal and financial information of 1,900 companies and 27,000 employees.
The plaintiffs did not allege any actual misuse of their personal information, only that the
information could be misused at any moment. The United States District Court for the District
of New Jersey granted Ceridian’s motion to dismiss holding that plaintiffs lacked standing
and failed to state a claim. On appeal, the Third Circuit explained that constitutional standing
“requires an injury-in-fact, which is an invasion of a legally protected interest that is (a)
concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical.” Id.
The Court concluded that plaintiffs’ allegations of future injuries relied on speculation that the
hacker read and understood their personal information, intended to commit future criminal
acts by misusing that information, and was capable of misusing that information to the
plaintiffs’ detriment. Id. at 42. The Court affirmed the district court’s dismissal of the case
finding that the plaintiffs’ “allegations of hypothetical, future injury do not establish standing
under Article III.” Id. at 41.
Reilly was decided before the recent wave of date breaches making national headlines, but it
remains the seminal decision on the issue of standing in data breach litigation in the Third
Circuit. Notably, two recent data breach decisions by federal district courts in the Third
Circuit reflect that the district courts have continued to faithfully apply Reilly and dismiss
data-breach lawsuits for lack of standing, making the Third Circuit a defense-friendly
jurisdiction for this type of claim. See In re Horizon Healthcare Services Inc. Data Breach
Litigation, No. 13-7418 (CCC), 2015 WL 1472483 (D.N.J. Mar. 31, 2015); Storm v. Paytime,
Inc., No. 14-cv-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015).
Federal Courts in the Third Circuit are Following the National
Trend and Dismissing Data Breach Cases for Lack of Standing
In re Horizon Healthcare Services Inc. Data Breach Litigation
In November 2013, a thief stole two laptop computers containing the personal and medical
information of over 839,000 members of Horizon Healthcare Services, Inc. In December of
that year, Horizon sent letters and issued a press release notifying its members of the theft,
and it offered free credit monitoring and identity theft protection to those members whose
social security numbers were on the laptops. Subsequently, a number of customers filed a
class action lawsuit against Horizon alleging that they “have been placed at an imminent,
immediate, and continued increased risk of harm from identity theft, identity fraud, and
medical fraud, requiring them to take the time and effort to mitigate the actual and potential
impact of the Data Breach on their lives.” In re Horizon Healthcare Services Inc. Data Breach
Litigation, 2015 WL 1472483 at *1.
Horizon filed a motion to dismiss under Fed. R. Civ. P. 12(b)(1), arguing that the plaintiffs
lacked standing to sue because the named plaintiffs did not allege that their personal
information was actually accessed or misused. Id. at 4. Instead, the plaintiffs alleged
economic harm, violations of common-law and statutory rights, and an imminent risk of future
harm. Id. With respect to economic harm, plaintiffs alleged that they had standing because
they received less than they bargained for since at least some portion of their insurance
premiums were allocated for data protection. Id. at 4–5. Plaintiffs also argued that they had
standing because their rights were violated even if no actual injury occurred. Id. And finally,
plaintiffs argued that despite their lack of injury so far, identity theft could occur at any
moment. Id.
The court rejected plaintiffs’ arguments. It held that the standing analysis focuses on whether
the plaintiffs suffered an actual or certainly impending injury, not on whether any of plaintiffs’
rights have been violated. The court held that the plaintiffs lacked standing because they
failed to allege that any harm had actually occurred to date, and their allegations of
increased risk of future injuries were insufficient to meet the injury-in-fact element of standing
under Reilly, which holds that future injuries stemming from the conjectural conduct of third
parties are inadequate to confer standing. Id. at *5–6 (citing Reilly, 664 F.3d at 38).
Storm v. Paytime, Inc.
In April 2014, unknown third parties accessed Paytime, Inc.’s computer systems. Paytime
disclosed the data breach and announced that the confidential personal information of
employees of its clients had been accessed. Paytime is a national payroll company, and the
plaintiffs in two consolidated class action lawsuits resulting from the data breach were
current or former employees of companies that used Paytime as their payroll processing
service. Storm, 2015 WL 1119724, at *3.
The Storm Court, citing Reilly, stated that the “Third Circuit requires its district courts to
dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the
hacked data or specifically allege how such misuse is certainly impending. Allegations of
increased risk of identity theft are insufficient to allege a harm.” Id. at *5 (citing Reilly, 664
F.3d at 43). The court went on to note that the “factual allegations are remarkably similar to
those of Reilly.” Id. The main difference between the allegations in Reilly and those in Storm
were the verbs used by the plaintiffs in their allegations. For example, in Storm, the plaintiffs
alleged that over 233,000 people had their information “accessed without their authorization,”
“stolen,” and “misappropriated.” Id. at 5–6. But in reviewing the plaintiffs’ allegations, the
2
Federal Courts in the Third Circuit are Following the National
Trend and Dismissing Data Breach Cases for Lack of Standing
court found no factual allegations of misuse or even that misuse was certainly impending. Id.
The court held that using different verbs, like “stolen” and “misappropriated,” was not
effective in making the case distinguishable from Reilly, and because the plaintiffs did not
allege any actual or certainly impending misuse of their personal information, the court
dismissed the case for a lack of standing. Id. at *6.
Conclusion
The growing body of case law on the issue of standing in data breach litigation offers a
simple lesson: companies that find themselves as defendants in class action lawsuits
resulting from a data breach, especially in the Third Circuit, should scrutinize the complaint to
determine whether the plaintiffs have alleged any injuries in fact and, if not, move the court to
dismiss the litigation at the outset.
Authors:
Nicholas Ranjan
[email protected]
+1.412.355.8618
Syed D. Ali
[email protected]
+1.412.355.6229
Anchorage Austin Beijing Berlin Boston Brisbane Brussels Charleston Charlotte Chicago Dallas Doha Dubai Fort Worth Frankfurt
Harrisburg Hong Kong Houston London Los Angeles Melbourne Miami Milan Moscow Newark New York Orange County Palo Alto Paris
Perth Pittsburgh Portland Raleigh Research Triangle Park San Francisco São Paulo Seattle Seoul Shanghai Singapore Spokane
Sydney Taipei Tokyo Warsaw Washington, D.C. Wilmington
K&L Gates comprises more than 2,000 lawyers globally who practice in fully integrated offices located on five
continents. The firm represents leading multinational corporations, growth and middle-market companies, capital
markets participants and entrepreneurs in every major industry group as well as public sector entities, educational
institutions, philanthropic organizations and individuals. For more information about K&L Gates or its locations,
practices and registrations, visit www.klgates.com.
This publication is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in
regard to any particular facts or circumstances without first consulting a lawyer.
© 2015 K&L Gates LLP. All Rights Reserved.
3