• Cullen and Dykman LLP Blogs

  • Data Breach Decisions Setting A Higher Threshold For Standing For Plaintiffs Do Not Mean Businesses Are Off The Hook

    There are only two types of companies left in the United States: those that have been hacked and those that will be hacked. In the last year alone, forty-three percent (43%) of U.S. companies experienced a data breach, resulting in the misappropriation of millions of individuals’ personal and financial information. As this number continues to grow, more and more victims are bringing data breach lawsuits to federal court. Shockingly, however, few are surviving summary judgment.

    Under Article III, section 2 of the United States Constitution, federal courts can only hear “cases and controversies.” This means that a plaintiff must allege a personal injury that is both actual and present or imminent for the court to hear the case.

    In most data breach cases, plaintiffs file their claims immediately following the breach. As a result, they assert claims for future, rather than present and actual or imminent, injuries. These injuries typically include: (a) the present and/or future need to spend time and money to monitor financial accounts; (b) the opportunity cost of the time spent monitoring accounts; (c) the costs of obtaining replacement checks and/or credit and debit cards; and (d) the significant possibility of monetary losses arising from unauthorized bank account withdrawals, fraudulent payments, and/or related bank fee charges.

    Since these injuries constitute future, rather than present, harms, the United States Supreme Court’s ruling in Clapper v. Amnesty International USA applies. 133 S. Ct. 1138 (2013). In Clapper, the Court held that a future injury must be “certainly impending” to meet the threshold for standing. This standard establishes a high bar for plaintiffs seeking to recover for injuries which have not, in fact, occurred. This is true even if the alleged injury appears likely or probable to occur. As a result, many recent data breach cases have been dismissed due to lack of standing.

    In Storm v. Paytime, Inc., Paytime, Inc. (“Paytime”), a national payroll service company that utilizes employee confidential information, including full legal names, addresses, bank account data, Social Security numbers, and dates of birth, experienced a data breach. This breach resulted in the misappropriation of over 233,000 individuals’ personal and financial information. Two class action cases were subsequently brought: one by Daniel Storm on June 13, 2014 and one by Barbara Holt on June 27, 2014. They were later consolidated into this one case. Together, plaintiffs alleged all the injuries listed above. Looking to the recent Third Circuit decision in Reilly v. Ceridian Corp., the Storm court dismissed the case for lack of standing.

    In Reilly, employees of a law firm brought a putative class action suit against Ceridian, a payroll processing firm, after Ceridian suffered a data breach by an unknown hacker. 664 F.3d 38 (3d Cir. 2011). Plaintiffs sued for negligence and breach of contract, claiming that they were subject to an increased risk of identity theft, incurred costs to monitor their credit activity, and suffered from emotional distress. The Third Circuit dismissed the case for lack of standing finding that, in the event of a data breach, a plaintiff does not have standing to sue unless the plaintiff alleges actual misuse of the information or that such misuse is imminent; allegations of increased risk of identity theft were deemed insufficient to meet the threshold. This standard has since become known as the Reilly standard.

    Finding the facts in Storm substantially similar to those in Reilly, the Storm court found that plaintiffs had not alleged that they actually suffered any form of identity theft as a result of the data breach. Specifically, they failed to allege “that their bank accounts ha[d] been accessed, that credit cards ha[d] been opened in their names, or that unknown third parties … used their Social Security numbers to impersonate them and gain access to their accounts.” Without substantive claims of actual data misuse, plaintiffs failed to meet the touchstone of the Reilly standard, resulting in the dismissal of their case.

    The same rationale was used in In re Horizon Healthcare Services, Inc. Data Breach Litigation, a case decided just this last March. Civ. No. 13-7418 (2015). In Horizon Healthcare, the District Court for the District of New Jersey also dismissed a putative class action suit for lack of standing because plaintiffs could not show that they had sustained actual injuries connected to the theft of two password-protected laptops containing plaintiffs’ personal and financial information.

    From a plaintiff’s perspective, those affected by a data breach should wait to file suit until an actual harm has occurred. This will ensure that they avoid “foot[ing] the bill” for taking preventive measures only to be dismissed at the summary judgment phase.

    Viewing the issue from a corporation’s perspective, corporations should not assume that this high standard will protect them from impending lawsuits. As Judge John E. Jones III opined in Storm, “[o]nce a hacker does misuse a person’s personal information for personal gain … there is a clear injury and one that can be fully compensated with money damages.”


    To learn more about plaintiff standing in data breach cases, please contact Cynthia A. Augello via email at caugello@cullenanddykman.com or via telephone at 516-357-3753.

    A special thank you to Cecilia Ehresman, a law clerk at Cullen and Dykman LLP, for her assistance with this blog post.