Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian
[Post by Venkat Balasubramani]
Reilly v. Ceridian Corp, 11-1738 (3rd Cir. Dec. 12, 2011)
Ceridian is a payroll processing firm. Reilly and Pluemacher were employees of a law firm that was a Ceridian customer. In December 2009, Ceridian suffered a “security breach.” A hacker infiltrated Ceridian’s system and gained access to information belonging to 27,000 employees at 1,900 companies. After investigating, Ceridian sent a letter to the affected individuals, letting them know that their personal information, including “first name, last name, social security number and, in several cases, birth date and/or bank account” information was accessed. Ceridian provided the affected inviduals one year of free credit monitoring and identity theft protection. (It’s unclear as to whether plaintiffs took advantage of this, but they alleged that they spent money for monitoring efforts.)
The Third Circuit focuses on the issue of whether plaintiffs have standing. The court canvasses the precedent and says most courts addressing standing for data breach plaintiffs have concluded that plaintiffs lack standing because the harm is too speculative. The court agrees:
Here, no evidence suggests that the data has been–or will ever be–misused. The present test is actuality, not hypothetical speculations concerning the possiblity of future injury.
Plaintiffs relied on Pisciotta v. Old National Bancorp and Krottner v. Starbucks for the proposition that the increased risk of identity theft is sufficient to confer Article III standing. The court distinguishes these cases on the basis that, in those cases, the threatened harms were “more imminent”. In Pisciotta there was evidence that the hacker’s intrusion was sophisticated, and in Krottner, there was evidence that someone attempted to misuse the purloined information.
Plaintiffs also cited, by analogy, where courts have broadened standing requirements in other contexts (toxic tort, defective medical devices, and environmental injury). The court is not persuaded. The court says that, in those cases, an injury has occurred, even if it has not manifested itself and it cannot be presently quantified. In contrast, in the data breach context, “any damages that may occur here are entirely speculative and dependent on the skill and intent of the hacker.” Second, the court says that the medical device and toxic tort cases raise “human health concerns.” Courts relax the test for standing where human “suffering” is involved. The injury in those cases cannot be remedied by money. This is similar to the environmental injury cases where courts say that plaintiffs challenging actions on the basis of environmental regulation should be allowed to proceed because monetary compensation may not fix the harm that will occur:
unlike priceless “mountains majesty,” the thing feared lost here is simple cash, which is easily and precisely compensable with a monetary award.
The court finally says that the amounts expended by plaintiffs is not sufficient to confer standing because the money was not spent to avert or deal with any “actual injuries.”
Courts have pretty uniformly rejected data breach lawsuits, but the recent trend is to do so on the basis of Article III standing, rather than on the merits. This case looks like it’s on the more restrictive end of the spectrum as far as standing goes.
The court’s attempt to distinguish other data breach cases on the basis that the harms in other cases were imminent or more obviously likely to occur isn’t the most convincing. Hackers have been known to compromise data in order to demonstrate security vulnerabilities, but if this is not the case, isn’t it fair to assume that data will be misused in some way? Aren’t all hackers by definition sophisticated? Aren’t all data breaches presumptively malicious? On the other hand, the data breach plaintiffs never seem to have adequate data to present to the court that the information in question is being misused. Even data pointing to the frequency of misuse in other breach cases would be useful to sway a court, but it’s either not available or not being highlighted by plaintiffs. It’s also surprising to see plaintiffs’ counsel not include someone in the lawsuit who has had their information misused. (Maybe data breach cases are not well suited to resolution on a class basis?)
Some courts (In re Hannaford; Ruiz v. Gap) have said that basic monitoring services are reasonable mitigation efforts and as a result, companies that suffer breaches are offering to affected individuals this as a matter of course. Here it’s unclear as to whether plaintiffs took advantage of this but also took efforts of their own. Although it’s not clear, it looks like in this court’s view, even basic monitoring is not necessary and a failure to provide it would not form the basis for standing.
While the cases are across the board in how they get there, one thing is for sure. Data breach plaintiffs have gotten little or no relief in the courts.