The Third Circuit splits with other federal courts in finding that risk of identity theft does not confer standing to bring a suit for data breach in Reilly v. Ceridian Corporation, Case No. 11-1738 (3rd Cir. Dec. 12, 2011), http://www.ca3.uscourts.gov/opinarch/111738p.pdf. The Third Circuit followed the reasoning applied in early cases, e.g., Key v. DSW, Inc., 454 F.Supp.2d 684, 690 (S.D. Ohio 2006), to find that an alleged increase in future risk of harm was insufficient. The Court apparently split however with the 1st, 7th and 9th Circuit Courts which found standing found where plaintiff alleged an increased risk of future harm, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007).
Ceridian is a payroll processing firm that collected personal and financial information about its customers’ employees. In December 2009, an unknown hacker infiltrated Ceridian’s “Powerpay” system, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. Employees of one of Ceridian’s customers brought the suit. The lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.
In its ruling, the U.S. Court of Appeals for the Third Circuit upheld a District Court decision dismissing the case, finding that these asserted injuries were too speculative to give the plaintiffs standing to bring a federal lawsuit. The Third Circuit focused on established “standing law” which requires the invasion of a legally protected interest that is both “concrete and particularized,” and “actual or imminent, not conjectural or hypothetical.” The Third Circuit wrote “Here, no evidence suggests that the data has been—or will ever be—misused.” “The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”
The court also rejected the plaintiffs’ argument that the time and money they spent on credit monitoring was a sufficient injury, finding that “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants’ claims.” The Third Circuit distinguished Pisciotta and Krottner, discussed above, as the risk of harm was more “imminent” and “impending” in those cases compared to the threat of hypothetical harm alleged by the Ceridian plaintiffs. The Third Circuit also dismissed Pisciotta and Krottner as relying on “skimpy” analyses of the requirements of Article III standing.
The Third Circuit did not address the recent decision from the First Circuit in Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011). http://www.ca1.uscourts.gov/pdf.opinions/10-2384P-01A.pdf. In Hannaford, the First Circuit determined that out-of-pocket mitigation costs (such as credit insurance and fees associated with new credit cards) were reasonably foreseeable expenses and, therefore, were legally cognizable damages. The Hannaford system was targeted by a criminal enterprise which Hannaford admitted resulted in 1,800 fraudulent charges. The First Circuit distinguished the prior decisions on the ground that none involved allegations that any plaintiffs had suffered identity theft or actual misuse of credit card numbers (although not true as the Ninth Circuit found that only the plaintiff who had an incident of security theft had a claim - Stollenwerk v. Tri-West Heath Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007)). The First Circuit found it sufficient that plaintiffs had alleged they were aware that actual misuse occurred as to other card holders and so it was reasonable under Maine law for plaintiff to take action to militate against potential harm. For this reason, the Third Circuit might distinguish Hannaford for the same reasons it distinguished Pisciotta and Krottner, imminence of the threat of harm.
While Reilly raises the bar for plaintiffs seeking standing to bring a class action, companies should still be diligent in crafting their response to a breach. Ultimately standing will depend on the proximity of the individual plaintiff to the threat of identity theft and thus the facts of the breach. It is essential that the company targeted by the criminal attack take care in deciding whether a breach requiring notice actually occurred. "There has been a Data Security Breach, But is Notice Required," [Article Link]. A thorough and thoughtful forensic analysis will be important. Different forms of notices may create the need for sub-classes and a separate analysis as to the reasonableness of the plaintiffs’ response and whether is any “increased risk of injury.”