According to Judge John E. Jones, III, “[t]here are only two types of companies left in the United States… ‘those that have been hacked and those that don’t know they’ve been hacked.'”
now infamous USAToday article statistic that 43% of companies have experienced a data breach, the US District Court for the Middle District of Pennsylvania held in Storm v. Paytime that, despite a breach, the plaintiffs (who had their personal information exposed but not actually misused) had not suffered actual or imminent damages and lacked standing to sue the company that was the target of the hacking. This appears to be a pro-business data breach decision.
The Storm case involved two consolidated putative class action matters where the Storm plaintiffs alleged negligence and breach of contract while the consolidated Holt plaintiffs alleged a breach of the state unfair trade practices act and breach of contract. Defendant Paytime is a national payroll service company and, in order to facilitate payroll processing, the plaintiffs and proposed class had to provide confidential personal and financial information (see Paytime’s website).
According to the Memorandum Order, the unauthorized access occurred on April 7, 2014; Paytime discovered it on April 30; and Paytime sent notices on May 12 (note that plaintiffs alleged that the company “delayed” notification to the plaintiffs). By May 20, Paytime’s forensic experts completed their investigation and confirmed the breach and the accessing of over 233,000 individuals’ information. Plaintiffs asserted that their damages included lost time spent protecting against identity theft, costs of monitoring credit/accounts, possible money loss, and “they also allege as an injury the increased risk of identity theft.”
The court reviewed controlling authorities on actual/impending damages, including the 2013 US Supreme Court case of Clapper v. Amnesty International, where (pre-Snowden) plaintiffs lacked standing to claim that the government had collected their telephone data, and a Third Circuit case, Reilly v. Ceridian Corp. (a similar data breach claim against a payroll company). In Reilly, the court held that “district courts… must dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm.”
Finding that the plaintiffs’ claims are “remarkably similar to those of Reilly,” the Storm court found that the plaintiffs’ “credit information and bank accounts look the same today as they did prior to Paytime’s data breach in April 2014” and, despite the use of words such as “stolen” and “misappropriated,” the plaintiffs’ claims were indistinguishable from Reilly. In short, plaintiffs “have not alleged actual ‘misuse’ of the data, which is the touchstone of the Reilly standard.” The court noted that its “strict imminency standard” for damages was self-proving since “the data breach in this case occurred in April 2014 — almost a year ago — and plaintiffs have yet to allege that any of them have become actual victims of identity theft.”
Finally, the court noted that, while there are prior courts that have found standing, many of those contrary opinions were pre-Clapper cases “or rely on pre-Clapper precedent and are, at best, thinly reasoned,” citing In re SAIC.