Storm v Paytime — Data Breach Case


According to Judge John E. Jones, III, “[t]here are only two types of companies left in the United States… ‘those that have been hacked and those that don’t know they’ve been hacked.’”

Citing the now infamous USA Today article statistic that 43% of companies have experienced a data breach, the US District Court for the Middle District of Pennsylvania held in Storm v. Paytime that, despite a breach, the plaintiffs (who had their personal information exposed but not actually misused) had not suffered actual or imminent damages and lacked standing to sue the company which was the target of hacking. This appears to be a pro-business data breach decision.

The Storm case involved two consolidated putative class action matters where the Storm plaintiffs alleged negligence and breach of contract while the consolidated Holt plaintiffs alleged a breach of the state unfair trade practices act and breach of contract.  Defendant Paytime is a national payroll service company and, in order to facilitate payroll processing, the plaintiffs and proposed class had to provide confidential personal and financial information (see Paytime’s website).

According to the Memorandum Order, the unauthorized access occurred on April 7, 2014; Paytime discovered it on April 30; and Paytime sent notices on May 12 (note that plaintiffs alleged that the company “delayed” notification to the plaintiffs). By May 20, Paytime’s forensic experts completed their investigation and confirmed the breach and that the information of over 233,000 individuals had been accessed. Plaintiffs asserted that their damages included lost time to protect against identity theft, costs of monitoring credit/accounts, possible money loss, and “they also allege as an injury the increased risk of identity theft.”

The court reviewed controlling authorities on actual / impending damages, including the 2013 US Supreme Court case of Clapper v. Amnesty International, where (pre-Snowden) plaintiffs lacked standing to claim that the government had collected their telephone data, and the Third Circuit case of Reilly v. Ceridian Corp. (a similar data breach claim against a payroll company). In Reilly, the court held that, “district courts… must dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.  Allegations of increased risk of identity theft are insufficient to allege a harm.”

Finding that the plaintiffs’ claims are “remarkably similar to those of Reilly,” the Storm court found that the plaintiffs’ “credit information and bank accounts look the same today as they did prior to Paytime’s data breach in April 2014” and, despite the use of words such as “stolen” and “misappropriated,” the plaintiffs’ claims were indistinguishable from Reilly.  In short, plaintiffs “have not alleged actual ‘misuse’ of the data, which is the touchstone of the Reilly standard.”  The court noted that its “strict imminency standard” for damages was self-proving since “the data breach in this case occurred in April 2014 — almost a year ago — and plaintiffs have yet to allege that any of them have become actual victims of identity theft.”

Finally, the court noted that, while there are prior courts which have found standing, many of those contrary opinions were pre-Clapper cases “or rely on pre-Clapper precedent and are, at best, thinly reasoned” (citing In re SAIC).

 
