Storm v Paytime — Data Breach Case

Data Breach

According to Judge John E. Jones, III, “[t]here are only two types of companies left in the United States… ‘those that have been hacked and those that don’t know they’ve been hacked.'”

Citing the now infamous USAToday article statistic that 43% of companies have experienced a data breach, the US District Court for the Middle District in Pennsylvania held in Storm v. Paytime that, despite a breach, the plaintiffs (who had their personal information exposed but not actually mis-used) had not suffered actual or imminent damages and lacked standing to sue the company which was the target of hacking.  This appears to be a pro-business data breach decision.

The Storm case involved two consolidated putative class action matters where the Storm plaintiffs alleged negligence and breach of contract while the consolidated Holt plaintiffs alleged a breach of the state unfair trade practices act and breach of contract.  Defendant Paytime is a national payroll service company and, in order to facilitate payroll processing, the plaintiffs and proposed class had to provide confidential personal and financial information (see Paytime’s website).

According to the Memorandum Order, the unauthorized access occurred on April 7, 2014; Paytime discovered it on April 30; and Paytime sent notices on May 12 (note that plaintiffs alleged that the company “delayed” notification to the plaintiffs).  By May 20, Paytime’s forensic experts completed their investigation and confirmed the breach and accessing of over 233,000 individuals’ information.  Plaintiffs asserted that their damages included lost time to protect against identify theft, costs of monitoring credit/accounts, possible money loss, and “they also allege as an injury the increased risk of identity theft.”

The court reviewed controlling authorities on actual / impending damages, including the 2013 US Supreme Court case of Clapper v. Amnesty International, where (pre-Snowden), plaintiffs lacked standing to claim that the government had collected their telephone data and a Third Circuit case of Reilly v. Ceridian Corp. (a similar data breach claim against a payroll company).  In Reilly, the court held that, “district courts… must dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.  Allegations of increased risk of identity theft are insufficient to allege a harm.”

Finding that the plaintiffs’ claims are “remarkably similar to those of Reilly,” the Storm court found that the plaintiffs’ “credit information and bank accounts look the same today as they did prior to Paytime’s data breach in April 2014” and, despite the use of words such as “stolen” and “misappropriated,” the plaintiffs’ claims were indistinguishable from Reilly.  In short, plaintiffs “have not alleged actual ‘misuse’ of the data, which is the touchstone of the Reilly standard.”  The court noted that its “strict imminency standard” for damages was self-proving since “the data breach in this case occurred in April 2014 — almost a year ago — and plaintiffs have yet to allege that any of them have become actual victims of identity theft.”

Finally, the court noted that, while there are prior courts which have found standing, many of those contrary opinions were pre-Clapper cases “or rely on pre-Clapper precedent and are, at best, thinly reasoned.” Citing In re SAIC.


Data Breach
Christopher Hopkins to Discuss CyberSecurity and Technology Trends for Mediators and Arbitrators (Palm Beach Bar Association)

A great thanks to the Palm Beach Bar Association for inviting me to speak about cyber security and technology trends at the annual ADR CLE/CME on Monday, February 10,. 2020. This year the theme is “The New Flavors of ADR” and I can assure you that “the cyber” and tech …

Data Breach
Christopher Hopkins Discusses Cybersecurity & Technology for Lawyers At Law Firm Leaders Summit

I was invited to speak today in Tampa about cybersecurity and technology for lawyers at the Law Firm Leaders Summit conference. I presented to both “small firm” and “large firm” tracks at the seminar. We covered: Getting hacked on public wifi Phishing, Spearfishing and other hacks Ransomware U.S. Government’s “NIT” …

Data Breach
Christopher Hopkins Presents Keynote Cybersecurity Presentation at Florida Dispute Resolution Conference

Special thanks to the Florida Dispute Resolution Center and the 1,000+ attendees at this year’s ADR: Options and Opportunities (27th annual) Conference. My keynote address covered various forms of cybersecurity risks (not just for mediators) including phishing, spearfishing, WiFi Pineapple man in the middle attacks, DDOS attacks, physical attacks, and …