Concerning Whether Victims of Data Breaches Must Suffer Identity Theft or Financial Fraud In Order to Sue
Storm, et al. v. Paytime, Inc., currently before the U.S. Court of Appeals for the Third Circuit, concerns whether victims of data breaches have standing to sue if they have not suffered actual misuse of their personal information.
Does a data breach victim have standing to sue if she hasn’t actually suffered financial fraud or identity theft?
Factual History and Procedural Background
Paytime is a “national payroll service company” whose services include “human resource management services, time and attendance systems, and web-based payroll submission.” Employees “were required to provide to their employers confidential personal and financial information, including their full legal names, addresses, bank account data, Social Security numbers, and dates of birth.” Employers then sent this information to Paytime.
On April 7, 2014, “unknown third parties gained unauthorized access to Paytime’s computer systems” and stole the personal and financial information of more than 233,000 individuals. Paytime didn’t discover the breach until April 30, 2014, then waited until May 12, 2014 to disclose the breach to affected parties. Paytime offered to provide a year of “free credit monitoring and identity restoration services” for anyone affected by the breach.
Current or former employees of companies that used Paytime as their payroll processing service brought two lawsuits against Paytime following the breach: In Storm, et al. v. Paytime, Plaintiffs filed a class action complaint alleging negligence and breach of contract. Paytime moved to dismiss the amended complaint for failure to state a claim and for lack of jurisdiction. In Holt et al. v. Paytime, Plaintiffs filed a class action complaint alleging breach of contract and violation of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. Paytime moved to dismiss the complaint for lack of subject matter jurisdiction and for failure to state a claim. Holt was transferred to the Middle District of Pennsylvania and the cases were consolidated.
The Plaintiffs in both cases allege injury from the increased risk of identity theft, and from the time and money spent protecting themselves from identity theft and fraud, “such as costs of monitoring their financial accounts, the opportunity cost of the time spent monitoring their accounts for identity theft, and costs of obtaining replacement checks and/or credit and debit cards.” The Storm Plaintiffs also allege actual damages, such as a plaintiff named Wilkinson whose government contractor job requires him to have security clearance, but whose clearance has been suspended due to the data breach, resulting in an additional four hour daily commute to a different job site. The Holt Plaintiffs also allege “the significant possibility of monetary losses arising from unauthorized bank account withdrawals, fraudulent payments, and/or related bank fees charged to their accounts.”
Lower Court Opinion
The lower court found that all Plaintiffs lacked Article III standing and granted Paytime’s motions to dismiss. Relying on Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), the court noted that “the Third Circuit requires its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending.”
In reviewing the Plaintiffs’ allegations, the court found “no factual allegation of misuse or that such misuse is certainly impending.” Plaintiffs had not alleged that “that they have actually suffered any form of identity theft as a result of the data breach—to wit, they have not alleged that their bank accounts have been accessed, that credit cards have been opened in their names, or that unknown third parties have used their Social Security numbers to impersonate them and gain access to their accounts.”
In addition, the court followed Reilly in finding that the increased risk of identity theft “does not suffice to allege an imminent injury.” The court noted that more than a year had passed since the data breach, which “undermine[s] the notion that identity theft would happen in the near future.” The court also dismissed as irrelevant the fact that the “breach was done by skilled hackers working from ‘foreign’ IP addresses.”
The court also dismissed the actual damages proffered by Plaintiff Wilkinson in Storm as a “preventative measure” insufficient to confer standing. The court noted that “[h]is supposed damages, in the form of increased commute time and related expenses . . . are merely a form of prophylactic costs the Supreme Court has warned cannot be used to ‘manufacture’ standing, even if those costs are reasonable.” The court didn’t address the Plaintiffs’ claim of injury from the costs of credit monitoring, but it noted in passing that here, the Plaintiffs would not need to foot the bill for preventive measures because Paytime had arranged to provide a year of free credit monitoring.
The court celebrated the “stringent standard for standing” as logical and wise in data breach cases. Because there are so many data breaches, “[m]illions of people, out of reasonable fear and prudence, may decide to incur credit monitoring costs and take other preventive steps.” But requiring companies to “pay damages to thousands of customers, when there is yet to be a single case of identity theft proven,” is “overzealous and unduly burdensome to business.”
Finally, the court dismissed Plaintiffs’ claim that the data breach harmed their privacy interest because “their confidential personal information” was accessed by an unauthorized third party. Because Plaintiffs “do not allege that the unidentified hacker was actually able to view, read, or otherwise understand the data it accessed” or that “their information was exposed in such a way as to make it easily viewed,” there is no actual or imminent harm to privacy.
EPIC has a long history of advocating for consumers against the risks of identity theft and financial fraud.
In January 2016, EPIC launched Data Protection 2016, a nonpartisan campaign to make data protection an issue in the 2016 election. The campaign advocates for reduced identity theft and financial fraud and for investigations of the misuse of personal data.
In September 2015, EPIC filed an amicus brief in the Supreme Court case Spokeo v. Robins, which concerns whether courts have jurisdiction to review cases brought based on violations of federal statutory rights. Plaintiff Robins sued Spokeo for violating the Fair Credit Reporting Act by disclosing inaccurate information about him. EPIC filed an amicus brief, advising the Court that now is not the time “to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress.” EPIC highlighted the need for robust privacy and consumer protection laws by demonstrating that “American consumers today face an epidemic of privacy harms, including data breaches, identity theft, and financial fraud.” In 2015 alone, data breaches had “exposed more than one hundred and forty million records of personally identifiable information.” And according to the most recent Department of Justice report, “identity theft cost American consumers more than twenty-four billion dollars” in 2012.
In April 2014, EPIC submitted comments to the White House Office of Science and Technology Policy’s review of Big Data and the Future of Privacy. In its comments, EPIC warned the OSTP about the risks Americans face from the current big data environment, urged the swift enactment of the Consumer Privacy Bill of Rights, and highlighted the need for stronger privacy safeguards.
EPIC has also repeatedly advised legislators about the need to provide strong protections for consumer data. In October 2015, EPIC testified before the Senate Committee on Aging about protecting senior citizens from identity theft. EPIC warned about the growing risk of SSN-related identity theft, a risk magnified by the inclusion of SSNs on Medicare cards. EPIC had previously warned Congress and state legislators about the risks of using SSNs on identity documents. In June 2011, EPIC testified before the House Committee on Energy and Commerce about the SAFE Data Act, a bill intended to protect consumers’ personal information. EPIC emphasized the growing problem of data breaches and the likelihood that problems would get worse as more user data moves to cloud-based services. EPIC criticized the bill for preempting stronger state laws and for not adequately protecting personal information. The bill was not enacted. And in May 2009, EPIC testified before the House Committee on Energy and Commerce about H.R. 2221, the Data Accountability and Trust Act, and H.R. 1319, the Informed P2P User Act. EPIC opposed the preemption of state laws, recommended the use of text messages for breach notices, and suggested that personally identifiable information be broadly defined to include any information that identifies or could identify a particular person. Both bills died in committee.
U.S. Court of Appeals for the Third Circuit, No. 15-3690