As previously discussed here and here, standing is the current hot topic when it comes to data breach class actions. The bar for demonstrating a sufficient injury to be able to bring suit in a data breach case seems to be fairly high: plaintiffs have to show that a data breach actually caused them some sort of injury. In other words, it’s not enough to say that the act of a breach in and of itself is the injury. A recent federal court decision out of Pennsylvania continued the federal courts’ trend in setting a high bar for data breach standing.
In Storm v. Paytime, a putative class of plaintiffs brought suit in the middle district of Pennsylvania following a security breach of Paytime, Inc.’s (a national payroll service company) computer systems, “in which an unknown third party allegedly accessed Plaintiffs’ confidential personal and financial information.” The plaintiffs alleged claims of negligence, breach of contract and violations of Pennsylvania’s Unfair Trade Practices and Consumer Protection Law. Paytime eventually moved to dismiss the complaint, primarily on the argument that the plaintiffs lacked standing to bring suit.
Judge John E. Jones III agreed. Here is how his opinion begins: “There are only two types of companies left in the United States, according to data security experts: ‘those that have been hacked and those that don’t know they’ve been hacked.’ . . . Further, when a data breach occurs, especially one intentionally done by a hacker, it is not unreasonable for the victims to feel that a wrong has clearly been committed. But has there been an actionable harm that is cognizable in federal court? This is the question with which we must grapple in the matter sub judice.”
In discussing whether or not the plaintiffs in this particular case had standing, Judge Jones looked to the Third Circuit, which has held that plaintiffs in data breach cases “do[] not have standing to sue” unless they “allege[] actual ‘misuse’ of the information, or that such misuse is imminent.” In this case, however, the plaintiffs’ “credit information and bank accounts look the same today as they did prior to Paytime’s data breach.” Judge Jones concluded with a strong restatement of the high standard for standing, while also providing some encouraging words for potential data breach plaintiffs:
There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft. Once a hacker does misuse a person’s personal information for personal gain, however, there is a clear injury and one that can be fully compensated with money damages. . . . In that situation, a plaintiff would be free to return to court and would have standing to recover his or her losses.
Read Judge Jones’ full opinion here.