The United States Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, 2011 U.S. App. LEXIS 24561, 3 (3d Cir., December 12, 2011), found that “allegations of an increased risk of identity theft resulting from a security breach” were insufficient to secure Article III standing. In so doing, the court affirmed the dismissal of claims brought by former employees of a NJ law firm after the firm’s payroll processor was breached.
Recognizing that “a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed”, the Third Circuit sided with those courts finding that plaintiffs lack standing because the harm caused is too speculative. Specifically, the court did not consider an intrusion that penetrated a firewall and potentially allowed access to employee payroll data sufficient to meet the Article III requirement of an “actual or imminent” injury. No misuse was alleged so no harm was found.
As well, the Third Circuit rejected the notion that time and money expenditures to monitor financial information conferred plaintiffs with standing. Id. at 5 (“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.”). See also In re Michaels Stores PIN Pad Litigation, Slip Op. at 14 (N.D. Ill November 23, 2011) (reasoning that “individuals cannot create standing by voluntarily incurring costs in response to a defendant’s act. Accordingly, Plaintiffs cannot rely on the increased risk of identity theft or the costs of credit monitoring services to satisfy the ICFA’s injury requirement.”).
The Third Circuit’s decision stands in sharp contrast to those decisions that stretched hard to find a cognizable harm sufficient to trigger constitutional standing as well as a recent ruling from the First Circuit reversing a dismissal because costs associated with credit card reissuance fees and ID theft insurance were deemed sufficient to constitute an injury.
There is now a growing body of law that has sprung from public data breaches that can be used by either side of the class action table. The key metric will be how such decisions can be tooled by plaintiff’s counsel to defer dismissal. Given the potential use of cy pres settlements, defense counsel need to cut off the discovery beast before it grows out of control and gives rise to such settlement discussions. All plaintiff’s counsel needs to do is hope for a sympathetic judge before the wheel is spun.