Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Posted in Data Breaches, Data Security, Litigation, United States

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.

The U.S. Court of Appeals for the Third Circuit upheld a District Court decision dismissing the case, finding that these asserted injuries were too speculative to give the plaintiffs standing to bring a federal lawsuit. Article III of the U.S. Constitution requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury. The Third Circuit held that the Ceridian plaintiffs’ complaint had not met these requirements.

“Here, no evidence suggests that the data has been—or will ever be—misused,” the court wrote. “The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”

The court also rejected the plaintiffs’ argument that the time and money they spent on credit monitoring was a sufficient injury, finding that “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged ‘increased risk of injury’ which forms the basis for Appellants’ claims.”

Courts have reached similar conclusions in several recent online privacy suits, including suits against Amazon, Facebook, and LinkedIn. (Covington represents LinkedIn in that litigation.)