Last week, the U.S. Supreme Court declined to hear an appeal of a Third Circuit Court of Appeals decision that put an end to a proposed class action lawsuit stemming from a data breach.  The suit, Reilly v. Ceridian Corp., was brought by two individuals who were among approximately 27,000 employees at 1,900 companies whose personal and financial information was contained in a payroll processing company computer system breached by an unknown hacker in December 2009.

The plaintiffs brought numerous claims, including negligence and breach of contract, against the payroll processing company and alleged that as a result of the breach they have suffered an increased risk of identity theft, incurred costs to monitor their credit activity, and suffered emotional distress.  In December 2011, the Third Circuit affirmed the lower court’s ruling that the plaintiffs’ claims of harm caused by the data breach were too speculative and that, as a result, the plaintiffs did not have standing to bring the suit. 

In their petition to the Supreme Court, the plaintiffs argued that the high Court should hear their case in order to resolve a conflict among several Courts of Appeals.  According to the plaintiffs, at least three Courts of Appeals have found standing in data breach cases where no resulting identity theft had occurred, on the theory that the threat of future harm or increased risk of future harm constituted injury for the purpose of establishing standing.  The Supreme Court denied the plaintiffs’ petition and will not hear the case.