eDiscovery Daily Blog

eDiscovery Case Law: Court Dismisses Identify Theft Case Where No Harm Was Proven


In the case Reilly v. Ceridian Corp, 11-1738 (3rd Cir. Dec. 12, 2011), the Third Circuit affirmed the district court’s dismissal of a class action against payroll processing company Ceridian for a data breach, finding that the plaintiffs case lacked merit because their alleged injuries were too speculative.

An unknown hacker breached Ceridian’s Powerpay system in December 2009, potentially gaining access to payroll information such as names, birth dates, bank account numbers and Social Security numbers belonging to approximately 27,000 employees at 1,900 companies. Two individual plaintiffs filed suit on behalf of all of the individuals whose information was exposed in the security breach.  However, the lawsuit did not allege that the hacker actually accessed, misused or copied the data. Instead, the plaintiffs claim was based on an allegedly increased risk of identity theft, emotional distress and the credit-monitoring costs they incurred.

The U.S. Court of Appeals for the Third Circuit upheld a District Court decision dismissing the case, finding that these asserted injuries were too speculative to give the plaintiffs standing to bring a federal lawsuit and emphasized the need for an injury-in-fact, which must be actual or imminent, not hypothetical.

The court distinguished this case from other cases in the Seventh and Ninth Circuits where plaintiffs bringing claims for data breaches were found to have standing. The Third Circuit judges noted that those other cases involved threatened harms that were much more “imminent” and “certainly impending” due to evidence of improper intent (such as the Ninth Circuit case, where an individual had attempted to open a bank account with a plaintiff’s information following the physical theft of a laptop).

Even though the plaintiffs voluntarily expended time and money to monitor their financial situation, the court concluded:

“Here, no evidence suggests that the data has been—or will ever be—misused”…The present test is actuality, not hypothetical speculations concerning the possibility of future injury. Appellants’ allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”

So, what do you think?  Should the case have been dismissed?  Or should a company be held responsible for security breaches regardless what is done with the data that’s breached?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.