BreachExchange mailing list archives

Third Circuit Holds Data Breach Plaintiffs Lack Standing


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 21 Jan 2012 23:47:42 -0500

http://www.huntonprivacyblog.com/2012/01/articles/third-circuit-holds-data-breach-plaintiffs-lack-standing/

On December 12, 2011, the United States Court of Appeals for the Third
Circuit affirmed a decision that employees of Ceridian Corporation’s
(“Ceridian’s”) customers did not have standing to sue Ceridian after
the payroll processing firm suffered a data breach.

In December 2009, a hacker may have gained access to personal and
financial information of Ceridian’s customers, including names,
addresses, Social Security numbers, dates of birth and bank account
information. Although it is not known if the hacker read, copied or
understood the data, Ceridian sent notification letters to affected
individuals informing them of the breach and offering to provide one
year of complimentary credit monitoring and identity theft protection.

The appellants, who were employees of a law firm that was a former
customer of Ceridian, filed a complaint alleging that, as a result of
the breach, they experienced an increased risk of identity theft,
incurred costs to monitor credit activity and suffered emotional
distress. The U.S. District Court for the District of New Jersey
granted Ceridian’s motion to dismiss for lack of standing and failure
to state a claim.

On the appeal, the Third Circuit affirmed the dismissal, agreeing with
the district court that “allegations of a hypothetical, future injury
do not establish standing under Article III.” The court noted that the
appellants relied on speculation that the hacker: (1) read, copied and
understood their personal information; (2) intends to commit future
criminal acts by misusing the information; and (3) is able to use such
information to the detriment of appellants by making unauthorized
transactions. According to the court, “[u]nless and until these
conjectures come true, Appellants have not suffered any injury; there
has been no misuse of the information, and thus, no harm.”

In support of its conclusion, the Third Circuit cited cases that were
dismissed because the alleged future harm was deemed “neither imminent
nor certainly impending,” distinguishing decisions in Pisciotta v. Old
National Bancorp and Krottner v. Starbucks in which there was evidence
that the threatened harms were significantly more “imminent” and
“certainly impending.” The court also held that the appellants’
analogies to defective medical device, toxic substance and
environmental injury cases were not valid on several grounds,
including because such cases involve an actual physical injury, hinge
on human health concerns and cannot necessarily be remedied by
monetary compensation.

In May 2011, we reported on Ceridian’s settlement with the Federal
Trade Commission over charges the FTC filed against Ceridian in
connection with the 2009 breach. As part of the resulting consent
order, Ceridian is prohibited from making misleading claims regarding
its privacy practices and is required to maintain a comprehensive
information security program.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
